Privacy Policy
This Privacy Policy explains how we collect, use, share, and protect personal information when we operate Botflare - Bot Creator and provide your account, billing, and support experience, and how you can exercise your privacy rights.
01 Scope and definitions
1.1 Scope of this Policy
- This Privacy Policy ("Policy") describes how Sichuan Miaosuan Technology Co., Ltd. ("we," "us," or "our") collects, uses, shares, and protects personal information when we provide products and related services under the "Botflare - Bot Creator" brand, including Bot creation and orchestration capabilities for multiple platforms delivered through websites, apps, APIs, and related documentation, together with accounts, billing, and customer support.
- If a feature update includes a separate privacy notice or supplementary terms that conflict with this Policy, the terms specific to that update control for those matters; all other matters continue to be governed by this Policy.
- This Policy does not apply to third-party websites, third-party Bot platforms (such as Telegram or Discord), or hardware and software environments you deploy yourself; your conduct in those environments is governed by their respective privacy notices and terms. We only process personal information described in this Policy to the extent needed to integrate and interoperate as described here.
1.2 Who this Policy covers
- "You" means a natural person who visits, registers for, or uses our products and services or, where you use services on behalf of an organization with authorization, that organization and its authorized users.
- If you are a minor, please read this Policy and use the services only with parental or guardian consent and guidance; guardians may contact us to exercise rights relating to minors, as described in the "Children's privacy" section.
1.3 Key definitions
- Personal information: information relating to an identified or identifiable natural person, recorded electronically or otherwise, excluding information that has been anonymized.
- Sensitive personal information: personal information that, if leaked or misused, may easily harm the dignity of a natural person or endanger personal or property safety. Where we collect this, we will explain it separately and obtain consent where required, unless otherwise permitted by law.
- Processing: includes collection, storage, use, processing, transmission, provision, disclosure, deletion, and other handling of personal information.
- Personal information processor / controller: the entity that determines the purposes and means of processing; for the services described in this Policy, that is Sichuan Miaosuan Technology Co., Ltd. (doing business as "Botflare - Bot Creator"); if an affiliate processes on our behalf, we will identify that in writing where applicable.
- Entrusted processor / processor: a third party that processes personal information on our behalf and under our instructions (such as cloud infrastructure and email or ticketing vendors), bound by contract and applicable law.
- Account: credentials and related profile information you register in our systems for identification and sign-in.
1.4 Contact us
- Personal information processor: Sichuan Miaosuan Technology Co., Ltd. (Botflare - Bot Creator).
- Customer support and privacy inquiries: team@botflare.ai. We generally respond to general inquiries within three (3) business days. For requests to exercise privacy rights, we will handle them within the timeframes required by applicable law (for example, for certain requests from users in China, we aim to respond within fifteen (15) business days unless the law requires otherwise).
1.5 Relationship to other documents
- This Policy, together with our Terms of Service and Refund and Cancellation Policy, forms important terms governing your use of the services. If documents conflict, the provisions that govern personal information processing are controlled by this Policy unless mandatory law requires otherwise.
02 Information we collect
2.1 Overview
- We collect personal information only as needed to provide, maintain, improve, and securely operate our products, and to meet legal obligations. The specific data depends on the features you use, your device and browser, and whether you are signed in.
- Some information is provided by you; some is generated or logged automatically when you use the services; when you connect third-party Bot platforms, payment providers, or identity providers, we may also receive limited information based on your authorization.
- If you decline to provide information that is necessary for a specific feature, that feature may be unavailable or limited.
2.2 Account and identity information
- Registration and sign-in: email address, third-party login identifiers, unique account identifiers, and similar details.
- Billing and subscriptions: subscription tier, order numbers, invoice or tax details you provide, billing or tax addresses you provide, payment method type, and masked last-four digits where applicable.
- Paid checkout: when you purchase through a third-party checkout service we offer, sensitive payment data such as full card numbers and complete billing addresses are typically collected directly by that third party (including any Merchant of Record and its payment partners); we receive limited information such as transaction identifiers, subscription status, and information needed for fulfillment and reconciliation, as determined by the integration.
2.3 Membership and subscription data
- Subscription status: if you purchase a membership or subscription, we may validate online eligibility by processing information related to your account, tier, expiry, sessions, or linked transaction identifiers, as needed to deliver and maintain your entitlements.
2.4 Usage, logs, and operations data
- Service usage: feature selections, configuration changes, summarized API frequency and outcomes, and metadata about Bot workflows and tasks (such as task IDs, timestamps, and error codes), for troubleshooting, analytics, and product improvement.
- Technical and security logs: IP address (or shortened or hashed forms), User-Agent, device type, application version, session identifiers, access times, and request paths.
