Privacy Policy

Personal Data means any information that relates to an identified or identifiable natural person, or that is reasonably capable of being associated with a particular individual or household. This includes, by way of example, your name, business email, phone number, IP address, device identifiers, authentication tokens, and usage logs. This term is interpreted consistently with the definitions in the EU GDPR, UK GDPR, Israel’s Privacy Protection Law, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Canada’s PIPEDA, and any other applicable privacy statute.

Customer Personal Data means any Personal Data that Boti processes on behalf of and under the instructions of a customer in connection with delivering the Services.

Service Data refers to operational metrics, telemetry, and aggregated information that Boti processes independently for purposes such as security, billing, analytics, and product improvement. Service Data is handled separately from Customer Personal Data as described in Section 8.

Boti does not intentionally collect special-category or sensitive personal data (such as health information, biometric identifiers, or precise geolocation), and we instruct customers not to upload such data to the platform.

2.1 Information You Provide Directly

When you create an account, subscribe to a plan, submit a support request, or otherwise interact with the Services, you may provide personal data such as:

• Name, business email address, and phone number
• Payment details (processed by Stripe; we never store full card numbers on our servers)
• Bot configurations, workflow definitions, conversation templates, and prompts
• Content you upload, including images, documents, and knowledge-base files
• Messages and feedback sent to our support team

2.2 Information Collected Automatically

When you interact with the Services, we automatically gather technical and usage data, including:

• IP address and approximate geographic location
• Browser type, operating system, and device identifiers
• Pages visited, features used, actions taken, and timestamps
• Error logs and performance diagnostics
• Referral source and session duration

2.3 Bot and Conversation Data

We store the bots you create, their configurations, connected channels, and the conversations they conduct with your customers. This data is essential for delivering the Service, enabling analytics, and helping you improve bot performance.

2.4 Third-Party Integrations

If you connect your account to third-party services (such as WhatsApp Business via Meta, Google Sheets, Google Calendar, or a CRM), we receive only the minimum data needed to operate that integration. Such data is processed under the same terms as other Customer Personal Data.

For Google Calendar, this includes accessing your calendar to check availability for open time slots, and creating, editing, or deleting calendar events on your behalf through your bot. For Google Sheets, this includes reading from and writing to spreadsheets that you designate for use with your bot workflows.

Boti’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

2.5 Google User Data: Handling, Sharing, and Restrictions

When you authorize Boti to access your Google account data (such as Google Calendar events or Google Sheets content), the following rules apply specifically to that data:

• Purpose: Google user data is used exclusively to provide the features you requested — checking calendar availability, creating or managing events, and reading from or writing to your designated spreadsheets. We do not use Google user data for advertising, analytics, market research, AI/ML model training, or any purpose unrelated to providing or improving these specific integrations.
• Sharing with AI Providers: When your bot uses Google Calendar or Google Sheets data to respond to end users, the retrieved data (e.g., available time slots, spreadsheet content) may be passed to our AI providers (OpenAI, Anthropic/Claude) solely to generate a contextual response within the conversation. These providers do not store or use this data for model training or any purpose beyond generating the immediate response. Google user data is never sold, rented, or shared with advertising platforms, analytics services, or any other third parties. The only additional exceptions are: (a) you give explicit prior consent, (b) it is required by law (e.g., a valid court order), or (c) it is part of a merger, acquisition, or asset sale, in which case you will be notified in advance.
• No Human Access: Boti employees and contractors do not read your Google user data unless you specifically ask us to for support purposes, it is required for security investigations, it is required by law, or it is aggregated and anonymized for internal operational purposes.
• Storage and Retention: Google user data is stored only for as long as needed to deliver the integration. Calendar data is queried in real time and is not persistently stored beyond what is necessary for the bot to function. Sheets data is read and written as instructed by your workflows and is not retained separately by Boti.

2.6 Children’s Data

Boti’s Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If you become aware that a child has provided us with personal data, please contact us at legal@boti.bot and we will promptly delete it.

Boti processes personal data only when a valid legal ground applies. Depending on your location, these grounds may include:

Applicable Frameworks

• Israel: Privacy Protection Law, 5741-1981, and subsidiary regulations.
• European Economic Area & UK: EU General Data Protection Regulation (GDPR) and UK GDPR.
• United States: CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), and other applicable state privacy statutes.
• Canada: Personal Information Protection and Electronic Documents Act (PIPEDA).
• Switzerland: Revised Federal Act on Data Protection (revFADP).

