Privacy and Personal Data Processing Policy

General Provisions

This Policy defines how personal data of StemRed users is processed and protected on chat-stem.ru, in the web application, and in related client applications. The Policy is applied in accordance with the laws of the Russian Federation, including Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” and Federal Law No. 149-FZ of July 27, 2006 “On Information, Information Technologies and Information Protection”, where their requirements apply to the service.

The personal data operator is the individual developer and owner of the StemRed service who administers the chat-stem.ru domain. The operator can be contacted through the built-in support chat or at support@chat-stem.ru.

If translations differ, the Russian-language version of this Policy is used for interpretation.

Data We Process

StemRed processes account data: email address, username, display name, avatar, profile settings, verification status, cryptographic password hash, session data, and device data.

To operate the messenger, StemRed processes contacts, chat lists, room participants, privacy settings, blocking data, notification data, and message delivery data. Messages, files, attachments, voice messages, and voice calls are transmitted and stored in encrypted form.

The server may process technical data required for delivery and synchronization: sender and recipient identifiers, event date and time, delivery status, attachment size, connection parameters, IP address, device type, browser, operating system, application version, session identifiers, push tokens, cookies, localStorage data, and security logs.

When a user contacts support, StemRed processes the request text, attached files, contact details, technical error data, and support conversation history. Do not send passwords, access codes, payment data, or other secret information to support.

Purposes and Legal Grounds

Data is used for registration and sign-in, delivery of encrypted messages, files, and notifications, chat synchronization between devices, voice calls, storing user settings, abuse prevention, error diagnostics, support responses, and compliance with legal requirements.

Processing is based on the user’s consent, the user agreement, the need to provide service functions, the operator’s legitimate interests in protecting the service and users, and legal requirements. If a user does not provide data required for registration, sign-in, or message delivery, the relevant service functions may be unavailable.

Processing Procedure

Processing may be automated or mixed. Within the stated purposes, the operator may collect, record, systematize, accumulate, store, update, use, transfer, provide, access, depersonalize, block, delete, and destroy data.

StemRed does not request special categories of personal data and does not use voice messages or calls for biometric identification. If a user sends such information in encrypted correspondence, the operator has no access to its content.

Personal data does not become publicly available without a separate legal basis. Username, display name, avatar, and other profile elements may be visible to other service users within privacy settings and communication scenarios.

End-to-End Encryption

The content of messages, files, attachments, voice messages, and voice calls is protected by end-to-end encryption. Encryption keys are created and stored on users’ devices. StemRed does not have access to the keys and cannot read messages, view files, listen to voice messages, or listen to calls.

The service stores and transmits encrypted data and technical information required for delivery, notifications, synchronization, account protection, and abuse investigations. If a user voluntarily sends correspondence content or a file to support, a complaint, or another unencrypted channel, such data is processed to review the request, protect users, and comply with legal requirements.

Storage and Protection

Access to technical data is limited to service necessity. Passwords are stored as cryptographic hashes. Protection measures include end-to-end content encryption, HTTPS, session control, security logs, backups, restricted access to service systems, and measures against unauthorized access.

When an account or data is deleted, StemRed deletes or depersonalizes information within technical capabilities and security requirements. Some technical records may be stored for a limited period when necessary to prevent abuse, diagnose incidents, or comply with lawful requirements.

In the event of a personal data incident, the operator conducts an internal review and notifies Roskomnadzor in the manner and within the time limits established by Russian law.

Localization and Cross-Border Transfer

The initial collection, recording, systematization, accumulation, storage, update, and retrieval of personal data of Russian Federation citizens are performed using databases located in the Russian Federation, except where Russian law expressly provides otherwise.

Cross-border transfer of personal data is possible only with a legal basis, after fulfilling the requirements of Russian law, including notification of Roskomnadzor where such notification is required, and only to the extent necessary for a specific function or compliance with law.

Third-Party Services

Infrastructure services, including hCaptcha, may be used for hosting, abuse prevention, registration checks, email delivery, voice communication, traffic transmission, push notifications, and media delivery. Such services receive only data required to perform their function and do not receive access to decrypted message, file, or call content.

Data may be transferred to third parties on the operator’s instruction, under an agreement requiring confidentiality and data security, with the user’s consent, or in cases provided by law.

Government Requests

The operator reviews government requests only where there is a legal basis and provides information within the limits of the law and actual technical capability. Because of end-to-end encryption, the operator does not possess users’ private keys or decrypted content of messages, files, voice messages, and calls.

If requirements for an information dissemination organizer or an instant messaging service organizer apply to the service, the operator complies with such requirements within Russian law, including measures for message confidentiality, restriction of prohibited information, and provision of available information to authorized authorities.

User Rights

A user may request information about processing of their personal data, change profile data, withdraw consent, request correction, blocking, termination of processing, or deletion of data, unless this conflicts with legal requirements, service security, or mandatory storage of certain technical records.

To exercise these rights, use the built-in support chat or support@chat-stem.ru. A user may also contact Roskomnadzor or a court if they believe that personal data processing violates their rights.

Contacts

For privacy, personal data, and security questions, use the built-in support chat or support@chat-stem.ru.