Privacy Statement

Last updated: 2024-11-13

At Botpress, we value privacy. That is why we have established and implemented policies and practices governing personal data.  

This statement describes how Botpress Inc. and its relevant affiliates, including Botpress Technologies, Inc. ("Botpress" or "us" or "we"), collect, use, share, store and otherwise process personal data about users of the Botpress Service (the "Service") and personal data processed through our website, which presents our products and services (the “Website”).

Depending on the context, the use of the second person ("you" or "your") refers to a Customer, User, Visitor and/or End-User.     

In this Privacy Statement:

  • “Conversation Data” means content inputted by an End-User into a Customer Bot in a production environment and data generated by the Customer Bot in a conversation with an End-User.
  • “Customer” means the person or business who purchased a subscription to the Service or is using the free version of the Service.
  • “Customer Bot” means a program designed to automate interactions with End-Users of a service or website, including any configuration data or other associated data that is developed using Botpress software compatible with the Service by Customers, by Users on behalf of a Customer or by Botpress for the benefit of the Customer and that is hosted through the Service.
  • “End-User” means an individual interacting with a Customer Bot hosted through our Services.
  • “Personal data” refers to any information that identifies or could be reasonably associated with an individual.
  • “Visitor” means an individual browsing our Website.
  • “Usage Data” means data about the Users’ use of the Service, which may contain personal data where identifying individual users is necessary but excluding any Conversation Data. Usage Data may include personal data about the employees and contractors of the Customer but not about End-Users interacting with Customer Bots.
  • “User” means an individual using the Service on behalf of the Customer, such as an employee of the Customer.

The contact details of the person responsible for data processing are the following: [email protected]

1. What Personal Data is Collected Through The Service

  • End-Users  

We collect analytics data, which includes:

  • The operating system and language of a device
  • The IP address from which a device accesses the Service
  • The country, state, city and postal code where the device is located
  • Navigation data, such as pages viewed, number of connections to the Service, duration of a session, and date of connections to the Service.

We collect this data when an End-User interacts with a Customer Bot for the sole purpose of providing the Service to our Customers. This data is not personally linked to a specific End-User and is transmitted to us in aggregate form.  

We process personal data about End-Users on behalf of our Customers pursuant to their instructions.

We do not use Conversation Data or other End-User personal data for any other purpose, which includes analytics and algorithms and model improvements or training.

  • Users and Customers

We collect the following personal data:

  • Full name, email and password
  • Content of communications transmitted to us by Users, which could contain personal data  
  • Content updated to the Customer Bot, which could contain personal data, including:
    • Text response
    • Images
    • Prompts
    • Knowledge bases
    • Training utterances
    • Documents
    • Websites
  • Analytics data which may include:
    • The operating system and language of a device
    • The IP address from which a device accesses the Service
    • The country, state, city and postal code where the device is located
    • Navigation data, such as pages viewed, number of connections to the Service, duration of a session, and date of connections to the Service.
  • We use the content updated to the Customer Bot for the sole purpose of providing the Service to our Customers.  
  • We do not use this content for any other purpose, including to perform analytics and model improvements, create algorithms or for training purposes.

2. What Personal Data is Collected Through The Website

  • Visitors

When a Visitor fills out a form on our Website, we collect the following personal data:

  • Full name
  • Phone number
  • Email address
  • Employment information (title, employer)
  • Any other information that Visitors voluntarily communicate to us  

When a Visitor browses our Website, we automatically collect the following analytics data, with the use of tools such as Google Analytics:

  • The operating system and language of a device
  • The IP address from which a device accesses the Website
  • The country, state, city and postal code where the device is located
  • Navigation data, such as pages viewed, number of connections to the Website, duration of a session, date of connections to the Website, page from which the Website is accessed
  • Gender
  • Age
  • Interests

This information is recorded each time a Visitor interacts with the Website. This data is not personally linked to a specific Visitor and is transmitted to us in aggregate form.  

Google Analytics may be deactivated on a browser through an add-on available at this address: https://tools.google.com/dlpage/gaoptout.  