Legal Grounds We Rely On

• Performance of a Contract: Processing necessary to deliver the Services you have agreed to under our Terms of Service.
• Legitimate Interests: Processing for platform security, fraud detection, aggregate analytics, and product improvement, where these interests do not override your privacy rights.
• Consent: For non-essential cookies, marketing communications, and any other processing requiring your affirmative opt-in. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal Obligations: Retention and disclosure as required by tax regulations, court orders, export controls, or other statutory duties.
• Vital Interests: In exceptional circumstances, to prevent serious harm or respond to an emergency.

We process personal information for the following purposes:

1. Service Delivery: Operating and maintaining the platform, processing bot conversations, generating AI responses, and deploying your bots across channels.
2. Personalization: Tailoring features, suggestions, and interface elements to your usage patterns and workspace configuration.
3. Analytics and Improvement: Analyzing usage trends, diagnosing errors, measuring feature adoption, and refining our AI models. Where feasible, this analysis is performed on de-identified or aggregated data.
4. Security: Detecting, preventing, and investigating fraud, abuse, unauthorized access, and other security threats.
5. Communications: Sending transactional messages (account alerts, billing confirmations, security notices) and, with your opt-in, product updates and marketing.
6. Payments: Processing subscriptions, invoices, and credits through our payment processor (Stripe).
7. Legal Compliance: Fulfilling legal, regulatory, tax, and audit obligations in all jurisdictions where we operate.
8. Dispute Resolution: Handling claims, enforcing agreements, and defending legal proceedings.

Boti does not engage in automated decision-making that produces legal or similarly significant effects on individuals.

As a data processor, Boti engages trusted third-party sub-processors to support the delivery of our Services. These include:

• WhatsApp / Meta: Message routing and delivery for WhatsApp-connected bots. Meta’s privacy policy governs data processed through their infrastructure.
• Stripe: Payment processing and billing. We never store full payment card details; Stripe is our PCI-compliant processor.
• OpenAI: AI model provider for generating bot responses and processing prompts.
• Claude: AI model provider and integration services.
• PostHog: Product analytics and feature-usage tracking.
• Google Analytics: Website traffic and usage analytics.

All sub-processors are bound by contractual obligations that provide protections equivalent to those in our DPAs. We will provide reasonable notice of any sub-processor changes and allow customers to object within ten (10) business days.

We do not sell your personal data. We do not share Customer Personal Data for cross-context behavioral advertising.

Because Boti serves customers globally and works with sub-processors in various countries, your personal data may be transferred outside your country of residence. For customers in the EEA, UK, or Switzerland, we safeguard international transfers using:

• EU Standard Contractual Clauses (SCCs): Module 2 (Controller-to-Processor) as adopted by Commission Decision 2021/914, incorporated into our DPAs.
• UK International Data Transfer Addendum: Version B1.0, issued by the UK ICO.
• Swiss Addendum: Adapting the SCCs for compliance with the revised Swiss FADP.
• Adequacy Decisions: Where applicable, we rely on adequacy decisions from the European Commission or relevant authorities.

For transfers from Israel, we comply with the transfer mechanisms prescribed by the Israeli Privacy Protection Authority.

Boti may investigate and disclose personal information if we have a good-faith belief that doing so is:

• Required to comply with a valid legal process, court order, or governmental request. Unless prohibited by law, we will notify the affected customer before producing data.
• Necessary to prevent, detect, or investigate fraud, security incidents, or other harmful activity.
• Required to protect our rights, property, reputation, or those of our users or the public.

Any disclosure will be limited to what is strictly necessary and will comply with applicable privacy laws.

When you use the Services, we automatically collect operational telemetry ("Log Data") to help secure and improve the platform. Log Data may include:

• IP address and approximate location
• Browser type and version
• Pages, APIs, and features accessed
• Timestamps and session duration
• Unique session or device identifiers
• Error and debugging codes

Log Data is retained for up to ninety (90) days unless a longer period is required by law. It is used for performance monitoring, troubleshooting, and platform improvement.

Boti and selected partners use cookies, pixels, and similar technologies to operate, secure, and analyze the Services. We employ the following categories:

• Essential Cookies: Required for sign-in, session management, fraud prevention, and consent storage. These are set based on legitimate interests and do not require consent.
• Analytics Cookies: Measure feature usage, diagnose errors, and improve performance (e.g., PostHog, Google Analytics). We obtain prior consent for these in the EEA/UK/CH and honor opt-out signals (e.g., Global Privacy Control) in the United States.
• Functional Cookies: Remember your preferences such as language, theme, and layout settings.
• Marketing Cookies: Enable conversion tracking and campaign measurement. We do not use them for cross-context behavioral advertising. These require consent in the EEA/UK/CH.

You can manage cookie preferences at any time through your browser settings or by enabling a recognized opt-out mechanism such as Global Privacy Control. Disabling non-essential cookies will not affect core functionality. Analytics cookies are automatically deleted or anonymized after thirteen (13) months.

