Simple Business Bots

Privacy Policy

Last updated: April 27, 2026

1. Introduction

Simple Business Bots ("SBB", "we", "us") respects your privacy. This policy explains what data we collect, how we use it, and your choices. This policy applies to both business owners who subscribe to our service and end users (website visitors) who interact with chatbots powered by SBB.

Our role. When a website visitor chats with a bot powered by SBB, the business owner who enabled that chatbot is the controller of the visitor's data — they decide whether to enable lead capture, newsletter signup, CRM sync, calendar booking, webhooks, and similar features. SBB acts as a service provider (processor) for the business owner with respect to that visitor data, processing it under the owner's instructions to operate the chatbot. SBB also acts on its own behalf for limited operational purposes — billing, account security, fraud prevention, abuse monitoring, service quality, and compliance — as described in the sections below. Visitors interacting with a chatbot may also need to review the privacy notice of the business operating the website where the chatbot is embedded for additional information about how that business uses their data.

2. Information We Collect

From business owners (subscribers):

  • Business name, website URL, and contact email (provided during onboarding)
  • Dashboard login PIN (generated during setup, stored securely hashed with bcrypt)
  • Authentication tokens (stored as SHA-256 hashes, revoked on PIN change or logout)
  • Payment information (processed by Stripe — we do not store card numbers)
  • Uploaded documents (PDFs) used to build chatbot knowledge
  • Widget customization settings (color, theme, icon, greeting message, tone and conversation style preferences)
  • Email change verification codes (temporary, expire after 15 minutes)
  • Owner activity history (knowledge updates, setting changes, rescrapes, PIN changes — retained for 90 days)
  • Lead follow-up status tracking (New, Contacted, Converted, Closed) and follow-up reminder preferences
  • Hidden conversation preferences (conversations you choose to hide from your activity view)
  • Integration credentials (API keys, OAuth tokens) for optional third-party services you choose to connect (stored in Azure Storage with platform-level encryption at rest)

From end users (website visitors chatting with a bot):

  • Chat messages and conversation history
  • Contact information voluntarily provided (name, phone, email) when lead capture is enabled
  • Browser-generated request data (IP address, user agent) in standard server logs

3. How We Use Your Information

  • AI-powered responses: Chat messages are sent to OpenAI's API to generate responses. Messages are processed in real time and are subject to OpenAI's usage policies. Product inventory data (if inventory sync is enabled) is also included in chat prompts to answer availability questions.
  • Bot personality customization: Owners can configure tone, conversation style, and response preferences, which are used to shape the AI system prompt and influence bot behavior.
  • Lead notifications: When a visitor shares contact info, we email it to the business owner. If a lead webhook is configured (e.g., Zapier or Make), we also send a structured JSON payload to the configured URL. If a CRM or email marketing integration is connected (e.g., HubSpot, Pipedrive, Mailchimp), lead data is also pushed to that service as authorized by the business owner.
  • Email reply drafting (Growth/Premium): Owners can paste customer emails or online reviews into the dashboard to generate AI-drafted responses grounded in their bot's knowledge base. This content is sent to OpenAI for processing but is not stored on our servers.
  • Weekly reports: We analyze conversation event logs to generate performance summaries for business owners.
  • Service improvement: We log conversation events (questions asked, answer summaries, topics, whether the bot could answer) to monitor service quality. Logs do not contain full conversation transcripts.

4. Third-Party Services

We use the following third-party services to operate:

Service | Purpose | Data shared
OpenAI | AI response generation | Chat messages, business FAQ content
Stripe | Payment processing | Payment details, email
Microsoft Azure | Hosting, storage, monitoring | All service data (US-based servers)
Purelymail | Email delivery | Recipient email, message content
Cloudflare | DNS, CDN, email routing, cookieless web analytics (aggregate page views) | IP address, user agent, timestamps, business ID, referrer, page path
Azure AI Document Intelligence | OCR for scanned PDF documents | Uploaded PDF content
Mailchimp (optional) | Email marketing (if enabled by business owner) | Visitor name, email (only with visitor consent)
HubSpot (optional) | CRM and/or newsletter (if enabled by business owner) | Lead name, phone, email
Pipedrive (optional) | CRM (if enabled by business owner) | Lead name, phone, email
Follow Up Boss (optional) | CRM (if enabled by business owner) | Lead name, phone, email
Clio (optional) | Legal CRM (if enabled by business owner) | Lead name, phone, email
Constant Contact (optional) | Email marketing (if enabled by business owner) | Visitor name, email
Google Calendar (optional) | Appointment booking (if enabled by business owner) | Visitor name, phone, email, appointment time
Google Sheets (optional) | Lead spreadsheet (if enabled by business owner) | Lead name, phone, email, topic
WhatsApp / Meta (optional) | Messaging channel (if enabled by business owner) | Chat messages, phone number
WooCommerce/Shopify APIs (optional) | Inventory sync for e-commerce sites | Product catalog data (optional API key auth for stock/price data)
Lasso CRM (optional) | CRM (if enabled by business owner) | Lead name, phone, email
Lead webhooks (optional) | Automation (Zapier, Make, etc., if configured) | Lead name, phone, email, topic

5. Data Storage and Security

  • All data is stored on Microsoft Azure servers in the United States.
  • All connections use HTTPS encryption in transit.
  • The chatbot (and live chat, if enabled) never asks for sensitive financial information. As an added safeguard, credit card numbers and Social Security numbers shared in chat are automatically redacted before storage.
  • Dashboard access is protected by a hashed PIN. Authentication tokens are stored as one-way hashes and are revoked when you change your PIN or use the forgot-PIN feature.
  • We do not sell, rent, or share your data with third parties for marketing purposes.

