Privacy Policy

BadBots.ai ("we," "us," or "our") is operated by Dr. Lead Flow LLC. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our website at badbots.ai (marketing site), app.badbots.ai (application), api.badbots.ai (API), and any related services (collectively, the "Service").

By using our Service, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the Service.

We collect information in several ways depending on how you interact with our Service:

a. Account Information

When you create an account, we collect your name, email address, and password. Authentication is managed through Supabase Auth. We do not store plaintext passwords.

b. Business Information

To connect your GoHighLevel account, you provide your GHL Location IDs, Private Integration Tokens (PIT), agent configurations, business names, and related CRM settings. This data is necessary for us to perform chatbot audits on your behalf.

c. Usage Data

We collect data about how you use the Service, including audit runs, test results, grading scores, scenarios executed, and feature interactions. This helps us improve the platform and your experience.

d. Payment Information

Payments are processed by Stripe. We do not store credit card numbers, CVVs, or full payment details on our servers. Stripe may share with us your billing name, email, last four digits of your card, and subscription status.

e. Automatically Collected Information

When you access our Service, we automatically collect your IP address, browser type and version, device type, operating system, referring URLs, pages visited, and timestamps. This data is collected via server logs and Vercel Web Analytics.

f. AI Conversation Data

During chatbot audits, we generate synthetic test conversations. These are test messages injected into your GHL chatbot through temporary contacts—they are not real customer conversations. We store these test conversations to produce audit reports and improve our grading algorithms. Temporary test contacts are deleted from your GHL account after each audit completes.

• Provide and maintain the Service: Operate your account, run chatbot audits, generate reports, and deliver results.
• Run AI chatbot audits: Create temporary test contacts in your GHL account, inject test messages, collect bot responses, and grade them using our 4-dimension rubric.
• Process payments: Manage subscriptions, process charges, handle billing inquiries, and send payment receipts via Stripe.
• Transactional communications: Send emails related to your account (welcome, password reset), billing (receipts, subscription changes), and audit results (completion notifications, weekly summaries).
• Improve the Service: Analyze aggregated usage patterns to improve our grading algorithms, expand our scenario library, and enhance platform reliability.
• Product updates: Communicate new features, platform changes, and product announcements. You can opt out of non-essential communications at any time.
• Security and fraud prevention: Detect and prevent unauthorized access, abuse, and fraudulent activity.

We share your information with the following third-party service providers, solely to operate and improve our Service:

• Supabase (database hosting, authentication, real-time data) — US East region. Stores your account data, audit results, and application state.
• Vercel (web application hosting) — global CDN. Hosts app.badbots.ai and badbots.ai.
• Cloudflare (API hosting, DNS, CDN, security) — hosts api.badbots.ai and provides DDoS protection.
• Stripe (payment processing) — processes all subscription payments and stores payment method details.
• GoHighLevel (chatbot testing) — we access your GHL account via your Private Integration Token to create test contacts, inject messages, read agent configurations, knowledge bases, and conversation data.
• Anthropic (AI grading) — test conversation data is sent to the Claude API for analysis and grading. Anthropic does not use API inputs to train their models.
• OpenAI / Google (planned future AI providers) — we may offer alternative AI grading providers in the future.
• Resend (transactional email) — sends account, billing, and audit notification emails on our behalf.

We do NOT sell your personal information to third parties.

We may also disclose your information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

• Account data: Retained while your account is active, plus 30 days after account deletion to allow for recovery.
• Audit results and reports: Retained for 12 months from creation. You may export your reports at any time.
• Test conversations: Retained for 90 days, then automatically deleted. Test contacts in your GHL account are deleted immediately after each audit run.
• Payment records: Retained for 7 years per legal and tax requirements.
• Server logs: Retained for 30 days for security and debugging purposes.

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your account and personal data, subject to legal retention requirements.
• Export: Request your data in a structured, machine-readable format, including audit reports and conversation logs.
• Opt-out: Unsubscribe from marketing and product update emails at any time via the unsubscribe link or by contacting us.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You may request the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out of Sale: We do not sell personal information. "Do Not Sell My Personal Information" requests are acknowledged but no action is required as we do not engage in the sale of personal data.
• Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

Categories of information collected: Identifiers (name, email, IP address), commercial information (subscription details, payment history), internet activity (usage logs, pages visited), and professional information (business name, GHL configurations).

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional terms apply:

• Legal Basis for Processing: We process your personal data based on: (a) contract performance — to provide the Service you signed up for; (b) legitimate interest — to improve our platform and prevent fraud; (c) consent — for marketing communications, which you may withdraw at any time.
• International Data Transfers: Your data is transferred to and stored in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to safeguard data transfers.
• Data Protection Officer: For GDPR-related inquiries, contact us at [email protected].
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority if you believe our processing of your personal data violates the GDPR.
• Additional Rights: You may request restriction of processing, object to processing based on legitimate interest, and request data portability.

We use the following types of cookies:

• Essential Cookies: Authentication session cookies (e.g., Supabase auth tokens) are required for the Service to function. These cookies identify your logged-in session and cannot be disabled while using the app.
• Analytics Cookies: Vercel Web Analytics collects anonymous, aggregate usage data (page views, traffic sources, device types). No personally identifiable information (PII) is collected by our analytics.

We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies.

We implement industry-standard security measures to protect your data:

• Encryption in transit: All data is transmitted over HTTPS/TLS.
• Row Level Security: Supabase RLS policies ensure you can only access your own data. All 8 database tables have RLS enabled.
• Token encryption: GHL Private Integration Tokens and API keys are encrypted at rest.
• Access controls: Role-based access (Owner, Admin, Manager, Viewer) limits what team members can see and do.
• Infrastructure security: Cloudflare DDoS protection, Vercel edge network, and Supabase managed infrastructure with automated backups.

No method of transmission or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

BadBots.ai is a business-to-business platform not intended for use by anyone under the age of 16. We do not knowingly collect personal information from individuals under 16. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us at [email protected].

We may update this Privacy Policy from time to time. For material changes, we will notify you via email at the address associated with your account at least 15 days before the changes take effect. Non-material changes (formatting, clarifications) may be made without notice.

Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy. The "Last updated" date at the top of this page reflects the most recent revision.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: