Privacy Policy

Effective Date: March 18, 2026

1. Introduction

Welcome to BotHero.ai ("BotHero," "we," "us," or "our"). We are committed to protecting your privacy and handling your personal information with care and transparency.

BotHero.ai provides a platform that enables small businesses to create and deploy AI-powered Telegram bots for customer engagement, lead capture, and automated support. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, platform, and services.

2. Data Controller

BotHero.ai is the data controller responsible for your personal information. You can contact us at:

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Company name (optional)
  • Password (encrypted and hashed)
  • Account preferences and settings

3.2 Bot Configuration Data

When you create and configure bots, we collect:

  • Bot names, descriptions, and personality settings
  • Telegram bot tokens (encrypted before storage)
  • Knowledge base content you upload
  • Custom prompts and instructions
  • Integration configurations

3.3 Conversation Data

When your bots interact with users on Telegram, we collect and process:

  • Message content (text, voice, images)
  • Telegram user IDs (anonymized)
  • Timestamps and metadata
  • Bot responses and AI-generated content
  • Conversation context and history
  • Detected language code (e.g., 'en', 'pt', 'de') — inferred from message text analysis and the language field in the user's Telegram profile, used solely to route bot responses to the user's language

3.4 Usage and Analytics Data

We automatically collect information about how you use our service:

  • Pages visited and features used
  • Time spent on our platform
  • Click patterns and navigation paths
  • Device information (browser type, OS, screen resolution)
  • IP address — collected for security, fraud prevention, and abuse detection
  • Country of access — derived from your IP address using GeoIP lookup to determine applicable pricing under our Purchasing Power Parity program and to comply with sanctions regulations
  • Message volume and bot performance metrics

3.5 Payment Information

Payment processing is handled by Stripe. We collect:

  • Billing name and address
  • Subscription plan and billing cycle
  • Payment method type (last 4 digits of card)
  • Transaction history and invoices

Note: We do not store full credit card numbers. All payment card data is handled securely by Stripe. As a Merchant of Record, Stripe handles all PCI-DSS compliance on our behalf.

3.6 Location and Language Inference Data

In addition to the data you provide directly, we infer certain information to deliver and improve our services:

Country Inference via GeoIP

  • We perform a server-side GeoIP lookup on your IP address at the time of login and checkout
  • We record only your ISO country code (e.g., "BR", "DE", "US") — not your precise location
  • This country code is used to determine applicable pricing under our Purchasing Power Parity (PPP) program and to verify compliance with international sanctions regulations
  • No cookie is set for this lookup; it is performed entirely server-side using the MaxMind GeoLite2 database

Language Detection

  • We detect language from two sources: the language field in the user's Telegram profile (provided by Telegram) and analysis of message text content
  • The detected language code is stored per conversation and used to route bot responses in the user's preferred language
  • Language metadata is also used in aggregate for analytics and platform improvement
  • Language data follows the same retention schedule as conversation data (90-day default)

Legal Basis

  • Language detection: Contract performance — necessary to deliver bot responses in the user's language as part of the service
  • GeoIP for pricing: Legitimate interests — determining fair pricing based on purchasing power parity, balanced against your privacy rights
  • GeoIP for sanctions compliance: Legal obligation — required to comply with applicable export control and sanctions regulations

4. How We Use Your Information

We use your information for the following purposes:

Service Delivery

  • Process and route messages to your bots
  • Generate AI responses using LLM providers
  • Store conversation history for context and analytics
  • Provide bot management and configuration tools

Service Improvement

  • Analyze usage patterns to improve features
  • Monitor system performance and reliability
  • Debug issues and provide technical support
  • Develop new features based on user needs

Communication

  • Send service-related notifications and updates
  • Respond to support requests and inquiries
  • Provide account and billing information
  • Send product updates and feature announcements (optional)

Security and Compliance

  • Detect and prevent fraud and abuse
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Protect user safety and platform integrity

Geographic Pricing (Purchasing Power Parity)

