Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This is Telegram's privacy policy, governing how Telegram Messenger Inc. collects and uses personal data including phone numbers, IP addresses, device metadata, contact lists, and cloud-stored messages, photos, and files. The policy states that cloud chat content is stored on Telegram's servers in encrypted form and may be subject to disclosure of IP address and phone number to law enforcement upon receipt of a valid judicial order, while secret chat content is end-to-end encrypted and not stored server-side. The policy also discloses that audio data from voice and video messages may be shared with Google LLC for transcription, and message text may be shared with Google LLC or Microsoft Corporation for translation, both at the user's explicit request.
This document is Telegram Messenger Inc.'s Privacy Policy governing the collection, storage, processing, and disclosure of personal data in connection with its cloud-based messaging services, with legitimate interests cited as the primary legal basis for processing under GDPR Article 6. The policy states that Telegram collects mobile phone numbers, profile names and pictures, email addresses (for 2FA recovery or login authentication), IP addresses, device metadata, username change history, and contact names and numbers; it explicitly states that user data is not used for ad targeting or profiling, and that sponsored messages are based solely on public channel topics rather than user data. Notably, the policy asserts that cloud chat messages, photos, videos, and documents are stored server-side in encrypted form with encryption keys held by Telegram across multiple jurisdictions, while secret chats use end-to-end encryption with no server-side storage, creating a meaningful operational distinction between chat types that affects the scope of any compelled disclosure. The policy engages GDPR through its designation of EDPO as EEA Article 27 representative, its reliance on Standard Contractual Clauses for intra-group transfers to entities in the British Virgin Islands and Dubai, and its disclosure that law enforcement data requests are limited to IP address and phone number upon receipt of a valid judicial order, with disclosures reported quarterly; applicable law in EEA jurisdictions may impose additional constraints on the legitimate interests basis and the adequacy of transfer mechanisms used. The policy also discloses data sharing with Google LLC and Microsoft Corporation for translation services, and with Google LLC for voice-to-text transcription at user request, both described as restricted-purpose processing under agreements with Telegram.
Institutional analysis available with Compliance
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.
Start Compliance free trial2 important changes detected
3 versions captured · Last updated: June 2026
Removal of this provision eliminates explicit disclosure of the legal basis ('legitimate interests') for Telegram's metadata collection practices under GDPR.
Removal of this provision eliminates explicit disclaimer regarding Telegram's liability for payment disputes involving third-party bot developers and payment processors.
Provision name shortened from 'Law Enforcement Disclosure of IP and Phone Number' to 'Law Enforcement Disclosure' but excerpt content remains identical.
Excerpt significantly expanded to provide detailed technical specification of what data bots can access, including public account data, interactive data, and group message access modes.
Provision name expanded from 'Message Text Sharing with Google and Microsoft for Translation' to 'Voice and Message Data Sharing with Google and Microsoft' and excerpt extended to include voice data sharing (truncated in excerpt).
Provision name changed from 'Intra-Group Data Sharing with BVI and Dubai Entities' to 'Intra-Group Data Transfers to BVI and Dubai Entities' (substituting 'Transfers' for 'Sharing') but excerpt content remains identical.
Provision name expanded from 'Metadata Retention for Security Purposes' to 'Security Metadata Retention (12 Months)' for clarity but excerpt content remains identical.
3 provisions unchanged.
View full change record →Monitoring
Telegram has updated this document before.
Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
Compliance Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Compliance free trialCross-platform context
See how other platforms handle Cloud Chat Server Storage and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.