BotSync
Effective 26 May 2026

Privacy Policy

How BotSync collects, uses, shares, retains, and protects personal information across the website, dashboard, mobile app, messaging channels, AI features, CRM, broadcasts, bookings, knowledge base, and integrations — including Meta, Instagram, Facebook, and WhatsApp data.

On this page · 21 sections
  1. Overview
  2. Information we collect
  3. Mobile call-log sync (Android)
  4. Meta, Instagram, WhatsApp, and Facebook data
  5. How we use information
  6. AI processing
  7. What we do not do
  8. Subprocessors
  9. Information from connected services
  10. Legal basis and consent
  11. How we share information
  12. Data retention
  13. Data deletion and revocation
  14. Security
  15. Your rights under DPDPA (India)
  16. Your rights under GDPR (EEA, UK, Switzerland)
  17. Cookies and tracking
  18. Children's privacy
  19. International processing and data location
  20. Data breach notification
  21. Changes and contact

1. Overview

This Privacy Policy explains how BotSync collects, uses, stores, shares, and protects personal information when you use our website, dashboard, mobile app, messaging automation, AI tools, CRM, booking tools, broadcasts, knowledge base, and integrations.

BotSync is used by businesses and teams to communicate with their leads, students, customers, and contacts. In most cases the workspace owner decides what data is collected and how it is used (the data fiduciary or data controller), while BotSync provides the software platform that processes it on the workspace owner's behalf (the data processor).

If you are a contact, lead, or message recipient whose information appears in a BotSync workspace, your primary point of contact for data requests is usually the business that uses BotSync. BotSync will assist that business when required.

2. Information we collect

We collect information directly from workspace owners and authorized users, automatically when you use the service, and from connected third-party platforms that you authorize.

  • Account information: name, email address, phone number, organization details, login credentials (passwords are stored only as bcrypt hashes), role, plan, billing status, and security settings such as two-factor authentication state.
  • Lead and conversation information: names, phone numbers, Instagram or Facebook identifiers, message content, comments, documents, media attachments, email addresses, course or product interests, budget, city, timeline, exam status or score, callback numbers, booking details, lead stages, tags, notes, and activity logs created by the workspace.
  • Connected channel data: WhatsApp Business phone number IDs, WhatsApp Business Account IDs, Instagram professional account IDs, Facebook Page IDs, app-scoped sender IDs, access tokens, webhook subscription state, template status, and delivery or read events.
  • Billing and payment information: subscription plan, billing cycle, invoice line items, GSTIN where provided, Razorpay customer ID, order ID, payment ID, and signed payment verification data. Card details are processed by Razorpay and never stored by BotSync.
  • Technical and security information: IP address, browser, device, operating system, log events, cookies or similar identifiers, API responses, webhook payloads, rate-limit counters, error reports, audit logs of administrator and impersonation actions, and usage analytics needed to operate and secure the service.
  • Communications with us: support emails, in-product feedback, and bug reports.

3. Mobile call-log sync (Android)

If an authorized Android user enables call-log sync in the BotSync mobile app, BotSync may read recent call-log metadata from that device only when the user manually starts a sync.

The sync is used to match phone calls against existing CRM lead phone numbers and add call activity to matched leads. We do not store unmatched call records or Android contact names from the device.

For matched calls we may store limited activity metadata such as call direction, call type, duration, timestamp, device identifier, sync source, and the BotSync user who performed the sync. Users can disable call-log sync at any time from the mobile app and revoke the Android permission from the device settings.

4. Meta, Instagram, WhatsApp, and Facebook data

When a workspace connects an Instagram, Facebook, WhatsApp, or other Meta account, BotSync receives information from Meta APIs and webhooks that is necessary to provide messaging, automation, inbox, CRM, analytics, and support features.

We only request and use Meta permissions for product features that are shown in the BotSync app, such as receiving Instagram DMs, replying from Inbox, handling comment-triggered automations, syncing WhatsApp message status events, and helping teams manage customer conversations.

