1. Introduction
PopABot ("we", "our", "us") is committed to protecting the privacy of its users ("you", "your"). This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our chatbot management platform, and when your website visitors ("end-users") interact with chatbots powered by PopABot.
By using PopABot, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the service.
2. Data Controller and Data Processor
When you use PopABot: PopABot acts as the data controller for your account information, billing data, and usage analytics.
When your end-users interact with your chatbot: You are the data controller for end-user data collected through your chatbot (names, emails, phone numbers, conversation content, appointment details, uploaded files). PopABot acts as a data processor on your behalf, processing this data solely to provide the service.
You are responsible for ensuring that your use of PopABot complies with all applicable data protection laws in your jurisdiction, including obtaining any necessary consents from your end-users before collecting their personal data through your chatbot.
3. Data We Collect
Account information: name, email address, password (hashed via bcrypt), preferred language, profile settings.
Billing data: processed securely by Stripe. We never store your credit card numbers, bank account details, or full payment credentials on our servers.
Chatbot data: chatbot configurations, datasets, knowledge bases, flow builder settings, conversation histories between your chatbots and your website visitors.
End-user data (processed on your behalf): visitor names, email addresses, phone numbers, messages, uploaded files, appointment booking details, and any custom form data collected through your chatbot.
Calendar data: when you connect Google Calendar, we access calendar event data (event times, availability, attendee information) to provide appointment booking functionality. We store calendar connection credentials (encrypted OAuth tokens) and appointment records.
Google Sheets data: when you connect Google Sheets, we access your spreadsheets to create new sheets and append captured lead data (names, emails, phone numbers, form responses, conversation context). We store connection credentials (encrypted OAuth tokens) and sheet configuration details (spreadsheet IDs, column mappings).
Usage data: pages visited, actions performed, IP address, browser type, device information, access times, and referring URLs.
Cookies: we use essential cookies for authentication and language preferences. We do not use advertising or third-party tracking cookies.
4. Lawful Basis for Processing
We process personal data on the following legal bases under the GDPR:
- Contractual necessity (Art. 6(1)(b)): to provide and maintain the PopABot service, manage your account, and process payments.
- Legitimate interest (Art. 6(1)(f)): to improve our products, ensure platform security, prevent fraud, and send service-related communications.
- Legal obligation (Art. 6(1)(c)): to comply with applicable tax, accounting, and regulatory requirements.
- Consent (Art. 6(1)(a)): where required, such as for optional marketing communications. You may withdraw consent at any time.
5. How We Use Your Data
Your data is used to:
- Provide, operate, and maintain the PopABot service.
- Manage your account, subscription, and billing.
- Process AI-powered chatbot conversations via third-party AI providers.
- Send service-related notifications (transactional emails, SMS alerts, appointment confirmations).
- Provide appointment booking and calendar integration functionality.
- Export captured lead data to Google Sheets as configured by you.
- Improve our products and user experience.
- Ensure platform security and prevent abuse.
- Comply with legal obligations.
6. Data Sharing and Sub-Processors
We never sell your personal data. We share data with the following third-party sub-processors solely to provide the service:
- OpenAI: conversation messages are sent to OpenAI's API for AI-powered responses. Messages are transmitted without your account credentials. OpenAI's data usage policies apply.
- Stripe: payment and billing data for subscription management.
- Google (Google Calendar API): calendar availability, event creation, and attendee information for appointment booking. See Section 7 for details.
- Google (Google Sheets API, Google Drive API): spreadsheet creation and lead data export. See Section 7 for details.
- Cloudflare (R2 Storage): file uploads submitted through chatbot forms.
- MongoDB Atlas: database hosting for all application data.
- Hosting provider: infrastructure and server hosting.
- Email service provider: transactional email delivery (appointment confirmations, notifications, password resets).
We may also disclose data if required by law, court order, or governmental authority, or to protect our rights, safety, or property.
7. Google API Services User Data Policy
PopABot's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Google Calendar integration:
- We only access Google Calendar data necessary to provide appointment booking functionality (checking availability, creating/updating/deleting calendar events).
