SpoofScan – Privacy Policy
Summary: Static website without cookies/tracking/Google Fonts; only technically necessary server logs at the host (Strato). Telegram bot processes minimal data: Telegram user ID, @username/display name, language, command parameters and entitlements; no full-text chat archiving. Payment exclusively in SOL (on-chain); statutory bookkeeping retention obligations are fulfilled. Telegram acts as its own controller (possible third-country processing); alternatives (website/email) are available.
1. Controller
SpoofScan – Juergen Kossowski
Windmuehlenstrasse 9, 04425 Taucha, Germany
Email (general): contact@spoofscan.com
Email (data protection): datenschutz@spoofscan.com
Email (withdrawal): widerruf@spoofscan.com
Phone: no hotline; please contact via email.
A legal notice (Impressum) is available; its details match those given here.
2. Scope, languages, age threshold
This policy applies to spoofscan.com and *.spoofscan.com, the Telegram bot @SpoofScanBot, and the official Telegram channels/groups (see sec. 6).
Target audience: international; use only where legally permitted locally. Contract languages: German and English (bot dialogue predominantly EN). In case of discrepancies, the German version prevails. Minimum age: 18 years.
3. Legal bases & principles
The legal bases mentioned apply depending on the specific context of processing (see below).
- Art. 6(1)(b) GDPR – contract/pre-contractual measures
- Art. 6(1)(c) GDPR – legal obligations (e.g., retention)
- Art. 6(1)(f) GDPR – legitimate interests (IT security, operations, abuse prevention, communication)
- Art. 6(1)(a) GDPR – consent (only for optional marketing DMs, currently not active)
No special categories of personal data (Art. 9 GDPR), no personal profiling, no decisions within the meaning of Art. 22 GDPR.
4. Data Protection Officer
No Data Protection Officer has been appointed (the appointment requirements of Art. 37 GDPR do not apply). Contact: the controller (see sec. 1).
5. Website (static, hosted at Strato)
5.1 Hosting/location
Hosting by Strato (Germany/EU). Data processing agreement (Art. 28 GDPR) in place.
5.2 Server log files
Categories: IP address, date/time, requested URL/request line, HTTP status, bytes transferred, referrer (if sent), user agent, error messages if any.
Purposes: operation/delivery, security/abuse detection, stability/performance, error analysis, forensic evidence.
Legal basis: Art. 6(1)(f) GDPR. Retention: up to 6 weeks; longer in individual cases (e.g., a security incident under investigation) until the matter is resolved, followed by deletion or anonymisation.
5.3 Cookies & local storage or similar technologies
We currently use no cookies or comparable storage technologies on our website, so no cookie banner is required. We also use no browser storage such as Local Storage, Session Storage, or IndexedDB. Note: Should our hosting provider set a technically necessary cookie in individual cases (e.g., for load balancing or attack mitigation), this does not require consent under Sec. 25(2) no. 2 TDDDG (formerly TTDSG). No profiling takes place. At present, no such provider cookie is in use.
5.4 External content
No external fonts/scripts/iFrames/CDN assets. In case of future changes, this policy will be updated with provider, resource, purpose and legal basis.
5.5 Service Infrastructure (Product Backend)
The product and backend functions (Telegram bot, analytics, entitlements, billing) run on infrastructure operated by dataforest GmbH (AS58212) in the maincubes FRA01 data center (Frankfurt/Offenbach, DE/EU). A data processing agreement in accordance with Art. 28 GDPR is in place. Note: This information refers to the service infrastructure and must be distinguished from the static website hosting (Strato).
Unless stated otherwise in this Privacy Policy, the retention periods for personal data processed within the service infrastructure follow the periods described in Sections 7 and 8.
6. Telegram presence (channels, groups, premium)
6.1 Official structure (active)
6.2 Join quiz (5 questions) & moderation
Upon joining channels/groups, a short quiz (5 easy questions) is used to prevent spam and ensure community quality.
Data: Telegram user ID, where applicable @username/display name, timestamps, answers/score, decision (admit/deny), moderator ID/reason if applicable.
Legal basis: Art. 6(1)(f) GDPR. Retention: rolling 30 days; in the event of an incident, until it is resolved.
Moderation/anti-spam: processing of the affected message/metadata (timestamp, message ID), user ID/@username, violation category, decision. Retention: 30 days; in the event of an incident, until it is resolved.
6.3 Channel information, direct messages & opt-out
Channel posts contain product-related notices/updates. Bot DMs are used to deliver the service.
Legal bases: channel posts Art. 6(1)(f); service-related bot DMs Art. 6(1)(b); marketing DMs only with consent (Art. 6(1)(a)) – currently not active.
We do not store the full text of channel posts or direct messages in our own systems; in this respect, the retention and deletion periods of Telegram as an independent controller apply (see Section 6.4).
Parameter, meta and usage data processed by the SpoofScan Bot are subject to the retention periods set out in Section 7.5.
Opt-out: leave the channel/group; bot: /stop or block.
