Privacy Policy

Last updated: April 27, 2026

This Privacy Policy explains how Wall ("we", "us", "our") handles information when you use our Telegram Mini App at wall.tg (also accessible at app.wall.lu), the Telegram bot @wall, and the website wall.lu (together, the "Service").

The Service runs inside Telegram and relies on Telegram for sign-in, messaging, and payments. Your use of Telegram itself is governed by Telegram's Terms of Service, Telegram's Privacy Policy, and the Telegram Bot Developer Terms. This Policy covers only the data handled by us.

By opening the Mini App, using the bot, or otherwise interacting with the Service, you agree to this Policy. If you do not agree, please stop using the Service.

1. Information We Collect

1.1. Data received from Telegram

When you open the Service, Telegram provides us with:

• Your Telegram user ID
• The display name you have set in Telegram and, if you have set one, your Telegram public handle. These are the values you control in your Telegram account; they are not identity documents and we do not verify their accuracy.
• A link to your Telegram profile photo
• Your Telegram interface language
• Whether you have Telegram Premium

This data is delivered through Telegram's official Mini App mechanism and is cryptographically authenticated. We do not access your phone number, contacts, or messages in Telegram.

1.2. Data you provide

• Posts and content you create (text, photos, videos, GIFs, graffiti)
• Comments and direct messages
• Profile bio, social links, and display preferences
• An optional Google account link, used as the sole account-recovery method (we do not collect email addresses or phone numbers as separate fields)
• TON wallet address, if you connect one
• Prompts you submit to AI generation features

1.3. Data collected automatically

• Activity on the Service (likes, follows, bookmarks, views)
• Timestamps (account creation, last activity)
• Transient network signals used for abuse prevention (e.g. rate limiting)
• Device locale, derived from your Telegram settings

1.4. Payment data

Payments are processed by Telegram and by third-party payment providers integrated with Telegram. We do not receive or store card numbers, bank details, or cryptocurrency private keys. For each transaction we keep:

• The amount, currency, and what was purchased
• A reference identifier from the payment provider (needed for refunds and support)
• Your in-app balances and earnings history

Refunds and disputes for Telegram Stars are handled through Telegram. See Telegram's Stars terms for details.

2. How We Use Your Information

• To operate the Service and show your public profile and content to other users
• To authenticate you via Telegram
• To deliver notifications through the Telegram bot
• To process payments, tips, gifts, and withdrawals
• To review reports and enforce our Content Policy
• To prevent spam, fraud, and abuse
• To debug problems and improve the Service, using aggregated, non-identifying data

3. Legal Bases for Processing (EEA / UK)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR to process your personal data:

• Performance of a contract — to provide the Service you ask us to operate (Art. 6(1)(b)), including account creation, content delivery, payments, and support.
• Legitimate interests — to secure the Service, prevent fraud and abuse, debug problems, and measure aggregate usage (Art. 6(1)(f)). We balance these interests against your rights and freedoms.
• Consent — for optional features you actively use, such as linking a Google account, connecting a TON wallet, or submitting prompts to AI generation (Art. 6(1)(a)). You may withdraw consent at any time.
• Legal obligation — to keep records required by financial, tax, or law-enforcement rules (Art. 6(1)(c)).

4. Information Sharing

We share information only in the situations below. We do not sell personal data, and we do not use it for cross-context behavioral advertising.

4.1. Public by design

Your public profile (name, photo, bio, links, achievements, level), your public posts, and aggregate engagement signals (likes, followers) are visible to other users of the Service. Anonymous posts hide the author from other users but remain attributable for moderation purposes.

4.2. Service providers

To run the Service we rely on a set of third-party infrastructure and content providers. We share only the minimum data they need to perform their function:

These providers act on our instructions under their own terms and privacy policies. We do not publish the specific vendors we use for security reasons; we will name them on reasonable request to a data subject or a competent authority.

4.3. Legal requirements

We may disclose information when legally compelled (for example, a valid court order or lawful government request) or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Wall, our users, or the public.

5. Data Storage and Security

Location. Application servers, the primary database, and media object storage are operated within the European Union. Caches and CDN edges may be globally distributed; only non-personal or already-public data is served from edges.

Encryption. Client-server connections use industry-standard transport encryption. Production databases and media object storage are encrypted at rest by the hosting provider. Authentication relies on Telegram's cryptographic initData mechanism — we do not create, request, or store passwords for the Service.

Access and operational controls. Access to production data is limited to a small number of authorised personnel on the principle of least privilege, with appropriate technical and organisational measures, regular encrypted backups, and audit logging.

Vulnerability disclosure. Reports of suspected security vulnerabilities can be sent to [email protected] with subject "Security". Responsible reporters may be eligible for a bug-bounty reward at our discretion.

Breach notification. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and affected users without undue delay, as required by applicable law (including Articles 33 and 34 of the GDPR where it applies).