2.5 Device and diagnostic information
- Device and hardware environment: device model, operating system and version, language and locale, screen resolution (for UI layout), and optional device identifiers where permitted by the platform.
- Crashes and performance: crash summaries, sampling, and limited log excerpts. We disclose in the product whether you can disable or narrow certain diagnostics; we aim to minimize or aggregate sensitive fields.
2.6 Third-party platforms and integrations
- When you connect Botflare - Bot Creator to accounts or Bots on Telegram, Discord, or similar platforms, we may receive platform user IDs, channel or conversation IDs, and metadata about messages and commands, consistent with OAuth, webhooks, or similar mechanisms each platform supports.
- Messages and media: if your Bot configuration sends or receives messages, media, or files, related content may pass through our systems briefly to route and orchestrate workflows; retention depends on your settings, platform rules, and legal requirements.
- If you connect your own systems through APIs or webhooks, you must ensure you have lawful grounds to process related personal information; we handle it only as instructed by your configuration.
2.7 Other information you submit
- Examples: support ticket content, surveys, promotions, optional profile fields you choose to provide.
2.8 Aggregated and anonymized data
- We may aggregate or anonymize information so it no longer identifies a specific person and use derived data where permitted by law; such processing may fall outside portions of this Policy that apply solely to identifiable personal information, subject to applicable law.
03 How we use information
3.1 Overview
- We use personal information only for the purposes described in this Policy and on lawful bases required by applicable law. Unless permitted by law or your separate consent, we do not use personal information for incompatible purposes.
- When we use subprocessors, we contractually require appropriate safeguards and limit processing to the instructed scope.
3.2 Providing, maintaining, and delivering the services
- Creating accounts, verifying identity, sign-in, sessions, presenting in-product interfaces, configuration, and outputs.
- Operating Botflare - Bot Creator: routing commands and messages between connected platforms according to your configuration; storing templates, configs, and version information where the product enables it.
- Providing APIs and responding to integrations you lawfully initiate.
3.3 Product improvement and quality
- Understanding usage trends, errors, and performance to fix bugs and plan features; we prioritise aggregated or anonymized information where feasible.
- Internal testing or staged rollouts; where identifiable personal information is involved, we provide notice where required and obtain consent where legally necessary.
3.4 Security, risk management, and anti-abuse
- Detecting and mitigating fraud, abuse, unauthorised access, DDoS attempts, scraping, malicious Bot activity, or other harmful conduct affecting you, us, or other users.
- Identity verification, access controls, logging, and alerting; correlating datasets where reasonably needed to investigate abuse patterns.
- Following platform policies and technical limits regarding automation or messaging where applicable (including marketplace or platform rules).
3.5 Support and operational communications
- Helping you via tickets, email, or in-app channels; diagnosing issues and, where you consent or the law permits, temporarily broadening diagnostics.
- Sending important transactional notices such as security, functionality, billing, or subscription reminders. Promotional emails are sent only where allowed by applicable law and with an unsubscribe link where required.
3.6 Billing and subscriptions
- Tracking tiers, entitlement limits (including how many concurrently hosted Bots are permitted for your tier, as stated on pricing and in-product disclosures), and arrears, and reconciling transactions with payment partners; receipts and confirmations are provided by checkout partners or shown in-product. We may notify you via email or in-product announcements about subscription or account-related matters material to you.
3.7 Compliance and rights requests
- Meeting legal, regulatory, and lawful governmental requests such as lawful investigations and records retention obligations.
- Responding to access, correction, deletion, restriction, portability, objection, and similar requests permitted by applicable law and keeping records needed for audits where legally required.
3.8 Business transactions
- If ownership changes through merger, acquisition, restructuring, or asset sale, personal information may transfer as permitted by law. We will seek to bind successors to continue this Policy or obtain consent again where legally required.
3.9 Automated decisions
- Should we introduce automated decisions with significant legal effects, we will provide required explanations, meaningful human oversight, or other safeguards under applicable law. If we do not offer such features, in-product disclosures control.
04 Legal bases for processing (summary)
4.1 Overview
- Where permitted by applicable law, we rely on one or more of the following: performance of a contract with you, your consent where required, compliance with legal obligations, or other lawful grounds such as safeguarding legitimate interests consistent with applicable law. Your statutory rights and remedies are determined by applicable law where you reside.
05 Sharing and disclosure
5.1 Overview
- We do not sell your personal information. If local law treats certain sharing as a "sale" under a specialised definition, that definition applies.
- We disclose personal information only as described in this Policy, with consent where necessary, or as permitted or required by law.
5.2 Service providers and processors
- We engage vendors for hosting, storage, CDN, databases, messaging, ticketing, CRM, logging, analytics, fraud prevention, security, payments, tax and invoicing infrastructure, Merchant of Record or checkout partners, and similar functions, strictly as needed and under contractual obligations.
