GDPR Compliance

This guide is intended to help BotBye customers comply with the GDPR. It describes BotBye's role in data processing, the data we handle, and the API endpoints that support your obligations under the General Data Protection Regulation.

BotBye's Role in Data Processing

When you integrate BotBye into your website, mobile application, or API, the data flow involves two distinct roles:

  • You (the Customer) are the data controller. You determine why and how personal data of your end-users is processed.
  • BotBye acts as a data processor. We process personal data of your end-users strictly on your behalf and according to your instructions, solely to provide our fraud protection and risk scoring services.

For data related to your BotBye account (registration, billing, support), BotBye acts as a data controller. This is covered in our Privacy Policy.

What Data Does BotBye Process?

When operating as a data processor on behalf of our customers, BotBye collects and processes the following categories of data from your end-users' requests:

Data Category | Examples
Network data  | IP address, GeoIP (country, region, city)
Device data   | Device name, device model, device ID
System data   | OS name, time zone, language
Session data  | Account ID (as provided by your integration)

BotBye does not collect names, email addresses, passwords, payment information, or any other directly identifying personal data from your end-users — unless you explicitly pass such data through custom fields in your integration.

All data is processed in real time for the purpose of risk scoring and fraud detection. After the retention period determined by your subscription plan expires — or after termination of your contract — we store this data only in anonymized form.

Account and billing data retention is governed separately by the Privacy Policy.

Data Retention

Retention of end-user request data is determined by your subscription plan:

Plan       | Requests TTL | Sessions TTL
Free       | 7 days       | 14 days
Starter    | 14 days      | 28 days
Pro        | 28 days      | 60 days
Business   | 60 days      | 120 days
Enterprise | Custom       | Custom

After the TTL expires, data is automatically purged or anonymized. You can review your current retention settings in the BotBye Dashboard under Project Settings.

Supporting GDPR Rights (DSAR)

BotBye provides a Privacy API to help you fulfill Data Subject Access Requests (DSARs) from your end-users and manage your own account data. These endpoints support the following GDPR articles:

  • Article 15 — Right of access by the data subject
  • Article 17 — Right to erasure ("right to be forgotten")
  • Article 20 — Right to data portability

All Privacy API requests require authentication via the X-Api-Key header.

Full API documentation is available at api-docs.botbye.com in the Privacy section.

Customer Data Endpoints

These endpoints manage privacy-related data for your BotBye account (your data as a customer).

Get Customer Privacy Data

Retrieves all privacy-related data associated with your customer account, including personal information, account details, activity logs, and associated metadata. Use this to fulfill data subject access requests (Article 15) or for compliance reporting.

GET https://api.botbye.com/api/v1/{account_id}/privacy/data

Authentication: X-Api-Key header with your API key.

Response: Returns a JSON object containing all privacy-related data for the customer, organized in a node-based format with edges for relationships. Status 200 OK.

Purge Customer Data

Permanently deletes all privacy-related data associated with your customer account. Use this to fulfill "right to be forgotten" requests (Article 17) or for account closure.

DELETE https://api.botbye.com/api/v1/{account_id}/privacy/data

Authentication: X-Api-Key header with your API key.

Response: Returns a confirmation response indicating successful deletion. Status 200 OK.

This action is irreversible. Once customer data is purged, it cannot be recovered. Before executing, ensure you have verified the deletion request is legitimate, completed any required data exports, obtained necessary approvals, and documented the deletion for compliance records.

End User Data Endpoints

These endpoints manage privacy-related data for individual end users of your application. They require both server_key and end_user_account_id parameters, enabling granular data isolation — you can manage data for a specific end user without impacting other users.

Get End User Privacy Data

Retrieves all privacy-related data for a specific end user identified by their server key and account ID. