Privacy Policy — Leam

Version 1.0 · Last updated: 2026-05-11 · Effective from: 2026-05-11

Service: Leam — Telegram bot, mini app and website at leam.club

This Privacy Policy explains how Aleksandra Borisova, sole trader (yksityinen elinkeinonharjoittaja), processes personal data when you use Leam. Leam is a digital self-tracking assistant for nutrition, weight, activity, habits and progress. Leam is not a medical service, medical device, clinic, diagnostic tool or substitute for professional medical advice.

1. Controller

The controller is Aleksandra Borisova, sole trader (yksityinen elinkeinonharjoittaja), registration number 3553897-8, registered address Peijinkatu 1 A 20, 02270 Espoo, Finland. Privacy: support@leam.club. Support: support@leam.club.

This Policy applies to Leam. Aleksandra Borisova, sole trader (yksityinen elinkeinonharjoittaja), acts as controller. Stripe is used for payments, and Hetzner Online GmbH is used for hosting and infrastructure services.

2. Personal data we process

We may process Telegram user ID, Telegram name and username if available, language, time zone, account status, subscription status, consent status and consent history, bot commands and service interaction history.

We may process age, gender if requested, height, weight, target weight and goals, nutrition records, meal history, activity records, dietary preferences, allergies or restrictions if provided, progress history, calculated calories, proteins, fats, carbohydrates, trends and personalised summaries.

If you send messages, images or voice notes, we may process text messages, food photos or other images, voice notes and transcriptions, metadata needed to process and display entries, and AI-generated interpretations, estimates and responses. This content may include health-related data.

We may process subscription status, plan, payment status, transaction identifiers, renewal and cancellation status, invoice and billing metadata, and data required for accounting, legal and support purposes. Payments are processed through Stripe. We do not store full card numbers.

We may process technical, usage and security data, including device/browser information where available, IP address where applicable, logs, error reports, timestamps, security events, diagnostic data and mini-app session/navigation data required for the app to function.

We may store consent records, including the consent text shown, version number, date and time, language, URL/screen reference, text hash or technical record, acceptance and withdrawal event.

3. Special category data and explicit consent

Some data processed by Leam may qualify as data concerning health or otherwise health-related special category data under Article 9 GDPR. This may include weight, body parameters, nutrition, activity, weight-loss or weight-management goals, dietary preferences, allergies or restrictions, messages/photos/voice notes that reveal health or lifestyle information, and calculated health-related metrics.

We process such data only where you have provided explicit consent for this purpose, unless another legal basis is confirmed by legal review. You may withdraw this consent at any time through /consent_status, /withdraw or support@leam.club. If you withdraw it, Leam may no longer be able to provide core features depending on nutrition, weight, activity, AI analysis and personalised recommendations.

4. Purposes and legal bases

We process personal data to create and maintain your account, provide the bot/mini app/site, log meals/weight/activity/progress, perform AI processing, generate personalised summaries/reminders/service responses, process subscriptions/payments/billing, provide support, maintain security and diagnostics, keep compliance records and send marketing communications where permitted.

Legal bases include Article 6(1)(b) GDPR for contract performance, Article 6(1)(c) for legal obligations, Article 6(1)(f) for legitimate interests such as security and support, consent where required for marketing, and Article 9(2)(a) explicit consent where health-related special category data are involved.

5. AI processing

Leam uses AI to understand text messages, transcribe and process voice notes, analyse food photos, estimate nutrition values, and generate summaries, reminders and responses. Relevant content may be sent to AI infrastructure providers, including OpenAI Ireland Ltd. and other OpenAI group entities where applicable.

We aim to minimise the data sent to AI providers. Where technically possible, we do not send Telegram user ID or direct account identifiers in AI requests unless necessary to provide the Service, maintain security or troubleshoot errors. AI providers process data under contractual processing terms where applicable. We configure providers not to use API data for training models where such a setting is available and contractually supported.

AI outputs may be inaccurate. Nutrition values and recommendations are estimates and are not medical advice.

6. Processors and recipients

We do not sell personal data and do not share it for third-party advertising. We may share data with service providers where necessary to operate Leam, including Telegram FZ-LLC / Telegram group entities for message delivery, OpenAI Ireland Ltd. / OpenAI group entities for AI processing, Hetzner Online GmbH for EU hosting/storage/backups, Stripe Payments Europe Ltd. / Stripe group entities for payments/subscriptions/invoicing, and email/support/logging providers if used.

