Privacy Policy

Effective date: April 1, 2026

1. Who We Are

RemoteAgent is operated by:
DDO LTD
Registration number: MT30710326
23, Office 2, Triq Giuseppe Calleja
Swatar, Msida MSD2270, Malta
We are the data controller for personal data processed through this service. For privacy inquiries, contact us at privacy@ddo.mt.

2. What Data We Collect

Via Telegram Login:
  • Telegram user ID (numeric)
  • Telegram username (if public)
  • First name (used only for greeting messages)
Via Stripe (paid plans only):
  • Billing name and email address
  • Payment method (stored by Stripe — we never see raw card data)
Usage data:
  • Session metadata (start time, status, first 200 characters of prompts)
  • Agent connection status and last-seen timestamps
  • Server logs (IP addresses, request timestamps) — retained for 30 days
Cookie consent (if you interact with our consent banner):
  • An anonymous UUID generated in your browser (never linked to your account)
  • Your consent choices (analytics on/off, advertising on/off) with timestamp
  • A SHA-256 hash of your IP address (irreversible — we cannot recover the original IP)

3. What Transits Our Servers

Because RemoteAgent is a relay service, the following data passes through our infrastructure in transit but is not stored beyond what is described in Section 2:
  • Your Telegram messages (prompts): The text you send to the bot passes through our webhook endpoint and is forwarded via Redis to your local agent. Only the first 200 characters are stored as a session preview. Full prompt content is not persisted on our servers.
  • Agent output: Text streamed back from your agent transits our servers to be delivered to your Telegram chat. It is not stored beyond the current session's streamed output (used only to reconstruct the message if delivery is interrupted).
What we do NOT collect or store:
  • Your AI provider API key (Anthropic, Google, OpenAI, etc.) — it never leaves your server
  • Your source code or file contents
  • Full conversation history beyond what you explicitly continue across sessions
  • Passwords (we use Telegram for authentication)

4. How We Use Your Data

  • To authenticate you and manage your account
  • To deliver the relay service between your agent and Telegram
  • To send you service notifications and trial reminders via Telegram bot
  • To process payments and manage subscriptions
  • To detect abuse and ensure service security
  • To analyse site usage and improve the service (only with your explicit consent)

5. Legal Basis (GDPR)

We process your personal data under the following legal bases:
  • Contract performance — to provide the service you signed up for
  • Legitimate interests — security, fraud prevention, service improvement
  • Consent — for analytics and advertising cookies (which you can withdraw at any time)
  • Legal obligation — compliance with applicable law, including GDPR consent audit logging

6. Third-Party Services (Data Processors)

We use the following third-party processors. Each has been assessed as providing adequate data protection guarantees:
  • Telegram — authentication and messaging (Telegram Privacy Policy applies)
  • Stripe — payment processing (PCI-DSS compliant; Stripe Privacy Policy applies)
  • Neon (PostgreSQL) — primary database, hosted in EU (AWS eu-west-1)
  • Upstash (Redis) — real-time message relay between agent and Telegram bot
  • Vercel — web hosting and serverless functions (EU region)
  • Google (Analytics / Tag Manager) — site analytics, only loaded after your explicit consent
We do not sell your data to third parties.

7. Cookies & Tracking

We use the following categories of cookies:
  • Essential — a single httpOnly session cookie to keep you logged in. Always active; no consent required.
  • Analytics — Google Analytics 4 and Microsoft Clarity. Loaded only after your explicit consent.
  • Advertising — Google AdSense. Loaded only after your explicit consent.
You can change or withdraw your consent at any time using the cookie preferences button in the site footer. We implement Google Consent Mode v2 to ensure tracking scripts are blocked until consent is granted.

8. Data Retention

We retain your account data for as long as your account is active. If you cancel or your trial expires without subscribing, account data is deleted after 30 days. Server logs are deleted after 30 days. Consent audit records are retained for 3 years as required for GDPR compliance. You can request immediate deletion of your account data at any time.

9. Your Rights (GDPR)

As a data subject under GDPR, you have the right to:
  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Portability — receive your data in a machine-readable format
  • Restriction — request that we limit processing of your data
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — for analytics/advertising cookies, at any time via the cookie preferences panel
  • Lodge a complaint — with the Malta Information and Data Protection Commissioner (IDPC): idpc.org.mt
To exercise any of these rights, contact us at privacy@ddo.mt. We will respond within 30 days.

10. Security

We implement industry-standard security measures including HTTPS everywhere, encrypted session tokens (JWT), HMAC-SHA256 signature verification on Telegram webhooks, hashed IP addresses in consent logs, and access controls on our database.
Relay access disclosure: As the operator of the relay infrastructure, DDO LTD has technical access to the messaging channel between your Telegram account and your local agent. We contractually commit (in our Terms of Service) never to use this access to inject unauthorised commands. Any command executed by your agent produces a visible response in your Telegram chat — there is no mechanism for silent access. Full session logs are available in your dashboard.
Despite these measures, no system is completely secure — use the service at your own risk.

11. International Transfers

Our primary infrastructure operates within the EU/EEA. Where data is processed outside the EU (e.g. Vercel edge functions), we rely on Standard Contractual Clauses (SCCs) or equivalent adequacy mechanisms as required by GDPR Chapter V.

12. Changes to This Policy

We may update this policy from time to time. We will notify you via Telegram bot of material changes at least 14 days before they take effect. The effective date at the top of this page will always reflect the latest version.

13. Contact

For privacy-related requests or questions: privacy@ddo.mt
DDO LTD — MT30710326
23, Office 2, Triq Giuseppe Calleja
Swatar, Msida MSD2270, Malta
Terms of ServiceBack to home