Boti implements industry-standard safeguards to protect your personal information, including:

• Encryption in Transit: All traffic between your browser or API client and our servers is encrypted using TLS.
• Encryption at Rest: Database encryption with managed key rotation.
• Access Controls: Role-based access, multi-factor authentication for administrative accounts, and periodic access reviews.
• Infrastructure Security: Data hosted in certified data centers with physical access controls, monitoring, and environmental safeguards.
• Security Monitoring: Real-time alerting, centralized logging, and regular vulnerability assessments.
• Personnel: Employees sign confidentiality agreements and receive security awareness training.
• Incident Response: We maintain a dedicated incident-response process and will notify affected customers within 72 hours of confirming any notifiable breach.

Your Role: Please keep your account credentials confidential, enable multi-factor authentication where available, and notify us promptly if you suspect unauthorized access to your account.

While we strive to protect your data, our Services rely on third-party providers (e.g., Meta/WhatsApp, OpenAI), and we cannot guarantee their uninterrupted availability or security. Please review their respective privacy policies.

We retain personal information only as long as necessary to fulfill the purposes described in this Policy or as required by law. General retention guidelines:

• Account Data: Retained for the duration of your active account.
• Conversation Data: Retained while your account is active and for up to 90 days after account closure.
• Log Data: Retained for up to 90 days.
• Billing Records: Retained as required by applicable tax and accounting regulations.

Upon account deletion, we will remove your personal data within 30 days, except for data we are legally required to retain (e.g., for tax, fraud prevention, or legal defense purposes). Backup copies may persist for up to 90 days before permanent deletion.

To request account deletion, email us at legal@boti.bot.

Depending on your jurisdiction, you may exercise some or all of the following rights by emailing legal@boti.bot. We will verify your identity and respond within 30 days or such other period as required by local law.

• Right of Access / Portability: Request a copy of the personal data we hold about you in a commonly used format.
• Right to Rectification: Ask us to correct inaccurate or incomplete personal information. You can also update most data directly in your account settings.
• Right to Deletion: Request erasure of your personal data, subject to legal exceptions.
• Right to Restrict Processing: Ask us to limit processing in certain circumstances.
• Right to Object: Object to processing based on legitimate interests.
• Right to Withdraw Consent: Withdraw previously given consent for optional processing activities.
• Opt-Out of Sale/Sharing: Boti does not sell or share personal information. If this changes, we will provide an opt-out mechanism.

Boti will not discriminate against you for exercising any of these rights. If you believe a request was wrongly denied, EEA/UK/Swiss residents may contact their local supervisory authority; U.S. residents may appeal by replying to our decision within 60 days.

Our Services may contain links, integrations, or references to external services not operated by Boti (for example, WhatsApp, Google Workspace, Stripe, or various AI providers). Your interactions with those services are governed by their own privacy policies and terms. We encourage you to review them before providing personal information, as Boti is not responsible for the privacy practices of external sites.

By using the Services, you consent to receive transactional and administrative communications from Boti, including account alerts, security notifications, and billing messages. You may opt out of non-essential marketing emails at any time via the unsubscribe link or your account settings; opting out will not affect essential service communications.

To send formal privacy notices to Boti, email legal@boti.bot.

This Policy is governed by and construed in accordance with the laws of the State of Israel, without regard to its conflict-of-law principles. Any disputes arising under this Policy shall be submitted to the exclusive jurisdiction of the courts of Tel Aviv-Jaffa, Israel.

However, if you reside in a jurisdiction that grants mandatory consumer or data protection rights under local law, those provisions will apply to the extent they conflict with this Policy. For residents of the EEA, UK, or Switzerland, international data transfers are subject to the Standard Contractual Clauses as described in Section 6.

Boti reserves the right to modify this Privacy Policy to reflect changes in our practices, legal requirements, or the Services. We will post any revised version at this URL and update the "Last Updated" date at the top. For material changes that reduce your rights or expand our processing, we will provide at least 30 days’ advance notice by email or in-product notification. Continued use of the Services after the updated Policy takes effect constitutes your acceptance of the revised terms.

If you have questions about this Policy, wish to exercise your privacy rights, or need to report a concern, please contact us:

• Email: legal@boti.bot
• Phone: +972-53-564-6690

We aim to respond to all verified requests within 30 days. If you believe your inquiry has not been satisfactorily resolved, you may lodge a complaint with your local data protection authority.

If any provision of this Policy is found to be unlawful, void, or unenforceable, it shall be interpreted to achieve its intent as closely as possible, or if that is not possible, it will be severed, and the remaining provisions will continue in full force.

This Policy, together with the Terms of Service, the applicable Data Processing Agreement, and any supplemental product terms, constitutes the entire agreement between you and Boti regarding privacy and data protection.