GDPR Compliance

Comprehensive Guide to Botgenuity's GDPR Compliance for Businesses Operating Within the European Union.


The General Data Protection Regulation (GDPR) aims to enhance privacy and give greater control to residents of the European Union (EU) and the United Kingdom (through UK GDPR) over their personal data. This regulation is pivotal for ensuring data protection and transparency in handling personal information.

At Botgenuity, adhering to GDPR means rigorously monitoring and documenting all data processing activities concerning you, the Data Subject. We strive to maintain a thorough understanding of how data is processed both within our organization and externally.

We aim to keep this explanation straightforward, but should you have any further inquiries regarding GDPR compliance, please reach out to our Data Protection Officer at

Botgenuity as a Data Controller

As a business, Botgenuity holds the authority and responsibility for deciding where and how your data is processed, categorizing us as a Data Controller under the GDPR framework. The role of a Data Controller is distinct from that of a Data Processor. The latter operates under the direction of a Data Controller (in this case, Botgenuity) and may handle tasks such as data collection, structuring, or storage.

When you engage with Botgenuity directly, we act as a Data Controller. However, in scenarios where another business utilizes our platform via an API, Botgenuity may also serve as a Data Processor.

Like most businesses, Botgenuity relies on various Sub Processors to function effectively. For a detailed list of these Sub Processors and their roles, please refer to our dedicated resource here.

Personal Information We Collect

In line with our Privacy Policy, Botgenuity collects and processes only the Personal Information necessary to provide you with our services. Below is an overview of the types of data we may collect based on your interaction with Botgenuity:

  • Contact Data: Primarily your email address (applicable to all users).
  • Internet Data: This may include cookies, audience metrics, tracers, and navigation data.
  • Identification Data: Occasionally, we might collect your first and last name, but only if explicitly provided by you.
  • Connection Data: This includes IP addresses, logs, and timestamps related to your usage and interactions.

Depending on your usage of Botgenuity, additional Personal Information may be collected (though not actively sought or required) through:

  • Content Uploads: Users may opt to upload personal data. While we advise against sharing excessive personal information, it is possible that various types of data could be collected unintentionally, such as:

    • Identification and Professional Data
    • Sensitive, Contact, and Personal Data
    • Economic, Financial, and National Identification Numbers
  • Interactions with Botgenuity Bots: Users or end-users may inadvertently share personal data during interactions with our AI bots. Despite our recommendation to limit personal data sharing, the following types of data may be collected unintentionally:

    • Identification and Professional Data
    • Sensitive, Contact, and Personal Data
    • Economic, Financial, and National Identification Numbers

Although this information is not explicitly requested, it may be necessary for the execution of our services, such as enabling the bot to respond accurately to queries, and thus, it may be stored.

How We Utilize Your Personal Information

At Botgenuity, we handle your Personal Information with the utmost care, using it solely for predefined Processing Activities. These activities represent the various ways in which we utilize the information provided by you to enhance your experience with our product.

For each Processing Activity, we clearly define the legal basis, ensuring compliance with GDPR stipulations. The legal bases we typically employ are:

  • Legitimate Interest (LI): We process data when it is necessary for the pursuit of our legitimate interests or those of a third party, provided these interests are balanced against your rights and freedoms. For instance, we might analyze usage data to improve our services, thereby enhancing your user experience.

  • Contractual Duties (CD): We use personal data necessary for the preparation or execution of a contract with you. For example, processing payment details to manage subscriptions or delivering services you have requested.

  • Consent (C): We process data for specific purposes when you have given your clear and informed consent. This might include sending promotional emails or collecting sensitive personal information for additional services.

Each of these bases is carefully considered to ensure that your data is used in a manner that is both lawful and respectful of your privacy. At Botgenuity, transparency in how we process personal data is paramount. We strive to provide you with clear information about the use of your data and the rights you have in controlling and managing your personal information.

