Fling is the entity that determines the purposes and means of processing personal information collected through the Service, and is the "data controller" (under the EU General Data Protection Regulation, "GDPR"), the "business" (under the California Consumer Privacy Act as amended by the California Privacy Rights Act, "CCPA"), and the equivalent role under other applicable data protection laws. References in this Privacy Policy to "we," "us," and "our" refer to Fling in this controller capacity.
For questions about this Privacy Policy or to exercise your data protection rights, contact us through the channels described in Section 19.
This Privacy Policy covers personal information processed by Fling in connection with:
(a) Your use of the Fling Telegram bot at @MyFling_bot; (b) Your visit to or use of the website at myfling.io and any related web properties; (c) Your purchase of paid plans via Telegram Stars; (d) Your communications with us through any channel, including in-bot support commands and the website contact section; (e) Any other interaction you have with the Service.
This Privacy Policy does not cover information processed by third parties whose products, services, or platforms we use or integrate with, including without limitation Telegram Messenger LLP, Apple, Google, OpenRouter, Replicate, ElevenLabs, payment intermediaries, hosting providers, or content delivery networks. Each of those third parties processes data subject to its own privacy policy and you should review them separately. See Section 7 for more on third-party processors.
We collect different categories of information depending on how you interact with the Service. We have grouped the categories below.
When you initiate the bot, Telegram provides the following information about you to us through the Telegram Bot API:
(a) Your Telegram user ID (a numeric identifier unique to your Telegram account);
(b) Your Telegram username, if you have one set;
(c) Your Telegram language code (e.g., "en", "ru", "es");
(d) Optional: your first name and/or last name as set in your Telegram profile, if any;
(e) Optional: a deep-link parameter (referral source) if you accessed the bot via a /start <slug> link.
We do not have access to your phone number, your contact list, your other chats, your media library, or any Telegram data beyond what the Bot API exposes to bots in private one-to-one chats.
When you interact with the bot, you provide:
(a) Text messages you type to AI characters; (b) Voice messages you record and send to AI characters (transcribed by an AI speech-to-text service, see Section 3.5); (c) Custom profile information you optionally submit via the customize feature (free-text up to 200 characters describing yourself, your preferences, or other personal context you want characters to use); (d) Character preferences (which character you select, voice on/off setting, story mode setting); (e) Feedback or support messages you submit through any contact mechanism; (f) Reactions to AI outputs (whether you continue, stop, or block).
The Service automatically records technical and operational metadata about your use, including:
(a) Subscription plan (Free, Pass, or Plus) and its current status; (b) Plan billing cycle dates (start, end, renewal status, cancellation status); (c) Remaining credits for the Free plan (texts, voice seconds, images), which reset on a daily cycle; (d) Activity timestamps (when you last interacted, when you last switched character, when you last received a proactive re-engagement message); (e) Counters for safety violations, story-mode usage, and other operational metrics; (f) Acceptance status and timestamp for these Terms and Privacy Policy; (g) Account block status (e.g., whether you have blocked the bot on Telegram).
When you purchase a paid plan (Pass or Plus), payment is processed by Telegram Stars (Telegram's native payment system, currency code XTR). We do not receive your credit card number, CVV, bank details, or any other financial credentials. Telegram and its payment partners (Apple, Google, etc.) handle that information directly under their own privacy policies. We receive only the following from Telegram after a successful payment:
(a) The fact that the payment succeeded; (b) The Telegram payment charge identifier (an opaque token, used by us only for refund and idempotency purposes); (c) The amount paid in Stars and the corresponding plan; (d) For recurring Plus subscriptions: the Telegram subscription identifier and the next renewal date provided by Telegram.
We store the charge identifier and subscription identifier in our database to (i) prevent duplicate processing of the same payment, (ii) enable cancellation through our bot, and (iii) provide refunds if we choose to. We do not store anything else from the payment flow.
If you send voice messages, the audio file is downloaded from Telegram, immediately submitted to a third-party AI speech-to-text provider (currently the Whisper model on Replicate) for transcription, and deleted from our systems immediately after transcription. We do not retain, archive, analyze, or store the audio file. Only the resulting transcript is processed by the AI character and is then handled identically to a text message — see Section 3.6.