  • Determine your country of access to apply Purchasing Power Parity (PPP) pricing where available
  • Apply the correct local tax rate (VAT, GST, or other applicable tax) at checkout via Stripe Tax
  • Verify that your country is not subject to applicable international sanctions before processing transactions
  • Maintain records of the applicable pricing tier applied to your account for billing accuracy and audit purposes

6. Data Sharing and Third Parties

We do not sell your personal information. We share data only in the following circumstances:

Service Providers

  • Stripe: Payment processing (Merchant of Record, PCI-DSS compliant)
  • Hetzner: Cloud hosting infrastructure (Germany, EU)

AI and LLM Providers

Message content is sent to our LLM providers to generate bot responses:

  • Cerebras: Primary LLM provider (GPT-OSS-120b model)
  • DeepInfra: Fallback LLM provider

These providers process messages to generate responses but do not use your data to train their models. Data is transmitted via encrypted connections and subject to their privacy policies.

Telegram

Your bots operate on the Telegram platform. Message data is transmitted between Telegram and our services. Telegram's privacy policy governs data on their platform.

Legal Requirements

We may disclose information if required by law, legal process, or government request, or if necessary to protect rights, safety, or security.

Business Transfers

In the event of a merger, acquisition, or asset sale, your information may be transferred. We will provide notice and choices before any transfer.

7. Data Retention

We retain your data for the following periods:

Account Data: Retained until you delete your account, plus 30 days for backup purposes.
Conversation Data: Default retention is 90 days. You can configure custom retention periods (7-365 days) based on your subscription tier.
Analytics and Logs: Aggregated analytics retained for 12 months. Server logs retained for 90 days.
Billing Records: Retained for 7 years to comply with tax and accounting regulations.
GeoIP Country Code: Retained with your account data and deleted upon account deletion. Not retained separately after account closure.
Conversation Language Metadata: Follows the same retention schedule as conversation data — 90 days by default, or your configured retention period (7–365 days). Deleted when the associated conversation data is deleted.
Deleted Data: Permanently deleted within 30 days of retention period expiration, except where legally required to retain longer.

8. Your Rights (GDPR)

If you are in the EEA, UK, or Switzerland, you have the following rights:

Right to Access

Request a copy of the personal data we hold about you. We will provide this in a structured, commonly used format within 30 days.

Right to Rectification

Request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.

Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data. We will comply unless we have a legitimate reason to retain it (e.g., legal obligations, pending disputes).

Right to Data Portability

Export your data in JSON format, including account details, bot configurations, and conversation history (where applicable).

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds.

Right to Restrict Processing

Request limitation of processing in certain circumstances (e.g., while we verify data accuracy).

Right to Withdraw Consent

Withdraw consent for processing based on consent at any time. This does not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

File a complaint with your local data protection authority if you believe we have violated your privacy rights.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. California Privacy Rights (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions.
  • Right to Opt-Out: We do not sell personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

BotHero.ai does not currently maintain a physical presence in California. To submit CCPA requests, contact [email protected] with the subject line "CCPA Request" and include your name and the email address associated with your account. We will verify your identity and respond within 45 days, with one 45-day extension where reasonably necessary.

10. Brazilian Privacy Rights (LGPD)

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018) grants you the following rights with respect to your personal data:

Your Rights Under LGPD

  • Right to Confirmation: Confirm whether we process your personal data
  • Right to Access: Obtain a copy of your personal data we hold
  • Right to Correction: Correct incomplete, inaccurate, or outdated personal data
  • Right to Anonymization, Blocking, or Deletion: Request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD
  • Right to Portability: Receive your personal data in a structured format to transfer to another service provider
  • Right to Deletion: Request deletion of personal data processed with your consent
  • Right to Information on Sharing: Obtain information about the public and private entities with which we share your data
  • Right to Consent Revocation: Revoke consent for processing activities based on consent at any time
  • Right to Review of Automated Decisions: Request human review of decisions made solely through automated processing that affect your interests

