GDPR Compliance
Comprehensive Guide to Botgenuity's GDPR Compliance for Businesses Operating Within the European Union.
Overview
The General Data Protection Regulation (GDPR) aims to enhance privacy and give greater control to residents of the European Union (EU) and the United Kingdom (through UK GDPR) over their personal data. This regulation is pivotal for ensuring data protection and transparency in handling personal information.
At Botgenuity, adhering to GDPR means rigorously monitoring and documenting all data processing activities concerning you, the Data Subject. We strive to maintain a thorough understanding of how data is processed both within our organization and externally.
We aim to keep this explanation straightforward, but should you have any further inquiries regarding GDPR compliance, please reach out to our Data Protection Officer at dmitri@botgenuity.com.
Botgenuity as a Data Controller
As a business, Botgenuity holds the authority and responsibility for deciding where and how your data is processed, categorizing us as a Data Controller under the GDPR framework. The role of a Data Controller is distinct from that of a Data Processor. The latter operates under the direction of a Data Controller (in this case, Botgenuity) and may handle tasks such as data collection, structuring, or storage.
When you engage with Botgenuity directly, we act as a Data Controller. However, in scenarios where another business utilizes our platform via an API, Botgenuity may also serve as a Data Processor.
Like most businesses, Botgenuity relies on various Sub Processors to function effectively. For a detailed list of these Sub Processors and their roles, please refer to our dedicated resource here.
Personal Information We Collect
In line with our Privacy Policy, Botgenuity collects and processes only the Personal Information necessary to provide you with our services. Below is an overview of the types of data we may collect based on your interaction with Botgenuity:
- Contact Data: Primarily your email address (applicable to all users).
- Internet Data: This may include cookies, audience metrics, tracers, and navigation data.
- Identification Data: Occasionally, we might collect your first and last name, but only if explicitly provided by you.
- Connection Data: This includes IP addresses, logs, and timestamps related to your usage and interactions.
Depending on your usage of Botgenuity, additional Personal Information may be collected (though not actively sought or required) through:
- Content Uploads: Users may opt to upload personal data. While we advise against sharing excessive personal information, it is possible that various types of data could be collected unintentionally, such as:
  - Identification and Professional Data
  - Sensitive, Contact, and Personal Data
  - Economic, Financial, and National Identification Numbers
- Interactions with Botgenuity Bots: Users or end-users may inadvertently share personal data during interactions with our AI bots. Despite our recommendation to limit personal data sharing, the following types of data may be collected unintentionally:
  - Identification and Professional Data
  - Sensitive, Contact, and Personal Data
  - Economic, Financial, and National Identification Numbers
Although this information is not explicitly requested, it may be necessary for the execution of our services, such as enabling the bot to respond accurately to queries, and thus it may be stored.
How We Utilize Your Personal Information
At Botgenuity, we handle your Personal Information with the utmost care, using it solely for predefined Processing Activities. These activities represent the various ways in which we utilize the information provided by you to enhance your experience with our product.
For each Processing Activity, we clearly define the legal basis, ensuring compliance with GDPR stipulations. The legal bases we typically employ are:
- Legitimate Interest (LI): We process data when it is necessary for the pursuit of our legitimate interests or those of a third party, provided these interests are balanced against your rights and freedoms. For instance, we might analyze usage data to improve our services, thereby enhancing your user experience.
- Contractual Duties (CD): We use personal data necessary for the preparation or execution of a contract with you. For example, processing payment details to manage subscriptions or delivering services you have requested.
- Consent (C): We process data for specific purposes when you have given your clear and informed consent. This might include sending promotional emails or collecting sensitive personal information for additional services.
Each of these bases is carefully considered to ensure that your data is used in a manner that is both lawful and respectful of your privacy. At Botgenuity, transparency in how we process personal data is paramount. We strive to provide you with clear information about the use of your data and the rights you have in controlling and managing your personal information.
