Privacy Policy
Last updated: March 1, 2026
BotInbox ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our platform at botinbox.com and related services (the "Service").
This policy applies to all users of our Service, including visitors, registered users, and customers. By using the Service, you acknowledge that you have read and understood this policy.
1. Data Controller
BotInbox is the data controller responsible for your personal data. If you have questions about how your data is processed or wish to exercise your rights, you can contact our Data Protection Officer at:
- Email: privacy@botinbox.com
- Address: BotInbox, Data Protection Officer
2. Information We Collect
2.1 Information You Provide
- Account information: name, email address, password (hashed), organization name and details when you register.
- Communication data: messages, conversations, and attachments you send or receive through our platform on behalf of your organization.
- Contact information: customer contact details you import or create within the Service.
- Support requests: information you provide when contacting our support team.
- Payment information: billing details processed securely through our third-party payment processor. We do not store full payment card numbers.
2.2 Information Collected Automatically
- Device and browser information: IP address, browser type, operating system, device type.
- Usage data: pages visited, features used, timestamps, referring URLs.
- Cookies and similar technologies: as described in our Cookie Policy.
- Log data: server logs for security, performance monitoring, and error tracking.
3. Lawful Basis for Processing
Under the GDPR, we process your personal data based on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of contract (Art. 6(1)(b)) |
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) |
| Security, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Service improvement and analytics | Legitimate interest (Art. 6(1)(f)) |
| Essential cookies | Legitimate interest (Art. 6(1)(f)) |
| Analytics cookies (if enabled) | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
4. How We Use Your Information
- To provide, operate, and maintain the Service.
- To authenticate your identity and manage your account.
- To process messages across email, WhatsApp, live chat, and other channels.
- To provide AI-powered features such as smart replies and auto-labeling.
- To send transactional emails (account verification, password resets, security alerts).
- To respond to your support inquiries.
- To detect, prevent, and address fraud, abuse, and security issues.
- To improve and develop the Service based on aggregated, anonymized usage data.
- To comply with legal obligations.
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We may share data only in the following circumstances:
- Service providers: trusted third-party processors who help us operate the Service (hosting, email delivery, payment processing), bound by data processing agreements.
- Legal requirements: when required by law, regulation, legal process, or enforceable governmental request.
- Business transfers: in connection with a merger, acquisition, or sale of assets, with prior notice to you.
- With your consent: when you explicitly authorize us to share specific data.
6. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including countries outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Transfers to countries with an adequacy decision from the European Commission.
- Other legally recognized transfer mechanisms under the GDPR.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Account data: retained while your account is active and for 30 days after deletion to allow recovery.
- Conversation data: retained while your account is active and deleted within 30 days of account termination.
- Log data: retained for up to 90 days for security and debugging purposes.
- Billing records: retained for up to 7 years as required by tax and accounting laws.
You may request earlier deletion at any time by contacting us.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption at rest (AES-256) and in transit (TLS 1.3).
- Secure password hashing using bcrypt.
- Role-based access control and organization-level data isolation.
- Regular security audits and vulnerability scanning.
- Automated backups with encryption.
- Rate limiting and DDoS protection.
No system is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours as required by GDPR Article 33.
9. Your Rights
Under the GDPR and applicable data protection laws, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Request correction of inaccurate or incomplete data. |
| Erasure | Request deletion of your personal data ("right to be forgotten"). |
| Restriction | Request that we limit how we process your data. |
| Portability | Receive your data in a structured, machine-readable format (JSON/CSV). |
| Objection | Object to processing based on legitimate interest. |
| Withdraw consent | Withdraw consent at any time where processing is based on consent. |
| Complaint | Lodge a complaint with your local data protection supervisory authority. |
To exercise any of these rights, contact us at privacy@botinbox.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.
10. Data Processing on Behalf of Customers
When you use BotInbox to communicate with your customers, you act as the data controller for the personal data of your end-users, and we act as the data processor. In this capacity:
- We process your end-users' data only as instructed by you and in accordance with our Data Processing Agreement (DPA).
- You are responsible for obtaining appropriate consent from your end-users or establishing another legal basis for processing their data.
- We provide tools for you to manage, export, and delete your end-users' data.
- A DPA is available upon request for enterprise customers.
11. Children's Privacy
Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information promptly.
12. Cookies and Tracking Technologies
We use essential cookies required for the Service to function. We do not use third-party advertising or tracking cookies. For full details on the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@botinbox.com
- General inquiries: Contact page