We may also disclose data where required by law, court order, regulatory authority request or to protect legal rights. Where required by applicable law, appropriate data processing agreements or other contractual safeguards are put in place with relevant providers.

7. Hosting and international transfers

Core EU/EEA service hosting is intended to be located in the EU/EEA, including through Hetzner Online GmbH. Some providers, including Telegram, OpenAI and Stripe, may process data globally or involve transfers outside the EU/EEA. Where data is transferred outside the EU/EEA, we rely on appropriate transfer mechanisms such as adequacy decisions, Standard Contractual Clauses, additional safeguards or another lawful transfer mechanism.

8. Retention

We keep personal data only as long as necessary. Account data and nutrition/weight/activity/progress records are kept while the account is active unless deleted earlier. Consent records are kept as long as needed to prove lawful processing. Payment, tax and accounting records are kept for the required legal period. Support correspondence is kept as needed to resolve the request and protect legal rights. Security logs are kept for a limited period. Deleted account data may remain for up to a 30-day recovery window after /delete, then is deleted from active systems according to service procedures. Backups are retained for a limited technical backup cycle.

9. Security

We use technical and organisational measures intended to protect personal data, including TLS encryption in transit, controlled database access, private-network access where available, access controls, critical-operation logging, backup controls, minimisation of identifiers sent to AI providers, and separation/minimisation of Telegram identifiers from health-data processing where technically feasible.

10. Your GDPR rights

Subject to GDPR conditions and limitations, you have the right to access, rectify, erase, restrict processing, object to legitimate-interest processing, receive data portability, withdraw consent, lodge a complaint with a supervisory authority, and not be subject to solely automated decisions with legal or similarly significant effects.

Commands may include /export, /delete, /undelete, /consent_status, and /withdraw. You can also contact support@leam.club. If the Finnish authority is the relevant lead authority, the supervisory authority is the Office of the Data Protection Ombudsman in Finland; depending on residence, you may also contact your local supervisory authority.

11. Automated decision-making

Leam uses automated and AI-assisted processing to generate estimates, summaries and responses. Leam does not intend to make decisions based solely on automated processing that produce legal effects or similarly significant effects for you. AI outputs are informational and approximate.

12. Marketing communications

Service messages are part of the Service and may include reminders, summaries, payment notices, security notices, legal notices and support communications. Marketing communications such as discounts, promotions, product announcements, promo codes, campaigns and partner offers are sent only where we have the required consent or another lawful basis. You can opt in by tapping "Yes, send me offers", "Receive promos", "I agree to marketing" or a similar button, and withdraw marketing consent at any time through settings, /consent_status, /withdraw or support@leam.club.

13. Referral programme data

In connection with the referral programme, we may process:

  • referral codes and referral links;
  • information about who invited the user;
  • whether a referral code or link was used;
  • whether a 7-day free access period was granted;
  • whether the invited user purchased the first monthly subscription at a special price;
  • whether special conditions were granted, withheld, cancelled or adjusted; and
  • technical or anti-abuse signals required to prevent misuse of the referral programme.

We process this data to:

  • operate the referral programme;
  • verify whether the referral conditions are met;
  • grant, withhold, cancel or adjust special conditions and discounted pricing; and
  • prevent abuse and protect our legitimate interests.

14. Children

The Service is intended only for users aged 18 or older. We do not knowingly provide the Service to children.

15. Cookies and tracking

At the date of this version, Leam does not use cookies, web analytics, pixels, retargeting or other non-essential tracking technologies on the website or mini app. If such technologies are introduced, we will update this Policy and, where required, request consent. Strictly necessary technical processing by Telegram, Stripe, hosting providers or other third-party services may occur under their own terms and privacy policies where they act independently.

16. Third-party links and services

The Service may contain links to third-party websites, payment pages, Telegram interfaces or other services. Those third parties may process your data under their own terms and privacy policies where they act as independent controllers.

17. Changes and contact

We may update this Policy. If changes are material, we may notify you through the bot, mini app, website, payment flow or email where available. For privacy matters: support@leam.club. For support: support@leam.club.