6.4 Telegram as an Independent Controller / Third Country
Telegram acts as an independent controller and may process personal data outside the EU/EEA (including, but not limited to, the UAE and the USA). We have reviewed the publicly available privacy information provided by Telegram (https://telegram.org/privacy) as of the date this privacy policy was last updated. However, we have no influence over Telegram's actual data processing practices and assume no responsibility for the accuracy or timeliness of that information. Alternatives: website or email. Internally, we process only the Telegram data necessary for our services (primarily the user ID).
6.5 Premium channels & entitlements
Access via entitlements (mapping Telegram ID ↔ permission/term). Legal basis: Art. 6(1)(b). Retention: up to 24 months after last activity or pursuant to statutory duties (payment/invoice see sec. 8).
7. Telegram bot (@SpoofScanBot)
7.1 Purpose/functions
Onboarding, entitlements/unlock after payment, retrieval of checks/alerts/scores, configuration (symbols/exchanges/thresholds), system notices, /stop.
7.2 Data categories
- Master data: Telegram user ID (required), where applicable @username, display name, language setting.
- Content data: commands/parameters (e.g., symbol, exchange, thresholds). No full-text archiving.
- System/metadata: timestamps, status codes, delivery status, rate-limit/anti-spam events.
- Result data: object-related scores/alerts (market/symbol/exchange), no personal profiles.
7.3 Persistence, locations, security
Database: PostgreSQL on a dedicated root server (dataforest GmbH) in the maincubes FRA01 DC (DE/EU). Volumes encrypted (at rest), all connections TLS (in transit), optional field-level encryption (pgcrypto).
Logs: app logs (without message full texts) 30 days; security events 90 days; audit logs 180 days; longer if related to an incident, until the purpose ceases. PII minimisation/masking is implemented.
7.4 Legal bases
Art. 6(1)(b) (contract/service provision incl. tests), Art. 6(1)(f) (IT security/abuse prevention/availability). Consent (Art. 6(1)(a)) only for optional cases, currently inactive.
7.5 Deletion/backups
Telegram ID/username/display name: deletion no later than 24 months after last activity or upon request (unless legal obligations prevent this). Interaction/parameter events: 30 days. Anti-spam/rate-limit: 30 days. Backups: encrypted, 35-day rotation; data deleted from the live database may therefore remain in backups for up to 35 days until overwritten, and is technically restorable during that period only.
7.6 Obligation to provide
The Telegram user ID is technically required to use the bot; without it, the service cannot be provided.
7.7 External market/price data (CEX) – no recipients of personal data
Our system obtains market and price data via the public/contractual APIs of the following exchanges: Binance, Bybit, MEXC, BingX. The data are processed and analysed on our service infrastructure (see sec. 5.5; DE/EU) and then delivered to our Telegram users.
No personal data of our users are transmitted to these exchanges – in particular no Telegram IDs, email addresses, user IP addresses, payment or profile data. Only the technical request data required for retrieval are transmitted (e.g., the server IP of our system).
The exchanges mentioned are therefore not recipients of personal data within the meaning of the GDPR in this process. Our legal bases: Art. 6(1)(b) GDPR (service provision) and Art. 6(1)(f) GDPR (legitimate interest in reliable data sources, IT security and system operation).
Note: Should user-related data in the future (e.g., API keys or personal trading data) be exchanged with exchanges, we will update this privacy policy. In that case, the exchanges would be named as recipients and any international transfers, including appropriate safeguards (e.g., EU standard contractual clauses), would be presented transparently.
8. Payment, invoicing, evidence (SOL/on-chain)
8.1 Procedure & data
Payment exclusively in SOL (prices shown in EUR; billing at the SOL equivalent). Data processed: sender wallet, transaction hash/signature, amount (SOL), block time/timestamp, EUR/SOL quote, mapping Telegram ID ↔ invoice/entitlement, invoice/receipt ID.
8.2 Legal bases
Art. 6(1)(b) (contract), Art. 6(1)(c) (retention duties), Art. 6(1)(f) (fraud prevention/evidence).
8.3 Retention periods
- Books, records, inventories, annual financial statements, management reports: 10 years (cf. § 147 para. 3 sentence 1 in conjunction with para. 1 no. 1 AO; § 257 para. 4 in conjunction with para. 1 no. 1 HGB)
- Accounting vouchers (including incoming and outgoing invoices): 8 years (as of 01/01/2025; § 147 para. 3 sentence 1 in conjunction with para. 1 no. 4 AO, as amended; § 257 para. 4 in conjunction with para. 1 no. 4 HGB, as amended)
- Business and commercial letters (received/sent) as well as other documents received: 6 years (§ 147 para. 3 sentence 1 in conjunction with para. 1 nos. 2, 3, 5, 6 AO; § 257 para. 4 in conjunction with para. 1 nos. 2, 3 HGB)
- Operational payment logs (detail): 90 days; thereafter aggregation/anonymisation (Art. 5(1)(c), (e) GDPR – data minimisation/storage limitation)
- Mapping Telegram ID ↔ payment/invoice: up to 8 years (invoice/accounting voucher evidence); only if part of the commercial books/annual financial statements: up to 10 years.