Processing ActivityPurposeLegal Basis
Creating, accessing, managing, and using your accountTo grant you access to Botgenuity, administer and manage your account, and allow you to use our serviceLI, CD, C
Payment & billing managementTo process payments and manage subscription transactionsCD, C
Adding content to a Botgenuity bot (AI training)To enable you to add content to your Botgenuity bot, enhancing its ability to answer questionsLI, CD, C
Conversational interaction with a Botgenuity botTo facilitate interaction and conversation with your Botgenuity bot and obtain responsesLI, CD, C
Customer supportTo provide assistance and support to our usersLI
Bug and security monitoringTo prevent and investigate potential system abuse or security breachesLI
Website audience measurementTo analyze website traffic and user engagementLI, C
Service improvementTo maintain and enhance the performance of Botgenuity and understand user interactionsLI
Newsletter subscription managementTo distribute newsletters and analyze engagementLI, C
Marketing communicationsTo inform you about updates, promotions, and features related to BotgenuityLI, C
Marketing communication (Customers' end users)To enable customers to collect email addresses from end users through chat formsLI, C
B2B Lead management *To engage with potential business clients about Botgenuity via email and manage leadsLI
Testimonial collection *To collect and display user testimonials on our websiteC
Virtual demo session *To organize and conduct demo sessions for which users can sign upC
Feedback collection *To collect user feedback for display on our Public RoadmapC
Affiliate and referral programs management *To manage and reward participants in our affiliate and referral programsLI, CD

Please note that the Processing Activities marked with an asterisk (*) are optional and not essential to the core functionalities of the Botgenuity service. Participation in these activities is entirely at your discretion.

We commit to retaining your Personal Information only for the duration necessary to fulfill the purposes for which it was collected. Once these purposes are achieved, or at your request, we will proceed to archive, erase, or anonymize your information accordingly.

In certain circumstances, such as in the case of a complaint or potential litigation, we may retain your Personal Information for a longer period. This retention will be based on our reasonable judgment of the necessity to preserve evidence or manage legal risks.

Our Sub Processors

Note that the Sub Processors marked (**) are relevant for the end users, i.e. if you are to collect emails from your own users on a subscription OR for where you are sharing your Botgenuity as a widget on your website.

Processing ActivityCategories of Personal Information ProcessedSub ProcessorsSecurity MeasuresDPA
Creating, accessing, managing and using your accountContact dataVercel, Clerk, PlanetscaleUser access control, Data encryption, Data backup measures, System & network protection, Data retention and erasure, Control of processors, Traceability measuresVercel DPA, Clerk DPA, Planetscale DPA
Payment & billing managementEconomic and financial data, Identification data, Connection data, Internet data, Contact dataStripe, PayPalTraceability measures, Data backup measures, Data encryption, Control of processors, User access control, Data retention and erasureStripe DPA, PayPal DPA
Adding Content, AI trainingIdentification Data, Professional Data, Sensitive Data, Contact Data, Personal DataOpenAI, AWS, Pinecone, Cohere, PlanetscaleUser access control, Software protection measures, Data encryption, Data retention and erasure, Control of processors, Traceability measuresOpenAI DPA, Pinecone DPA, Cohere DPA, AWS DPA
Interaction with an Botgenuity 'bot'Identification Data, Professional Data, Sensitive Data, Contact Data, Personal DataOpenAI, Cohere, Pinecone, AWS, Vercel, Planetscale, Clerk, Pipedream, SlackUser access control, Software protection measures, Data encryption, Data retention and erasure, Control of processors, Traceability measuresOpenAI DPA, Pinecone DPA, Cohere DPA, AWS DPA, Vercel DPA, Clerk DPA, Planetscale DPA, Slack DPA
Bug and security monitoringConnection data, Location data, Internet dataSentrySoftware protection measures, Data encryption, User access control, Control of processorsSentry DPA
Website audience measurementConnection data, Internet dataPosthogUser access control, Data encryption, Control of processorsPosthog DPA
Service improvementConnection data, Internet dataVercel, PosthogSoftware protection measures, Data encryption, Control of processors, User access controlPosthog DPA, Vercel DPA
Newsletter subscription managementInternet data, Contact dataMailerLiteData encryption, Control of processors, User access control, Data retention and erasureMailerLite DPA
Marketing communicationInternet data, Contact dataMailerLiteData encryption, Control of processors, User access control, Data retention and erasureMailerLite DPA
Affiliate and referral programs management *Identification data, Professional data, Internet data, Contact dataPartneroData encryption, Control of processorsPartnero DPA

Our Policies

You can find our policies here:

Accessing or Deleting Your Data

Under the General Data Protection Regulation (GDPR), specifically Articles 12 to 23, you are endowed with specific rights regarding the management of your personal information. Botgenuity is committed to ensuring that you can exercise these rights easily and transparently.