Processing Activity | Purpose | Legal Basis |
---|---|---|
Creating, accessing, managing, and using your account | To grant you access to Botgenuity, administer and manage your account, and allow you to use our service | LI, CD, C |
Payment & billing management | To process payments and manage subscription transactions | CD, C |
Adding content to a Botgenuity bot (AI training) | To enable you to add content to your Botgenuity bot, enhancing its ability to answer questions | LI, CD, C |
Conversational interaction with a Botgenuity bot | To facilitate interaction and conversation with your Botgenuity bot and obtain responses | LI, CD, C |
Customer support | To provide assistance and support to our users | LI |
Bug and security monitoring | To prevent and investigate potential system abuse or security breaches | LI |
Website audience measurement | To analyze website traffic and user engagement | LI, C |
Service improvement | To maintain and enhance the performance of Botgenuity and understand user interactions | LI |
Newsletter subscription management | To distribute newsletters and analyze engagement | LI, C |
Marketing communications | To inform you about updates, promotions, and features related to Botgenuity | LI, C |
Marketing communication (Customers' end users) | To enable customers to collect email addresses from end users through chat forms | LI, C |
B2B Lead management * | To engage with potential business clients about Botgenuity via email and manage leads | LI |
Testimonial collection * | To collect and display user testimonials on our website | C |
Virtual demo session * | To organize and conduct demo sessions for which users can sign up | C |
Feedback collection * | To collect user feedback for display on our Public Roadmap | C |
Affiliate and referral programs management * | To manage and reward participants in our affiliate and referral programs | LI, CD |
Please note that the Processing Activities marked with an asterisk (*) are optional and not essential to the core functionalities of the Botgenuity service. Participation in these activities is entirely at your discretion.
We commit to retaining your Personal Information only for the duration necessary to fulfill the purposes for which it was collected. Once these purposes are achieved, or at your request, we will proceed to archive, erase, or anonymize your information accordingly.
In certain circumstances, such as in the case of a complaint or potential litigation, we may retain your Personal Information for a longer period. This retention will be based on our reasonable judgment of the necessity to preserve evidence or manage legal risks.
Our Sub Processors
Note that the Sub Processors marked (**) are relevant for end users, i.e. if you collect email addresses from your own users through a subscription form, or if you embed your Botgenuity bot as a widget on your website.
Processing Activity | Categories of Personal Information Processed | Sub Processors | Security Measures | DPA |
---|---|---|---|---|
Creating, accessing, managing and using your account | Contact data | Vercel, Clerk, Planetscale | User access control, Data encryption, Data backup measures, System & network protection, Data retention and erasure, Control of processors, Traceability measures | Vercel DPA, Clerk DPA, Planetscale DPA |
Payment & billing management | Economic and financial data, Identification data, Connection data, Internet data, Contact data | Stripe, PayPal | Traceability measures, Data backup measures, Data encryption, Control of processors, User access control, Data retention and erasure | Stripe DPA, PayPal DPA |
Adding Content, AI training | Identification Data, Professional Data, Sensitive Data, Contact Data, Personal Data | OpenAI, AWS, Pinecone, Cohere, Planetscale | User access control, Software protection measures, Data encryption, Data retention and erasure, Control of processors, Traceability measures | OpenAI DPA, Pinecone DPA, Cohere DPA, AWS DPA |
Interaction with a Botgenuity 'bot' | Identification Data, Professional Data, Sensitive Data, Contact Data, Personal Data | OpenAI, Cohere, Pinecone, AWS, Vercel, Planetscale, Clerk, Pipedream, Slack | User access control, Software protection measures, Data encryption, Data retention and erasure, Control of processors, Traceability measures | OpenAI DPA, Pinecone DPA, Cohere DPA, AWS DPA, Vercel DPA, Clerk DPA, Planetscale DPA, Slack DPA |
Bug and security monitoring | Connection data, Location data, Internet data | Sentry | Software protection measures, Data encryption, User access control, Control of processors | Sentry DPA |
Website audience measurement | Connection data, Internet data | Posthog | User access control, Data encryption, Control of processors | Posthog DPA |
Service improvement | Connection data, Internet data | Vercel, Posthog | Software protection measures, Data encryption, Control of processors, User access control | Posthog DPA, Vercel DPA |
Newsletter subscription management | Internet data, Contact data | MailerLite | Data encryption, Control of processors, User access control, Data retention and erasure | MailerLite DPA |
Marketing communication | Internet data, Contact data | MailerLite | Data encryption, Control of processors, User access control, Data retention and erasure | MailerLite DPA |
Affiliate and referral programs management * | Identification data, Professional data, Internet data, Contact data | Partnero | Data encryption, Control of processors | Partnero DPA |
Our Policies
You can find our policies here:
Accessing or Deleting Your Data
Under the General Data Protection Regulation (GDPR), specifically Articles 12 to 23, you are endowed with specific rights regarding the management of your personal information. Botgenuity is committed to ensuring that you can exercise these rights easily and transparently.
Your Rights Over Your Personal Information
- Right of Access: You have the right to request access to your personal information that Botgenuity holds, as well as to receive a copy of this information.
- Right to Rectification: If you believe that any personal information we hold about you is incorrect, outdated, or incomplete, you can request that we update or correct this information.
