Legal

Privacy Policy

Last updated: March 2026

Your conversations are encrypted — we cannot read them

All conversation message content is encrypted with AES-256-GCM directly in your browser before being written to our database. The encryption key is unique per chatbot and stored only within your account. Even with full database access, Otonomi staff see only unreadable ciphertext.

1. Who We Are

BotChap is a SaaS chatbot widget builder operated by Otonomi Technologies and Consulting FZCO, registered in the Dubai Silicon Oasis Free Zone, Dubai, UAE ("Otonomi", "we", "us", "our"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use BotChap ("the Service").

By using BotChap you agree to the practices described in this policy. If you do not agree, please stop using the Service.

2. Data We Collect

2.1 Account Data

When you sign in with Google we receive your name, email address, and profile photo from Google's OAuth service. We store this to identify your account and personalise the Service.

2.2 Profile Data

You may optionally provide your phone number and postal address from your Profile page. This information is stored in your Firestore account document, is private to you, and is used only for billing and support purposes. You can update or delete it at any time from your Profile page.

2.3 Billing & Payment Data

Payments are processed by Stripe on behalf of Otonomi Technologies and Consulting FZCO. We never store your full card number, CVV, or raw payment details on our servers. We retain your Stripe customer ID, subscription plan, billing interval, and subscription renewal date to manage your account.

2.4 Chatbot Configuration Data

All widget settings you create — including backend URLs, appearance settings, API keys, and authentication tokens — are stored in our Firebase Firestore database and are accessible only to your account via Firebase Security Rules. Sensitive credentials (API keys, auth tokens) are stored server-side and never sent to end-user browsers.

2.5 Conversation Data

When end-users interact with your deployed BotChap widgets, basic session metadata (chatbot ID, message count, timestamp, browser user-agent) is always recorded to power your analytics dashboard. Full message content is only stored if you have explicitly enabled the Log Full Messages setting.

When message logging is enabled, all message text is encrypted client-side using AES-256-GCM before it is written to Firestore. A unique 256-bit encryption key is automatically generated per chatbot and stored within your chatbot configuration. Stored messages appear only as encrypted ciphertext — they are meaningless without the corresponding key, which lives exclusively in your account.

You are responsible for informing your end-users that their messages may be logged and for obtaining any consent required by the laws of your jurisdiction.

2.6 Usage & Technical Data

We may collect standard server logs including IP addresses, browser type, pages visited, and timestamps. This data is used for security monitoring, debugging, and service improvement only. We do not sell this data.

3. How We Use Your Data

  • To create and manage your BotChap account
  • To process payments and manage your subscription via Stripe
  • To deliver the Service features included in your plan
  • To send transactional emails (subscription confirmations, renewal reminders, cancellation notices, support replies)
  • To power your analytics dashboard (session counts, message counts, conversation timelines)
  • To investigate and resolve technical issues or abuse reports
  • To comply with legal obligations under UAE law

We do not use your data for advertising and we do not sell or share your personal data with third parties for their own purposes.

4. Legal Basis for Processing

We process your personal data on the following grounds:

  • Contract performance — to provide the Service you have signed up for
  • Legitimate interests — to keep the Service secure, operational, and improving
  • Legal obligation — to comply with applicable laws and financial regulations
  • Consent — where you have explicitly opted in (e.g. enabling conversation logging)

5. Encryption Architecture

This section explains how BotChap protects conversation content so that neither Otonomi staff nor unauthorised parties can read it.

  • Key generation — when you create a chatbot, your browser generates a unique random AES-256-GCM key using the Web Crypto API. This key is stored in your chatbot's Firestore configuration document, which only your account can access.
  • Encryption before storage — every message sent or received through your widget is encrypted in the browser using that key before it is written to Firestore. Our server never receives plaintext message content.
  • Decryption on demand — when you view conversation logs in your Analytics dashboard, messages are fetched from Firestore and decrypted in your browser using the key from your chatbot config. Decrypted text is never sent back to our servers.
  • What we store — only encrypted ciphertext (e.g. aGVsbG8=:dGhpcyBpcyBl…). Without the key, this is unreadable.

6. Third-Party Services

We use the following third-party processors. Each operates under its own privacy policy:

  • Google Firebase: Authentication, real-time database (Firestore) (Privacy Policy)
  • Stripe: Payment processing and subscription management (Privacy Policy)
  • Google OAuth: Sign-in authentication (Google accounts) (Privacy Policy)
  • GoDaddy (Secure Server): Transactional email delivery via SMTP (Privacy Policy)

When you configure your own AI backends, webhooks, or third-party integrations inside BotChap widgets, user messages are forwarded to those external endpoints. You are solely responsible for the privacy practices of those services.

7. Data Retention

  • Account & profile data — retained while your account is active. Deleted within 90 days of a verified account deletion request.
  • Billing records — retained for 7 years to comply with UAE financial regulation.
  • Conversation logs — retained while the associated chatbot exists. Permanently deleted when you delete the chatbot or your account.
  • Analytics metadata — session counts and timestamps are retained for 12 months.
  • Server logs — retained for up to 90 days for security monitoring, then automatically purged.

8. Data Security

We apply multiple layers of security to protect your data:

  • Encryption in transit — all data is transmitted over HTTPS/TLS
  • Conversation encryption at rest — message content is encrypted with AES-256-GCM in your browser before storage; Otonomi staff see only ciphertext (see Section 5)
  • Per-user database isolation — Firebase Security Rules ensure each user can read and write only their own documents
  • Server-side credential proxy — your API keys and auth tokens are stored server-side and proxied to backends; they are never exposed in end-user browsers
  • Payment security — card data is handled entirely by Stripe and never touches our servers

Despite these controls, no system is completely secure. Please use a strong, unique password for your Google account and notify us immediately at support@otonomi.co if you suspect unauthorised access.

9. Cookies

BotChap uses only functional cookies required to maintain your authenticated session (managed by Firebase Auth). We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies. You can clear cookies at any time through your browser settings, which will log you out of the Service.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate data (name, phone, address can be updated directly from your Profile page)
  • Erasure — request deletion of your account and associated data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Restriction — request that we limit how we use your data pending a dispute
  • Withdraw consent — disable conversation logging at any time from your chatbot settings

To exercise any of these rights, email support@otonomi.co. We will respond within 30 days.

11. International Data Transfers

Your data is stored on Google Firebase infrastructure, which operates data centres globally and may be located outside the UAE. Google maintains Standard Contractual Clauses and other appropriate safeguards for international transfers. By using BotChap you acknowledge and consent to this transfer.

12. Children's Privacy

BotChap is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, contact us at support@otonomi.co and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version. Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

14. Contact

For any privacy-related questions, data requests, or security concerns, please contact us at:
Otonomi Technologies and Consulting FZCO
Dubai Silicon Oasis, Dubai, UAE
support@otonomi.co