  • Account identifiers: professional account IDs, Page IDs, app-scoped sender IDs, usernames, display names, and profile metadata permitted by the granted permission.
  • Message content: messages, comments, and media attachments exchanged between the connected account and end users, plus delivery and read events.
  • Auth artifacts: access tokens, token status, granted permission scopes, and connection timestamps.
  • We do not use Meta user data for unrelated advertising, profiling outside the workspace owner's service purpose, training general-purpose AI models, or building unrelated datasets.

5. How we use information

We use the information described above only for clearly defined purposes tied to running and improving the BotSync service.

  • Service delivery: authenticate users, route conversations, send and receive messages, generate AI replies, manage leads, book meetings, run campaigns, sync sheets, and show analytics.
  • Reliability and safety: debug issues, investigate failures, monitor system health, enforce rate limits, detect fraud or abuse, enforce platform policies, and respond to incidents.
  • Billing: meter usage, generate invoices, process payments, and reconcile transactions.
  • Support: respond to support tickets, troubleshoot connection or webhook issues, and contact workspace owners about service-related matters.
  • Compliance: meet legal, tax, audit, and platform-policy obligations, including Meta and WhatsApp Business Platform requirements.
  • Product improvement: aggregated and de-identified usage analysis to improve performance, reliability, and UX. We do not use customer message content or lead PII to train third-party AI models.

6. AI processing

BotSync sends selected conversation context, CRM summaries, knowledge base content, prompts, and related details to AI providers when AI features are enabled in your workspace. This is done to generate replies, summaries, classifications, follow-ups, lead scoring, or knowledge base answers.

Default AI subprocessors are OpenAI and OpenRouter. The active provider, model, and fallback chain are configurable per workspace and visible in the AI Training Center. We pass only the minimum context needed to generate a response, and we do not authorize providers to use your data to train their general-purpose models.

AI output may be inaccurate, incomplete, or unsuitable for a specific situation. Workspace owners are responsible for configuring prompts and rules, reviewing critical outputs, and not relying on AI for legal, financial, medical, admissions, or other professional decisions. Where automation results in a decision that significantly affects a person, you should keep a human-review channel available.

7. What we do not do

BotSync is a paid SaaS product, not an ad business. Our incentives are aligned with the workspace owner, not with monetizing personal data.

  • We do not sell personal information, Meta user data, Instagram messages, Facebook messages, WhatsApp messages, lead data, or CRM data.
  • We do not use Meta user data for unrelated advertising or profiling outside the workspace owner's service purpose.
  • We do not expose access tokens, app secrets, or developer credentials to normal workspace users — sensitive fields are encrypted at rest using AES-256 keys derived from a per-environment encryption secret.
  • We do not train third-party AI models on workspace conversation content.
  • We do not request Meta permissions that are not needed for the active BotSync feature, and we do not use granted permissions for hidden or unrelated features.

8. Subprocessors

BotSync uses the following third-party subprocessors to deliver the service. Each subprocessor is contractually obligated to protect your data and process it only on documented instructions.

  • Cloud hosting and database: VPS infrastructure (data hosted in India), PostgreSQL with pgvector, Redis for caching and Socket.io fan-out.
  • AI providers: OpenAI (chat, embeddings) and OpenRouter (multi-provider AI routing). Active provider depends on workspace configuration.
  • Messaging platforms: Meta (WhatsApp Business Platform, Instagram Graph API, Facebook Graph API).
  • Payments: Razorpay (subscription checkout, payment verification, webhook settlement) and Razorpay's downstream card networks for card payments.
  • Transactional email: configured email provider (Resend by default; workspace SMTP may be used when configured by the workspace owner).
  • Error monitoring and observability: Sentry for application error tracking; structured logs are retained within our infrastructure.
  • Integrations chosen by the workspace owner: Google (Sheets, OAuth, Calendar) and similar third-party tools the workspace connects.
  • Push notifications for mobile users: Firebase Cloud Messaging (FCM).
  • A current subprocessor list and any material updates can be requested at support@botsync.in.

9. Information from connected services

When you connect WhatsApp, Instagram, Facebook, Meta, Google Sheets, OpenAI, OpenRouter, Razorpay, or other integrations, we receive tokens, account IDs, page IDs, phone number IDs, message events, delivery events, template status, webhook events, and related data needed to operate the integration.