If you receive voice messages from a character, those voice messages are generated on demand by a third-party text-to-speech provider (currently ElevenLabs via Replicate) and delivered to your Telegram chat. We do not retain a copy of the synthesized voice file after delivery.
Conversation content (the text exchanges between you and AI characters) is processed in real time and is held in volatile, in-memory session state only. We do not write the substance of your conversations to our database. Conversation memory is disposable: when your session ends, when the bot restarts, or when our session-cleanup processes run, the in-memory conversation history is lost. The conversations table in our database stores only timestamps of when you last interacted with each character — for activity metrics and proactive re-engagement scheduling — and does not contain the content of any message.
Important caveats to the above: (a) During processing, conversation content is transmitted to third-party AI model providers (see Section 7.2) so they can generate responses. Their handling of that content is governed by their own privacy policies. (b) If you submit a message that triggers our internal safety systems, the offending content may be retained briefly in operational logs for trust-and-safety review (see Section 3.8). (c) If an error occurs during processing of a message, parts of the message text may be captured in error logs (see Section 3.8) for debugging purposes. (d) Custom profile information you submit via the customize feature is stored persistently in our database (see Section 3.2(c)).
The Service generates AI Outputs (text replies, voice messages, images) in response to your prompts. We do not retain copies of generated text replies after delivery. Generated images are stored briefly on the server for delivery to your Telegram chat and are then deleted; copies remain in your Telegram chat history under your control. Generated voice messages are deleted from our servers after delivery, as described in Section 3.5.
We maintain logs for security, abuse prevention, debugging, and operational reliability. These logs may include:
(a) Safety violation logs — when our automated safety systems flag a user input as a potential violation, the system records the violation category, a timestamp, the affected user identifier, and may include the text of the offending input for trust-and-safety review; (b) Operational logs — bot startup/shutdown, request handling, payment processing, scheduled job execution, and similar operational events. These logs may include user identifiers but typically do not include conversation content; (c) Error logs — when an error occurs, our error logging system captures the error message, the stack trace, the function and line where it occurred, a snapshot of the in-memory ring buffer (approximately the last 200 lines of bot activity), and a regex-extracted user identifier where present. The 200-line context snapshot may incidentally include short snippets of user input or AI outputs that were active at the moment of the error; (d) Access logs — IP-level metadata for the website at myfling.io and the admin dashboard, captured by hosting infrastructure for security purposes.
If you visit the website at myfling.io, we and our hosting provider may automatically collect technical information about your visit, including:
(a) Your IP address (truncated or anonymized where feasible); (b) Your user agent string (browser type and version, operating system); (c) Referrer URL (if your browser provides one); (d) Pages you visit, including timestamps; (e) Approximate geographic location derived from your IP address; (f) Cookie and similar technology identifiers (see Section 3.10).
The website may use a minimal set of strictly necessary cookies and similar technologies for functionality (e.g., session state, language preferences, security). The bot itself does not use cookies. We do not currently use cookies for advertising, retargeting, behavioral tracking, or third-party analytics on the website. If we ever introduce non-essential cookies or third-party trackers, we will update this Privacy Policy and, where required by applicable law, request your consent before doing so.
For clarity, we do not intentionally collect any of the following:
(a) Your phone number, email address, or other contact details (unless you voluntarily provide them to us through a support channel); (b) Your real name (unless you voluntarily put it in your custom profile information); (c) Your address, location, biometric data, health data, or genetic data; (d) Your financial account credentials (handled by Telegram); (e) Information from any other Telegram chat, channel, group, or contact list; (f) Information about your device beyond what is described in Section 3.9.
You should be aware that the Service is designed for explicit adult content, and the act of using the Service can be inferred to reveal information about your sexual interests, fantasies, and preferences. Any custom profile information, conversation prompt, or other content you submit may itself constitute "special category" or "sensitive" personal information under the GDPR, CCPA, or equivalent laws (e.g., information concerning sex life or sexual orientation). By using the Service and submitting such information, you provide your explicit consent to its processing for the purposes described in this Privacy Policy. You should not submit sensitive information you are not comfortable having processed by the third-party AI providers identified in Section 7.
