BoundBot

Privacy Policy

Last updated on March 20, 2026.

BoundBot, Inc. ("BoundBot," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy describes how we collect, use, store, and protect information when you interact with our websites, products, or services (collectively, the "Services").

This policy applies to all users of the Services, including workspace owners, team members, and end users who interact with bots powered by BoundBot.

1. Our Role Under GDPR

Under the General Data Protection Regulation (GDPR) and similar data protection laws:

  • We act as a Data Controller for data we collect directly from our users (account information, billing, analytics).
  • We act as a Data Processor for data that our customers process through the Services (end-user conversations, knowledge base content, leads, orders).

Our customers who use BoundBot to interact with their own end users are the Data Controllers for that end-user data. We process it on their behalf under the terms of our Data Processing Agreement (DPA).

2. Information We Collect

A. Information You Provide

  • Account data: Name, email address, hashed password credentials managed through our authentication provider, and profile picture when you create an account.
  • Workspace data: Team name, industry, website URL, and description.
  • Billing data: Subscription and payment information processed through our billing provider (Lemon Squeezy). We do not store credit card numbers.
  • Knowledge base content: Documents (PDF, DOCX, TXT), FAQ entries, website URLs, and product catalog data that you upload.
  • Bot configuration: System prompts, workflow definitions, and custom actions.

B. Information Collected Automatically

  • Usage data: Browser type, device information, IP address, pages visited, and feature usage.
  • Cookies: We use cookies and similar technologies as described in our Cookie Policy.

C. Information from Third-Party Channels

When you connect messaging channels (WhatsApp, Messenger, Instagram, Telegram, Slack, Discord, or WebChat), we receive:

  • Messages sent by end users to your connected channels
  • Sender display names and profile pictures (where available)
  • Channel-specific identifiers and metadata

3. Lawful Basis for Processing

We process personal data under the following legal bases as defined by GDPR Article 6:

| Processing Activity | Lawful Basis |
| --- | --- |
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) |
| Service delivery (messaging, AI replies, workflows) | Performance of contract (Art. 6(1)(b)) |
| Billing and subscription management | Performance of contract / Legal obligation (Art. 6(1)(b), (c)) |
| AI processing of conversations | Performance of contract (Art. 6(1)(b)) |
| Analytics and product improvement | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Cookie-based tracking (analytics, marketing) | Consent (Art. 6(1)(a)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance (tax records, etc.) | Legal obligation (Art. 6(1)(c)) |

4. AI Processing and Data

BoundBot uses artificial intelligence to generate automated replies to end-user messages. Here is how your data interacts with AI:

  • AI provider: We use Google Vertex AI (Gemini models) to process conversations. Conversation messages, knowledge base context, and bot configuration are sent to Google's API to generate responses.
  • No model training by BoundBot: BoundBot does not use your customer data to train its own models. We process AI requests through Google Vertex AI under Google Cloud's then-current data processing terms and product commitments.
  • Conversation history: Recent conversation messages (up to 20) are sent to the AI provider to maintain context for replies.
  • Conversation summaries: For longer conversations, we generate summaries to maintain context efficiently. These summaries are stored in our database.
  • Embeddings: Knowledge base content and product catalog data are converted into vector embeddings using Google Vertex AI for semantic search. These embeddings are stored in our database.

5. How We Use Information

  • Providing, maintaining, and improving the Services
  • Processing and routing messages across channels
  • Generating AI-powered responses to end-user messages
  • Performing semantic search on knowledge base content
  • Managing billing, subscriptions, and usage tracking
  • Sending transactional emails (invitations, notifications)
  • Analyzing usage patterns to improve the product
  • Detecting and preventing fraud or abuse
  • Complying with legal obligations

6. Data Sharing and Subprocessors

We do not sell your personal information. We share data with third-party service providers (subprocessors) only as necessary to deliver the Services. A complete list of our subprocessors is available on our Subprocessors page.

