Introduction

This GDPR Policy explains how BotSailor complies with the General Data Protection Regulation (EU) 2016/679 (GDPR) and similar data protection laws in the European Economic Area (EEA), the United Kingdom (UK GDPR), and Switzerland.

This page is supplementary to our main Privacy Policy and should be read together with it. Where there is any conflict, the Privacy Policy prevails for overall data handling, while this page focuses specifically on GDPR concepts, roles, and your rights under EU/UK data protection law.

Scope of This GDPR Policy

This GDPR Policy applies when:

  • You are located in the EEA, UK, or Switzerland, and
  • You use BotSailor as a customer, trial user, or website visitor, or
  • Your personal data is processed by us because one of our customers has added you as a contact, subscriber, or chatbot user through our platform.

This policy explains:

  • Our roles as Data Controller and Data Processor
  • The legal bases we rely on
  • How we support you in fulfilling data subject rights
  • How we handle international data transfers, security, and data retention
  • How you can exercise your GDPR rights

Key GDPR Definitions (Plain Language)

To keep things clear:

Personal Data : Any information that can directly or indirectly identify a living person (e.g., name, email, phone number, IP address, chat messages, customer IDs).

Data Subject : The individual whose personal data is being processed (for example, your customer, subscriber, or website visitor).

Data Controller : The organization that decides why and how personal data is processed.

Data Processor : The organization that processes personal data on behalf of a Controller, following its documented instructions.

Processing : Any operation on personal data: collecting, storing, viewing, using, analyzing, sharing, or deleting.

Our Role: Data Controller vs Data Processor

When BotSailor is the Data Controller

We act as a Data Controller for personal data we collect about:

  • Your BotSailor account and profile (e.g., your name, email, login data)
  • Billing and subscription data
  • Usage analytics and product improvement
  • Marketing communications (when you opt in)
  • Support tickets and communications with our team

In these cases, we decide the purposes and means of processing and are responsible for ensuring a lawful basis under GDPR.

When BotSailor is the Data Processor

We act as a Data Processor for data you upload or generate through the platform, including (but not limited to):

  • Your subscribers' and customers' data (e.g., WhatsApp numbers, names, contact details)
  • Chat histories and messages exchanged via WhatsApp, Facebook, Instagram, Telegram, and Website Chat
  • Tags, labels, AI-based scores, segments, and other metadata you configure
  • E-commerce data (e.g., order details, cart events) pulled from Shopify, WooCommerce, or other integrations
  • Custom fields, forms, and automation flows you design

In these cases:

  • You (our customer) are the Data Controller of your subscriber/customer data.
  • BotSailor processes this data only on your documented instructions, as described in our Terms of Service, Privacy Policy, this GDPR Policy, and any signed Data Processing Agreement (DPA).

Data Processing Agreement (DPA)

For GDPR-compliant processing, we offer a Data Processing Agreement (DPA) that includes:

  • Roles and responsibilities (Controller vs Processor)
  • Subprocessor commitments
  • Data security and confidentiality obligations
  • Assistance with data subject requests
  • Incident and breach notification procedures

If you are a business customer and require a signed DPA, please contact us at [email protected] or open a ticket at https://botsailor.com/tickets.

Legal Bases for Processing (GDPR)

When we act as Controller, we rely on one or more of the following legal bases:

Performance of a Contract : To create and manage your BotSailor account, process payments, and deliver the services you have requested.

Consent : For:

  • Marketing communications (newsletters, promotions, updates)
  • Cookies and similar technologies (where required by law)
  • Optional integrations and data sharing you explicitly enable

Legitimate Interests

  • Securing and maintaining the platform
  • Preventing fraud and abuse
  • Improving and personalizing the user experience
  • Conducting analytics to enhance product performance

We ensure these interests do not override your fundamental rights and freedoms.

Legal Obligations

To comply with tax, accounting, regulatory, or law enforcement requirements.

Vital Interests

In rare cases, to protect someone's vital interests (e.g., safety situations).

When we act as Processor, the legal basis is determined by you, the Controller. It is your responsibility to ensure you have a lawful basis (e.g., consent, contract, legitimate interest) for processing your subscribers' data before using BotSailor.

How BotSailor Supports Your GDPR Compliance

We have designed BotSailor to help you meet your own GDPR obligations as a Controller. This includes:

Data Minimization : Only collecting and processing data necessary for providing our services.

