
1. Who we are and what this document is for

This policy describes what data Hlebushek ("Hlebushek", "we") receives from you when you use the website hlebushek.com, the regional domain ru.hlebushek.com, our mobile application, and the Telegram bot @hlebushek_com_bot.

The document is written to cover two jurisdictions at once:

We're a small team. We've tried to write this honestly, without the usual legal fog. If anything is unclear, drop us a line — contacts are at the very bottom.

2. What data we receive

2.1. When you create an account

Depending on how you sign up, we keep:

We also automatically record: registration date, last sign-in time, region (ru or eu, derived from which domain you opened), and a technical session (a random token in a cookie).

2.2. When you pay

We accept payments only in cryptocurrency, through NOWPayments. For each payment, our database keeps: order number, selected plan, amount, currency, status, the NOWPayments transaction ID, and a date.

Card numbers, ID documents, real names, and addresses are never received or stored by us — none of that exists in our system. NOWPayments, as the payment processor, may request identification from you under their own rules — that is their responsibility and their own privacy policy.

2.3. Server connection logs

So that we can answer your "it isn't working" message and fix things quickly, we automatically gather a short technical summary from our servers. This is the most sensitive category of data, so we'll spell out exactly what it contains:

| Field | What it holds |
| --- | --- |
| Time | Timestamp of the event |
| Server | Which of our servers handled the request (for example, RU-1, FI-1) |
| Identifier | An internal tag of the form user-<username> — the same one is linked to your account in our database |
| Event type | Connection accepted, rejected, handshake failure, timeout |
| Destination | The host and port the connection is requested for, for example youtube.com:443 |

What we do NOT record

We do not store the IP address you connect from to our servers — this is a deliberate design decision to minimise data. Our server software handles your IP in memory while processing the connection, but it is not written to our long-term database; it is discarded.

We have no access to the contents of your traffic: the connection is encrypted on your device. We cannot read the pages you open, your messages, videos, or files. We see only the destination host and port.

We do not store full URLs — only the domain and port. No ?q=..., no paths like /profile/....

We do not share these logs with third parties for advertising, marketing, or analytics purposes.

These logs are deleted automatically after 7 days.

2.4. Support conversations

When you write to support through the Telegram bot or your account, we keep the conversation (message text, timestamps, and the link to your account) so that we can continue the dialogue and come back to it if needed. We see only what you have written to us yourself.

2.5. Notifications and feedback

If you rate a notification with the "like / dislike" button, we save that vote to inform what we send out in future. We also store the read status of in-app banners.

2.6. Service complaints

If you tap "not working" inside the mobile application, we receive a short technical report: your visible IP at that moment, the active connection profile, the status, the device platform, and any free-form comment you've added. This lets support figure out what is going on in minutes rather than hours.

2.7. Push notifications (mobile application)

To deliver push notifications to you (for example, "your subscription expires in 3 days"), we store the device token issued by Firebase Cloud Messaging and the platform (Android / iOS). When you sign out or when Google revokes the token on its side, we delete it.

2.8. Referral programme

If you take part in our referral programme, we store: who invited you, who you invited, and which credits have been issued. This data is used solely for accounting within the programme.

2.9. Aggregate traffic volume

For billing, abuse protection, and warning you as you approach the limits of your plan, we plan to keep a per-account daily total of data transferred — aggregate counters from our routing infrastructure, with no link to specific destinations or to the timing of individual connections.

At the time of publishing this version, the feature is in development: the counters are gathered and stored in an anonymised form, but they are not yet shown in your account. Once we ship it, you'll see your daily traffic in the Account section. These counters are kept for no longer than 60 days.

3. What we keep in cookies

We use only functional cookies — none for advertising or analytics. There are just three of them:

| Cookie | Purpose | Lifetime |
| --- | --- | --- |
| user_session | Keeps you signed in | 30 days, rotated on sign-in |
| lang | Remembers the chosen interface language | 1 year |
| csrf | Cross-site request forgery protection | session |

Because all of these cookies are strictly necessary for the service to work, we do not show a separate cookie banner (GDPR allows this for functional cookies).

4. Why we collect this (legal bases)

In GDPR terms, we rely on the following legal bases, depending on the type of data:

In FZ-152 terms, the basis for processing is the offer agreement for the service (concluded at the moment of registration) and your separate consent for specific types of communication.

