Privacy Policy

1. Who we are

InBots (“InBots”, “we”, “us”, “our”) operates https://inbots.ai and https://dashboard.inbots.ai. InBots is a B2B SaaS platform that provides Arabic-native AI customer support agents to businesses, primarily in the Kingdom of Saudi Arabia. For any privacy-related inquiry, contact us at privacy@inbots.ai.

2. What data we collect

We process three categories of data:

• Business account data — when a business owner connects a Facebook Page, Instagram Business account, WhatsApp Business account, or other supported channel to InBots through OAuth, we receive: access tokens, Page/account IDs, Page/account names, profile pictures, and the business owner’s email address.
• Customer conversation data — when a customer sends a message to a business connected to InBots, we process: the customer’s platform-scoped identifier (e.g. Messenger PSID, Instagram IGSID), display name and profile picture (where provided by the platform), the message content, and the timestamp. This data is used to generate the AI reply and to populate the business owner’s inbox.
• Account & product telemetry — we log authentication events, API usage, subscription status, and diagnostic events necessary to operate the service.

3. How we use data

We use data only to: (a) generate AI replies to customer messages on behalf of the connected business, (b) display conversation history in the business owner’s dashboard, (c) operate and secure the service (authentication, rate limiting, fraud prevention), and (d) bill the business for usage under their subscription plan.

We do not sell data. We do not use data for advertising, audience targeting, or marketing to end customers of our business customers.

4. Sub-processors

We use the following third-party service providers. Each is bound by data-protection terms and processes data only on our behalf:

• Google Cloud Platform — cloud hosting, database, secrets management (Cloud Run, Cloud SQL, Secret Manager)
• Google Gemini & Anthropic Claude — AI model providers; only the minimum message context required to generate a reply is transmitted
• Firebase Authentication — business owner login
• Resend — outbound email notifications
• Stripe — subscription billing
• DigitalOcean — isolated per-tenant WhatsApp bridge instances (only for tenants who connect WhatsApp via QR mode)

5. Security

All access tokens and secrets are encrypted at rest using AES-256. All data in transit is encrypted using TLS 1.2+. Webhook deliveries from Meta, Stripe, and other platforms are verified using HMAC signatures. Each tenant’s data is logically isolated; no tenant can read another tenant’s data.

6. Retention & deletion

Access tokens and webhook event metadata are retained only while the business remains connected to InBots. When a business owner disconnects a channel from the InBots dashboard, revokes the app from the platform’s own settings (e.g. Facebook Business Integrations), or deletes their InBots account, all tokens and credentials are deleted within 24 hours. Conversation transcripts are retained for the duration of the active subscription as part of the CRM record the business needs to operate, and deleted within 30 days of account closure.

To request deletion of your data, visit inbots.ai/data-deletion or email privacy@inbots.ai.

7. Data subject rights

You may request access to, correction of, or deletion of your personal data at any time by emailing privacy@inbots.ai. We respond to verified requests within 30 days.

8. Changes to this policy

We may update this policy from time to time. Material changes will be notified to account admins by email at least 14 days before they take effect.