No online service can be completely secure. We apply reasonable measures to protect your data, but we make no guarantee of absolute security.

6. Data Retention, Deactivation and Deletion

• Account data is kept while your account exists.
• Posts and content are kept until you delete them. Deleted items are removed from view immediately and purged from backups over time.
• Direct messages are kept until the sender deletes them.
• Payment and transaction records are retained for as long as required by applicable financial and tax law.
• Moderation evidence (reported content, decisions, appeals) is retained for a limited period for audit and dispute resolution.
• Transient signals used for abuse prevention expire automatically.

Account deactivation (initiated by you). You may deactivate your account at any time from the in-app Settings. Deactivation takes effect immediately: your profile and content are hidden from other users from the moment you confirm the action. Your data is preserved during the cancellation window so you can change your mind. To cancel a deactivation, simply sign back into the Service — reactivation is automatic on sign-in, no separate request required. If, after 180 days from the moment of deactivation, you have not signed back in, the account becomes eligible for full deletion under this Section.

Account deletion. You may also request immediate, irreversible deletion of your account from the in-app Settings or by contacting us. Deletion removes your profile and personal identifiers from the Service. Content you posted publicly may be retained in anonymised form where it forms part of conversations with other users, and records required by financial, tax, or law-enforcement rules are retained for the periods set out above.

7. Automated Decision-Making

We use automated systems for spam detection, rate limiting, and basic content-safety checks. These systems do not make decisions producing legal or similarly significant effects on you without human review. Important moderation actions (account suspension, permanent removal of content) are reviewed by human moderators, and you can appeal any decision as described in our Content Policy.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate data (you can update most fields directly in the app)
• Delete your content or request deletion of your account
• Request an export of your data
• Withdraw consent and stop using the Service
• Object to or restrict specific processing
• Lodge a complaint with your local data protection authority. If you are in the EEA, you may also contact the Serbian Commissioner for Information of Public Importance and Personal Data Protection (poverenik.rs).

In-app you can edit your profile, manage notifications, block other users, and delete your content at any time. To make any other request, contact us at [email protected]. We respond to verified requests within 30 days as required by the GDPR.

9. Children's Privacy

The Service is not directed to children under 13 (or the minimum age for using Telegram in your country, whichever is higher). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Cookies and Local Storage

The Service does not use third-party advertising or analytics cookies. Your browser's local storage is used only to remember UI preferences (such as theme, draft recovery, and recent tools). This data is not transmitted to us.

11. International Transfers

Because Telegram, our service providers, and our users operate globally, your data may be processed in countries other than your own. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses approved by the European Commission) for such transfers.

12. Telegram Mini App framing and jurisdictional scope

Wall is provided exclusively as a Telegram Mini App and a complementary Telegram bot. All sign-in, messaging delivery, and payment flows are routed through Telegram's infrastructure. The Service is operated outside the Russian Federation and personal data is processed in the European Union.

Wall is not directed at users in any specific national market beyond making the Service available, like Telegram itself, to any Telegram user worldwide. Without limiting the foregoing, we do not consider Wall to be an "information distribution organizer" (организатор распространения информации) within the meaning of Russian Federal Law No. 149-FZ, a foreign person within the scope of the "landing" requirements of Federal Law No. 236-FZ, or an entity performing primary processing of Russian residents' personal data on the territory of the Russian Federation under Federal Law No. 152-FZ. The platform on which Wall runs — Telegram — is governed by its own Privacy Policy and Terms of Service; any obligations relating to particular national jurisdictions arising out of Telegram's own operations are matters between users and Telegram.

No admissions. Nothing in this Policy is, or shall be construed as, an admission of jurisdiction, applicability of any specific national law, or any factual circumstance. We reserve all defences available to us under applicable law.

13. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated through the Service or the Telegram bot at least 30 days before they take effect. Continued use of the Service after an update constitutes acceptance of the updated Policy.

14. Data Controller and Operator

G MEDIA PARTNERS EUROPE d.o.o.
Starine Novaka 23, Beograd, Republika Srbija
Email: [email protected]
Web: g.media

When Wall expands beyond the Telegram Mini App format into a standalone product, the operator of that standalone product will be a separate company incorporated in Dubai (United Arab Emirates). Until that company is incorporated and the standalone product is launched, the operator and data controller of the Service is G MEDIA PARTNERS EUROPE d.o.o. We will update this Policy with the Dubai entity's details and the relevant transfer mechanism before any change in operator takes effect.

15. Contact

• Privacy questions: [email protected] (subject: "Privacy")
• Security reports / bug bounty: [email protected] (subject: "Security")
• Company: [email protected]
• Telegram: @wall

16. Related Documents

• Terms of Service
• Content & DMCA Policy
• Referral Program Terms
• Telegram Terms of Service
• Telegram Privacy Policy