Privacy and Personal Data Processing Policy

Updated: May 24, 2026

General Provisions

This Policy defines how personal data of StemRed users is processed and protected on chat-stem.ru, in the web application, and in related client applications. The Policy is applied in accordance with the laws of the Russian Federation, including Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” and Federal Law No. 149-FZ of July 27, 2006 “On Information, Information Technologies and Information Protection”, where their requirements apply to the service.

The personal data operator is the individual developer and owner of the StemRed service who administers the chat-stem.ru domain. The operator can be contacted through the built-in support chat or at support@chat-stem.ru.

If translations differ, the Russian-language version of this Policy is used for interpretation.

Data We Process

StemRed processes account data: email address, username, display name, avatar, profile settings, verification status, cryptographic password hash, session data, and device data.

To operate the messenger, StemRed processes contacts, chat lists, room participants, privacy settings, blocking data, notification data, and message delivery data. Messages, files, attachments, voice messages, and voice calls are processed by the service for delivery, synchronization, storage, and security controls.

The server may process technical data required for delivery and synchronization: sender and recipient identifiers, event date and time, delivery status, attachment size, connection parameters, IP address, device type, browser, operating system, application version, session identifiers, push tokens, cookies, localStorage data, and security logs.

When a user contacts support, StemRed processes the request text, attached files, contact details, technical error data, and support conversation history. Do not send passwords, access codes, payment data, or other secret information to support.

Purposes and Legal Grounds

Data is used for registration and sign-in, delivery of messages, files, and notifications, chat synchronization between devices, voice calls, storing user settings, abuse prevention, error diagnostics, support responses, and compliance with legal requirements.

Processing is based on the user’s consent, the user agreement, the need to provide service functions, the operator’s legitimate interests in protecting the service and users, and legal requirements. If a user does not provide data required for registration, sign-in, or message delivery, the relevant service functions may be unavailable.

Processing Procedure

Processing may be automated or mixed. Within the stated purposes, the operator may collect, record, systematize, accumulate, store, update, use, transfer, provide, access, depersonalize, block, delete, and destroy data.

StemRed does not request special categories of personal data and does not use voice messages or calls for biometric identification. If a user sends such information in chats, files, voice messages, calls, or support requests, it is processed under the same service rules and legal grounds.

Personal data does not become publicly available without a separate legal basis. Username, display name, avatar, and other profile elements may be visible to other service users within privacy settings and communication scenarios.

Content Security

The active messenger runtime does not currently provide E2EE. StemRed protects communication with HTTPS, account authorization, private media access controls, session controls, security logs, backups, and restricted access to service systems.

E2EE v2 is in development. Until it is released, the service may process message and media content as needed for delivery, synchronization, storage, support requests, abuse investigation, and lawful requirements.

Storage and Protection

Access to technical data and service systems is limited to service necessity. Passwords are stored as cryptographic hashes. Protection measures include HTTPS, session control, security logs, backups, restricted access to service systems, private media access controls, and measures against unauthorized access.

When an account or data is deleted, StemRed deletes or depersonalizes information within technical capabilities and security requirements. Some technical records may be stored for a limited period when necessary to prevent abuse, diagnose incidents, or comply with lawful requirements.

In the event of a personal data incident, the operator conducts an internal review and notifies Roskomnadzor in the manner and within the time limits established by Russian law.

Localization and Cross-Border Transfer

The initial collection, recording, systematization, accumulation, storage, update, and retrieval of personal data of Russian Federation citizens are performed using databases located in the Russian Federation, except where Russian law expressly provides otherwise.

Cross-border transfer of personal data is possible only with a legal basis, after fulfilling the requirements of Russian law, including notification of Roskomnadzor where such notification is required, and only to the extent necessary for a specific function or compliance with law.

Third-Party Services

Infrastructure services, including hCaptcha, may be used for hosting, abuse prevention, registration checks, email delivery, voice communication, traffic transmission, push notifications, and media delivery. Such services receive only data required to perform their function; message and media access remains governed by StemRed service authorization where technically applicable.

Data may be transferred to third parties on the operator’s instruction, under an agreement requiring confidentiality and data security, with the user’s consent, or in cases provided by law.

Government Requests

The operator reviews government requests only where there is a legal basis and provides information within the limits of the law, actual technical capability, and available service data.

If requirements for an information dissemination organizer or an instant messaging service organizer apply to the service, the operator complies with such requirements within Russian law, including measures for message confidentiality, restriction of prohibited information, and provision of available information to authorized authorities.

User Rights

A user may request information about processing of their personal data, change profile data, withdraw consent, request correction, blocking, termination of processing, or deletion of data, unless this conflicts with legal requirements, service security, or mandatory storage of certain technical records.

To exercise these rights, use the built-in support chat or support@chat-stem.ru. A user may also contact Roskomnadzor or a court if they believe that personal data processing violates their rights.

Contacts

For privacy, personal data, and security questions, use the built-in support chat or support@chat-stem.ru.