Your Rights Over Your Personal Information

  1. Right of Access:

    • You have the right to request access to your personal information that Botgenuity holds, as well as to receive a copy of this information.
  2. Right to Rectification:

    • If you believe that any personal information we hold about you is incorrect, outdated, or incomplete, you can request that we update or correct this information.
  3. Right to Object:

    • You may object to the processing of your personal information by Botgenuity, particularly if the processing is based on our legitimate interests. This right applies under specific circumstances and includes the ability to object to profiling based on these provisions.
  4. Right to Restriction of Processing:

    • In certain situations, you have the right to request that we temporarily halt the processing of your personal information. This might be while verifying the accuracy of personal data you contested, or if you have objected to processing based on legitimate interests.
  5. Right to Withdraw Consent:

    • If you have previously given consent to the processing of your personal data, you have the right to withdraw that consent at any time. This withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
  6. Right to Data Portability:

    • Where technically feasible, you can request that we transfer the personal information you provided to us to another organization, or directly to you. This right only applies to personal information you have provided to us, where the processing is based on your consent or for the performance of a contract, and when processing is carried out by automated means.
  7. Right to Erasure:

    • You can request the deletion of your personal information from our systems if it meets the legal grounds for deletion, such as the data no longer being necessary for the purposes for which it was collected or you withdrawing consent.

How to Exercise Your Rights

To exercise any of the above rights, please send a detailed email to We are dedicated to responding to and completing all requests within 30 days.

Special Considerations for End Users of Our Customers

If you are an end user of one of Botgenuity’s customers, please note that your rights request will be forwarded to our customer, who is responsible for responding to your request directly. This is because, in such cases, they are the Data Controller of your information.

International Data Transfers

Botgenuity prioritizes the security and privacy of your personal information, including how it is handled across borders. While we endeavor to process your personal data within the European Union (EU), certain operations necessitate engaging with service providers located outside the EU, notably in the United States.

Compliance with EU Data Transfer Regulations

Thanks to the EU's Adequacy Decision and the newly established EU-US Data Privacy Framework, transferring personal data to the US does not compromise the protection it is afforded under EU law. This framework ensures that our US-based Sub Processors adhere to data protection standards that are equivalent to those mandated by the GDPR.

Mechanisms for Safe Data Transfer

To legally and safely facilitate these international data transfers, Botgenuity utilizes Standard Contractual Clauses (SCCs). These clauses have been rigorously evaluated and approved by the European Commission. They provide a robust legal foundation ensuring that personal data continues to receive a high level of protection when transferred outside the European Economic Area (EEA).

The SCCs serve as a critical tool for data transfers, ensuring compliance with the GDPR’s stringent requirements for transferring personal data to non-EEA countries. They incorporate specific data protection safeguards, allowing data exporters to use these clauses without needing prior authorization from data protection authorities.

For additional details on these mechanisms, you are encouraged to visit the European Commission’s website. Here, you will find resources including a FAQ that clarify the validity and application of SCCs for exporting personal data from the EEA to the US.

The following are Sub Processors we use where your Personal Information may be transferred outside of the EU:

Privacy and Encryption of Personal Information

At Botgenuity, safeguarding your personal information is paramount. We employ robust encryption methods to ensure the security and confidentiality of your data, both at rest and in transit.

Encryption at Rest

To protect your personal information while it is stored on our servers, we utilize Advanced Encryption Standard (AES) with a 256-bit key. AES 256 is recognized globally for its strength and effectiveness in securing data against unauthorized access. This level of encryption ensures that your data remains private and secure from potential threats.

Encryption in Transit

When your personal information is transmitted over the internet, it is protected using Transport Layer Security (TLS) version 1.2 or higher. TLS is a protocol that ensures privacy between communicating applications and their users on the internet. By using TLS 1.2+, we ensure that your data is transmitted securely, preventing eavesdropping and tampering by malicious actors.

Reporting a Security Vulnerability or Breach

At Botgenuity, we take security very seriously and strive to maintain the highest standards of data protection. If you suspect that you have identified a security vulnerability or have evidence of a data breach within our systems, we urge you to report it immediately.

How to Report

Please send a detailed email to at your earliest convenience. Include as much information as possible about the potential vulnerability or breach to help us understand the nature and scope of the issue. Your prompt reporting is crucial in enabling us to act swiftly to investigate and address the problem.