The period generally begins at the end of the calendar year in which the record originated/was last entered or was received/sent (§ 147 para. 4 AO; § 257 para. 5 HGB). Longer retention where necessary for the establishment/defence of civil law claims (usually up to 3 years, § 195 BGB).
8.4 Recipients/service providers
- Billing backend/backups: dataforest GmbH (DC maincubes FRA01, DE/EU; DPA)
- Solana RPC: Helius (USA) – transmission of public on-chain data only; EU SCCs, TLS, data minimisation
- Email receipt (optional): EU mail provider (DPA)
8.5 Refunds
Refunds in SOL to the sender wallet; conversion based on the EUR amount at the time of the original payment receipt; no fees for consumers.
9. Contact via email & withdrawal form (PDF)
9.1 Email contact
Emails to contact@spoofscan.com (general) and datenschutz@spoofscan.com (GDPR): processing of sender email/name, content/attachments, date/time, subject, headers/metadata; provider-side server logs. Legal bases: Art. 6(1)(b)/(f)/(c). Retention: general correspondence up to 12 months; commerce-relevant 6 years; tax-relevant 10 years; mail/server logs approx. 6 weeks.
9.2 Withdrawal form (fillable PDF)
Optional, fillable PDF; send to widerruf@spoofscan.com.
Fields (data-minimised): Telegram ID (required), where applicable @username/display name, invoice/receipt ID, transaction hash, payment timestamp, withdrawal declaration, date, optional contact email.
Legal bases: Art. 6(1)(c) (statutory evidence), (b) (handling), (f) (evidence/defence against unfounded claims). Retention: typically up to 3 years after year-end (regular limitation period) or 6/10 years if billing-relevant.
10. Beta phase & beta testing agreement (anonymous, DE/EN)
Beta access via @SpoofScan_Beta; selection by questionnaire for professional traders.
Data: Telegram ID, where applicable @username/display name, answers/result, timestamps, admission decision, assigned entitlements (beta access).
Legal bases: Art. 6(1)(b) (pre-contractual measure/participation terms; beta testing agreement), Art. 6(1)(f) (quality/security check).
The beta testing agreement is anonymous and available in DE/EN; testers are mentioned by name only with explicit consent.
Retention: beta questionnaire/decision 12 months after beta end; agreement (evidence) up to 3 years after year-end unless longer duties apply.
11. International data transfers
A third-country element exists in particular for Telegram (independent controller; possible processing incl. UAE/USA) and for Helius (USA) as RPC provider.
Measures: for processors outside the EU/EEA, use of appropriate safeguards (notably EU SCCs), TLS transport, at-rest encryption, data minimisation/access restrictions. Residual risks: potentially lower protection level/government access. Alternatives: web/email instead of Telegram. On-chain data are public; internal personal linkages are minimised.
12. Data subject rights, complaints, withdrawal/objection
- Rights under Arts. 15–22 GDPR: access, rectification, erasure, restriction, data portability, objection (in particular to Art. 6(1)(f)).
- Consent may be withdrawn at any time with effect for the future.
- Right to lodge a complaint with a data protection supervisory authority (at the place of residence/work or at the controller’s seat).
Contact to exercise rights: datenschutz@spoofscan.com or by post (see sec. 1). Identity verification may be required (e.g., matching Telegram ID/invoice/transaction reference). Deadlines: response usually within one month (extension by up to two months in complex cases with reasons).
Practical opt-out paths: leave channel/group; bot /stop or block.
13. Security (TOMs) & data breach management
TOMs (excerpt): TLS 1.2+, encrypted server volumes, hardened SSH (key login), 2FA for admins, host-based firewalls, rate limits/fail2ban, RBAC/least privilege, secrets management (separation/rotation), encrypted backups (retention 35 days) with regular restore tests, self-hosted observability in the EU with PII minimisation/masking and the log periods stated in sec. 7.3. Data minimisation: primarily Telegram ID + required contract/usage metadata; no full-text chat storage.
Data breaches: defined reporting paths/emergency plan; notification of reportable incidents to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware (Art. 33 GDPR); notification of data subjects where required (Art. 34 GDPR); full documentation of every incident, including those not reported.
14. Obligation to provide / consequences of non-provision
For bot use, providing the Telegram user ID is technically necessary; without it, the service cannot be provided. For unlocking paid features, on-chain transaction data are required; without them, no entitlements. There is no further statutory obligation to provide data; if not provided, certain functions cannot be used.
15. Record of processing activities (RoPA) & DPIA
RoPA: maintained (controller view for website, bot, payment, support; processor relationships documented). DPIA: currently not required (no special categories; no large-scale/personal profiling; no decisions with legal effect).
16. Currency & changes
This privacy policy is valid in the version stated above. Changes (e.g., for new features/service providers) will be published here; additionally, a notice will be provided on the website and in the official EN channel. For material changes requiring consent, we will obtain it in advance.
Note: This privacy policy covers only the current, production feature set (static website without cookies/tracking; Telegram channels/groups with a 5-question quiz; @SpoofScanBot; payment in SOL). Future extensions will be added transparently.