How BotBye Approaches GDPR as a Bot Protection Vendor
Bot protection tools sit in an interesting position under GDPR. We process data on behalf of our customers — IP addresses, device fingerprints, behavioral signals — and we do so automatically, at scale, on every request. That makes GDPR compliance not just a legal checkbox, but a core part of how we build and operate BotBye.
This post explains how we think about GDPR, what we've put in place, and what it means for you as a BotBye customer.
BotBye is a Data Processor — You Are the Controller
When you integrate BotBye on your website or API, your users' data flows through our systems. Under GDPR, this creates a clear split of responsibilities:
- You (our customer) are the data controller — you decide why and how user data is collected on your platform.
- We (BotBye) are the data processor — we process that data only to provide the bot protection service you requested, strictly on your instructions.
This means BotBye never uses visitor data for our own purposes, never sells it, and never processes it beyond what's needed to detect and block malicious traffic.
What Data We Process
When BotBye is active on your platform, we may process the following visitor data:
- IP address
- Device name, model, and type
- Operating system name and version
- Browser and browser version
- Time zone and language settings
- Device ID
- GeoIP (derived from IP)
- Session and behavioral signals
This data is used solely to generate a risk assessment for each request — determining whether it comes from a human user or an automated bot.
Our GDPR Commitments
Data Processing Agreement (DPA)
We provide a full Data Processing Agreement to all customers. The DPA covers:
- Our role as processor and your role as controller
- The categories of data processed and purposes of processing
- Technical and organizational security measures
- Sub-processor disclosure and notification obligations
- Support for data subject rights (access, erasure, portability)
- Cross-border transfer safeguards (Standard Contractual Clauses)
The DPA is available at botbye.com/dpa and is incorporated by reference into our Terms of Use.
Infrastructure in the EU
BotBye's primary infrastructure runs on Hetzner Online GmbH, hosted in Germany (European Union). Visitor data processed by BotBye does not leave the EU through our core infrastructure.
Sub-processors
We use a small, carefully selected set of third-party sub-processors. Each is disclosed publicly at botbye.com/sub-processors, along with the data they process, their location, and the safeguards in place for any cross-border transfers.
We notify customers at least 30 days before onboarding any new sub-processor, giving you time to raise objections if needed.
Breach Notification
In the event of a personal data breach affecting customer data, we notify affected customers without undue delay — in practice, we aim for within 24 hours of becoming aware of the incident.
Our notification includes: what happened, what data was involved, the likely consequences, and the measures we've taken. This supports your obligation under GDPR Article 33(1) to notify your supervisory authority within 72 hours.
What This Means for You as a BotBye Customer
When you use BotBye, you can tell your own users and regulators:
- The personal data collected by BotBye on your behalf is processed in the EU.
- You have a signed DPA in place with BotBye governing that processing.
- BotBye's sub-processors are disclosed and covered by appropriate transfer safeguards.
- In the event of a breach, you will be notified promptly and with the information needed to meet your regulatory obligations.
Frequently Asked Questions
Does BotBye sell or share visitor data with third parties?
No. BotBye does not sell personal data. Visitor data is shared only with sub-processors listed at botbye.com/sub-processors, strictly for the purpose of providing the service.
Where is visitor data stored?
Primarily in Germany (EU) via Hetzner. Certain service functions (billing, email) involve US-based sub-processors with SCCs in place.
Can I request deletion of a specific user's data?
Yes. Contact us at [email protected] with the request. We will process it and confirm deletion.
Is BotBye suitable for platforms serving EU users?
Yes. BotBye is designed with EU-based infrastructure and full GDPR documentation to support compliant deployment.
Get the DPA
If you're a BotBye customer and need a signed copy of the DPA, or have questions about our data processing practices, contact us at [email protected].
The full DPA is available at botbye.com/dpa.