3. Why We Process Personal Data

We process the personal data collected through the use of the Service or the Website for the following purposes:

  • Operation of the Service, Customer Service and Technical Support
    • We process the personal data collected through the Service to provide services to our Customers, including customer service and technical support, in accordance with their instructions. Conversation Data is processed only for this purpose.  
    • As part of the Service, we will process the personal data of Users and Visitors to respond to their requests, including requests for assistance, payment processing, etc.
  • Communication with Users, Customers and Visitors

We process personal data about Users and Customers to communicate with them about their use of the Service or the Website. We may also send marketing communications about us, our products and promotions, but only if Customers and Users have agreed to receive marketing communications from us. We comply with all applicable regulations regarding unsolicited electronic messages. If you no longer wish to receive electronic communications from us, you may unsubscribe at any time by writing to us at [email protected]

If a Visitor has provided personal data, we use it for communication purposes.  

  • Identification and Authentication of Users and Customers

To render the Service, we process personal data to identify and authenticate Users and Customers.

  • Product Improvement

We process aggregated Usage Data to improve our products and services, identify trends in product use and develop new products and offerings.  

We also use browser cookies and other tracking technologies to improve our Website.

  • Personalization of our Service and Website

We process the data collected through the Website to offer Visitors content that corresponds to their situation or interests. For example, the home page of the Website may be displayed according to language preferences, and the products and services displayed may be different depending on geographic location.

We may also use personal data to customize our Customers' and Users' experience of the Service.

  • Maintenance and Security

We process the data collected through the Website and the Service and data from analytics tools to monitor Users' and Customers' use of the Website and the Service, to prevent misuse of the Website or the Service, to identify problems or bugs with the Website or the Service, and to determine what features need to be improved.  

We may use data collected automatically to ensure the security of the Website, the Service and our computer systems (e.g. to prevent misuse or to deter, monitor and prevent fraud).

  • Personalized Marketing and Retargeting

We process the data collected through the Website to provide marketing materials, and customize our Website and advertising campaigns based on data collected, such as a subscription to our newsletter, interest in our products and services and clickthrough data, including the pages visited or the products viewed on the Website. This data allows us to target audiences to partners offering advertising services.  

We use browser cookies and other tracking technologies to personalize Visitors’ experience on the Website and deliver advertisements to targeted audiences (based on Website traffic only).  

Data collected through the Service, including Conversation Data, is not used for this purpose.

  • Comply with legal obligations

Where applicable, we process personal data to comply with laws and regulations that apply to our activities, including for dispute resolution, responding to lawful requests and cooperating with government entities or courts.

4. How We Store and Transfer Personal Data

We retain your personal data only as long as it's necessary for the intended processing purposes or, as the case may be, until you or our Customer request that we destroy it. The retention duration is determined by the reasons for collecting personal data and using the information and/or as mandated by relevant laws.

Botpress has operations in multiple countries. Some data relating to the use of the Service and the Website, email automation, support requests and payments are processed by our service providers through facilities that may be located in other jurisdictions. Therefore, your personal data may be accessed or transferred outside your country of residence.  

Personal data about End-Users collected through the Service (such as Conversation Data) is stored electronically by our service providers on servers located in the United States or other locations determined by the relevant Customer.

We ensure that the transfer of such Personal Data is made in a secure manner, with appropriate safeguards concerning the nature of the personal data being transferred.

In case of transfers of personal data outside the European Economic Area, the United Kingdom or Switzerland, we rely on appropriate transfer mechanisms and are compliant with the EU-US, UK-US and/or Swiss-US Data Privacy Framework self-certification program operated by the US Department of Commerce. Please refer to the “Information for individuals in the European Economic Area (“EEA”), the United Kingdom (“UK”) and Switzerland” section for more information.

Data generated from Google Analytics is stored on servers controlled by Google.  

5. How We Protect Personal Data

Botpress has put in place organizational, physical and technical measures to secure the personal data entrusted to us, which you can find in Schedule 2 of our Data Processing Agreement. You can also ask for a complete description of the security measures in effect to protect personal data at any time by writing to us at [email protected]

Your personal data is hosted on servers operated by our service providers and is protected against unauthorized access or use by security measures proportionate to the sensitivity of the data. Any financial data is subject to additional security measures that comply with the standards established by payment card networks.

Our employees and suppliers are informed of the confidential nature of personal data collected through the Website and the Service. They are made aware of the appropriate security measures to prevent unauthorized access to personal data through an enterprise-wide cybersecurity policy and training.

