Privacy Policy

Updated: April 17, 2026

In short: we store your email, subscription data and the encrypted Telegram session keys that you yourself link. We do not sell or share this data with third parties. We only read the chats you explicitly pick in the cabinet.

1. Who we are

Mooly is a service by BIBO PLB (“we”), designed to aggregate and structure Dubai real-estate listings from the sources you connect (Telegram groups, WhatsApp chats) and answer your queries via a Telegram bot and a web cabinet.

Data questions: privacy@mooly.tech.

2. What data we collect

Account: email, password hash (bcrypt), UI language, plan and subscription period, registration and last-login dates.
Telegram session: the encrypted Telethon session string tied to your phone (AES-256, key stored separately). Used to read the groups you picked.
List of selected sources: IDs and names of the Telegram / WhatsApp groups you flagged for monitoring.
Content of messages from those groups: listing text, prices, areas, contacts, timestamps. We do not read your private chats; we do not read groups you didn't pick.
Bot queries: what you asked Mooly, what results you got. Used to improve answer quality and for scheduled subscriptions.
Technical logs: IP, user-agent, timestamp. Kept 30 days for security and debugging.
Site behaviour analytics: Microsoft Clarity (session recordings, heatmaps) — only enabled after your consent in the cookie banner.

3. Why we collect it

To provide the service (auth, reading selected sources, answering).
To process payments and enforce plan limits.
To send scheduled digests for saved queries.
To debug and improve the product.
To comply with law (law-enforcement requests within jurisdiction).

4. Who we share data with

We never sell. Personal data is only processed by our technical subcontractors:

Neon (PostgreSQL) — database hosting.
Railway — application hosting.
OpenAI — listing text processing by a model to extract structured fields. Messages from selected groups are sent to the OpenAI API; OpenAI is contractually prohibited from using this content to train models.
Stripe — payment processing (when you opt into a paid plan).
Microsoft Clarity — site behaviour analytics, only after your consent.
Google Sheets API — result export on your explicit request.

5. Retention

Account — while active. After deletion: 30 days in backups, then full deletion.
Telegram session — until you disconnect it in /app/sources.
Group messages — 90 days active storage, older entries are archived.
Technical logs — 30 days.

6. Your rights

Request a copy of your data.
Correct or delete your account (in profile settings or by email request).
Disconnect your Telegram session in one click in the cabinet — we stop reading your groups.
Withdraw consent for analytics (cookie banner “Decline” button or re-open settings).
File a complaint with the supervisory authority in your jurisdiction.

7. Security

Telegram session keys are encrypted with AES-256. Web-cabinet auth uses JWT in HttpOnly cookies with SameSite=Lax, TTL 7 days. Passwords are stored only as bcrypt hashes. All traffic is HTTPS (TLS 1.2+). Production DB access is IP-restricted.

8. Cookies

Strictly-necessary cookies (auth) are always set. Analytics cookies (Microsoft Clarity) only after your explicit consent. Declining does not affect service functionality.

9. Changes

We may update this policy. The last-updated date is at the top of the document. Material changes are announced by email.