5.3 Checkout and Merchant of Record partners
- Paid subscriptions or add-ons may be processed by checkout partners acting as Merchant of Record or processors; they collect payment data, issue tax documents as applicable, and determine how transaction-related personal information is handled under their privacy notices. The provider shown at checkout and in your payment confirmation governs that transaction.
- For questions about the entity processing a specific payment, contact team@botflare.ai; we may share only limited information where confidentiality or legal rules require.
5.4 Third parties you direct
- When you connect Botflare - Bot Creator to Telegram, Discord, or other services, or send data through webhooks or APIs you configure, information flows according to your settings; those providers act under their own policies and may be independent controllers or co-controllers as their terms describe.
5.5 Law, regulation, and legal process
- We may disclose information to regulators, courts, or law enforcement when required by valid legal process or applicable law and may notify you when permitted unless notice is prohibited by law or would harm investigations or others' safety.
5.6 Protecting rights, safety, and integrity
- We may disclose information to professional advisers (such as counsel), auditors, or partners where reasonably necessary to assert or defend legal claims, investigate fraud or security incidents, protect users or systems, enforce our Terms of Service, or verify compliance obligations.
5.7 Corporate restructuring
- Personal information may be transferred in mergers, financings, or asset transactions; where required by law we will notify you and seek contractual commitments binding successors or obtain consent again as required by law.
5.8 Public disclosures
- We do not publicly disclose identifiable personal information except as legally required or with your consent. Information you voluntarily post in forums or public channels is disclosed at your own risk.
5.9 Aggregated and de-identified data
- We may share statistics or de-identified data that reasonably cannot identify you for benchmarking, insights, marketing, or research, subject to applicable law.
06 Cross-border transfers
6.1 Possibility and safeguards
- Accounts, subscriptions, orders, billing, Merchant of Record services, processors, emails, or support tooling may operate outside your region (for example within the EU/EEA or elsewhere). Accordingly, limited personal information may be transferred internationally. Some entirely local setups may minimise transfers; details depend on the features enabled.
6.2 Questions
- Contact us via the addresses in "Contact us" for a plain-language explanation of safeguards we rely on where we can responsibly provide one.
07 Data retention
7.1 Overview
- Retention aligns with contractual needs, legal accounting and tax mandates, preserving records for disputes or claims, legitimate security investigations, and product documentation. Once retention ends we delete or anonymize data unless narrow backup exceptions apply (Section 7.9).
- When retention periods lapse, information is erased or aggregated; residual encrypted backups are addressed through rotation and secure deletion where technically necessary.
7.2 Accounts and profiles
- Accounts generally retain credentials (hashed passwords), registrations, profiles, and settings while active. Closure or contractual termination triggers reasonable deletion steps aside from lawful retention carve-outs (Sections 7.4 and 7.7).
7.3 Usage, engineering, and performance logs
- Retention of API telemetry, orchestration logs, diagnostics, error reports, and performance metrics depends on tier, in-product retention settings, and infrastructure design; afterward we erase or summarise data that no longer identifies you.
7.4 Billing, invoicing, and finance records
- Orders, charge history, invoicing artefacts, and reconciliation files are generally retained for legally required durations (often multiple years depending on our corporate domicile) before irreversible anonymization or deletion compliant with tax and audit rules.
7.5 Messages and media
- Content routed via Botflare - Bot Creator may persist briefly or longer depending on retries, audits, backups, history settings, and counterpart platform policies; deletion tools available in-product may coexist with mirrored copies retained by third-party platforms pursuant to their terms.
7.6 Customer support transcripts
- Tickets, chats, and emails are kept for a reasonable operational window (typically twelve (12) to thirty-six (36) months unless law requires adjustments) for quality assurance, authorised training datasets, or dispute reconstruction; you may request deletion of ancillary content unrelated to lawful obligations, subject to feasibility.
7.7 Security, misuse, investigations, and disputes
- Evidence pertinent to breaches, misconduct, lawsuits, audits, government investigations, chargebacks, or payment disputes may prolong retention until matters conclude and statutory periods expire, whichever occurs last.
7.8 Deletion or restriction requests
- When you validly request deletion absent legal exceptions, we cease non-essential processing and delete or anonymize data. If retention must continue, we explain the legal basis and timeline.
7.9 Backups and residual copies
- Encrypted backups may temporarily retain data until overwritten or destroyed per backup policies; those copies are not used for daily operations and are purged with the backup lifecycle.
08 Security
8.1 Overview
- We implement administrative, technical, and physical safeguards appropriate to the risks of processing and aim to protect personal information from unauthorized access, disclosure, alteration, loss, or destruction.
