In short: Engflow uses Telegram data to sign you in, stores your learning progress, and processes technical events needed to operate and improve the product. We do not sell personal data or use advertising trackers.
1. Who is responsible for your data
Engflow is currently operated by its creator as an individual, not by a registered company. In
this policy, “Engflow”, “we”, and “the Service” mean the person operating Engflow. You can contact
the data operator through @engflow_bot with
the /support command.
This policy covers the Engflow Telegram Mini App, the Engflow bot, engflow.me, and support requests. Telegram processes data independently under its own privacy policy and is not part of Engflow.
2. Data we collect
Telegram data
- Telegram user ID, name, username, interface language, and profile photo when Telegram provides them to the Mini App.
- Technical Mini App launch data required to verify that a session is authentic.
Learning data
- Selected course, settings, level, and interface language.
- Learned, hidden, and favorite words, answers, review intervals, streaks, and progress.
- Exercise activity and technical errors connected with a learning session.
Payments and support
- Purchase type, Telegram Stars amount, date, status, and Telegram payment identifier.
- Premium status, expiration, auto-renewal cancellation, refunds, and purchase history.
- Support messages, username, name, and any information you choose to include in a request.
Engflow does not receive your bank card number, billing address, or details of the account used to buy Stars. Telegram handles Stars purchases and the native payment interface.
Website and technical analytics
- Engflow first-party product analytics starts on the first page view unless the visitor previously opted out.
- A random session identifier, sections viewed, button clicks, scroll depth, and visit duration.
- Viewport size, browser language, referral source, and allowed UTM parameters.
- Privacy-notice version, your choice, language, choice time, and Global Privacy Control or Do Not Track signals. We do not store an IP address or User-Agent in the choice record.
- IP address and standard technical logs that may be processed by our servers and hosting providers.
When an analytics session starts, the server may add country, region, city, timezone, and ASN derived locally from the IP address. The raw IP address is not copied into the product analytics event. We do not record product search text and currently do not use landing data for advertising profiles.
IP address and approximate network location
- An IP address may be stored in server sessions and security events to protect accounts and investigate abuse.
- The IP address may be used to derive country, region, city, timezone, ISP, ASN, network range, and VPN, proxy, Tor, mobile, or hosting indicators.
Approximate geography and ASN are resolved on Engflow's server using local GeoLite2 databases; the IP address is not sent to MaxMind for an individual lookup. A public Tor exit-node list is also downloaded in advance and checked locally.
When a payment invoice is created or an administrator performs a manual security check, the IP address may be selectively sent over HTTPS to proxycheck.io to detect VPN, proxy, Tor, hosting-network, and abuse indicators. Engflow disables provider-side query tagging, caches normalized indicators, and does not retain the full provider response or precise location returned by it. A failed check does not block a purchase.
3. Why we use data
- Contract: sign-in, progress sync, reviews, Premium, purchases, and support.
- Legitimate interests: security, abuse prevention, error diagnosis, and product improvement.
- Legal obligations: payment records, refunds, disputes, and binding government requests.
4. Cookies and browser storage
The landing page currently does not use advertising cookies or third-party advertising pixels.
First-party sessionStorage holds a random session ID, queued events, and sections
already viewed. Session entries are removed when the browser session ends. Engflow does not use
this identifier to recognize a visitor across separate browser sessions.
After an explicit choice, a necessary localStorage entry stores a random preference ID,
the notice version, permission or refusal, and the time it changed. If you opt out, Engflow stops
new events, clears analytics entries, and removes the attribution marker from bot links.
You can change your decision with the control below. Opening engflow.me/en/?nostats=1 also selects “Necessary only”. Engflow automatically honors active Global Privacy Control and Do Not Track signals. You can also clear Engflow site data in your browser settings.
5. Who receives data
We share data only as needed to operate the Service:
- Telegram, for authentication, Mini Apps, bot messages, Stars, receipts, subscriptions, and refunds.
- Hosting, database, file storage, and content delivery providers.
- MaxMind (GeoLite2), for local approximate-geography and ASN databases; this is not a per-user IP request.
- Tor Project, for a public exit-node list that Engflow checks locally.
- proxycheck.io, for selective VPN, proxy, Tor, hosting-network, and abuse indicators during payment and manual security checks.
- Technical contractors working under our instructions and confidentiality obligations.
- Government authorities when disclosure is legally required or necessary to protect rights and safety.
We do not sell personal data or share it with advertising networks.
This product includes GeoLite2 Data created by MaxMind, available from maxmind.com.
6. International processing
Engflow is available internationally, and Telegram or our infrastructure providers may process data outside your country. We select providers with appropriate safeguards and use available contractual transfer mechanisms where applicable law requires them.
7. Retention
- Account and progress data: while your account is used or the data is needed to provide the Service.
- Payment records: while needed for refunds, disputes, accounting, and legal obligations.
- Support requests: until resolved and for a reasonable period afterward for dispute history and safety.
- Technical analytics: in aggregate or pseudonymous form for as long as needed to understand the product.
- Privacy-choice records: for as long as needed to respect your decision and demonstrate lawful processing.
Backups may remain for a limited additional period until they rotate out. Data may be retained longer when required by law or an active dispute.
8. Security
We use Telegram init data verification, access controls, encrypted connections, rate limits, logging of critical actions, and backups. No online service can guarantee absolute security. Do not send passwords, Telegram login codes, seed phrases, bank card data, or bot tokens to support.
9. Your rights
Depending on your location, you may ask to:
- access your data and receive a copy;
- correct inaccurate data;
- delete your account and data;
- restrict or object to processing;
- receive portable data or withdraw consent;
- complain to a competent data protection authority.
Send /support to @engflow_bot
and describe your request. We may verify account ownership before disclosing or deleting data.
Deletion may not cover records that we must retain by law.
10. Children
Engflow is not intended for children below the age at which they can independently consent to data processing and use Telegram under the rules of their country. Where parental or guardian consent is required, it must be obtained before using the Service.
11. Changes and contact
We may update this policy when the product, infrastructure, or law changes. The current date is shown at the top. We will provide notice of material changes in the Service or through the bot where reasonably possible.
Data questions: @engflow_bot, command
/support. See Support for more details.