At Ask Bob, we take your privacy seriously. This Privacy Policy explains how we collect, use, and protect your information when you use our AI-powered customer service platform. We act as a Data Processor for your business data while you remain the Data Controller.
Information We Collect
Account Information: When you create an account, we collect your name, email address, company name, and billing information.
Chat & Conversation Data: We collect chat messages between your customers and Bob, including session identifiers and conversation context. Chat logs are retained for 30 days by default.
Business Data: To train your AI chatbot, we may collect information about your business, products, and services that you provide or authorize us to access through integrations.
Integration Data: When you connect third-party services (Shopify, Zendesk, etc.), we process data from those integrations, including:
- OAuth tokens (encrypted with AES-256)
- Product catalogs and order information
- Customer support ticket data
- Webhook payloads (signature-verified)
Learning Data: With your explicit consent, we generate "knowledge cards" from your integration data to improve Bob's responses. All learning data undergoes automatic PII redaction.
Automatically Collected Data: We collect hashed IP addresses (retained 7 days), device fingerprints, browser type, and usage patterns through cookies and similar technologies.
How We Use Your Information
- Provide and improve our AI customer service platform
- Train and customize your chatbot to serve your customers better
- Process payments and manage your account
- Provide customer support and respond to your inquiries
- Send important updates about our service
- Analyze usage patterns to improve our platform
- Detect and prevent fraud and abuse
Data Protection & Security
We implement enterprise-grade security measures to protect your data:
- Encryption: AES-256 encryption at rest, TLS 1.2+ in transit
- Credential Security: KEK/DEK envelope encryption for OAuth tokens and secrets
- Multi-Tenant Isolation: Row-level security (RLS) ensures strict tenant data separation
- Webhook Security: HMAC signature verification, replay protection, and rate limiting
- PII Protection: Automatic redaction in learning pipelines and audit logs
- Audit Logging: Comprehensive audit trail for all data access and modifications
- Infrastructure: AWS hosting with VPC isolation, IAM access controls
- Monitoring: Real-time security alerts via Prometheus/Grafana
Data Sharing & Sub-Processors
We do not sell or rent your personal information. We may share limited data with:
- Infrastructure (AWS): Cloud hosting and data storage (US-East-1)
- LLM Providers (OpenAI, Anthropic): Chat processing only, no data storage
- Payments (Stripe): Billing information only
- Your Integrations: Data flows to/from services you connect (Shopify, Zendesk, etc.) are governed by your agreements with those providers
- Legal Requirements: When required by law or to protect our rights
All sub-processors are bound by Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs) for international transfers.
Your Rights (GDPR & CCPA)
You have the following rights regarding your data:
- Right of Access: Request a copy of your personal data (fulfilled within 30 days)
- Right to Rectification: Update or correct inaccurate information
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Data Portability: Export your data in JSON format
- Right to Restrict Processing: Limit how we use your data
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Revoke learning consent for integrations at any time
- Right to Lodge a Complaint: Contact your local data protection authority
To exercise these rights, submit a Data Subject Access Request (DSAR) to privacy@askbob.ai. We will respond within 30 days. Identity verification is required.
Cookies & Tracking
We use cookies and similar technologies to:
- Keep you logged in to your account
- Remember your preferences and settings
- Analyze how you use our platform
- Provide personalized experiences
You can control cookies through your browser settings, but some features may not work properly if cookies are disabled.
International Data Transfers
Your data may be processed in countries other than your own. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by data protection authorities
- Adequacy decisions for countries with equivalent protection
- Certification schemes and codes of conduct
Data Retention
We retain your data only as long as necessary to provide our services and comply with legal obligations:
- Chat Messages: 30 days (configurable per tenant)
- Session Data: 7 days
- Audit Logs: 90 days
- Integration Tokens: Until revoked or integration disconnected
- Knowledge Cards: Per your consent settings (revocable)
- Account Data: Account lifetime + 30 days post-deletion
- Aggregated Analytics: Retained indefinitely (anonymized)
For complete retention details, see our GDPR Data Map.
Children's Privacy
Our service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we become aware of such collection, we will delete the information immediately.
Updates to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes via email or through our platform. Your continued use of our service constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@askbob.ai
- Mail: Ask Bob, Privacy Officer, [Address]
This Privacy Policy is designed to be transparent and comprehensive. We believe in earning your trust through clear communication about our data practices.