You should only connect accounts, phone numbers, pages, documents, and data sources that you are authorized to use. You are responsible for ensuring your use of each connected service follows that service's terms, platform policies, and permission requirements.

11. How we share information

We share information only with the parties listed in the Subprocessors section, with the connected third-party platforms you authorize, and as required by law or to protect BotSync, users, or others.

  • Service providers: hosting, database, logging, payment, messaging, AI, analytics, storage, and communication providers as listed under Subprocessors. They process data only on documented instructions and under written contracts.
  • Connected platforms: Meta, Google, and other platforms you connect, only as needed to perform the action requested by the workspace owner — for example sending a message, receiving a webhook, syncing a sheet, or verifying a connection.
  • Legal and safety: regulators, courts, law enforcement, platform integrity teams, or other parties when we believe disclosure is required by law, legal process, security investigation, platform enforcement, fraud prevention, or to protect the rights, safety, and integrity of BotSync, users, or others.
  • Business transfer: in the event of a merger, acquisition, restructuring, or asset sale, personal information may be transferred to the successor entity, subject to this Privacy Policy or a successor policy that provides equivalent protection.

12. Data retention

We retain personal information only as long as needed for the purposes described in this policy. Indicative retention windows for the main data categories are listed below. Workspace owners can request earlier deletion via the Data Deletion page.

  • Active workspace data (conversations, leads, knowledge base, settings): retained for the lifetime of the workspace. Workspace owners can delete individual leads or conversations from the dashboard at any time.
  • Account closure: when a workspace is deleted via support, account and workspace records are deleted or de-identified within 30 days, except where retention is required for legal, billing, fraud-prevention, or platform-compliance reasons.
  • Operational logs and webhook payloads: typically retained for up to 90 days, then deleted or aggregated.
  • Audit logs of administrator and impersonation actions: retained for up to 12 months for security and compliance review.
  • Billing records, invoices, and payment evidence: retained for up to 8 years to meet Indian tax and accounting requirements.
  • Encrypted backups: rolling backups are retained for up to 35 days and are overwritten on rotation. Deleted data continues to exist in backups during this window.
  • De-identified or aggregated analytics that cannot reasonably be linked to a person may be retained indefinitely.

13. Data deletion and revocation

Workspace owners and individuals may request deletion of personal information held by BotSync. Detailed instructions, identifiers needed, and timelines are listed on the Data Deletion page.

Workspace owners can email support@botsync.in from the registered workspace email to request workspace, lead, conversation, or integration deletion. Contacts inside a BotSync workspace should usually contact the business that uses BotSync; BotSync will assist that business as required.

Meta-connected accounts can be disconnected at any time. You can also revoke the BotSync app from your Facebook or Instagram settings. After a verified deletion request we will delete or de-identify applicable data within 30 days, except where a longer retention is required for legal, billing, security, or platform-compliance reasons.

14. Security

We use technical and organizational safeguards designed to protect personal information against unauthorized access, alteration, disclosure, and destruction.

  • Encryption in transit: HTTPS/TLS for all browser and API traffic; webhook payloads are verified against Meta's HMAC signature when configured.
  • Encryption at rest: sensitive credentials (WhatsApp access tokens, OpenAI keys, Razorpay secrets, Google OAuth tokens) are encrypted using AES-256 with environment-bound keys before being written to the database.
  • Access control: workspace data is partitioned by workspace owner ID; admin access is restricted to a small set of accounts and protected by two-factor authentication and IP allowlisting; super-admin impersonation sessions are bound to the originating admin session.
  • Monitoring: structured audit logs, error monitoring via Sentry, rate limits on authentication and webhook endpoints, and platform-level incident controls let us pause outbound or webhook traffic during an incident.
  • Customer responsibilities: you are responsible for protecting your account credentials, limiting teammate access, rotating API keys when needed, removing users who no longer need access, and promptly notifying us of suspected unauthorized access at support@botsync.in. No system is completely secure, and BotSync does not warrant that the service will be uninterrupted or error-free.