We use the information described in Section 3 only for the purposes described in this Section 4 and only as necessary for those purposes.
For any purpose for which we ask for and receive your specific consent.
If you are located in the European Union, the European Economic Area, the United Kingdom, or Switzerland, the lawful bases on which we process your personal information depend on the processing activity:
| Processing Activity | Legal Basis |
|---|---|
| Providing the Service in response to your use of it | Performance of a contract (Article 6(1)(b) GDPR) |
| Processing payments and managing subscriptions | Performance of a contract (Article 6(1)(b) GDPR) |
| Safety, abuse prevention, and security | Legitimate interests (Article 6(1)(f) GDPR) — preventing harm, protecting users, maintaining service integrity |
| Legal compliance and lawful requests | Legal obligation (Article 6(1)(c) GDPR) |
| Service operation, debugging, error logging | Legitimate interests (Article 6(1)(f) GDPR) — operational reliability |
| Marketing communications (where required by law) | Consent (Article 6(1)(a) GDPR) |
| Processing of conversation content that may reveal sexual orientation or sex life | Explicit consent (Article 9(2)(a) GDPR) |
| Establishing, exercising, or defending legal claims | Legitimate interests / legal claims (Article 6(1)(f) and 9(2)(f) GDPR) |
Where we rely on legitimate interests, we have conducted a balancing test and concluded that our legitimate interests are not overridden by your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests, as described in Section 9.
Where we rely on consent (including explicit consent under Article 9), you have the right to withdraw your consent at any time, although withdrawal does not affect the lawfulness of processing that took place before withdrawal.
We retain personal information only as long as necessary for the purposes for which it was collected, or as required by applicable law.
| Category | Retention Period |
|---|---|
| Account record (Telegram ID, username, language) | Until you stop using the Service for an extended period or request deletion; we may delete inactive accounts at our discretion |
| Custom profile information (free-text customize field) | Until you delete it via the bot, you stop using the Service, or you request deletion |
| Subscription and payment records | For the duration of the relationship plus the period required by applicable tax, accounting, and consumer-protection law (typically 6 to 10 years) |
| Conversation content (text and voice) | Not stored persistently; processed in volatile in-memory session state only |
| Conversation timestamps (without content) | Retained for activity metrics and proactive re-engagement scheduling, typically up to 12 months |
| Voice audio files received from you | Deleted immediately after transcription |
| Generated voice and image files | Deleted from our servers after delivery to your chat (copies remain in your Telegram chat history under your control) |
| Safety violation logs | Retained for trust-and-safety review and for the duration necessary to investigate, prevent, and respond to abuse — typically up to 24 months, longer if a specific incident is under active investigation |
| Operational and error logs | Retained for debugging and incident response, typically up to 90 days; longer for incidents under active investigation |
| Website access logs | Retained by hosting infrastructure for the period required for security and analytics, typically 30 to 90 days |
| Information required for legal compliance | Retained for the period required by the applicable law |
After a retention period expires, information is deleted, anonymized, or aggregated such that it can no longer reasonably be used to identify you.
Note that timestamps and operational logs may persist after you stop using the Service, until they age out of their respective retention periods. Likewise, payment and tax records may persist for several years after your last interaction, in compliance with applicable financial recordkeeping laws.
We do not sell your personal information. We share personal information only in the limited circumstances described below.
We share personal information with third parties that provide services to us under written contracts requiring them to protect the information and use it only on our behalf. These include:
(a) Hosting and infrastructure providers — for running the bot, the database, the admin dashboard, and the website; (b) AI model providers — see Section 7.2; (c) Payment intermediaries — see Section 7.3; (d) Content delivery networks (CDNs) — for delivering the website; (e) Error monitoring and logging tools — currently self-hosted, but third-party providers may be used in the future.
