Privacy
Last updated: July 2026
The short version: your Telegram identity is your account, everything we store exists to make a feature work, there are no trackers, no analytics scripts, no advertising, and no selling of anything — and you can wipe your website data yourself, any time.
Your account: Telegram, nothing else
There is no registration form and no password. When you log in, the 𝕏TV Account Manager bot confirms it's you with a single tap in Telegram, and we store the three things Telegram tells us: your numeric Telegram ID, your username and your first name. That's the entire identity layer. We never see your phone number, your contacts, your messages or anything else from your Telegram account.
Logins are protected end-to-end: one-time login links expire after ten minutes, work exactly once, are confirmed explicitly in the bot, and can be declined with one tap — which voids the link permanently.
What we store — and the feature it powers
- Ratings, favorites, watchlist, My𝕏TV lists, reports — so they work on the website and in the bots alike, and so title pages can show honest community numbers.
- Your display name and profile picture — both optional, both set by you. The picture is stored as a small image on our own infrastructure; we never reference Telegram's file system for it.
- Notifications — your inbox entries (login alerts, arrivals, gifts, digests) with their read state. They expire automatically after 90 days.
- Notification preferences — the per-category toggles you set in the Account Manager.
- Membership metadata — join date, premium status and lifetime supporter days (for tiers), badges, XP counters. These come from your activity in the 𝕏TV bots.
What we deliberately never do
- No third-party analytics, tracking pixels or ad networks — the pages you read are between you and us.
- No selling, renting or sharing of data with anyone, full stop.
- No email addresses, phone numbers or real names required for your member account — ever. (Joining the opt-in Developer Program is the one exception; see below.)
- No browsing profiles: we don't log which titles you look at against your account.
The Developer Program (opt-in)
If you apply for API access, we additionally ask for your name, email address, optionally an organization and website, and a description of your project — API keys act on behalf of software, so we need to know whose software it is. None of this applies unless you apply.
- Who sees it — your application (including name and email) is read by the moderation team to approve or decline it, and by nobody else. It is never shown publicly and never shared outside the project.
- What it's used for — running the Developer Program and contacting you about your API usage. No newsletters, no marketing, nothing else.
- Your keys — stored only as cryptographic hashes; the full key exists exactly once, on your screen at creation. Per-key request counters exist so you can see your own usage.
- Leaving — revoke your keys any time; ask through the Telegram bots to have your developer profile deleted entirely.
Cookies: exactly one
xtvdb_session — a cryptographically signed session token set when you log in. HttpOnly, 30-day lifetime, removed on logout. There are no advertising, preference or tracking cookies, and nothing is stored in your browser beyond this one credential.
Sessions can be revoked server-side at any moment: "Log out all web sessions" (on the website or in the Account Manager) invalidates every session cookie ever issued to your account, instantly.
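One way a signed session token can support "log out all web sessions", shown as an added example and not the site's own code. It assumes an HMAC-SHA256 signature, a JSON payload and a per-account generation counter kept server-side; the key, field names and function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

SESSION_TTL = 30 * 24 * 3600        # 30-day lifetime, as stated above
SECRET = b"constructed-demo-key"    # placeholder; a real key lives in a secret store
generation = {}                     # account_id -> current generation (assumed server-side state)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload):
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())


def issue_session(account_id, now=None):
    now = time.time() if now is None else now
    body = {"uid": account_id, "gen": generation.setdefault(account_id, 0),
            "exp": int(now) + SESSION_TTL}
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"


def check_session(token, now=None):
    """Return the account id, or None if forged, expired or revoked."""
    now = time.time() if now is None else now
    payload, _, sig = token.partition(".")
    # Verify the signature before parsing anything the client sent.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    body = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if now >= body["exp"] or body["gen"] != generation.get(body["uid"]):
        return None
    return body["uid"]


def logout_everywhere(account_id):
    # Bumping the generation invalidates every token issued before this call.
    generation[account_id] = generation.get(account_id, 0) + 1
```

The signature alone cannot revoke anything; the server-side generation lookup on every request is what makes revocation take effect at once.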
Security codes
Sensitive actions — logging out everywhere, deleting your website data — require a six-digit one-time code that the Account Manager sends to your Telegram. Codes live for ten minutes, allow five attempts, and every request supersedes the previous code. This is the closest thing 𝕏TV has to a password, and it never leaves Telegram.
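The code rules above (six digits, ten minutes, five attempts, each request superseding the last) as an added example, not the project's own code. The in-memory store, the salted hash and the class and method names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600       # ten minutes, as stated above
MAX_ATTEMPTS = 5     # five attempts, as stated above


class SecurityCodes:
    """In-memory store holding at most one live code per account (assumed model)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._live = {}  # account_id -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, code):
        # The six-digit space is small: the attempt cap, not this hash, limits guessing.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, account_id):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, leading zeros kept
        salt = secrets.token_bytes(16)
        # Writing to the same key supersedes any previous code for the account.
        self._live[account_id] = [salt, self._digest(salt, code),
                                  self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code  # handed to the delivery channel, not stored in clear

    def verify(self, account_id, guess):
        entry = self._live.get(account_id)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._live[account_id]
            return False
        ok = hmac.compare_digest(digest, self._digest(salt, guess))
        if ok or attempts_left <= 1:
            del self._live[account_id]  # single use, or attempts exhausted
        else:
            entry[3] = attempts_left - 1
        return ok
```

Because every newly issued code arrives with a fresh attempt budget, the request path needs its own rate limit for the five-attempt cap to hold.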
Counting views without tracking you
Title pages count views. To keep refreshes from inflating the numbers we keep a short-lived, one-way hashed marker derived from your session or network address; it expires by itself within hours and cannot be reversed into an identity. The public API is rate-limited per network address using counters held only in memory — nothing is written to disk.
Images and external content
Posters, backdrops and stills are loaded from the content delivery networks of our metadata sources; your browser contacts those servers directly when loading images, as with any embedded image on the web. Artwork and metadata are assembled from public sources and community contributions and remain the property of their respective owners.
Retention & deletion — you hold the switch
Notifications self-delete after 90 days; login links after ten minutes; security codes after ten minutes; view-count markers within hours. Everything else lives until you remove it.
Under Account → Security, "Delete my 𝕏TVDb web data" removes your display name, profile picture, My𝕏TV lists, website ratings and notifications, and signs you out everywhere — guarded by a security code, effective immediately. Data created inside the Telegram bots (favorites, premium, XP) belongs to your bot account; full account deletion is handled by the 𝕏TV team through the bots.
Questions
Anything unclear, or a request we haven't automated yet? Reach the 𝕏TV team through the Telegram bots — a human reads it.