6. How We Share Personal Data

We only share personal data in the manner described in this statement. Your personal data may be disclosed to the categories of recipients below for the following purposes:

  • Botpress Employees

Personal data is accessible to our officers and employees, who must have access to it as part of their duties. Each employee is bound by a confidentiality agreement.  

  • Customers

We share personal data collected through the Service about End-Users with our Customer controlling the Customer Bot with which the End-User interacts. The Customer is the controller with respect to such personal data.

  • Service Providers

We share personal data with service providers that allow us to provide our services more efficiently. We only share personal data with service providers that agree in writing to keep personal data confidential and which implement security and personal data protection measures comparable to our own.

A list of our service providers processing personal data is available in Schedule 1 of this statement.

  • Affiliates

We may share your personal data with the Botpress family for the purposes outlined in this statement.  

  • Other Third Parties  
    • If required by law: We may also disclose personal data to third parties if expressly permitted or required to do so by law or if we are compelled to do so by a competent authority. We may disclose personal data in connection with legal proceedings if necessary to protect our rights or those of our Users or to meet national security or law enforcement requirements.
    • Transfer of business: If the sale or restructuring of all or part of our business is contemplated, we may disclose personal data to the persons or organizations involved before and after the transaction, whether or not the transaction actually takes place. In such a case, these persons or organizations commit to us to maintain the confidentiality of personal data so disclosed and to use the same exclusively to evaluate the feasibility of the transaction and in accordance with this statement if the transaction is completed.

7. What Are Your Privacy Rights Over Personal Data

We may verify the identity of individuals asking to exercise their rights with respect to their personal data. Any information collected to perform this verification will not be used for any other purpose.

  • Data controlled by Customers

When we process your personal data on behalf of our Customers (e.g. if you are an End-User and you interact with a Customer Bot), you must directly contact our Customer to exercise your rights in connection with your personal data. When this situation applies, we will forward your requests to the relevant Customer and will collaborate with the Customer in relation to your request. We are not authorized by our Customers to release information to End-Users. Conversation Data and personal data about Users are typically processed on behalf of our Customers.

  • Withdrawal of Consent

Your browser allows you to withdraw your consent to certain processing of your personal data, in particular by preventing the recording of browser cookies.

If you wish to withdraw your consent to the processing of your personal data beyond what is permitted by the Website or your browser, please notify us by writing to us at [email protected]. Using the Website or the Service entails some processing of your personal data. The only way to stop all processing of your personal data is to stop using the Website and the Service.

  • Right of Access, Rectification and Portability

Subject to what is stated in the “Data controlled by Customers” section, if you would like to access personal data we hold about you or have inaccurate personal data modified in our files, you may make a request at [email protected]. We will respond to your request promptly and no later than required under applicable law. If required by law, we will provide personal data in a structured, commonly used and machine-readable format.

  • Right to Deletion

Subject to what is stated in the “Data controlled by Customers” section, you may, in certain circumstances, request the deletion of personal data that we hold about you. To make such a request, please write to us at [email protected]. We will respond to your request promptly and no later than required under applicable law. If you continue to use the Website or the Service, we will again collect certain personal data about you.

  • Restriction of Processing

Subject to what is stated in the “Data controlled by Customers” section, End-Users may request the restriction of the processing of their personal data where such processing is unlawful, if End-Users contest the accuracy of such personal data or where deletion of personal data is not permitted under applicable law. You may make a request at [email protected].

  • Right to Limit the Use and Disclosure of Personal Data and/or Opt-In for Sensitive Information Collection

Subject to what is stated in the “Data controlled by Customers” section, you may have the right to limit the use and disclosure of your personal data. Although Botpress currently does not share personal data with third parties, we remain committed to ensuring you can exercise this right should that practice change in the future. Specifically, you will have the option to opt-out whether your personal data is disclosed to a third party or used for a purpose materially different from the purpose(s) for which it was originally collected or subsequently authorized by you. Moreover, for sensitive personal data processing, Botpress must always obtain your affirmative express consent (opt-in) before such information is disclosed to a third party or used for a purpose other than those originally stated or subsequently authorized by you. You may make a request at [email protected].

