Privacy Policy

Effective June 5, 2026 · Last updated May 13, 2026 · Operator: Feanor Services LLC

This Privacy Policy describes what personal data Feanor Services LLC ("we," "us") collects about you when you use "40 Stories to Break Your Comfort Zone" (the "Service") — the Telegram bot @Fortystoriesbot, the Mini App, and the website fortystoriesgame.com.

We are committed to collecting only the data we need to operate the Service, storing it securely, and giving you straightforward control over it.

1. What we collect

Identity and account data (from Telegram)

When you launch the Mini App, Telegram sends us a signed payload containing:

Your Telegram user ID (a numeric identifier).
Your Telegram username (if you have one).
Your first name as set on Telegram.
Your language code (e.g., en, es).

We never see your phone number, email, real name (unless your Telegram first-name field contains it), profile photo, or contact list.

Gameplay data

Your game scores, timestamps, and the level/chapter you played.
Replay metadata (the random seed used for each game, summary events at level boundaries). We do not record your taps coordinate-by-coordinate.
Story-read activity: which chapters you opened, scroll progress, and quiz attempts.

Purchase and payout data

A list of plans you purchased and the Telegram Payment Charge ID returned by Telegram for each.
Prizes awarded to you and the timestamp of payout.
If you participate in our affiliate program: the user ID of who referred you and the user IDs of people who used your referral.

What we do NOT collect

We do not use cookies, web beacons, or third-party trackers on the Mini App.
We do not collect device IDs, IP-address-based fingerprints, or precise geolocation.
We do not collect Telegram messages you send to other chats. We only see messages you send to @Fortystoriesbot.
We do not knowingly collect data from anyone under 18.

2. How we use it

We use the data above only to:

Provide the Service: authenticate you, deliver gameplay, calculate scores, run leaderboards.
Process payments and pay out prizes via Telegram Stars.
Distribute affiliate commissions.
Detect and prevent cheating, multi-accounting, and abuse.
Comply with our legal and tax obligations.
Communicate with you about the Service — via the bot, only when you initiate a chat.

We do not sell your data, share it with advertisers, or use it for any purpose other than operating the Service.

3. Who we share it with

We share data only with:

Telegram Messenger Inc. — Telegram is our payment processor and authentication provider. They process Stars purchases and refunds. See telegram.org/privacy.
OpenRouter (and downstream model providers including Google) — when our anti-cheat reviews a replay, we send a short JSON summary (level number, score, replay events) to OpenRouter for analysis by an LLM judge. No personal identifiers are included.
Our hosting provider — server logs reside on virtual machines operated by OVH SAS in the European Union. Logs retain IP addresses for 14 days for security purposes only.
Government authorities — only if compelled by a valid legal order in a jurisdiction where we have a legal presence.

4. Where it's stored and for how long

All gameplay and account data is stored in a SQLite database on a server hosted in France (European Union).
We retain data while your account is active. We retain transaction records for at least 7 years for tax and audit purposes.
You may request deletion of your account at any time (see section 6).

5. Security

We protect your data using:

HTTPS (TLS 1.2+) on all connections.
HMAC-SHA256 signature verification of every Telegram Web App authentication payload.
Server-side validation of every score submission to prevent forged data from being stored.
Server access restricted to a small set of authorized operators using SSH key authentication only.
Daily encrypted off-site backups of the database.

No system is perfectly secure. If we become aware of a data breach affecting your information, we will notify you via Telegram and the website within 72 hours.

6. Your rights

If you are in the European Economic Area, the United Kingdom, or Switzerland (GDPR)

You have the right to:

Access — request a copy of all personal data we hold about you.
Rectification — correct inaccurate data.
Erasure — request deletion of your account and personal data (subject to our legal retention obligations).
Restriction — request that we stop processing your data while we resolve a dispute.
Portability — receive your data in a structured, machine-readable format.
Object — object to specific uses of your data.
Lodge a complaint with a supervisory authority in your country of residence.

If you are in California (CCPA / CPRA)

You have the right to:

Know what personal information we have collected about you in the past 12 months.
Delete the personal information we hold (subject to legal exceptions).
Opt out of the sale or sharing of personal information. We do not sell or share personal information for advertising purposes.
Correct inaccurate personal information.
Limit the use and disclosure of sensitive personal information. We do not collect sensitive personal information.
Non-discrimination — exercising your rights will not result in reduced service.

How to exercise these rights

Email [email protected] from the email address associated with your account, or send the request via Telegram from the same account. We will respond within 30 days.

7. International transfers

Our primary database is hosted in France. If we transfer data outside the European Economic Area, we rely on Standard Contractual Clauses approved by the European Commission, or on equivalent safeguards.

8. Children

The Service is for users 18 years and older. We do not knowingly collect data from anyone under 18. If we learn that we have collected data from a minor, we will delete it.

9. Cookies and tracking

The Service does not use cookies. The Mini App stores authentication state inside the Telegram client only. The website may use a single first-party cookie to remember your language preference; this cookie expires after one year.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced inside the Mini App and via an updated "Effective" date above.

11. Contact

For privacy questions or requests, contact:

[email protected]
Feanor Services LLC
New Mexico, USA

If you are in the European Economic Area, you may also lodge a complaint with the data protection authority in your country.