Key categories of subprocessors include:

  • Cloud infrastructure: Google Cloud Platform (hosting, AI processing)
  • Database and authentication: Supabase (PostgreSQL, auth, file storage)
  • Billing: Lemon Squeezy (payment processing, subscriptions)
  • Email: Resend (transactional emails)
  • Messaging platforms: Meta (WhatsApp, Messenger, Instagram), Telegram, Slack, Discord
  • Analytics: Google Analytics, Microsoft Clarity, Vercel Analytics

We may also disclose information if required by law or in response to valid legal requests.

7. International Data Transfers

BoundBot is based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to and processed in the United States or other countries where our subprocessors operate.

We protect international transfers using:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all subprocessors that include appropriate safeguards
  • Google Cloud's GDPR commitments and data processing terms for Vertex AI

8. Data Retention

We retain personal data only as long as necessary for the purposes described above:

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion.
  • Conversation and message history: Retained according to your subscription tier (Free: 30 days, Starter: 90 days, Pro: 365 days, Enterprise: unlimited unless otherwise agreed in writing).
  • Analytics retention: Analytics views and reporting features are retained according to your subscription tier (Free: 7 days, Starter: 30 days, Pro: 90 days, Enterprise: unlimited unless otherwise agreed in writing).
  • Workspace data: Soft-deleted with a 30-day recovery window, then permanently purged.
  • Billing records: Retained as required by tax and accounting laws (typically 7 years).
  • Webhook event logs: Automatically deleted after 30 days.

9. Security Measures

We implement appropriate technical and organizational measures to protect your data (GDPR Article 32):

  • HTTPS encryption for all data in transit
  • AES-256-GCM encryption for sensitive credentials (API tokens, OAuth tokens)
  • Role-based access control (RBAC) with tenant-level data isolation
  • Row-level security (RLS) at the database level
  • Secure authentication via Supabase Auth with JWT validation
  • Regular backups of all data
  • Monitoring and logging of system access

No method of transmission or storage is completely secure. We cannot guarantee absolute security, but we continuously work to protect your data.

10. Your Rights Under GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data via your account settings.
  • Right to erasure (Art. 17): Request deletion of your personal data. You can delete your account from your account settings or contact us.
  • Right to data portability (Art. 20): Export your personal data in a machine-readable format from your account settings. For workspace-owned operational data, exports may be limited to workspace owners or administrators.
  • Right to restrict processing (Art. 18): Request that we limit how we process your data in certain circumstances.
  • Right to object (Art. 21): Object to processing based on legitimate interest, including direct marketing.
  • Right to withdraw consent (Art. 7): Withdraw consent at any time where processing is based on consent (e.g., marketing, analytics cookies).

To exercise your rights, use the self-service tools in your account settings or contact us at privacy@boundbot.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

11. Facebook Messenger Platform Integration

Introduction

Our application integrates with the Facebook Messenger Platform provided by Meta Platforms to allow Page owners to respond to messages sent to their Facebook Pages. We access the following permissions:

  • pages_show_list: To access the list of Facebook Pages you manage and let you select a Page to connect.
  • pages_messaging: To receive and send messages on your connected Facebook Page.
  • pages_manage_metadata: To subscribe your Page to Messenger webhooks and configure messaging settings.

We only process messages necessary to provide messaging functionality. We do not use this data for advertising, profiling, or resale. We design this integration to operate in line with applicable Facebook Platform and Messenger requirements.

12. Cookies and Tracking

We use cookies and similar technologies to operate the Services and analyze usage. Some analytics services may load in a limited, privacy-preserving or consent-mode state before you opt in, but analytics and marketing storage is denied by default until you provide consent. For full details, see our Cookie Policy.

We use Google Consent Mode v2 to ensure analytics and marketing cookies are only activated after you provide consent. You can manage your cookie preferences at any time using the cookie consent banner.

13. Children's Privacy

The Services are not directed to children under 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected by updating the "Last updated" date at the top of this page. If we make material changes, we will notify you by email or through the Services. Continued use of the Services after changes constitutes acceptance of the updated policy.

15. Contact Information

If you have questions about this Privacy Policy, your data rights, or our privacy practices, please contact us at:

BoundBot, Inc.
Privacy inquiries: privacy@boundbot.com
General inquiries: hello@boundbot.com
