International edition of the WAM Agents privacy policy — how the Georgian entity processes your data under GDPR and KVKK, including the DeepSeek default-model transfer.
WAM Agents — Privacy Policy
This is the international edition of the WAM Agents Privacy Policy, applicable to Users who subscribe through Creem checkout. Users who subscribe through the Russian entity are governed by a separate Privacy Policy.
Controller: IE Artem Polyanskiy, Georgia (Small Business). Tax ID (s/n): 305603825. Contact: support@magnets.tg.
Effective date: 16 June 2026. Version: 1.0 (international edition).
1. Who we are
1.1. This Privacy Policy explains how IE Artem Polyanskiy (the “Provider”, “we”), registered in Georgia (Tax ID / s/n 305603825), processes personal data of users of the WAM Agents service (the “Service”).
1.2. For the purposes of the EU General Data Protection Regulation (GDPR), the Provider acts as the controller of the personal data described below. For Users in Turkey, the Provider acts as the data controller (veri sorumlusu) within the meaning of the Law on the Protection of Personal Data No. 6698 (KVKK).
1.3. This Policy forms an integral part of the Terms of Service and uses the definitions established there.
2. Scope
2.1. This Policy covers the WAM Agents Service accessed through Telegram (@wamagentsbot and the personal bot allocated to the User) and the isolated Container in which the User’s Agent runs.
2.2. It does not cover third-party services the User connects to (for example, the User’s own LLM-provider account), which are governed by those third parties’ own privacy policies.
3. Personal data we process
3.1. Account and identification data: Telegram user identifier, Telegram username, Telegram language code, and preferred interface language.
3.2. Contact data: the email address the User provides for billing, receipts or support.
3.3. Credential data: the Bot Token (Telegram) and, for own-model plans, the OAuth Token (e.g. Anthropic), stored solely to operate the Service for the User.
3.4. Payment data: the User’s card and payment-instrument data are collected and processed by Creem acting as Merchant of Record (Section 7), not by the Provider. The Provider receives from Creem only transaction identifiers, payment status, Subscription state and recurring-charge identifiers. The Provider does not process or store full card numbers or CVV codes.
3.5. Consent records: the fact, time and text version of the User’s acceptance of the Terms, and — for the default-model plan — the fact and time of the User’s explicit consent to the cross-border transfer of data to the People’s Republic of China (Section 6).
3.6. Service-operation metadata: per-Container activity logs, including timestamps, command types and short prompt previews (limited to 100 characters) for diagnostics and abuse detection. The Provider does not retain the full texts of prompts and responses.
3.7. Container telemetry: CPU, memory and disk usage, availability metrics, and Docker lifecycle events.
3.8. Agent configuration: policies, skills and other configuration artefacts placed within the writable working space of the Container.
3.9. Message content. The content of the User’s messages to the Agent is processed in transit to perform the Service. The User may, at their own discretion, place personal data — their own or that of third parties — into the Agent; on the default model this content is transmitted to DeepSeek as described in Section 6.
4. Data we do not process
4.1. The Provider does not retain the full bodies of the User’s dialogues beyond ephemeral transit and the short metadata in clause 3.6.
4.2. For own-model plans, the full dialogue flows from the User’s Container to the LLM provider’s API using the User’s own OAuth Token and is governed by that provider’s privacy and retention policies. For that transfer the User acts as an independent controller; the Provider does not determine its content.
4.3. The Provider does not process full bank-card numbers, CVV codes or other sensitive cardholder data (clause 3.4).
5. Purposes and legal bases
5.1. The Provider processes personal data for the following purposes and on the following legal bases (GDPR Article 6; KVKK Articles 5 and 9):
(a) To provide the Service — registration, allocation and operation of the Container and Agent. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
(b) Billing, Subscription management, auto-renewal and refunds — operated through Creem as Merchant of Record. Legal basis: performance of a contract (Art. 6(1)(b)) and compliance with a legal obligation (Art. 6(1)(c)).
(c) Support, incident response, security monitoring and abuse prevention. Legal basis: the Provider’s legitimate interests in operating a secure service (Art. 6(1)(f)).