The Service relies on third-party AI providers to generate text, voice, and image content. When you submit a message to the Service, the content of your message — together with relevant context such as the character description and your custom profile information — is transmitted to one or more of these AI providers for processing. Currently this includes:
(a) OpenRouter — for text generation via the underlying large language model providers it routes to (currently x.ai's Grok 4.1 Fast and Meta's Llama 3.3 70B Instruct); (b) Replicate — for image generation (currently FLUX-based image models with custom LoRAs), voice synthesis (currently ElevenLabs Turbo v2.5), and speech-to-text transcription (currently OpenAI's Whisper); (c) ElevenLabs — for voice synthesis when accessed directly or through Replicate; (d) Future or alternative AI providers that we may add or substitute for the providers above.
Each of these providers processes your data subject to its own privacy policy and data-handling practices. We have no control over what each provider does with your data after we send it to them for processing. Some providers may retain content for service-quality monitoring, abuse detection, or model improvement, in accordance with their own policies. By using the Service, you consent to this transmission and processing. We strongly recommend that you review the privacy policies of each AI provider before submitting sensitive content.
Paid plans are processed through Telegram Stars, which is operated by Telegram and may use Apple, Google, or other in-app purchase intermediaries depending on the platform you use to buy Stars. We receive only the limited information described in Section 3.4. Your purchase of Telegram Stars and any related personal or financial data is processed by Telegram and its app store partners under their own privacy policies, not ours.
We may disclose personal information to courts, law enforcement, regulators, or other third parties when we believe in good faith that disclosure is necessary to:
(a) Comply with applicable law, regulation, court order, subpoena, or other valid legal process; (b) Respond to lawful requests from public authorities, including for national security and law enforcement purposes; (c) Establish, exercise, or defend our legal rights or those of others; (d) Protect the rights, property, or safety of Fling, our users, or the public; (e) Detect, prevent, or address fraud, security, technical, or abuse issues; (f) Report or respond to any actual or suspected violation of any applicable law, including any content involving the sexual exploitation of minors. We may report such content to the National Center for Missing & Exploited Children (NCMEC), the Internet Watch Foundation (IWF), or equivalent organizations and to law enforcement.
We may make these disclosures without prior notice to you when we believe that doing so is consistent with applicable law and the requesting party's instructions.
If we are involved in a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or other change of control, your personal information may be transferred to or acquired by the successor entity or other counterparty as part of the transaction. We will notify you of any such change in this Privacy Policy or by other reasonable means.
We may share aggregated, de-identified, or anonymized information with third parties for any purpose, including research, analytics, marketing, and service improvement. This information cannot reasonably be used to identify you and is not subject to this Privacy Policy.
We may share personal information with third parties when you give us your specific consent to do so.
The Service is operated using infrastructure that may be located in the United States, the European Union, or other jurisdictions. The third-party AI providers in Section 7.2 are typically located in the United States. If you are located outside the country where the Service or its providers are hosted, your personal information will be transferred to and processed in countries other than your own, including countries that may not have data protection laws equivalent to those in your home country.
By using the Service, you understand and consent to such transfers. Where required by GDPR or equivalent law, we (and our processors) rely on appropriate safeguards for international transfers, such as Standard Contractual Clauses approved by the European Commission or, where applicable, an adequacy decision. You may request more information about these safeguards by contacting us through the channels in Section 19.
Depending on where you are located, you have certain rights regarding your personal information. The rights below are described as if you have all of them; some may not apply to you depending on your jurisdiction.
If you are in the European Union, the European Economic Area, the United Kingdom, or Switzerland, you have the following rights subject to the conditions in the GDPR or equivalent national law:
(a) Right of access — to obtain confirmation that we process your personal information and to receive a copy of it; (b) Right to rectification — to correct inaccurate or incomplete personal information; (c) Right to erasure ("right to be forgotten") — to request deletion of your personal information in certain circumstances; (d) Right to restriction of processing — to limit how we use your personal information in certain circumstances; (e) Right to data portability — to receive your personal information in a structured, commonly used, machine-readable format and (where technically feasible) transmit it to another controller; (f) Right to object — to object to processing based on legitimate interests or for direct marketing; (g) Right not to be subject to automated decision-making that produces legal effects or similarly significant effects, except in certain permitted cases (the Service does not currently make automated decisions of this kind); (h) Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of past processing; (i) Right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/board/members_en.