5. How long we keep things

| What | Retention |
| --- | --- |
| Server connection logs | 7 days, then automatic deletion |
| Internal server diagnostics (not linked to you) | 7 days |
| Account, payment history, referral credits | Until you delete them, or up to 3 years of inactivity |
| Support conversations | 1 year after the ticket is closed |
| "Not working" reports from the app | Until the account is deleted or until manual cleanup |
| Broadcast notification text | Indefinitely (this is shared content, not personal data) |
| Per-user notification delivery records (read status, rating) | Until your account is deleted |
| Email confirmation codes, password-reset tokens, temporary nonces for Telegram sign-in | Minutes to hours (short TTL) |
| FCM device tokens | Until you sign out or until Google marks the token as invalid |
| Aggregate per-account traffic counters | 60 days |
| IP address in the "new sign-in" email | Not stored in the database — only present in the email itself, in your inbox |

6. Who we work with (third parties)

To run the service, we have to use a small set of vendors. We pass them only what is technically necessary for the part of the work they handle. We do not work with any analytics, advertising, or CRM partners.

| Vendor | What they receive | Why | Location |
| --- | --- | --- | --- |
| NOWPayments | Payment parameters, the payer's wallet address, and KYC data where their own rules require it | Crypto payment processing | Cyprus / EU |
| Cloudflare | IP addresses of connections to the website and API, DNS queries, HTTP metadata | DNS, CDN, DDoS protection, performance | USA |
| Firebase Cloud Messaging | Device tokens, push notification text | Delivering push notifications to the mobile app | USA |
| Hostinger | Server infrastructure (our VPS) | Hosting the website, database, and service infrastructure | Cyprus / Lithuania |
| Hostinger SMTP | Recipient address and email body | Sending transactional and broadcast emails | Cyprus / Lithuania |

Those five are the entire list. We have no Google Analytics, Yandex Metrika, Sentry, Segment, Mixpanel, Hotjar, Facebook Pixel, customer.io, or any other analytics or marketing tooling.

Disclosures to law enforcement

Any company operating legally has to respond to lawfully issued requests. We will not write "we will never disclose anything" — that would not be true. So here is the honest version:

7. How connection masking works

In Russia, our service uses a traffic masking technique whereby our encrypted connection externally appears as an ordinary connection to a well-known Russian online resource. This is necessary for compatibility with traffic filtering systems that, in some regions, only permit connections to certain destinations.

What this means for you:

8. Your rights

Under FZ-152 and GDPR you have the right to: access your data, correct it, erase it (right to erasure / Art. 17 GDPR), withdraw consent, request portability (Art. 20 GDPR), and complain to a supervisory authority. Most of these rights are already available to you directly in your account — without written requests:


Delete account

Removes your data from the database and revokes server access.

Account → Delete account

Unsubscribe from emails

Every marketing email contains a one-click unsubscribe link.

Account → Notifications

Adjust notifications

Turn technical, product, and promotional notifications on or off, and pick the delivery channel.

Account → Notifications

Two-factor protection

Enable 2FA via an authenticator app to protect sign-in.

Account → Security

Change password

Available at any time in security settings.

Account → Security

Access and export

Requests for a copy of your data are currently handled through support. We reply within 30 days.

privacy@hlebushek.com

If you believe we have breached your rights, please write to us — we try to reply quickly. You also have the right to contact your country's competent data protection authority (EU/EEA users — the national supervisory authority for data protection).

9. Age of users

Hlebushek is not intended for people under 16 years of age (in line with Art. 8 GDPR). We do not ask you for documents, but if you become aware that your child under 16 has created an account without your consent, please write to us and we will delete it.

10. How we protect data

We are a small team, so we focus on simple, well-tested measures:

No system is ever fully invulnerable. Should an incident occur that may affect your data, we will inform you within a reasonable time, in line with FZ-152 and GDPR (Art. 33–34) requirements.

11. Where the data physically lives

Our core database and infrastructure are hosted on servers in the European Economic Area (EEA), where GDPR provides one of the strictest data protection regimes in the world. The vendors listed in section 6 may process the data we send them on their own servers in the USA (Cloudflare, Firebase Cloud Messaging) and in the EU / Cyprus (NOWPayments, Hostinger).

For users based in Russia: we observe the rights granted to you by FZ-152 — access, correction, erasure, withdrawal of consent — independently of where our servers are physically located. See section 8 for how to exercise these rights.

If you wish to minimise the data you share with us, you can register anonymously with an account key — without an email and without a Telegram link. In that case we hold no identifying information beyond the existence of your account itself.

12. Changes to this policy

If we make material changes to this policy, we will give you notice in advance: a notification in your account and an email (if you've given us a verified one). The current version is shown at the bottom of the page. We keep older versions in a change history and can send them on request.

13. How to reach us

General questions: support@hlebushek.com
GDPR and FZ-152 requests: privacy@hlebushek.com
Telegram support: @hlebushek_sup
Website: hlebushek.com · ru.hlebushek.com

We aim to reply within 1–3 business days. Requests submitted under GDPR or FZ-152 are handled within the statutory time limits (up to 30 days under GDPR, up to 30 days under FZ-152).