6. Browser Storage

Chat Widget: Our chat widget uses your browser's localStorage to persist conversation history so returning visitors can continue where they left off. We do not use tracking cookies. No data is shared with advertising networks.

Owner Dashboard Sessions: The dashboard stores your session state (business ID, authentication token, display preferences) in localStorage so you stay logged in across page reloads and app restarts. This data is cleared when you log out.

Push Notifications (Owner Dashboard): If you enable push notifications, your browser generates a push subscription (endpoint URL and encryption keys) which we store on our servers. Notifications are delivered via the Web Push protocol (VAPID) using standard browser APIs — no third-party push service is involved. You can disable notifications at any time through your browser settings or the dashboard.

Service Worker & Offline Support: The owner dashboard registers a service worker that caches page assets for offline access. Cached data is stored in your browser's Cache Storage and is automatically updated when new versions are available. When an update is detected, a banner prompts you to refresh. You can clear this data through your browser's site settings.

7. Do Not Track

Our service does not use tracking cookies, advertising pixels, or cross-site tracking technologies. We do not track visitors across third-party websites. Because we do not engage in tracking, our service effectively honors Do Not Track (DNT) browser signals by default.

For aggregate page-view analytics on our marketing pages we use Cloudflare Web Analytics — a cookieless, privacy-first analytics service that records page views, referrers, and country-level geography without cookies, browser fingerprinting, or cross-site tracking. Cloudflare Web Analytics does not identify individual visitors. The chat widget itself is not subject to this analytics layer.

8. Data Retention

  • Chat conversations: Stored in session tables during the active session (automatically deleted after 24 hours). Conversation events are logged to Application Insights and retained for up to 90 days.
  • AI provider data handling: Chat messages are sent to OpenAI's API to generate responses. OpenAI may retain API data for abuse monitoring and service operation in accordance with its API data usage policies; this generally includes a retention window of up to 30 days for abuse-monitoring purposes. API data is not used to train OpenAI's models unless we opt in (we do not). Some chat features rely on OpenAI's server-side conversation continuity, which means OpenAI may also retain conversation state for the duration described in their policies.
  • Lead data: Lead status and follow-up reminders retained as long as the business subscription is active.
  • Business configuration: Retained for 30 days after subscription cancellation, then permanently deleted. This includes knowledge base content, widget settings, integration credentials, and RAG search index data.
  • Owner activity history: Change history (knowledge updates, setting changes, rescrapes) retained for up to 90 days in application logs.
  • Free trial data: Trial configurations are automatically deleted 7 days after expiration if not converted to a paid subscription.
  • Payment records: Managed by Stripe per their retention policies.

9. Your Choices

Business owners:

  • You can update or delete your bot's knowledge base at any time from the dashboard.
  • You can hide individual conversations from your dashboard activity view. Hidden conversations are excluded from your dashboard but remain in application logs for the standard retention period.
  • Some plans support emailing updates to your bot's knowledge base. Attachments (PDFs) are temporarily stored for processing and deleted after the update is applied. Your sender email address is matched to identify your account.
  • You can cancel your subscription, which stops all data collection and triggers deletion after 30 days.
  • You can request data export or deletion by emailing us.

End users (website visitors):

  • Chat is voluntary — you choose what to share in conversation.
  • You can clear your local chat history by clearing your browser's localStorage.
  • You can request deletion of your conversation data by contacting the business or emailing us.

U.S. state privacy rights, where applicable. If you are a resident of a U.S. state with a comprehensive consumer privacy law (such as California, Connecticut, Colorado, Virginia, Utah, Texas, or others), and that law applies to SBB or to the business operating the chatbot you used, you may have additional rights including the right to access or know what personal data is held about you, to delete it, to correct inaccuracies, to obtain a portable copy, to opt out of any sale, sharing, or targeted advertising use of your data (SBB does not sell or share data for targeted advertising), to limit the use of sensitive personal data where applicable, and to be free from discrimination for exercising these rights. You may also have the right to appeal a denied request and to designate an authorized agent to act on your behalf. We may need to verify your identity before fulfilling a request. To exercise any of these rights, contact us at the email below; if your request concerns data the business owner controls, we will route the request to them or assist in fulfilling it as a service provider.

10. Children's Privacy

Our service is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

11. Business Transfers

If our business is acquired, merged, or sold, your data may be transferred to the new owner as part of that transaction. We will notify you via email before your data is subject to a different privacy policy.

12. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of the service after changes constitutes acceptance.

13. Contact

For privacy questions or data requests, contact us at [email protected].

© 2026 Simple Business Bots