Legal

Privacy Policy

May 5, 2026

This policy describes what data the AibaBot platform collects, why we collect it, with whom we share it, how long we retain it, and the rights data subjects have.

01 · Data controller

The controller of personal data processed in connection with the Platform is [OPERATOR: legal entity, registration details, registered office — to be filled after legal entity registration].

Contact for requests: [email protected].

02 · Whom this applies to

This policy applies to two groups:

  • Users — owners of Platform accounts (legal entities and their staff) who pay for subscriptions and configure bots;
  • End customers — people who interact with Users' bots on Telegram, WhatsApp, Instagram, or the web widget. Their data is processed by the Platform on the User's instructions.

For End customers the User is the data controller; the Platform acts as a data processor on the User's behalf.

03 · What we collect

From Users

  • account data: email, password hash, name, interface language, notification flags;
  • tenant data: name, slug, plan, payment history;
  • technical data: IP address, user agent, login log, audit log of admin actions;
  • API keys and integration tokens (Telegram bot token, WhatsApp credentials, OpenAI API key) stored encrypted (AES-256-GCM).

From End customers (via the User)

  • channel identifier (Telegram chat_id, WhatsApp number, IG user_id), display name, language;
  • conversation content: text, voice (post-transcription), image descriptions, button selections;
  • lead form fields (name, phone, email, and other items the bot explicitly asks for);
  • tags, operator marks, notes.

04 · Purposes

Data is processed for the following purposes:

  • providing Platform functionality (bot creation and operation, analytics, broadcasts, billing);
  • authentication and protection against unauthorised access;
  • fulfilling payment-acceptance and tax-reporting obligations;
  • preventing abuse, spam, fraud, and Terms of Service violations;
  • service-related communications with the User and (with separate consent) marketing notifications.

05 · Legal basis

Legal grounds for processing:

  • Contract: User data — to perform the Platform service agreement;
  • Processor mandate: End customer data is processed on the User's instructions per Article 1, paragraph 12 of the Republic of Kazakhstan Law "On Personal Data and Its Protection" (the Platform is a processor);
  • Consent: voice transcription, image description, marketing notifications;
  • Legal obligation: tax reporting, response to authority requests.

06 · Sharing with third parties

To run the Platform, data is shared with the following processors:

AI providers (LLM, vision, transcription)

  • OpenAI, Inc. — USA, San Francisco. Transmitted: conversation text, attached voice (for Whisper), images (for GPT-4o-mini), system prompts, bot settings.
  • Anthropic, PBC — USA, San Francisco. When the User selects a Claude model, the same data is transmitted.

OpenAI and Anthropic state that they do NOT use API client data to train models by default (see their public policies). API log retention on their side is up to 30 days for abuse-monitoring purposes.

Payment provider

  • Cloudpayments — payment processing. Transmitted: plan, amount, subscription identifier. Payment cards are processed on the provider's side and are not stored on ours.

Email providers

  • Resend (USA) — for system emails (password reset, email verification, notifications). Transmitted: email address and message content.

Hosting and infrastructure

  • VPS provider (jurisdiction: Republic of Kazakhstan) used to host servers and the database.

All processors are bound by contracts requiring confidentiality.

07 · Localization and cross-border transfer

Localization in the Republic of Kazakhstan. Primary collection, accumulation, and storage of personal data of Users and End Customers takes place on servers located in the Republic of Kazakhstan, in accordance with Art. 12 of the Law of the RK "On Personal Data and Its Protection" No. 94-V of 21.05.2013 and the Rules approved by Government Resolution of the RK No. 21498. Backups are kept in the same jurisdiction.

Cross-border transfer of part of the data to third parties takes place strictly when executing a relevant service function: LLM API calls (USA), email delivery via Resend (USA), message delivery via Telegram (Switzerland / UAE) and Meta — WhatsApp Cloud API / Instagram Direct (USA / EU). Only data necessary for the specific function is transferred, in the minimum sufficient volume.

By signing up for the Platform and/or interacting with a User's bot, the data subject acknowledges and consents to the described cross-border transfer. The full list of subprocessors, jurisdictions, and engagement terms is published at aibabot.com/legal/subprocessors.

The User, acting as data controller for End Customers, is responsible for ensuring all required consents are in place and for properly informing End Customers about the cross-border transfer.

08 · Retention periods

  • User account data — for the lifetime of the account; after deletion, 90 days of backup retention, then irreversible deletion;
  • payment data — 5 years from the date of the transaction, as required by tax law;
  • End customer conversations and leads — until the tenant deletes them manually or terminates the contract; thereafter deleted along with the User's data;
  • audit logs and login logs — 12 months, for security incident investigation purposes.

09 · Security

Technical and organisational protection measures applied:

  • all API keys and integration tokens are encrypted at the database level (AES-256-GCM with regular key rotation);
  • all client-Platform traffic is transmitted over HTTPS (TLS ≥ 1.2);
  • passwords are stored as bcrypt hashes with per-user salts;
  • tenant operators have restricted permissions (RBAC: TenantOwner, Operator); all actions are logged in the audit log;
  • two-factor authentication (TOTP) is available to Users.

10 · Data subject rights

Data subjects have the right to:

  • obtain information about the processing of their data and the list of subprocessors;
  • request correction of inaccurate data;
  • request deletion of data processed unlawfully or where processing is no longer necessary (see dedicated channel below);
  • withdraw consent (note that withdrawal may result in losing access to the Platform or to the User's bot);
  • lodge a complaint with the authorised body of the Republic of Kazakhstan or the Russian Federation.

Personal-data deletion requests are submitted through the dedicated form at aibabot.com/legal/data-deletion or by emailing [email protected]. Response window: no more than 15 business days (RK — Art. 24 of Law 94-V) / 10 business days (RF — Art. 21 of Federal Law 152-FZ). An automated acknowledgement is sent within 24 hours.

Complaints regarding bots, content, or privacy breaches are accepted at [email protected] and via the form at aibabot.com/legal/abuse.

11 · Cookies

The Platform uses only functionally necessary cookies for authentication and language preference storage. No tracking or advertising cookies are set. Bot analytics are computed server-side without cookies.

12 · Minors

The Platform is not intended for individuals under 18. Accounts are created by adult individuals or by representatives of organisations. If we discover an account was created by a minor without parental consent, the account is blocked and the data deleted.

13 · Changes to this policy

This policy may be updated. Material changes are announced in the interface and/or by email at least 14 days before they take effect. The most recent update date is shown at the top of this document.