Legal Bases Under LGPD Article 7

We process your personal data under the following legal bases as defined by LGPD Article 7:

  • Consent (Art. 7, I): For optional features and marketing communications
  • Contract performance (Art. 7, V): For account management, bot operation, and service delivery
  • Legitimate interests (Art. 7, IX): For security, fraud prevention, and service improvement
  • Compliance with legal obligation (Art. 7, II): For tax records, sanctions screening, and regulatory compliance

International Data Transfers (LGPD Article 33)

When we transfer your personal data outside Brazil, we ensure adequate protection through contractual clauses and data processing agreements that provide protection equivalent to that required under the LGPD, in accordance with Article 33 and guidance from the Autoridade Nacional de Proteção de Dados (ANPD).

How to Exercise Your LGPD Rights

To exercise any of your LGPD rights, contact us at [email protected]. We will respond within 15 days as required by LGPD. We may verify your identity before processing your request.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience. See our Cookie Policy for detailed information.

Types of cookies we use:

  • Essential Cookies: Required for authentication and core functionality (cannot be disabled).
  • Analytics Cookies: Help us understand usage patterns and improve our service (can be disabled).
  • Preference Cookies: Remember your settings and preferences (can be disabled).

You can control cookies through your browser settings or our cookie preference center.

12. International Data Transfers

BotHero.ai operates globally. Your information may be transferred to and processed in countries other than your country of residence, including the United States and the European Union.

When we transfer data outside the EEA, UK, or Switzerland, we ensure adequate protection through:

EEA, UK, and Switzerland

When we transfer personal data from the EEA, UK, or Switzerland to third countries (including the United States where some of our sub-processors are located), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (EU Commission Implementing Decision 2021/914) and equivalent mechanisms adopted under UK GDPR and Swiss law.

Brazil (LGPD Article 33)

Transfers of personal data from Brazil to other countries are made in accordance with LGPD Article 33. We ensure that recipient countries or organizations provide a degree of protection equivalent to that provided by the LGPD, through contractual clauses and data processing agreements reviewed for compliance with ANPD guidance.

Canada (PIPEDA)

For users in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. Transfers of personal data outside Canada are subject to contractual protections requiring recipient organizations to provide comparable levels of protection.

Sanctioned Jurisdictions

We do not process personal data in or on behalf of individuals located in jurisdictions subject to comprehensive U.S. sanctions (OFAC), EU restrictive measures, UN Security Council sanctions, or UK financial sanctions. This includes but is not limited to Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine. We use GeoIP screening to prevent account creation from sanctioned jurisdictions.

13. Children's Privacy

BotHero.ai is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16.

If you believe we have inadvertently collected information from a child under 16, please contact us immediately at [email protected], and we will promptly delete such information.

14. Data Security

We implement industry-standard security measures to protect your data:

Encryption: All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256.
Access Controls: Role-based access controls (RBAC) limit who can access your data. Multi-factor authentication (MFA) is available for all accounts.
Token Security: Telegram bot tokens are encrypted before storage using application-level encryption with key rotation.
Infrastructure: Hosted on SOC 2 Type II certified infrastructure with regular security audits and penetration testing.
Monitoring: 24/7 security monitoring and automated threat detection.
Backups: Daily encrypted backups with 30-day retention stored in geographically diverse locations.

While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your data.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes, we will:

  • Update the "Effective Date" at the top of this policy
  • Notify you via email (to your registered email address)
  • Display a prominent notice on our website for 30 days
  • For significant changes affecting your rights, request your consent where required by law

Your continued use of BotHero.ai after changes become effective constitutes acceptance of the updated Privacy Policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email:
General inquiries: [email protected]
Privacy-specific: [email protected]
Mailing Address:
BotHero.ai
(Address TBD)
Data Protection Officer:

We aim to respond to all privacy-related inquiries within 30 days.

This Privacy Policy was last updated on March 18, 2026.
Thank you for trusting BotHero.ai with your data.