- We store appointment records (event times, attendee names/emails) as part of the booking feature.
- Calendar data is retained for 12 months after the appointment date, then automatically deleted.
Google Sheets integration:
- We use Google Sheets and Google Drive file access only as needed to create spreadsheets for you or work with spreadsheets that you explicitly select in the app.
- When you choose an existing spreadsheet, we use the Google Picker so you can select the specific file you want to share with PopABot for lead export.
- We store spreadsheet IDs and column mapping configurations to route lead data to the correct sheet and columns. We do not store copies of your spreadsheet contents.
Limited Use disclosure:
PopABot's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google user data to provide and improve user-facing features that are prominent in the PopABot application (appointment booking and lead data export).
- We do not transfer Google user data to any third party, except as necessary to provide the PopABot service, with your explicit consent, for security purposes, or to comply with applicable laws.
- We do not use Google user data for advertising, retargeting, market research, data brokering, credit assessment, or any purpose unrelated to providing the PopABot service.
- We do not sell or transfer Google user data to advertising platforms, data brokers, or information resellers.
- We do not use Google user data to train generalized or non-personalized artificial intelligence or machine learning models. Google-sourced data (calendar events, spreadsheet information) is never sent to AI services such as OpenAI.
- No PopABot employee or contractor reads your Google user data, unless (a) you give affirmative consent to view specific data for a support request, (b) it is necessary to investigate a security incident or abuse, (c) it is required to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations in accordance with applicable privacy laws.
Applicable to all Google integrations:
- We store encrypted OAuth tokens (AES-256-GCM) to maintain your Google connections. These tokens are never shared with third parties.
- You can revoke PopABot's access to your Google account at any time from your PopABot account settings or from your Google Account permissions.
- When you disconnect a Google integration or delete your PopABot account, we delete your stored OAuth tokens and associated Google connection data within 30 days. Appointment records previously created remain subject to the retention period stated above.
8. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our sub-processors operate. When we transfer personal data from the European Economic Area (EEA), UK, or Switzerland, we ensure adequate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions where applicable.
- Sub-processor compliance with equivalent data protection standards.
9. Data Retention
- Account data: retained while your account is active. Upon account deletion, personal data is deleted within 30 days, except where retention is required by law (e.g., billing records for tax purposes, retained for up to 7 years).
- Conversation histories: retained according to your subscription plan limits. You can delete conversations at any time from your dashboard.
- Appointment records: retained for 12 months after the appointment date, then automatically deleted.
- Uploaded files: retained while the associated chatbot and account are active. Deleted within 30 days of account deletion.
- Usage logs: retained for up to 90 days for security and debugging purposes.
10. Data Security
We implement industry-standard security measures, including:
- Password hashing using bcrypt with salting.
- All communications encrypted via HTTPS/TLS.
- JWT-based authentication with secure token handling.
- OAuth tokens encrypted at rest.
- Restricted access to production data on a need-to-know basis.
- Input validation and sanitization to prevent injection attacks.
While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
11. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by the GDPR. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
12. Automated Decision-Making
PopABot uses artificial intelligence to generate chatbot responses based on your configuration and datasets. These AI-generated responses are automated but do not constitute automated decision-making with legal or similarly significant effects on individuals under GDPR Article 22. The AI assists conversations; it does not make binding decisions on behalf of you or your end-users.
13. Children's Privacy
PopABot is not intended for use by individuals under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.
14. Your Rights
Under the GDPR and other applicable data protection laws, you have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate personal data.
- Erasure: request deletion of your personal data ("right to be forgotten").
- Portability: request your data in a structured, machine-readable format.
- Restriction: request limitation of processing in certain circumstances.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection supervisory authority. In France, this is the CNIL (Commission Nationale de l'Informatique et des Libertés).
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through a notification on the platform at least 14 days before they take effect. Your continued use of the service after the changes take effect constitutes acceptance of the updated policy.
16. Contact
For any questions regarding this Privacy Policy or to exercise your data protection rights, contact us at:
PopABot
Email: [email protected]
Last updated: March 25, 2026