- No method of transmission or storage is completely secure; this section describes measures in general terms and is not a warranty or guarantee of a particular security outcome, nor is it a certification of compliance with any industry rule unless separately agreed in writing.
8.2 Organizational measures
- Access controls, least-privilege policies, personnel training commensurate with our scale, vendor contracts, and periodic risk reviews when appropriate.
8.3 Technical measures
- TLS for public traffic, authentication and rate limits for APIs and web access, encryption or hashing for sensitive fields where feasible, separation of production and non-production environments, logging of security-relevant events.
8.4 Product guidance
- Security on third-party Bot platforms (webhook secrets, token scopes) depends on your configuration; follow each platform's recommended rotation and storage practices.
8.5 Security incidents
- If we reasonably believe personal information may have been compromised, we activate response procedures permitted by applicable law and may notify you through email, postings, or in-product banners describing the incident, probable impact, and remedial measures as appropriate.
8.6 Your responsibilities
- Protect passwords, API keys, and devices; do not share administrative tokens.
- Notify us promptly of suspected compromise and cooperate with reasonable verification procedures.
09 Your rights
9.1 Overview
- The laws where you reside may grant privacy rights, which vary (access, correction, deletion, portability, objection, appeals, complaints to regulators).
- You may self-serve updates, exports, or account closure directly in-product where enabled; submit other inquiries to team@botflare.ai. We may authenticate your identity reasonably to prevent misuse.
- We aim to complete substantiated privacy requests within approximately thirty (30) days unless a shorter timeframe is mandated (for instance by certain statutes in China) or complexity requires lawful extension plus explanation. Repeated or abusive requests may be charged a reasonable administrative fee permitted by applicable law or refused as allowed by applicable law.
9.2 Access and transparency
- Receive confirmation of processing, summaries of categories, and copies or exports where technically feasible, respecting others' rights.
9.3 Rectification
- Request corrections or supplementation of inaccurate data.
9.4 Erasure ("right to be forgotten")
- Request deletion when applicable law permits; statutory exceptions (tax, litigation holds, lawful retention) may prevail. Partial deletion or segregation may substitute where mandated.
9.5 Restriction / limitation
- Request paused processing pending disputes or legitimacy reviews where afforded by statute.
9.6 Portability
- Receive structured, machine-readable exports of certain data originated by you, or direct transfer when technically interoperable, with practical limits if third-party cooperation is absent.
9.7 Object / opt-out
- Object to processing anchored in legitimate interests (balanced against our compelling grounds) or to direct marketing, which ceases promptly when required.
9.8 Withdraw consent
- Where processing hinges on consent, you may revoke it at any time; revocation does not retroactively make earlier processing unlawful, but future features relying on consent may pause.
9.9 Users located in mainland China (if applicable)
- Where the Personal Information Protection Law of the People's Republic of China and related rules apply, you may have rights relating to personal information processing, including to be informed, to decide, to access or copy, to correct or supplement, to delete, and to obtain explanations. You may exercise these rights through the channels listed in this section. If we refuse a request, we will state the reasons when required by law.
10 Children's privacy
10.1 Intent
- Our services are intended for adults and users with full legal capacity; we do not market to children or design features to collect children's data.
10.2 Age thresholds and parental consent
- Child definitions differ by region (ages such as 13, 14, 16, or 18). Where consent is mandated before collection, we honor it and stop processing upon withdrawal when required; guardians may notify us if a child supplied data without permission and we verify and handle requests appropriately.
10.3 Inadvertent collection
- If we learn that underage personal information was collected without required consents, we delete or otherwise address it as the law requires and improve age screens or verification where viable.
11 Cookies and similar technologies
11.1 Basics
- Our websites may use cookies and similar mechanisms for sessions or preferences alongside necessary security tooling.
11.2 Categories
- Strictly necessary, preferences, analytics (where legally required—and only after consent mechanisms where applicable), optional marketing integrations if introduced.
11.3 Third-party cookies
- Embedded services may deposit their cookies consistent with those providers' disclosures.
12 Policy updates
12.1 Revisions
- We revise this Policy for feature, legal, or business developments; revisions are posted with refreshed "Last updated" metadata.
12.2 Material changes
- When changes substantially reduce your rights or materially expand collection or use, we provide prominent notices (for example banners, emails) when required and obtain refreshed consent whenever mandatory before continued novel processing occurs.
12.3 Continued use
- Except where barred by statute, continuing to use services after revisions indicates acceptance unless you oppose by ending use or exercising deletion rights feasible for you under applicable privacy law or product controls.
12.4 Historical archives
- Prior versions may be archived or linked; if unavailable, contemporaneous screenshots or transactional emails evidencing disclosures may suffice.