Simple Business Bots

Privacy Policy

Last updated: March 28, 2026

1. Introduction

Simple Business Bots ("SBB", "we", "us") respects your privacy. This policy explains what data we collect, how we use it, and your choices. This policy applies to both business owners who subscribe to our service and end users (website visitors) who interact with chatbots powered by SBB.

2. Information We Collect

From business owners (subscribers):

  • Business name, website URL, and contact email (provided during onboarding)
  • Dashboard login PIN (generated during setup, stored securely hashed with bcrypt)
  • Authentication tokens (stored as SHA-256 hashes, revoked on PIN change or logout)
  • Payment information (processed by Stripe — we do not store card numbers)
  • Uploaded documents (PDFs) used to build chatbot knowledge
  • Widget customization settings (color, theme, icon, greeting message, tone and conversation style preferences)
  • Email change verification codes (temporary, expire after 15 minutes)
  • Owner activity history (knowledge updates, setting changes, rescrapes, PIN changes — retained for 90 days)
  • Lead follow-up status tracking (New, Contacted, Converted, Closed) and follow-up reminder preferences
  • Hidden conversation preferences (conversations you choose to hide from your activity view)
  • Integration credentials (API keys, OAuth tokens) for optional third-party services you choose to connect (stored encrypted at rest)

From end users (website visitors chatting with a bot):

  • Chat messages and conversation history
  • Contact information voluntarily provided (name, phone, email) when lead capture is enabled
  • Browser-generated request data (IP address, user agent) in standard server logs

3. How We Use Your Information

  • AI-powered responses: Chat messages are sent to OpenAI's API to generate responses. Messages are processed in real time and are subject to OpenAI's usage policies. Product inventory data (if inventory sync is enabled) is also included in chat prompts to answer availability questions.
  • Bot personality customization: Owners can configure tone, conversation style, and response preferences, which are used to shape the AI system prompt and influence bot behavior.
  • Lead notifications: When a visitor shares contact info, we email it to the business owner. If a lead webhook is configured (e.g., Zapier or Make), we also send a structured JSON payload to the configured URL. If a CRM or email marketing integration is connected (e.g., HubSpot, Pipedrive, Mailchimp), lead data is also pushed to that service as authorized by the business owner.
  • Email reply drafting (Growth/Premium): Owners can paste customer emails or online reviews into the dashboard to generate AI-drafted responses grounded in their bot's knowledge base. This content is sent to OpenAI for processing but is not stored on our servers.
  • Weekly reports: We analyze conversation event logs to generate performance summaries for business owners.
  • Service improvement: We log conversation events (questions asked, answer summaries, topics, whether the bot could answer) to monitor service quality. Logs do not contain full conversation transcripts.

4. Third-Party Services

We use the following third-party services to operate:

Service | Purpose | Data shared
OpenAI | AI response generation | Chat messages, business FAQ content
Stripe | Payment processing | Payment details, email
Microsoft Azure | Hosting, storage, monitoring | All service data (US-based servers)
Purelymail | Email delivery | Recipient email, message content
Cloudflare | DNS, CDN, email routing | IP address, user agent, timestamps, business ID
Azure AI Document Intelligence | OCR for scanned PDF documents | Uploaded PDF content
Mailchimp (optional) | Email marketing (if enabled by business owner) | Visitor name, email (only with visitor consent)
HubSpot (optional) | CRM and/or newsletter (if enabled by business owner) | Lead name, phone, email
Pipedrive (optional) | CRM (if enabled by business owner) | Lead name, phone, email
Follow Up Boss (optional) | CRM (if enabled by business owner) | Lead name, phone, email
Clio (optional) | Legal CRM (if enabled by business owner) | Lead name, phone, email
Constant Contact (optional) | Email marketing (if enabled by business owner) | Visitor name, email
Google Calendar (optional) | Appointment booking (if enabled by business owner) | Visitor name, phone, email, appointment time
Google Sheets (optional) | Lead spreadsheet (if enabled by business owner) | Lead name, phone, email, topic
WhatsApp / Meta (optional) | Messaging channel (if enabled by business owner) | Chat messages, phone number
WooCommerce/Shopify APIs (optional) | Inventory sync for e-commerce sites | Product catalog data (optional API key auth for stock/price data)
Lasso CRM (optional) | CRM (if enabled by business owner) | Lead name, phone, email
Lead webhooks (optional) | Automation (Zapier, Make, etc., if configured) | Lead name, phone, email, topic