15. Your rights under DPDPA (India)

If the Digital Personal Data Protection Act, 2023 (DPDPA) applies to the processing of your personal data, you have the following rights with respect to data held by BotSync as a data processor or data fiduciary.

  • Right to access a summary of personal data we hold about you and the processing activities we carry out.
  • Right to correction, completion, and updating of personal data that is inaccurate, incomplete, or misleading.
  • Right to erasure of personal data that is no longer needed for the purpose it was collected, subject to retention required by law.
  • Right to grievance redressal by writing to BotSync at support@botsync.in. We aim to acknowledge a grievance within 7 business days and resolve it within 30 days.
  • Right to nominate another person to exercise your rights in the event of your death or incapacity.
  • Right to withdraw consent that you previously gave for processing. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
  • If we cannot resolve your grievance, you may approach the Data Protection Board of India under the DPDPA.

16. Your rights under GDPR (EEA, UK, Switzerland)

If the EU/UK/Swiss General Data Protection Regulation applies to the processing of your personal data, you have the following rights.

  • Right of access, rectification, erasure ('right to be forgotten'), restriction of processing, and objection to processing.
  • Right to data portability for personal data you provided to us, where the processing is based on consent or contract and is carried out by automated means.
  • Right to withdraw consent at any time where processing is based on consent.
  • Right to lodge a complaint with your local supervisory authority.
  • International transfers: BotSync is operated from India. If you are in the EEA, UK, or Switzerland and we transfer your personal data to India or to a subprocessor outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses, or on your explicit consent, as permitted by GDPR.

17. Cookies and tracking

BotSync uses cookies and similar technologies to keep users signed in, remember settings, protect sessions, understand product usage, measure performance, and improve the website or dashboard.

  • Strictly necessary cookies (such as the nexusdesk_session cookie) are required for login, security, and basic dashboard functionality.
  • Analytics and performance cookies help us understand which pages and features are used so we can improve them.
  • We do not place advertising or cross-site tracking cookies on the dashboard.
  • You can control cookies through your browser settings. Disabling strictly necessary cookies will break login and dashboard functionality.

18. Children's privacy

BotSync is intended for business and organizational use. Under DPDPA, processing personal data of a child (under 18 in India) requires verifiable consent from a parent or legal guardian. BotSync is not designed for children to create accounts or manage workspaces.

If a workspace processes information about students or minors, the workspace owner is responsible for obtaining the required parental consent, restricting tracking and behavioral monitoring of children, and following the additional protections required by DPDPA and any other applicable law.

19. International processing and data location

BotSync's primary infrastructure (web servers, database, queues, file storage, backups) is hosted in India. Some subprocessors, such as OpenAI, OpenRouter, Meta, Google, Sentry, and Firebase, may process data in other regions including the United States and the European Union.

If you or your contacts are located outside India, your personal data may be transferred to, stored, and processed in India and in the regions where our subprocessors operate. By using BotSync and connecting third-party services, you understand that information may be transferred and processed in those regions as needed to provide the service.

20. Data breach notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected workspace owners and, where required by law, the relevant supervisory authority (such as the Data Protection Board of India, or CERT-In within its 6-hour incident response window), without undue delay.

Workspace owners are responsible for cascading breach notifications to their own contacts and end users where required by their applicable law.

21. Changes and contact

We may update this Privacy Policy from time to time. When we make material changes we will update the effective date at the top of this page and, where appropriate, notify workspace owners through email or the dashboard.

For privacy questions, data deletion requests, Meta data requests, DPDPA grievances, or other privacy concerns, contact us at support@botsync.in or through the support channel available in your BotSync workspace. We aim to acknowledge requests within 7 business days.

Need to talk to a human?

For privacy, deletion, billing, or platform-compliance questions, email support@botsync.in. We aim to acknowledge requests within 7 business days. DPDPA grievances are resolved within 30 days.

Effective 26 May 2026. Last reviewed on the same date. This page is provided for transparency. Review with your legal advisor before large-scale commercial rollout.