Data Portability & Export : Allowing you to export your contact and campaign data (e.g., via CSV or API) so you can respond to data access or portability requests from your customers.

Data Deletion / Right to be Forgotten : Allowing you to delete specific subscribers or entire accounts. When you delete an account, we permanently delete or anonymize the associated personal data after any legally required retention period.

Access Controls & Permissions : Role-based access, secure logins, and session management to help you restrict which team members can view or modify certain data.

Security Measures : Encryption in transit (TLS), encryption at rest where applicable, hardened infrastructure, logging, and monitoring.

Records & Auditability : Internal logging helps us identify and investigate security issues and support compliance reviews.

Data Subject Rights Under GDPR

If you are located in the EEA, UK, or Switzerland, you (or your end users) may have the following rights regarding personal data:

Right of Access : Obtain confirmation of whether we process your personal data and receive a copy.

Right to Rectification : Request correction of inaccurate or incomplete personal data.

Right to Erasure (Right to be Forgotten) : Request deletion of your personal data in certain circumstances (e.g., withdrawal of consent where no other legal basis applies).

Right to Restriction of Processing : Request that we restrict processing in certain situations (e.g., while assessing a dispute about accuracy or legality).

Right to Data Portability : Receive your personal data in a structured, commonly used, machine-readable format and transfer it to another controller where technically feasible.

Right to Object : Object at any time to processing based on our legitimate interests, and object to direct marketing, including profiling related to direct marketing.

Right to Withdraw Consent: If processing is based on consent, you may withdraw that consent at any time (this does not affect processing carried out before withdrawal).

Rights Related to Automated Decision-Making : You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects, unless certain conditions apply.

Important: For data where BotSailor acts as Processor (e.g., your WhatsApp subscriber data), we cannot respond directly to those individuals' rights requests. In such cases, we will refer the request to you (the Controller) or act on your documented instructions.

International Data Transfers

Because we are based in Bangladesh and use global cloud infrastructure, your personal data may be transferred to and processed in countries outside the EEA/UK/Switzerland, including (but not limited to) the United States, EU member states, and other locations where our subprocessors operate.

Where required by GDPR, we implement appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Addendum (for UK data)
  • Adequacy decisions where applicable
  • Technical and organizational measures to protect your data in transit and at rest

By using our services, you acknowledge that your data may be processed in countries with different data protection laws, as described in our Privacy Policy and this GDPR Policy.

Security & Data Breach Notification

We apply industry-standard security measures, including:

  • Encryption (in transit and, where applicable, at rest)
  • Access controls and authentication
  • Regular patching and infrastructure hardening
  • Logging and monitoring of key systems
  • Employee confidentiality and security awareness training

In the event of a personal data breach affecting your data:

  • We will investigate promptly
  • We will notify you without undue delay when required by GDPR
  • Where appropriate, we will also notify relevant supervisory authorities

When BotSailor acts as Processor, we will notify you (the Controller) so that you can fulfill your own notification duties towards data subjects and regulators.

Subprocessors

To deliver our services, we may engage carefully selected third-party service providers (Subprocessors) for:

  • Cloud hosting and infrastructure
  • Payment processing
  • Email delivery and notifications
  • Analytics, logging, and monitoring
  • Messaging channel connectivity (e.g., via WhatsApp/Facebook APIs)

Each subprocessor is bound by data protection and confidentiality obligations, and we enter into appropriate data processing agreements with them.

Automated Decision-Making & AI

BotSailor provides AI-powered features such as:

  • Intent detection
  • Lead or segment scoring
  • Automated responses and routing
  • Spam or low-quality lead filtering (where configured)

These processes are designed to assist businesses in providing better customer experiences and are generally not used to make legal or similarly significant decisions about individuals.

You may:

  • Turn off certain automations
  • Change rules, scoring logic, and conditions
  • Override AI-driven actions by manual settings within your BotSailor account

We do not use personal data from your WhatsApp/Facebook/Instagram subscribers or from Google Workspace APIs to train generalized public AI models.

Your Right to Complain to a Supervisory Authority

If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with your local data protection supervisory authority (for example, in the EEA or UK).

We would, however, appreciate the chance to address your concerns first. Please contact us and we will do our best to resolve any issue.

Updates to This GDPR Policy

We may update this Policy from time to time. When we do, we will notify you of major changes via email or platform notice.

Contact Us

For any questions about this GDPR Policy, our data practices, or to exercise your rights: https://botsailor.com/contact-us