Privacy Policy

Effective Date: 2025-11-11

Who we are. [BotBay Technologies Private Limited] (“BotBay“, “we“, “us“, or “our“) operates botbay.in and related apps, dashboards, APIs, and marketplace services (collectively, the “Services“). BotBay is based in New Delhi, Delhi, India.

This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our site, create an account, purchase or sell through our marketplace, or otherwise interact with the Services. By using the Services, you agree to this Policy.

Marketplace scope: BotBay is a marketplace platform. Independent sellers (“Sellers“) list and provide their own products and support. In many cases, Sellers are independent controllers of any personal data they process outside of the BotBay platform (e.g., via their own support tools). Sellers must publish their own privacy notices.

1) Data We Collect

We collect the following categories of information, depending on how you use the Services:

  1. Account & Contact Data – name, username, email, password, country, phone (optional), profile details.
  2. Order & Billing Data – items purchased/sold, pricing, taxes, currency, partial payment details (tokenized by our processors), billing address, transaction IDs, invoices.
  3. Identity & KYC (Sellers) – government-issued IDs, business registration details, PAN/GSTIN, address, and verification artifacts, as required for payouts, AML, and sanctions screening.
  4. Usage & Device Data – IP address, device identifiers, browser type, language, time zone, referrer URLs, pages viewed, links clicked, session duration, error logs, and telemetry.
  5. Support & Communications – messages to support, emails, chat transcripts, attachments, feedback, and review content.
  6. Marketing Preferences – newsletter subscription status, campaign engagement, and analytics.
  7. Platform Integrations – third‑party handles, game or platform IDs, and settings you connect to bots (as applicable).
  8. Cookies & Similar Technologies – cookies, pixels, and local storage used for authentication, preferences, analytics, advertising, and fraud prevention. See Section 10.

We do not knowingly collect sensitive personal data unless a Seller or you provide it to us for a specific, lawful purpose (e.g., identity verification for payouts).

2) How We Use Data (Purposes)

We use personal data to:

  • Provide and operate the marketplace and Services, process orders, facilitate Seller listings, and enable downloads/activation.
  • Payments & payouts via Stripe, PayPal, and Razorpay; handle taxes, invoices, refunds/chargebacks.
  • Secure the platform – detect/prevent fraud and abuse; manage access, rate limits, and incident response.
  • Support & communications – respond to inquiries, provide updates, resolve issues, and send transactional emails.
  • Improve the Services – analytics, debugging, A/B tests, product research, and feature development.
  • Comply with law – KYC/AML/sanctions screening, record keeping, and responding to lawful requests.
  • Marketing (with consent/legitimate interest) – newsletters, announcements, feedback surveys, and promotions. You can opt out anytime.

3) Legal Bases (where applicable)

Where required (e.g., EU/EEA/UK), we rely on the following legal bases:

  • Contract – to provide the Services and fulfill orders.
  • Legitimate interests – to secure and improve the Services, prevent fraud, and market to existing users (balanced against your rights).
  • Consent – for optional cookies, newsletters, and certain data sharing.
  • Legal obligations – tax, accounting, and KYC/AML requirements.

4) Data Sharing & Recipients

We share data with:

  1. Sellers (Marketplace). We share Buyer information needed to fulfill an order (e.g., email, username, license key mapping, item details). Sellers may process additional data directly (e.g., via their own support tools). Sellers are independent controllers for their own processing and must provide their own privacy policies.
  2. Payment Processors. Stripe, PayPal, and Razorpay process payments, store payment tokens, manage disputes, and handle compliance checks. We share order details and limited personal data necessary for processing.
  3. Service Providers (Processors). Hosting (e.g., cloud providers), email/SMS vendors, analytics, logging, error monitoring, anti‑fraud, content delivery networks, KYC/AML providers, and customer support tools. They process data on our instructions under confidentiality and security obligations.
  4. Law Enforcement & Legal. Where required by law or necessary to protect rights, safety, or security.
  5. Business Transfers. In the event of a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards and notice.

We do not sell personal data for monetary consideration. We may disclose limited data for advertising/analytics subject to your consent and choices (see Section 10).

5) Retention

We keep personal data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements:

  • Accounts: retained while active; deleted or anonymized after closure subject to backup and legal holds.
  • Orders & invoices: generally retained for 8 years (tax/accounting).
  • KYC (Sellers): retained per regulatory requirements and anti‑fraud needs.
  • Telemetry/logs: typically 12–24 months, unless needed longer for security or debugging.

6) Your Rights & Choices

Depending on your jurisdiction, you may have rights to:

  • Access personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Delete/erase certain data, subject to legal exceptions.
  • Restrict or object to processing in certain circumstances.
  • Port data to another service.
  • Withdraw consent where processing is based on consent.