  • Complaint

If you wish to lodge a complaint in relation to the processing of your personal data by Botpress, you may do so by writing to [email protected]. You may also lodge a complaint about our processing of personal data to the supervisory authority of your place of residence. If you are an EU, UK or Switzerland resident and you wish to make a complaint in relation to the transfer of your personal data outside of these regions, please refer to the “Information for individuals in the European Economic Area (“EEA”), the United Kingdom (“UK”) and Switzerland” section for more information. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Botpress commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received, in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

8. How we use cookies and other tracking technologies

We use browser cookies and other tracking technologies to:

  • Improve the performance of the Website
  • Personalize Visitors’ experience on the Website
  • Deliver advertisements to targeted audiences (based on Website traffic only).  

Visitors can control the storage of browser cookies from their browser. Cookies and trackers that are not strictly necessary for the website's operation will not be used without the Visitor’s consent. Some tracking technologies are provided by our suppliers, which may be able to combine some of the data collected through the Website with other data they hold about Visitors.

If you want to understand how we use Google Analytics, refer to the “What Personal Data is Collected Through The Website” section.

9. Minors

Botpress Service and Website do not knowingly collect personal data from children under the age of 16, as the Service and Website do not target children. Children under 16 years of age should not use our Service or Website or provide Botpress with any personal data without the consent of a parent or legal guardian. Should we become aware of the collection of personal data from a minor under 16 years of age, we may promptly remove this information without prior notice. If you suspect such an incident, please contact [email protected]  

10. Information for individuals in the European Economic Area (“EEA”), the United Kingdom (“UK”) and Switzerland

Botpress adheres to GDPR and is part of an EU Data Protection Representative Program. We will process personal data based on the following legal bases:

  • With your consent, where applicable
  • To fulfill our obligations under our agreements with Customers and Users
  • Where it is necessary, based on our legitimate interests, to:
    • render the Service
    • manage our relationship with you
    • operate our Website
    • provide support to Customers, Users, End-Users and Visitors
    • improve our products based on aggregated data  
    • detect, prevent, or investigate misuse, fraud, security incidents or other illegal activities about the Service or use of the Website
  • To comply with our legal or regulatory obligations

Your personal data might undergo processing, transfer, or disclosure in the United States and other countries where our affiliates and service providers operate or have servers. We ensure that the recipient of your personal data maintains an adequate level of protection. This is achieved through arrangements such as back-to-back agreements with standard contractual clauses or other approved transfer mechanisms, as sanctioned by the European Commission or the relevant data protection authority.

If you are a Customer, we strongly advise initiating a Data Processing Agreement (DPA) with us. You can find our DPA by clicking here or visiting our legal portal. This document constitutes a formal agreement that acknowledges Botpress’ GDPR compliance and assists you in upholding GDPR standards in your utilization of Botpress as a data processor. A signed copy of our DPA can be obtained by contacting [email protected]

Botpress is committed to implementing appropriate technical and organizational measures to ensure the security and confidentiality of your personal data. This includes protecting data against unauthorized or unlawful processing, accidental loss, destruction, or damage.  

Botpress has appointed a Data Protection Officer (DPO) who is responsible for ensuring compliance with data protection laws and regulations, including GDPR. You may reach out to the DPO by email at [email protected]

VeraSafe has been appointed as Botpress’ representative in the European Union for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union. If you are in the European Economic Area, VeraSafe can be contacted in addition to Botpress’ DPO, only on matters related to the processing of personal data. To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +420 228 881 031.

Alternatively, VeraSafe can be contacted at:

VeraSafe Netherlands BV
Keizersgracht 555
1017 DR Amsterdam
Netherlands

For any additional information with respect to our processing of personal data, you may contact us at [email protected].

EU-US, UK-US, Swiss-US Data Privacy Framework  

In alignment with our commitment to upholding robust data protection measures when transferring personal data from the EEA or UK to the United States, we actively engage in the EU-US Data Privacy Framework ("EU Framework"), the UK Extension to the EU Framework ("UK-US Framework") and the Swiss-US Data Privacy Framework ("Swiss-US Framework") (collectively the "Frameworks"). The following US-based entity is fully compliant with the Frameworks:

  • Botpress Inc, 131 Continental Dr, Suite 305, Newark, DE 19713 United States

Botpress Inc. adheres fully to the Frameworks. Botpress is certified by the US Department of Commerce in relation to the processing of personal data received from the EEA, UK and Switzerland. We are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) for the purposes of the Frameworks.

In cases of any discrepancies between the terms stated in this statement and the Frameworks, the Frameworks shall take precedence. For more information about the Frameworks and to access our certification details, please visit https://www.dataprivacyframework.gov/.  