- Right to Object: You may object to the processing of your personal information by Botgenuity, particularly if the processing is based on our legitimate interests. This right applies under specific circumstances and includes the ability to object to profiling based on these provisions.
- Right to Restriction of Processing: In certain situations, you have the right to request that we temporarily halt the processing of your personal information. This might be while we verify the accuracy of personal data you have contested, or if you have objected to processing based on legitimate interests.
- Right to Withdraw Consent: If you have previously given consent to the processing of your personal data, you have the right to withdraw that consent at any time. This withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
- Right to Data Portability: Where technically feasible, you can request that we transfer the personal information you provided to us to another organization, or directly to you. This right only applies to personal information you have provided to us, where the processing is based on your consent or on the performance of a contract, and where processing is carried out by automated means.
- Right to Erasure: You can request the deletion of your personal information from our systems if it meets the legal grounds for deletion, such as the data no longer being necessary for the purposes for which it was collected, or you withdrawing consent.
How to Exercise Your Rights
To exercise any of the above rights, please send a detailed email to support@botgenuity.com. We are dedicated to responding to and completing all requests within 30 days.
Special Considerations for End Users of Our Customers
If you are an end user of one of Botgenuity’s customers, please note that your rights request will be forwarded to our customer, who is responsible for responding to your request directly. This is because, in such cases, they are the Data Controller of your information.
International Data Transfers
Botgenuity prioritizes the security and privacy of your personal information, including how it is handled across borders. While we endeavor to process your personal data within the European Union (EU), certain operations necessitate engaging with service providers located outside the EU, notably in the United States.
Compliance with EU Data Transfer Regulations
Thanks to the EU's Adequacy Decision and the newly established EU-US Data Privacy Framework, transferring personal data to the US does not compromise the protection it is afforded under EU law. This framework ensures that our US-based Sub Processors adhere to data protection standards that are equivalent to those mandated by the GDPR.
Mechanisms for Safe Data Transfer
To legally and safely facilitate these international data transfers, Botgenuity utilizes Standard Contractual Clauses (SCCs). These clauses have been rigorously evaluated and approved by the European Commission. They provide a robust legal foundation ensuring that personal data continues to receive a high level of protection when transferred outside the European Economic Area (EEA).
The SCCs serve as a critical tool for data transfers, ensuring compliance with the GDPR’s stringent requirements for transferring personal data to non-EEA countries. They incorporate specific data protection safeguards, allowing data exporters to use these clauses without needing prior authorization from data protection authorities.
For additional details on these mechanisms, you are encouraged to visit the European Commission’s website. There you will find resources, including a FAQ, that clarify the validity and application of SCCs for exporting personal data from the EEA to the US.
The following are Sub Processors we use where your Personal Information may be transferred outside of the EU:
Sub Processor | Location | DPA |
---|---|---|
MailerLite | US | Data Processing Agreement |
Vercel | US | Data Processing Agreement |
Stripe | US | Data Processing Agreement |
PayPal | US | Data Processing Agreement |
PostHog | US | Data Processing Agreement |
AWS | US | Data Processing Agreement |
OpenAI | US | Data Processing Agreement |
Pinecone | US | Data Processing Agreement |
Planetscale | US | Data Processing Agreement |
Clerk | US | Data Processing Agreement |
Slack | US | Data Processing Agreement |
Privacy and Encryption of Personal Information
At Botgenuity, safeguarding your personal information is paramount. We employ robust encryption methods to ensure the security and confidentiality of your data, both at rest and in transit.
Encryption at Rest
To protect your personal information while it is stored on our servers, we utilize Advanced Encryption Standard (AES) with a 256-bit key. AES 256 is recognized globally for its strength and effectiveness in securing data against unauthorized access. This level of encryption ensures that your data remains private and secure from potential threats.
Encryption in Transit
When your personal information is transmitted over the internet, it is protected using Transport Layer Security (TLS) version 1.2 or higher. TLS is a protocol that ensures privacy between communicating applications and their users on the internet. By using TLS 1.2+, we ensure that your data is transmitted securely, preventing eavesdropping and tampering by malicious actors.
Reporting a Security Vulnerability or Breach
At Botgenuity, we take security very seriously and strive to maintain the highest standards of data protection. If you suspect that you have identified a security vulnerability or have evidence of a data breach within our systems, we urge you to report it immediately.
How to Report
Please send a detailed email to support@botgenuity.com at your earliest convenience. Include as much information as possible about the potential vulnerability or breach to help us understand the nature and scope of the issue. Your prompt reporting is crucial in enabling us to act swiftly to investigate and address the problem.