Legal
Privacy Policy
Last updated: 16 May 2026
1. Who we are
This Privacy Policy explains how BopyAI (“BopyAI”, “we”, “us”, “our”) collects, uses, shares and protects personal data when you visit bopyai.com, use our dashboard, embed our chat widget on your website, or interact with a chat widget powered by BopyAI on another website.
For any privacy question or request, contact us at info@bopyai.com. We do not currently have a statutory obligation to appoint a Data Protection Officer, but this address reaches the person responsible for privacy at BopyAI.
2. Scope
This policy applies to:
- The public website at bopyai.com and subdomains.
- The signed-in Dashboard used by customers.
- The embeddable JavaScript Widget and related APIs.
- Transactional emails (sign-up, billing, alerts, lead notifications).
It does not cover third-party websites that embed our Widget. Those websites act as independent controllers for any data they collect outside the chat conversation.
3. Our roles under GDPR
Under the EU General Data Protection Regulation (GDPR), we act in two distinct roles:
Controller
We act as data controller for personal data relating to:
- Website visitors to bopyai.com
- Account holders (customers)
- Billing and administrative contacts
We determine the purposes and means of processing this data.
Processor
We act as data processor for personal data processed within chat conversations between our customers’ end users and AI bots operated by those customers.
In this case:
- The customer is the controller.
- We process data strictly on documented instructions.
- We do not act as a joint controller with our customers.
A Data Processing Agreement (DPA) is available on request and is automatically incorporated into all paid subscriptions, including Standard Contractual Clauses where applicable.
4. Data we collect
We only collect data necessary to operate and improve the Service.
Account & profile data
- Email address, name, hashed password.
- Authentication tokens and login identifiers.
- Login timestamps, IP address, and user agent.
Billing data
- Subscription plan and billing status.
- Billing email and address.
- Invoice history.
- Last 4 digits and card brand (via Stripe only).
Full payment card details are processed exclusively by Stripe and never reach our systems.
Bot configuration & knowledge base
- Uploaded files, text, URLs, FAQs, instructions, personas, and behavior rules.
- Customers are responsible for ensuring lawful input data.
Chat data (end users)
- Messages between end users and bots.
- AI-generated responses.
- Timestamps and conversation context.
- Pseudonymous visitor ID stored in browser.
- IP address (truncated where possible), user agent, and page URL.
- Voluntary lead data (name, email, phone).
Technical & diagnostic data
- Server logs, error logs, performance metrics.
- Abuse prevention signals and security events.
We do not intentionally collect special category data (GDPR Article 9). Customers must not configure bots to request such data without a valid legal basis.
5. Legal bases for processing
Where GDPR applies, we rely on:
- Contract (Art. 6(1)(b)) — account management, service delivery, billing.
- Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, debugging, product analytics, service improvement.
- Consent (Art. 6(1)(a)) — marketing, non-essential cookies, optional features.
- Legal obligation (Art. 6(1)(c)) — accounting, tax, regulatory compliance.
For chat data processed on behalf of customers, the customer determines the legal basis (typically legitimate interest or consent obtained on their website).
6. How we use data
We use personal data to:
- Provide and operate the Service.
- Generate AI responses.
- Manage billing and subscriptions.
- Detect and prevent fraud, spam, and abuse.
- Provide customer support.
- Improve product performance (in aggregated or de-identified form).
- Comply with legal obligations.
We do not sell personal data.
We do not use customer data or chat content to train third-party foundation models.
7. AI processing & limitations
Chat responses are generated using large language models provided by third parties, including Google (Gemini) and OpenAI (GPT), via our AI gateway.
To generate responses, we transmit:
- User messages
- Relevant conversation history
- Selected knowledge base content
Important:
- Providers act as sub-processors.
- They are contractually prohibited from using data for training their general models.
- They may temporarily retain data for abuse and safety monitoring in accordance with their own retention policies.
- We do not control provider retention timelines and update this policy if material changes occur.
AI limitations
AI-generated responses are:
- Probabilistic
- May be inaccurate, incomplete, or outdated
- Not professional advice
All outputs must be independently verified before reliance, especially for legal, medical, financial, safety, or other high-impact decisions.
Customers must clearly inform end users that they are interacting with AI.
9. International transfers
Some subprocessors are located outside the EEA (including the United States).
Where data is transferred internationally, we rely on:
- EU Standard Contractual Clauses (SCCs).
- Supplementary safeguards (encryption, access control, least privilege).
- Contractual restrictions on government access requests.
10. Retention
We retain data only as long as necessary:
- Account data: duration of account + up to 90 days after deletion.
- Chat data: default 12 months (configurable by customer).
- Billing records: 5 years (Danish Bookkeeping Act).
- Logs: 30–90 days.
- Marketing data: until withdrawal of consent + up to 2 years suppression list.
Retention is based on service delivery needs including support, continuity, abuse prevention, and legal obligations.
11. Your GDPR rights
You have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Request deletion.
- Restrict or object to processing.
- Data portability.
- Withdraw consent.
- Lodge a complaint with a supervisory authority (in Denmark: Datatilsynet).
We may require reasonable identity verification before processing requests.
For chat data, end users should first contact the website operator (data controller).
We respond within one month unless legally extended.
12. US state privacy rights
Residents of California, Virginia, Colorado, Connecticut, and Utah may have rights to:
- Access personal data.
- Delete personal data.
- Correct inaccurate data.
- Opt out of sale/sharing (we do not sell or share personal data).
- Limit use of sensitive personal data (we do not knowingly process it for inference).
- Non-discrimination for exercising rights.
- Appeal decisions (where applicable).
Requests: info@bopyai.com
Authorized agents may submit requests with proof of authorization.
13. Children
The Service is not intended for children under 16.
We do not knowingly collect data from children. If discovered, we will delete it promptly upon request.
14. Security
We use industry-standard security measures, including:
- TLS 1.2+ encryption in transit.
- Encryption at rest.
- Role-based access control.
- Row-level database security.
- Audit logging.
- Least-privilege access policies.
- Regular security reviews and updates.
No system is 100% secure, but we continuously work to protect personal data.
In the event of a breach likely to impact user rights, we will notify authorities and affected users as required by law.
16. Changes to this policy
We may update this Privacy Policy from time to time.
For material changes affecting user data:
- We will provide reasonable advance notice (email or in-product notification).
17. Contact & complaints
For all privacy-related inquiries:
Email: info@bopyai.com
EU users may also contact their local authority (in Denmark: Datatilsynet).