Telegram Bot Privacy: What Data Do Bots Collect? (2026)
Telegram bots are convenient, but every bot is a third-party application controlled by a developer or company outside of Telegram. Understanding what data a bot can — and cannot — access is essential for making informed decisions about which bots to trust with different types of information. This guide explains exactly what data bots receive, what they can store, how to check whether a bot is safe, and how to revoke access if you change your mind.
What Data Can a Telegram Bot Access?
When you interact with a Telegram bot, Telegram sends the bot's server a JSON update object for each message. This object contains specific fields. Understanding exactly what is and is not in this object is the foundation of bot privacy.
Data a Bot Always Receives When You Message It
- Your Telegram user ID: A permanent numeric identifier (e.g. 123456789). This never changes and uniquely identifies your account.
- Your first name: The first name set in your Telegram profile.
- Your last name: If set in your profile (optional on Telegram).
- Your username: Your @handle, if you have one set. Optional on Telegram.
- Your language code: The language your Telegram app is set to (e.g. en, de, pt).
- The chat ID: The ID of the conversation (same as your user ID for private chats with the bot).
- The message text: What you typed and sent.
- Message timestamp: When the message was sent.
- Media files: Photos, videos, documents, voice messages you send to the bot.
Data a Bot Does NOT Receive
- Your phone number: Not included in the standard update object. Bots cannot see your phone number unless you explicitly share it using Telegram's contact-sharing feature (requestContact) and consent to the request.
- Your other conversations: Bots have zero access to messages in other chats — with other bots, groups, or people.
- Your contact list: Bots cannot see who you have saved in your Telegram contacts.
- Your profile photo: The update object does not include your photo. Bots can download it separately by calling the getUserProfilePhotos API method — this is technically possible and some bots do it to display avatars in their interface.
- Your IP address or device information: These are not transmitted via the Bot API.
- Messages in groups where the bot is not a member: A bot in group A cannot see messages in group B.
- Messages in groups with "privacy mode" enabled: In groups where a bot is a member but privacy mode is enabled (the default), the bot only sees messages that directly mention it (@botname) or are commands (/command). It does not see general group conversation.
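The two lists above, read out of a message update, as an added example that is not from the original article: the update is constructed sample data, and `personal_data_in_update` is a hypothetical helper name. The field names (`from`, `chat`, `contact`, `phone_number` and so on) are those of the Bot API's message object.

```python
import json

# Constructed sample update (not captured traffic); field names follow the Bot API.
SAMPLE_UPDATE = json.loads("""
{
  "update_id": 10000,
  "message": {
    "message_id": 42,
    "date": 1767225600,
    "from": {"id": 123456789, "is_bot": false, "first_name": "Alice",
             "username": "alice_example", "language_code": "en"},
    "chat": {"id": 123456789, "type": "private", "first_name": "Alice"},
    "text": "/start"
  }
}
""")

# Personal fields of the sender ("from") object, per the list above.
SENDER_FIELDS = ("id", "first_name", "last_name", "username", "language_code")
# Attachment keys; each carries file_id values the bot can use to download the file.
MEDIA_FIELDS = ("photo", "video", "document", "voice")


def personal_data_in_update(update: dict) -> dict:
    """Return the personal data a bot's server receives in one message update."""
    msg = update.get("message", {})
    sender = msg.get("from", {})
    found = {f"from.{k}": sender[k] for k in SENDER_FIELDS if k in sender}
    found["chat.id"] = msg.get("chat", {}).get("id")
    found["date"] = msg.get("date")
    if "text" in msg:
        found["text"] = msg["text"]
    for key in MEDIA_FIELDS:
        if key in msg:
            found[f"media.{key}"] = True
    # A phone number appears only when the user tapped the contact-sharing
    # button, which puts a "contact" object in the message.
    contact = msg.get("contact")
    if contact:
        found["contact.phone_number"] = contact.get("phone_number")
    return found


if __name__ == "__main__":
    for field, value in personal_data_in_update(SAMPLE_UPDATE).items():
        print(f"{field:22} {value!r}")
```

Optional profile fields such as the last name are simply absent from the result when the user has not set them, and no phone number key exists unless a contact was shared.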
Data Access in Groups
When a bot is added to a group, its data access depends on its admin rights and privacy mode:
- Privacy mode ON (default): Bot sees only messages addressed to it or commands. Does not read general group conversation.
- Privacy mode OFF (admin must disable): Bot sees all messages in the group. Used for moderation bots that need to monitor all content.
- Admin rights: Bots with admin rights can access additional information: group member list (via getChatMember), chat information, and administrative actions log in some configurations.
What Bots Can Store and For How Long
There is an important distinction between what data Telegram sends to the bot and what the bot's developer chooses to store:
Telegram sends the data. The bot's server receives it. What happens next is entirely up to the developer. A privacy-conscious bot might store only what it needs for immediate functionality and discard the rest. A data-harvesting bot might log every message, every user ID, and every interaction permanently.
Telegram has no technical mechanism to enforce data minimization on bot operators. This is a policy and trust question, not a technical constraint. The only protection is:
- The bot's published privacy policy (which may or may not be enforced or even exist)
- Your own judgment about which bots to trust with what information
- GDPR and other data protection regulations that give you rights over your data in applicable jurisdictions
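What "store only what it needs" can look like on the bot's server, as an added example that is not from the original article or from any particular bot: `pseudonymize`, `minimal_record` and `PSEUDONYM_KEY` are hypothetical names, and the record layout is an assumption for a simple command bot.

```python
import hashlib
import hmac

# Hypothetical server-side secret; a real deployment would load it from a secret store.
PSEUDONYM_KEY = b"constructed-example-key"

# Constructed sample update; field names follow the Bot API.
SAMPLE_UPDATE = {"message": {
    "date": 1767225600,
    "from": {"id": 123456789, "first_name": "Alice",
             "username": "alice_example", "language_code": "en"},
    "chat": {"id": 123456789, "type": "private"},
    "text": "/weather@example_bot Berlin",
}}


def pseudonymize(user_id: int, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of the permanent user ID, so stored records cannot be
    joined to a Telegram account without the key."""
    return hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()


def minimal_record(update: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Keep only what a simple command bot needs to persist; names, username,
    language code and free text are dropped."""
    msg = update.get("message", {})
    text = msg.get("text", "")
    # Store the command name only (e.g. "/weather"), never its arguments.
    command = text.split()[0].split("@")[0] if text.startswith("/") else None
    return {
        "user": pseudonymize(msg["from"]["id"], key),
        "command": command,
        "day": msg["date"] // 86400,  # day granularity instead of exact timestamp
    }


if __name__ == "__main__":
    print(minimal_record(SAMPLE_UPDATE))
```

The reply itself is sent from the in-memory update, so the stored record needs neither the chat ID nor the message text.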
Privacy Policy Requirements for Telegram Bots
Telegram requires bots collecting user data to have a privacy policy. @BotFather allows setting a privacy policy URL when configuring a bot. However, enforcement is limited — many bots lack privacy policies without consequence.
What a legitimate bot's privacy policy should tell you:
- What data is collected
- How long data is retained
- Whether data is shared with third parties
- How to request data deletion
- Contact information for the data controller
- Applicable jurisdiction and legal basis for processing (for GDPR compliance)
If a bot collects personal information (names, phone numbers, payment data, location) without a privacy policy, treat it with caution.
How to Check If a Bot Is Safe
Check the Bot's Privacy Policy
In @BotFather, you can check if a bot has a privacy policy URL set: /mybots → [select bot] → Bot Settings → Privacy Policy. For bots you do not own, the privacy policy URL may be listed in the bot's description or its website.
Check the Bot's Privacy Mode
Add the bot to a test group and send /start. Check the notification Telegram shows when adding the bot — it specifies whether the bot has access to all messages or only commands. Legitimate moderation bots need full message access; simple utility bots should not.
Look for the Bot on Established Directories
Bots listed on reputable directories (including tgram.bot) have been reviewed and have some community validation. Unknown bots with no search results and no discoverable developer identity are higher risk.
Examine What the Bot Asks For
Be cautious if a bot requests: your phone number (unless clearly necessary), location data, or asks you to complete a login on an external website. Legitimate bots rarely need phone numbers; phone number requests are a common phishing vector.
Check for Open Source Code
Open source bots can be code-reviewed. If a bot links to a GitHub repository, you or a developer you trust can verify that the code does what the bot claims and nothing more.
How to Revoke Bot Access
Unlike OAuth applications, Telegram bots do not have a formal "revoke access" mechanism in the traditional sense. Here are the practical options:
Block the Bot
Blocking a bot in Telegram stops it from receiving any new messages from you. The bot's server still has whatever data it collected before the block, but no new data will be sent.
- Open the bot chat → tap the three-dot menu → Block bot
Request Data Deletion
Under GDPR (if the bot operator is subject to it), you have the right to request erasure of your data. Contact the bot's operator via the privacy policy contact information. Legitimate operators must comply within 30 days.
Delete the Conversation
Deleting the chat on your Telegram client removes messages from your view but does not delete data from the bot's server. This is cosmetic from a privacy perspective.
For Group Bots: Remove the Bot from the Group
As a group admin, you can remove any bot from the group. This stops future data collection from that group. Data already collected by the bot before removal is unaffected.
Bots vs Telegram Itself: Where Is the Privacy Risk?
A common misconception is that Telegram is the primary privacy concern. In practice, well-designed third-party bots can be a larger risk than Telegram itself for specific data types, because:
- Telegram as a company is subject to GDPR and has a published privacy policy with legal obligations
- Telegram's servers are secured to a high standard; small bot operators may have weaker security
- Telegram does not monetize user data; some bot operators may
- Telegram's end-to-end encryption (in Secret Chats) is not available for bot conversations — bot messages are stored on Telegram's servers in standard encryption, readable by Telegram and accessible to law enforcement with valid legal process
For sensitive communications, use Telegram Secret Chats (end-to-end encrypted) with other humans, not bots. Bots cannot participate in Secret Chats.
FAQ
Can a Telegram bot read my messages in other chats?
No. A bot only receives messages sent directly to it in its own chat, or messages in groups where it is a member and has appropriate access rights. It has no visibility into any other conversation on Telegram.
Does using a bot expose my phone number?
Not automatically. Your phone number is not included in standard bot updates. It is only shared if you use Telegram's requestContact feature, which shows an explicit "Share your phone number" button you must actively tap to confirm. Never share your phone number with a bot unless you understand why it needs it and trust the operator.
What happens to my data if a bot service shuts down?
When a bot service shuts down, data on their servers may be deleted (if the operator is responsible) or may linger. There is no Telegram mechanism that forces deletion. If data privacy matters for a specific bot, request deletion proactively before the service appears to be winding down.
Are bots in official Telegram channels safer than random bots?
Bots promoted in official or verified Telegram channels have at least passed a basic credibility check through their association with established communities. They are generally lower risk than random bots found through unsolicited links. However, even recommended bots can have poor data practices — check the privacy policy regardless of source.
Do bots have access to Telegram Premium features or status?
The Bot API provides some information about users' Telegram Premium status in the user object (an is_premium boolean field). This allows bots to offer premium-specific features to Telegram Premium subscribers if they choose to. It is not a privacy concern — it is a publicly visible account attribute similar to a username.