Complaints

Botpress commits to addressing complaints regarding the protection and processing of your personal data that is transferred to the United States under the Frameworks. If you are an individual from the EEA, UK or Switzerland with inquiries or complaints related to the Frameworks, please contact [email protected]. We will thoroughly investigate and seek resolutions for any complaints or disputes concerning the processing of personal data within 45 days of receiving your complaint.

Should your complaint remain unresolved through these channels, there exists the option, under specific conditions, to invoke binding arbitration for certain remaining claims that haven't been addressed by alternative redress mechanisms. Further details can be found at: https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2.

If a privacy complaint or dispute relating to personal data received by Botpress in reliance on the Frameworks cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you.  

To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/

If a complaint or dispute cannot be resolved through this process, we have also agreed to cooperate with the EU and UK data protection authorities and the Swiss Federal Data Protection and Information Commissioner and to participate in the dispute resolution procedures of the panel established by such data protection authorities.

Onward Transfers

With regard to accountability for onward transfers, Botpress acknowledges its duty regarding the processing of personal data received and subsequently transmitted to our service providers. We maintain accountability according to the Frameworks if a service provider handles personal data covered by this statement in a manner inconsistent with the Frameworks. This remains true unless Botpress can demonstrate that we are not responsible for the incident that led to the damages.

11. Modifications

We may modify this Privacy Statement from time to time to reflect changes in our personal data processing practices or any requirement under applicable law. If a modification is made, the new statement will be available through the Service and on this Website.

The statement posted via this website shall be deemed to be the statement then in effect and the date at the top of the statement will be updated to reflect the date of effectiveness. We recommend that you check this website from time to time to inform yourself of any changes in this statement.

12. Additional Information

Schedule 1 - List of Service Providers (Subprocessors)

Data collected through the Website

Google LLC  

  • We use Google Analytics services on the Website and on our software platform.
  • Google Analytics provides information about the behaviour of Website visitors, including through the use of cookies which allow Google to collect information about certain events on the Website such as the pages you visit, the length of a session or the products you view;
  • Data collected by Google is used in compliance with Google’s privacy policy.
  • Botpress does not use data obtained through the Workspace API to develop, improve, or train generalized AI and/or ML models.

Facebook Inc.

  • We use a “Facebook Pixel” on the Website.
  • Our Facebook Pixel allows Facebook to collect some information about events on the Website, such as pages visited or products viewed.
  • Sharing data with Facebook allows the customization of our advertising campaigns on Facebook.
  • Data collected by Facebook is used in conformity with Facebook’s Data Privacy Policy.

LinkedIn Corporation

  • The LinkedIn tags collect some information about events on the Website, such as pages visited or products viewed.
  • Sharing data with LinkedIn allows the customization of our advertising campaigns on LinkedIn.
  • Data collected by LinkedIn is used in conformity with LinkedIn’s Data Privacy Policy.

Hubspot

  • We use Hubspot services in connection with the Website.
  • Hubspot processes information about website traffic and visitors’ profiles for marketing purposes.

Hotjar  

  • We use Hotjar services on the Website.
  • Hotjar provides information about the behaviour of Website visitors.

Salesforce

  • Data gathered from the Website is processed through Salesforce software services for marketing purposes.

Mixpanel

  • Mixpanel is used to collect product and Website usage analytics, which is used to improve the service.

Intercom

  • Intercom is used to provide live support to visitors of the service and the Website.

Data collected through the Service

Amazon Web Services

  • AWS hosts our cloud services and all Customer Data.
  • AWS processes analytics information about usage of the Botpress cloud services.

Google Analytics

  • Google Analytics processes analytics information about usage of Botpress cloud services.  

Freshdesk

  • Freshdesk provides help desk services.  
  • Freshdesk processes all data provided by users for technical support purposes.

Hotjar

  • We use Hotjar services on the service.
  • Hotjar provides information about the behaviour of service visitors.

OpenAI

  • OpenAI is used to process user text inputs to generate text responses.

Microsoft Azure

  • Azure is used to find information on websites and to help generate text responses.

Mixpanel

  • Mixpanel is used to collect product and Website usage analytics, which is used to improve the service.

Intercom

  • Intercom is used to provide live support to visitors of the service and the Website.