To exercise rights, contact privacy@botbay.in. We may need to verify your identity and the scope of the request. For marketplace orders, you may also need to contact the Seller directly for data they process independently.

Residents of California and other regions with specific privacy laws may have additional rights (e.g., to opt out of certain sharing for cross‑context behavioral advertising). We honor such requests in accordance with applicable law.

7) International Transfers

We may transfer, store, and process data outside your country (including to the EU/EEA/UK, US, and India). Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses, processor agreements, and security measures). Copies of relevant safeguards can be requested at legal@botbay.in.

8) Security

We employ administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit, access controls, audit logs, and vulnerability management. However, no method of transmission or storage is 100% secure.

9) Children’s Privacy

The Services are not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us to request deletion.

10) Cookies & Similar Technologies

We use cookies, pixels, and local storage for:

  • Essential – authentication, session management, security, fraud prevention.
  • Preferences – language, region, UI settings.
  • Analytics – usage metrics, diagnostics, and performance.
  • Advertising/Attribution (optional) – campaign measurement and retargeting.

Your choices:

  • Use our cookie banner to manage non‑essential cookies.
  • Adjust browser settings to block or delete cookies.
  • Opt out of marketing emails via the unsubscribe link.

11) Seller Responsibilities (Data Controller Notice)

Sellers must:

  • Provide a compliant privacy notice and point of contact.
  • Process Buyer data only for legitimate purposes related to the order and support.
  • Maintain appropriate security and access controls.
  • Honor data rights requests they receive from Buyers.
  • Comply with KYC/AML/sanctions, export controls, and applicable consumer and privacy laws.
  • Delete or anonymize Buyer data when no longer needed, subject to legal obligations.

12) Communications & Marketing

  • Transactional emails (order confirmations, security alerts) are required for service delivery.
  • Marketing – We send newsletters/promotions with your consent or as allowed by law. You can opt out at any time without affecting transactional emails.

13) Third‑Party Links & Services

The Services may link to third‑party sites or tools. We are not responsible for their privacy practices. Review their privacy policies before providing data.

14) Changes to this Policy

We may update this Policy from time to time. Material changes will be posted on this page and, where appropriate, notified via email or the Service. Your continued use after the Effective Date constitutes acceptance of the updated Policy.

15) Contact Us

Controller: BotBay Software Inc
Email: privacy@botbay.in | legal@botbay.in
Support: support@botbay.in

16) Region‑Specific Disclosures (Summaries)

A) India (DPDP Act 2023)

  • Data principal rights include access, correction, erasure, grievance redressal, and consent withdrawal.
  • Consent is obtained through clear notices; non‑essential processing relies on your consent or legitimate uses.
  • Grievance Officer: Vishesh Arora, grievance@botbay.in, Address: New Delhi, Delhi.

B) EU/EEA/UK (GDPR/UK GDPR)

  • Controller: BotBay for platform Services; Sellers are independent controllers for their own listings/support.
  • Data Protection Officer (if appointed): Vishesh Arora, dpo@botbay.in.
  • Representative (if appointed): Vishesh Arora.
  • Complaints: You may lodge a complaint with your local supervisory authority.

C) California (CCPA/CPRA)

  • We do not sell personal information for money. We may share limited data for cross‑context behavioral advertising with your consent.
  • Rights: know, delete, correct, opt out of sharing/sale, and limit use of sensitive information.
  • Authorized Agents: You may designate an agent to submit requests subject to verification.

17) Data Subject Request (DSR) Instructions

To submit a request, email privacy@botbay.in with:

  • Your account email and country
  • Request type (access, correction, deletion, portability, restriction/objection)
  • Proof of identity (we will provide secure upload instructions)

We will respond within applicable statutory timelines. If we cannot fulfill a request due to legal obligations or Seller control, we will explain why.

18) Cookie Table (Example)

Category Cookie Purpose Duration
Essential __session Auth/session continuity Session
Essential csrf_token CSRF protection 2 hours
Preferences locale Language & region 6 months
Analytics _ga Google Analytics (if used) 13 months
Analytics plausible_ignore Analytics opt‑out (if used) 1 year
Advertising _fbp Campaign attribution (if used) 3 months

Update this table to reflect your actual vendors.

19) Vendor List (Example)

  • Payments: Stripe, PayPal, Razorpay
  • Hosting/CDN: [AWS/GCP/Azure], Cloudflare
  • Analytics: [Plausible/GA4], PostHog
  • Email/Comms: [Sendgrid/SES], [Intercom/HubSpot/Drift]
  • Error & Logs: Sentry, Datadog, Logtail

Final Notes

  • This Policy is part of our Terms & Conditions and uses terms defined there.
  • If this Policy conflicts with a localized version, the local version governs where required by law.