Personal Data Processing
This document describes how Zhamly processes your personal data under the Armenian Personal Data Protection Law and analogous laws elsewhere. The short version is in the Privacy Policy; this page is the formal legal frame.
Data Controller
Zhamly, Yerevan, Armenia. Contact: privacy@zhamly.com.
If you book with a provider via Zhamly, the provider is the controller of the personal data you share with them for the purpose of providing the service to you. Zhamly is the processor that handles that data on the provider's behalf, plus the controller of platform-level data (your Telegram account, consents, audit records).
Categories of personal data
Standard categories only:
- Identification data: Telegram user ID, optional username, name, language
- Contact data: optional phone number, optional email address
- Booking history: services booked, dates, status, related provider
- Consent records: which consent versions you accepted, when, in which locale
- Technical data: IP address, user agent (for security + abuse detection)
- Analytics data: cookieless page views and Core Web Vitals
We do not process special categories of personal data (health, religion, ethnicity, etc.). If you share such data with us informally (e.g. in a free-text field that doesn't exist today), we have no legal basis to keep it and will delete it.
Legal basis for processing
- Contract performance — to provide the booking service you've requested.
- Consent — for processing transactional notifications (you can withdraw this), and for optional integrations like Google Calendar sync.
- Legitimate interest — service security, abuse prevention, anonymized analytics, audit trails.
- Legal obligation — retention of consent records and certain audit logs where required by law.
Cross-border transfers
Some of our technical providers (Telegram, Vercel, Resend) operate servers outside Armenia. Where personal data is transferred, we rely on the providers' published data processing terms and on Armenia's adequacy assessments where applicable. We do not transfer personal data to any jurisdiction without comparable protections.
Your rights
Under applicable data protection law you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase data ("right to be forgotten")
- Restrict or object to processing
- Data portability (export in a portable format)
- Withdraw consent (where consent is the legal basis)
- Lodge a complaint with the Armenian Personal Data Protection Agency
To exercise any right, open /privacy in the Zhamly Telegram bot or email privacy@zhamly.com. We respond within 30 days.
Retention
See the retention table in the Privacy Policy. When a retention period expires, the data is deleted or, where deletion is technically impossible (audit logs), securely anonymized.
Security
We employ technical and organizational measures appropriate to the risk: TLS for all network traffic, encryption at rest for sensitive fields (OAuth refresh tokens), least-privilege role-based access, audit logging, regular dependency updates. No security measure can be perfect; we will notify you and the relevant authority of any qualifying personal data breach within the legally required time frame.
Updates
Material updates to this document trigger a re-prompt for your consent inside the Telegram bot. The version + effective date at the top identify the current edition.