(d) Cross-border transfer to the PRC for the default model (Section 6). Legal basis: the User’s explicit consent (Art. 6(1)(a)), which also constitutes the derogation under Art. 49(1)(a) and explicit consent (açık rıza) under KVKK Art. 9.
(e) Compliance with tax, accounting and other statutory obligations to which the Provider is subject. Legal basis: legal obligation (Art. 6(1)(c)).
(f) Service improvement in aggregated, de-identified form. Legal basis: legitimate interests (Art. 6(1)(f)).
5.2. Where processing relies on consent, the User may withdraw it at any time (Section 10); withdrawal does not affect the lawfulness of processing carried out before withdrawal.
6. Default model (DeepSeek) and transfer to the PRC
6.1. The default flow. Unless the User attaches their own model, the Agent’s computations are performed via the Provider’s shared technical key against the API of Hangzhou DeepSeek Artificial Intelligence Co., Ltd. (“DeepSeek”). This flow transmits data to DeepSeek’s servers in the People’s Republic of China (PRC), where it is processed and stored under PRC law.
6.2. Data transferred. The following are transferred to DeepSeek: the content of the Agent’s system and user messages, the content of the model’s responses, request metadata (timestamps, model identifier, token counts), and the network metadata of the outbound connection from the Container (the IP address of the Provider’s hosting infrastructure in Germany). The Provider does not embed direct identifiers (Telegram identifier, name, email) in these requests; the User acknowledges, however, that message content may include personal data placed in the Agent at the User’s own discretion.
6.3. No adequacy; legal basis for the transfer. The PRC has not received an adequacy decision from the European Commission, and the level of protection there differs materially from that under EU/EEA and Turkish law. The transfer therefore takes place on the basis of the User’s explicit consent, given by an affirmative action when subscribing to the default-model plan after this disclosure is presented (GDPR Art. 49(1)(a); KVKK Art. 9). Without that consent the default flow cannot be provided. The User may withdraw consent at any time (clause 6.7).
6.4. DeepSeek’s processing and retention. Under DeepSeek’s own Terms of Use and Privacy Policy: data is stored on servers in the PRC; the retention period is stated as “as long as necessary”, with no fixed calendar limit; and DeepSeek’s terms permit it to use the transmitted inputs and outputs to provide and improve its services and, under its Open Platform Terms, to train its models. These conditions are set by DeepSeek and cannot be modified by the Provider, which also does not control the timing of deletion on DeepSeek’s side.
6.5. Regulatory context the User should be aware of:
(a) Italy — in January 2025 the Italian authority (Garante) ordered restrictions on the distribution of the DeepSeek application in Italy over data-protection concerns.
(b) Germany — in 2025 the Berlin data-protection commissioner referred to Apple and Google a request concerning DeepSeek’s disclosure of safeguards for transfers to the PRC.
(c) EU investigations — formal proceedings concerning DeepSeek have been announced by the authorities of France (CNIL), Ireland (DPC), Belgium (APD) and the Netherlands (AP).
(d) DeepSeek self-restriction — effective 8 April 2026, DeepSeek applies network restrictions on direct access from the United States.
(e) Sanctions — as of the effective date of this Policy, DeepSeek is not on the OFAC SDN list, the BIS Entity List, or under EU restrictive measures. The regulatory environment may change, and the Provider will give notice of material changes.
6.6. No bilateral DPA. As of the effective date, DeepSeek does not publish a standard data-processing agreement; the engagement rests on DeepSeek’s Terms of Use and Open Platform Terms in their current form. The Provider will update this Policy and the Subprocessors page if a bilateral DPA is concluded.
6.7. How to avoid the transfer. The User may, at any time: (a) attach their own model via the /claude command, routing traffic to the chosen provider (e.g. Anthropic in the USA) under the User’s own account; or (b) withdraw the consent of clause 6.3 — in which case the default flow ceases and the User either switches to an own-model plan or cancels the Subscription with a pro-rata refund under the Refund & Cancellation policy. The Provider recommends that the User not place third parties’ personal data or special-category data into an Agent running on the default model.
