Privacy Policy

• Vendors — businesses who sign up for a BotNira workspace.
• End users — individuals who chat, call, message or email a Vendor whose front desk runs on BotNira.

Vendors are the Data Controllers of their End users' conversations. BotNira acts as the Data Processor on their behalf.

From Vendors at signup and while using the service

• Full name, business name, work email, hashed password
• Business description, FAQs and tone settings you paste into Bot Studio
• Channel credentials you connect (WhatsApp Business Account IDs, phone number IDs, access tokens issued by Meta)
• Billing information processed by our payment provider (we never store card numbers)

From End users (customers who contact your business)

• Their name and phone number / email when provided (including WhatsApp profile name)
• The text of each message they exchange with BotNira
• Basic metadata: channel, timestamps, message delivery status

Automatically

• Standard server logs (IP address, user agent, API endpoints called)
• A single cookie / localStorage key in the embeddable web widget to remember a conversation

• Deliver the service — route messages to/from the Vendor's trained bot, show conversations in the Inbox, schedule appointments.
• Train the Vendor's bot in real time — we send the Vendor's business description + FAQs (never End-user data from other Vendors) to our LLM provider as grounding context.
• Billing & usage metering — count messages, minutes, and appointments for the Vendor's plan.
• Security & abuse prevention — rate-limit, detect fraud, and audit access.

We do not sell End-user data. We do not use End-user data to train general-purpose AI models.

To run BotNira we share the minimum necessary data with:

• Meta Platforms Inc. — for WhatsApp Business Cloud API (receiving + sending messages).
• BotNira's AI engine — to generate the AI replies (we send the Vendor's business info + the current conversation, never a customer's private data outside of what they themselves typed).
• MongoDB Atlas — as our primary database.
• Stripe — payment processing (we never see full card numbers).

Each processor is contractually bound to handle data only on our instructions and in line with applicable data-protection laws.

When a Vendor connects their WhatsApp number to BotNira through Meta's Embedded Signup, we receive the WhatsApp Business Account ID, Phone Number ID and an access token scoped to that Vendor's account.

• We use these tokens only to send and receive messages on behalf of the Vendor.
• Message content is stored in our database for the Vendor to view in their Inbox.
• We do not share WhatsApp message content with any third party other than the AI providers listed above, and only to generate an immediate reply.
• A Vendor can disconnect WhatsApp at any time from Channels → WhatsApp → Disconnect; tokens are revoked and no further messages flow through BotNira.

• Conversations & transcripts: retained for as long as the Vendor's workspace is active. Vendors can delete individual conversations at any time.
• Billing records: 7 years (legal requirement).
• When a Vendor deletes their workspace, all associated conversations, messages, appointments and integration tokens are permanently deleted within 30 days.

Depending on your jurisdiction (GDPR, PIPEDA, CCPA), you have the right to:

• Access a copy of your data
• Correct inaccurate data
• Request deletion ("right to be forgotten")
• Object to processing and/or withdraw consent
• Port your data to another provider

End users should direct requests to the Vendor they interacted with (the Data Controller). Vendors can email us directly — see contact below — and we respond within 30 days.

We encrypt data in transit (TLS 1.2+) and at rest. Access tokens are stored only in our backend database, never in client-side code. Production access is restricted to a small number of authorised engineers and logged.

BotNira is operated from Canada. Data may be transferred to and processed in the United States and the European Union by our sub-processors listed above, each under Standard Contractual Clauses.

BotNira is not directed at children under 16 and we do not knowingly collect their data.

If we materially change this policy we'll notify active Vendors by email 30 days before the change takes effect.

Data protection queries: privacy@thedigisparrow.com
Mailing: The Digi Sparrow, Toronto, Canada