Chatbot Builder

GDPR Compliance

Last updated: June 2026

This document is not legal advice.

Our commitment

Kitebots is built to help our customers use AI chatbots while respecting the privacy rights of their end-users. We align our platform, contracts, and operations with the EU/UK General Data Protection Regulation (GDPR) and comparable privacy laws. This page summarizes how we support GDPR compliance for you and your visitors.

1. Controller / processor model

When you deploy a chatbot, you are the data controller for your visitors’ personal data and Kitebots is your data processor, processing it only on your instructions. For your own account data, Kitebots is the controller. Our Data Processing Addendum (DPA) at /dpa documents these roles, security commitments, sub-processor terms, and international-transfer safeguards (Standard Contractual Clauses).

2. Data-subject rights we support

Access and portability: account owners can export their personal data in a structured, machine-readable (JSON) format from Account → Your Data & Privacy.

Erasure: account owners can request deletion of their account and associated data (chatbots, leads, chat history, billing records, and identity) from the same screen. We also remove data from third-party stores (vector indexes, file storage) and the identity provider.

Rectification, restriction, and objection: contact privacy@kitebots.com and we will act on verifiable requests.

For your visitors’ requests, we provide tooling and assistance so you can fulfill access and erasure requests as the controller, including automatic expiry of chat data and per-conversation deletion.

3. Consent and cookies

Our site presents a consent banner with granular categories (necessary, functional, analytics, marketing) and stores the visitor’s choice; non-essential technologies are used only after opt-in. See our Cookie Policy at /cookie-policy.

For the deployed chat widget, you can enable a consent prompt so that the widget stores identifiers and collects conversation data only after your visitor agrees. Configure this in your chatbot settings and provide your own Privacy Policy URL to display in the widget.

4. Security and data retention

We encrypt personal data in transit (TLS) and at rest (AES-256), isolate workspaces, apply least-privilege access, and enable point-in-time recovery on key data stores. Chat sessions and messages expire automatically on a short retention schedule, and lead/account data is retained only as long as needed and then deleted or anonymized.

5. Sub-processors

We use a limited set of vetted sub-processors, including Amazon Web Services (hosting and infrastructure), OpenAI and comparable LLM API providers (response generation), Upstash (vector search), Razorpay (payments), and Meta (optional WhatsApp/messaging integrations you enable). A current list is available on request.

6. Requesting a DPA or exercising rights

To sign a DPA, request our sub-processor list, or exercise any data-subject right, contact privacy@kitebots.com. We respond to verifiable requests within the timeframe required by law (generally within one month under GDPR). You may also lodge a complaint with your local supervisory authority.