7. International transfers and subprocessors
7.1. The Provider engages the following processors and recipients:
| Recipient | Role | Location |
|---|---|---|
| Creem (Armitage Labs OÜ) | Merchant of Record — payment processing, billing documents, tax collection and remittance | Estonia (EU/EEA) |
| Hetzner Online GmbH | Hosting of Containers and Agent runtime | Germany (EU/EEA) |
| Telegram FZ-LLC | Message transport via the Telegram Bot API | UAE |
| Deepgram, Inc. | Speech-to-text for voice, audio and video messages | USA |
| Hangzhou DeepSeek Artificial Intelligence Co., Ltd. | Default-model inference (Section 6) | PRC |
| Anthropic PBC | Own-model (Claude) inference via the User’s own OAuth Token; the User is an independent controller for this flow | USA |
7.2. Transfer mechanisms. Transfers to recipients within the EU/EEA (Creem, Hetzner) do not require a transfer mechanism. For recipients outside the EU/EEA: the transfer to DeepSeek (PRC) relies on the User’s explicit consent (Section 6); transfers to Telegram (UAE) and Deepgram (USA) are necessary for the performance of the contract requested by the User (GDPR Art. 49(1)(b)) and, where applicable, are covered by appropriate safeguards. For Users in Turkey, transfers abroad are made on the basis of explicit consent under KVKK Art. 9. The current list of subprocessors is published on the Subprocessors page.
8. Retention
8.1. Account data and Container configuration are retained for the duration of the Subscription.
8.2. On cancellation (/cancel), Container data is destroyed when the Container is de-initialised.
8.3. On account deletion (/delete), all records associated with the User are removed from the Provider’s systems, except: (a) accounting and tax data whose retention is required by applicable Georgian law; (b) limited log records needed to investigate security incidents — up to 90 days; and (c) data that has been irreversibly anonymised.
8.4. Backups are rotated on a cycle of no more than 30 days.
8.5. DeepSeek side. The retention and deletion of data transferred to DeepSeek under the default model are determined by DeepSeek’s Privacy Policy (clause 6.4) and are not controlled by the Provider.
9. Security
9.1. The Provider applies technical and organisational measures proportionate to the risk, including: (a) per-User Container isolation (Linux namespaces with cap_drop: ALL, read_only: true, no-new-privileges: true, tmpfs-mounted home, non-root execution); (b) volume encryption in foreign infrastructure (LUKS or equivalent); (c) access control on the least-privilege principle; (d) transport encryption (TLS); (e) monitoring, log rotation and incident response; and (f) pseudonymisation of user identifiers in the execution tier.
9.2. The Bot Token and OAuth Token are treated as confidential. The User remains responsible for revoking them (via BotFather or the LLM provider) on any suspected compromise.
10. Your rights
10.1. Subject to applicable law, the User has the right to: (a) access their personal data; (b) rectify inaccurate data; (c) erase data (“right to be forgotten”); (d) restrict or object to processing; (e) data portability; and (f) withdraw consent — including the consent to the PRC transfer for the default model — at any time.
10.2. The User is not subject to decisions producing legal or similarly significant effects taken solely by automated means (Section 11).
10.3. Requests are made to support@magnets.tg or via @wamagentsbot. The Provider responds without undue delay and in any event within one month, extendable where permitted by law.
10.4. Complaints. A User in the EU/EEA may lodge a complaint with their local supervisory authority. A User in Turkey may apply to the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu).
11. Automated decision-making
11.1. The Provider does not use the User’s personal data to take automated decisions producing legal or similarly significant effects without human involvement. Agent actions are performed under the User’s control (Terms, Section 7).
12. Children
12.1. The Service is not directed to persons under 16 years of age. If the Provider becomes aware that a person under 16 is using the Service, the relevant personal data will be deleted unless its retention is required by law.
13. Changes to this Policy
13.1. The Provider may update this Policy. Notice of material changes is given via @wamagentsbot, by email, or by in-product announcement, at least 30 days before the effective date (Terms, Section 15).
14. Contact
14.1. Controller: IE Artem Polyanskiy, Georgia (Small Business), Tax ID (s/n) 305603825. Data-protection enquiries: support@magnets.tg.