Privacy

We track proof, not private behavior.

Most bots in this space watch your chats, count your messages, profile your sleep schedule, and sell the rest. We refuse to. This file is short on purpose — read the whole thing.


How you start using it

One step: type your X handle to the bot. That's it.

No wallet required. No X OAuth. No signature. No Mini App walkthrough. No privacy wall before you can do anything.

Your Telegram ID is captured automatically because you're already talking to the bot. That single action — linking an X handle — opts you in. The threshold is low because we want the least information that makes the product useful, not the most.


What we record

An allowlist of product events. Actions you deliberately took:

  • bot commands you sent (/start, /dossier, /linkwallet, etc.)
  • buttons you tapped inside messages we posted
  • mission opens (you tapped Open Target on a mission)
  • mission completions (you tapped the tenant's done button — Done on PYONYA, Completed on REDRAW, etc.)
  • verified X replies (your reply to the mission tweet was found via the public X API)
  • reply-speed bonuses (how fast your verified reply landed)
  • mission streak events
  • achievements you earned (deterministic triggers — see ALGORITHM.md)
  • weekly leaderboard finishes and weekly winner records
  • reward records (manual or future automated payouts)
  • the identities you chose to link: Telegram username, X handle, and optionally a wallet address you typed
  • community setup and admin actions (e.g. an admin running /setupcommunity, creating a mission, uploading a logo)
  • Mini App actions you take while signed into the Mini App (profile edits, role applications, payment intents)
  • public / project-submitted events pushed via API (e.g. global challenge completions)

Each event is an append-only row with the project, your user reference, the action, an optional value, optional metadata, the source, and a timestamp. That's the entire surveillance footprint.


What we refuse to do

The bot lives inside Telegram groups, so it receives general chat messages in transit. It writes none of them to storage. The codebase persists only the events on the allowlist above.
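One way an allowlist like this can be enforced at the point where updates arrive, as an added example that is not the project's own code. The update fields (message.entities, callback_query) follow the Telegram Bot API; the function names, row field names and sample updates are assumptions made for illustration.

```javascript
// Added example; function and field names are hypothetical, not the project's code.
const ALLOWED_ACTIONS = new Set(["command", "button_tap"]);

// Constructed sample updates: a command, a general chat message, a button tap.
const SAMPLE_UPDATES = [
  { message: { from: { id: 1001 }, text: "/dossier@ExampleBot",
      entities: [{ type: "bot_command", offset: 0, length: 19 }] } },
  { message: { from: { id: 1002 }, text: "gm everyone, anyone awake?" } },
  { callback_query: { from: { id: 1001 }, data: "mission_open:42",
      message: { from: { is_bot: true } } } },
];

// Build an event row from a Telegram update, or return null to persist nothing.
function toEventRow(update, project, now = Date.now()) {
  const msg = update.message;
  if (msg && msg.from && typeof msg.text === "string") {
    // Only a bot_command entity at offset 0 counts as a command.
    const cmd = (msg.entities || []).find(
      (e) => e.type === "bot_command" && e.offset === 0
    );
    if (!cmd) return null; // general chat: seen in transit, never written
    // Keep the command name only; arguments and surrounding text are dropped.
    const name = msg.text.slice(0, cmd.length).split("@")[0];
    return row(project, msg.from.id, "command", name, "telegram", now);
  }
  const cb = update.callback_query;
  if (cb && cb.message && cb.message.from && cb.message.from.is_bot) {
    // A button under a message the bot posted; the value is the button's data.
    return row(project, cb.from.id, "button_tap", cb.data, "telegram", now);
  }
  return null; // anything not recognised is dropped by default
}

// Row shape follows the description above: project, user, action, value,
// metadata, source, timestamp. Frozen so it cannot be altered after creation.
function row(project, userRef, action, value, source, ts) {
  if (!ALLOWED_ACTIONS.has(action)) throw new Error("action not on allowlist");
  return Object.freeze({ project, userRef, action, value, metadata: null, source, ts });
}

// Returns only the rows that would be written for a batch of updates.
function persistable(updates, project) {
  return updates.map((u) => toEventRow(u, project)).filter((r) => r !== null);
}
```

The default path returns null, so a new update type stores nothing until someone adds it to the allowlist on purpose.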

We do not:

  • read or store DMs
  • scrape private Telegram chats
  • store the text or content of general chat messages
  • count messages per user
  • track per-user active hours
  • infer your timezone or sleep schedule from chat patterns
  • track who talks most
  • claim to know whether you are online, logged in, watching, or currently active
  • run third-party trackers, ad pixels, or hidden analytics on our public pages
  • profile you, segment you, build behavioral models about you, or sell your data
  • ask for seed phrases, private keys, or any custodial credential
  • move funds from your wallet or sign transactions on your behalf
  • auto-like, auto-repost, auto-reply, auto-follow, auto-report, or auto-DM on your behalf
  • inject ads into the partner chats we live in or append marketing to API responses
  • use fake or fabricated seed data — every score is derived from real events
  • scan full wallet histories or fetch arbitrary on-chain data; the only on-chain reads are described in Wallet privacy below

"Active member" means a user who completed at least one mission in the relevant period. It never means "chatted a lot." Community analytics — now and forever — are calculated from mission events only, never from chat surveillance.

The bot deliberately avoids words like Online, Logged in, Watching, Currently active. It says Last mission activity, Last completed mission, or Last bot interaction. The product cannot truthfully claim to know your real-time presence, so it doesn't try.


Wallet privacy

Linking a wallet is always optional. You can earn reputation, climb leaderboards, and have a fully working Raid Resume without one.

If you link one:

  • The address is masked everywhere in public displays (EQabc...789).
  • The raw address is never sent to the Mini App or embedded in public HTML.
  • We never ask for your seed phrase, private key, or wallet password.
  • We do not move funds from your wallet. The product's only on-chain writes are receive-only — see Autonomous Community Pro below.
  • Conviction Score / Jeetivity is opt-in and per-community: it activates only for communities whose admin has set their own jetton master address in their setup. Your wallet is checked only against that one token, and only for that one community's gauge. No general wallet scanning, no cross-token profiling.
  • Conviction Score is balance-over-time — we snapshot your holding of that community's token twice a day. Selling down drops the score; holding or accumulating raises it. The full formula and labels live in ALGORITHM.md.
  • Even a freshly-linked wallet displays as Unknown on the gauge until enough on-chain history exists (minimum 3 snapshots). We never label users on thin data.

Autonomous Community Pro — receive-only

The Community Pro upgrade flow uses TON Connect to take a one-time payment from a community admin's wallet to a fixed operator receiving address. The platform's role is purely observation:

  • We never request, hold, store, or sign with any user's TON private key.
  • A chain-watcher worker polls public on-chain data for incoming transfers to the operator address.
  • When an inbound transfer matches a pending payment intent (by reference + amount), the worker auto-grants Pro to that community.
  • The system can never move funds out of any wallet — TON Connect transactions are signed by the user in their own wallet app.
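A sketch of the matching step such a watcher performs, as an added example that is not the project's own code. The intent and transfer shapes, the placeholder addresses and the sample data are assumptions, not a real TON API schema; amounts are compared as integer nanoton strings so that no rounding can turn an underpayment into a match.

```javascript
// Constructed sample data; field names are hypothetical, not a real TON API schema.
const OPERATOR = "EQ_OPERATOR_PLACEHOLDER";
const SAMPLE_INTENTS = [
  { id: 1, community: "alpha", reference: "pro-a1", amountNano: "5000000000" },
  { id: 2, community: "beta", reference: "pro-b2", amountNano: "5000000000" },
];
const SAMPLE_TRANSFERS = [
  { txHash: "tx1", to: OPERATOR, comment: "pro-a1", amountNano: "5000000000" },
  { txHash: "tx1", to: OPERATOR, comment: "pro-a1", amountNano: "5000000000" }, // seen again on a later poll
  { txHash: "tx2", to: OPERATOR, comment: "pro-b2", amountNano: "4999999999" }, // underpaid
  { txHash: "tx3", to: "EQ_OTHER_PLACEHOLDER", comment: "pro-b2", amountNano: "5000000000" },
  { txHash: "tx4", to: OPERATOR, comment: "hello", amountNano: "5000000000" },
];

// Match inbound transfers to pending intents by reference + exact amount.
// Read-only over public data: nothing here holds a key or builds a transaction.
function settleIntents(intents, transfers, operatorAddress, seenTx = new Set()) {
  const pending = new Map(intents.map((i) => [i.reference, i]));
  const granted = [];
  const ignored = [];
  for (const t of transfers) {
    const intent = pending.get(t.comment);
    let reason = null;
    if (t.to !== operatorAddress) reason = "wrong_destination";
    else if (seenTx.has(t.txHash)) reason = "duplicate_tx";
    else if (!intent) reason = "unknown_reference";
    else if (BigInt(t.amountNano) !== BigInt(intent.amountNano)) reason = "amount_mismatch";
    if (reason) {
      ignored.push({ txHash: t.txHash, reason });
      continue;
    }
    seenTx.add(t.txHash); // a transfer can grant at most once
    pending.delete(intent.reference); // an intent can be granted at most once
    granted.push({ community: intent.community, intentId: intent.id, txHash: t.txHash });
  }
  return { granted, ignored };
}
```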

Append-only events. No hidden edits.

The reputation ledger is append-only.

  • A correction is a reversal event that points back at the original. Both rows stay in history.
  • Manual bonuses, when allowed, are visible as point_adjustments plus matching reputation_events. They are not hidden.
  • The allowAdminScoreEdits setting defaults to false and is not exposed as a hidden score-manipulation path.

This is enforced in code, not just in policy. There is no admin button anywhere that silently changes your number.
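What "append-only with reversal events" looks like as a data structure, as an added example that is not the project's own code. The class, method and field names are assumptions; the point is that the store offers no update or delete operation, so a correction can only be a new row that points back at the original.

```javascript
// Added example; class and field names are hypothetical, not the project's code.
class ReputationLedger {
  #rows = []; // private: callers cannot reach the array to edit or splice it

  // The only write path. Rows are frozen, so they cannot be changed afterwards.
  append(userRef, action, value, reversalOf = null) {
    const entry = Object.freeze({
      id: this.#rows.length + 1, userRef, action, value, reversalOf, ts: Date.now(),
    });
    this.#rows.push(entry);
    return entry;
  }

  // A correction is a new row with the negated value that points at the original.
  reverse(originalId) {
    const original = this.#rows.find((r) => r.id === originalId);
    if (!original) throw new Error("no such event");
    if (original.reversalOf !== null) throw new Error("cannot reverse a reversal");
    if (this.#rows.some((r) => r.reversalOf === originalId)) {
      throw new Error("already reversed");
    }
    return this.append(original.userRef, "reversal", -original.value, originalId);
  }

  // The score is always derived from the full history, never stored and edited.
  score(userRef) {
    return this.#rows
      .filter((r) => r.userRef === userRef)
      .reduce((sum, r) => sum + r.value, 0);
  }

  // Returns a copy, so callers cannot reorder or truncate the real history.
  history() {
    return this.#rows.slice();
  }
}

// Constructed walk-through: two events, then a correction of the first.
function demoLedger() {
  const ledger = new ReputationLedger();
  ledger.append("u1", "mission_complete", 10);
  ledger.append("u1", "reply_verified", 5);
  ledger.reverse(1);
  return ledger;
}
```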


What's public, what's masked

A user's Raid Resume is public at /u/:xHandle once you've linked your X handle. It shows your grade, score, per-community breakdown, achievements, verified action counts, Conviction status (when available), and a masked wallet (if linked). It deliberately does not expose your Telegram user ID, any internal database IDs, or the raw wallet address.

You can hide your profile entirely from the Mini App profile editor (Public profile: off), in which case /u/:xHandle renders a private placeholder.

A community page is public at /c/:slug and shows the community's branding, computed grade + network rank, stats, and leaderboard.

Public pages carry no third-party trackers and no ad pixels.


Telegram Stars subscriptions (Individual Pro)

The optional Individual Pro tier ("Dossier Professional") can be unlocked via a Telegram Stars subscription. Stars billing is handled entirely by Telegram — we receive only the successful_payment event Telegram sends our bot, and we store the resulting charge id + expiry so we can apply the perks. You can cancel the subscription at any time in Telegram → Settings → Subscriptions. We never see your card or any custodial credential.


Secrets and operational security

  • BOT_TOKEN, DATABASE_URL, X_API_BEARER_TOKEN, TON_API_KEY and other secrets load from environment variables only. Never hardcoded.
  • .env is gitignored. .env.example carries placeholders only.
  • A leaked bot token must be revoked in BotFather and rotated.

In one line

Most bots in this space surveil you. We track the buttons you deliberately tapped, full stop.


Contact and corrections

Questions or a takedown request: open an issue on the repository, or contact the maintainer through the bot.

This document describes shipped behavior. If you find any divergence between this file and the product, that's a bug — report it.