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
(a) Right to know — to know what categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it; (b) Right to access — to request a copy of the specific pieces of personal information we have collected about you; (c) Right to delete — to request deletion of personal information we have collected from you, subject to certain exceptions; (d) Right to correct — to request correction of inaccurate personal information; (e) Right to opt out of "sale" or "sharing" of personal information — we do not sell or share personal information for cross-context behavioral advertising, so this right does not require any action on your part; (f) Right to limit use of sensitive personal information — to direct us to use sensitive personal information only for limited permitted purposes; (g) Right to non-discrimination — for exercising any of these rights.
To exercise any of these rights, see Section 9.4 below. We will verify your identity before responding to a request.
Other jurisdictions including Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act), and various U.S. states (e.g., Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA) provide similar rights. We will honor valid requests under those laws to the extent they apply.
To exercise any of the rights described above, contact us through the channels in Section 19. Please include enough information for us to verify your identity (typically your Telegram user ID and any other identifying information you have provided) and to understand the nature of your request. We will respond within the time frame required by applicable law (typically 30 days under the GDPR, 45 days under CCPA, with possible extensions).
We may decline requests that are excessive, repetitive, manifestly unfounded, or that we are required or permitted to decline under applicable law. If we decline, we will explain why.
You may also delete your account by contacting us as described above. Note that some information may be retained even after account deletion, including: information we are legally required to keep (e.g., transaction records), information needed to enforce our Terms or defend legal claims, information in safety logs related to active investigations, and aggregated or anonymized information.
We implement reasonable and appropriate technical and organizational security measures designed to protect personal information from unauthorized access, disclosure, alteration, loss, or destruction. These measures include:
(a) Encryption of data in transit using industry-standard TLS; (b) Restricted access to production databases on a need-to-know basis; (c) Authentication and authorization controls for the admin dashboard; (d) Idempotency and atomicity guarantees for payment processing; (e) Automated safety systems to detect and prevent prohibited content; (f) Regular review of security practices.
However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security. You acknowledge that you provide personal information at your own risk, and that we are not responsible for any unauthorized access, breach, loss, or other compromise of personal information that occurs despite our reasonable security measures, except as required by applicable law.
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and (where required) you, in accordance with applicable law.
The Service is for adults only and is not intended for, directed to, or designed to attract anyone under the age of eighteen (18) — or twenty-one (21) where that is the legal age of majority for sexually explicit content. We do not knowingly collect personal information from minors.
If you are under the legal age, you must not access the Service or provide any personal information to us. If we discover or are informed that we have collected personal information from a minor, we will delete that information promptly, terminate the associated account, and may report the incident to the appropriate authorities.
If you are a parent or legal guardian and you become aware that a minor in your care has used the Service, contact us immediately using the channels in Section 19.
The Service is designed for explicit adult content. Your decision to use the Service, the prompts you submit, the conversations you have, and the custom profile information you provide may reveal information about your sexual orientation, sexual interests, sexual practices, sex life, or other sensitive personal matters. This is a foreseeable consequence of using the Service for its intended purpose.
By using the Service, you provide your explicit consent under GDPR Article 9(2)(a), CCPA, and equivalent laws to the processing of such "special category" or "sensitive" personal information for the purposes described in this Privacy Policy. You alone control what you submit to the Service. We strongly recommend that you do not submit information you would not want processed by us and by the third-party AI providers identified in Section 7.
You may withdraw your consent at any time by stopping use of the Service and requesting deletion of your account. Withdrawal of consent does not affect the lawfulness of processing that took place before withdrawal.
The Service uses automated systems for content moderation, safety scoring, and operational decisions (such as expiring credits, downgrading expired plans, sending re-engagement messages). These automated systems may use information about you (e.g., safety violation counts) to take actions such as suspending an account or sending a notification.