5. Data Storage and Security

  • All data is stored on Microsoft Azure servers in the United States.
  • All connections use HTTPS encryption in transit.
  • The chatbot (and live chat, if enabled) never asks for sensitive financial information. As an added safeguard, credit card numbers and Social Security numbers shared in chat are automatically redacted before storage.
  • Dashboard access is protected by a hashed PIN. Authentication tokens are stored as one-way hashes and are revoked when you change your PIN or use the forgot-PIN feature.
  • We do not sell, rent, or share your data with third parties for marketing purposes.

6. Browser Storage

Chat Widget: Our chat widget uses your browser's localStorage to persist conversation history so returning visitors can continue where they left off. We do not use tracking cookies. No data is shared with advertising networks.

Owner Dashboard Sessions: The dashboard stores your session state (business ID, authentication token, display preferences) in localStorage so you stay logged in across page reloads and app restarts. This data is cleared when you log out.

Push Notifications (Owner Dashboard): If you enable push notifications, your browser generates a push subscription (endpoint URL and encryption keys) which we store on our servers. Notifications are delivered via the Web Push protocol (VAPID) using standard browser APIs — no third-party push service is involved. You can disable notifications at any time through your browser settings or the dashboard.

Service Worker & Offline Support: The owner dashboard registers a service worker that caches page assets for offline access. Cached data is stored in your browser's Cache Storage and is automatically updated when new versions are available. When an update is detected, a banner prompts you to refresh. You can clear this data through your browser's site settings.

7. Do Not Track

Our service does not use tracking cookies, advertising pixels, or cross-site tracking technologies. We do not track visitors across third-party websites. Because we do not engage in tracking, our service effectively honors Do Not Track (DNT) browser signals by default.

8. Data Retention

  • Chat conversations: Stored in session tables during the active session (automatically deleted after 24 hours). Conversation events are logged to Application Insights and retained for up to 90 days.
  • AI conversation state: Chat conversations are stored on OpenAI's servers for up to 30 days to support multi-turn conversation continuity. This data is subject to OpenAI's API data usage policies and is not used for model training.
  • Lead data: Lead status and follow-up reminders retained as long as the business subscription is active.
  • Business configuration: Retained for 30 days after subscription cancellation, then permanently deleted. This includes knowledge base content, widget settings, integration credentials, and RAG search index data.
  • Owner activity history: Change history (knowledge updates, setting changes, rescrapes) retained for up to 90 days in application logs.
  • Free trial data: Trial configurations are automatically deleted 7 days after expiration if not converted to a paid subscription.
  • Payment records: Managed by Stripe per their retention policies.

9. Your Choices

Business owners:

  • You can update or delete your bot's knowledge base at any time from the dashboard.
  • You can hide individual conversations from your dashboard activity view. Hidden conversations are excluded from your dashboard but remain in application logs for the standard retention period.
  • Some plans support emailing updates to your bot's knowledge base. Attachments (PDFs) are temporarily stored for processing and deleted after the update is applied. Your sender email address is matched to identify your account.
  • You can cancel your subscription, which stops all data collection and triggers deletion after 30 days.
  • You can request data export or deletion by emailing us.

End users (website visitors):

  • Chat is voluntary — you choose what to share in conversation.
  • You can clear your local chat history by clearing your browser's localStorage.
  • You can request deletion of your conversation data by contacting the business or emailing us.

10. Children's Privacy

Our service is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

11. Business Transfers

If our business is acquired, merged, or sold, your data may be transferred to the new owner as part of that transaction. We will notify you via email before your data is subject to a different privacy policy.

12. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of the service after changes constitutes acceptance.

13. Contact

For privacy questions or data requests, contact us at [email protected].

© 2026 Simple Business Bots