Privacy Policy

Last updated: March 3, 2026

1. Introduction

Botfy ("we", "our", or "the Platform") is an AI-powered sales automation platform operated by Botfy AI. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our services at botfy.io and related APIs.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Full name and email address
  • Company name
  • Password (stored as a bcrypt hash — we never store plaintext passwords)

2.2 Messaging Data

When your AI agents interact with end-users via WhatsApp, Telegram, or web chat, we process conversation messages to generate AI responses. Conversations are stored per-tenant and are not shared across accounts.

2.3 Google Calendar Data

If you connect Google Calendar, we request the following OAuth scopes:

  • calendar.readonly — to check your availability (free/busy)
  • calendar.events — to create scheduling events on your behalf

We store an encrypted OAuth refresh token to maintain the connection. We do not read, store, or share the content of your existing calendar events. We only query free/busy time slots and create new events when requested by your AI agents.

2.4 Uploaded Documents & Media

Files you upload to the knowledge base or media catalog are stored in isolated, tenant-specific storage. They are used exclusively to power your AI agents' responses.

3. How We Use Your Information

  • Provide and maintain the Platform's AI services
  • Authenticate your identity and manage your account
  • Process conversations between your AI agents and end-users
  • Schedule events via Google Calendar when you enable the integration
  • Track usage for billing and plan enforcement
  • Improve our services and fix bugs (using aggregated, anonymized data)

4. Data Sharing

We do not sell your personal data. We may share data only with:

  • AI model providers (e.g., OpenAI) — conversation text is sent to generate responses. No personal account data is included.
  • Infrastructure providers (Vercel, Supabase) — for hosting and database services, under their respective DPAs.
  • Payment processors (Stripe) — for billing, if applicable.
  • Legal authorities — only if required by law or to protect our rights.

5. Data Security

We implement industry-standard security measures including:

  • Encryption at rest and in transit (TLS 1.2+)
  • Fernet-encrypted storage for OAuth tokens and API keys
  • Bcrypt password hashing
  • Tenant-level data isolation (multi-tenant architecture)
  • JWT-based authentication with short-lived access tokens

6. Third-Party Integrations & Revoking Access

You can disconnect third-party integrations at any time:

  • Google Calendar: Disconnect from your Botfy dashboard (Settings → Integrations) or revoke access directly at myaccount.google.com/permissions. Upon disconnection, we delete your stored OAuth tokens.
  • Telegram / WhatsApp: Remove the bot configuration from your dashboard. Conversation history is retained for your records but can be deleted upon request.

7. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete all associated data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records).

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Withdraw consent for optional data processing

To exercise any of these rights, contact us at the address below.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top reflects the most recent revision.

10. Contact

For privacy-related questions or data requests, contact us at:

Email: privacy@botfy.io