We do not currently use automated decision-making in the strict sense of GDPR Article 22 (i.e., decisions based solely on automated processing that produce legal effects or similarly significant effects on you). Account suspensions for safety violations are subject to human review where appropriate. If we ever introduce automated decision-making that meets the GDPR Article 22 threshold, we will update this Privacy Policy and provide the safeguards required by law.
We may send you marketing and promotional communications as described in Section 20.3 of the Terms of Service. We will obtain your consent where required by applicable law. You may opt out of non-essential marketing communications by stopping use of the Service or blocking the bot on Telegram. Transactional, operational, safety, legal, and account-related communications cannot be opted out of as long as you maintain an account.
The Service may contain links or integrations to third-party websites, services, applications, or platforms that are not owned or controlled by us, including without limitation Telegram. We are not responsible for the privacy practices or content of any third party. We encourage you to review the privacy policies of any third-party service before providing them with personal information.
The website may also include links to social media or other external services. Use of those services is governed by their own privacy policies.
See Sections 5 (Legal Bases), 8 (International Transfers), and 9.1 (GDPR Rights) for the disclosures required by the GDPR and equivalent UK and Swiss law. EU/EEA/UK/Swiss residents may also exercise the rights described in Section 9 by contacting us as described in Section 19.
See Section 9.2 for the disclosures and rights required by the CCPA/CPRA. We do not sell personal information for monetary consideration. We do not "share" personal information for cross-context behavioral advertising as that term is defined in the CPRA. California residents may also designate an authorized agent to exercise rights on their behalf, subject to verification.
The categories of personal information we have collected from California residents in the past twelve (12) months are described in Section 3 above. The categories of sources are: directly from the user, automatically through use of the Service, from Telegram, and from third-party AI providers (in the form of generated outputs). The business purposes for which we collect each category are described in Section 4.
For residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws: you generally have rights of access, correction, deletion, and (where applicable) opt-out of targeted advertising and sale of personal information. We do not engage in targeted advertising or sale of personal information. To exercise other rights, contact us as described in Section 19.
Brazilian residents may exercise rights under the Lei Geral de Proteção de Dados (LGPD) including rights of access, correction, anonymization, blocking, deletion, portability, and information about sharing. Contact us as described in Section 19.
We will honor data subject rights granted by other applicable data protection laws to the extent they apply to our processing activities.
Some browsers transmit "Do Not Track" (DNT) or "Global Privacy Control" (GPC) signals. The bot does not use the kind of cross-site tracking that DNT and GPC are designed to address. The website at myfling.io does not currently respond differently to DNT or GPC signals because we do not engage in third-party tracking, behavioral advertising, or "sales" or "sharing" of personal information that those signals are intended to opt out of. If we ever introduce such practices, we will update this Privacy Policy and respect DNT/GPC signals where required by law.
We may update this Privacy Policy from time to time. The "Last Updated" date at the top of the Privacy Policy will reflect the date of the most recent change. For material changes, we will provide notice through the bot, the website, or by other reasonable means before the changes take effect. Non-material changes may be made without notice.
Your continued use of the Service after any modification constitutes your acceptance of the modified Privacy Policy. If you do not agree to any modification, you must immediately cease using the Service. We encourage you to review this Privacy Policy periodically.
For privacy-related questions, concerns, requests, or to exercise any of the rights described in Section 9, contact us through:
/support command at @MyFling_bot
When contacting us about a privacy matter, please include:
(a) A clear description of your request; (b) The right you are exercising or the question you are asking; (c) Information sufficient for us to verify your identity (typically your Telegram user ID, plus any additional identifying information we may reasonably request); (d) Your preferred method for receiving our response.
We will respond within the time frame required by applicable law. We may need to verify your identity before responding to certain requests, particularly requests that involve access to or deletion of personal information.
If you are not satisfied with our response, you have the right to lodge a complaint with the data protection supervisory authority in your country (for EU/UK/Swiss residents) or with the relevant authority in your jurisdiction.
BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO THE COLLECTION, USE, STORAGE, SHARING, AND OTHER PROCESSING OF YOUR INFORMATION AS DESCRIBED HEREIN.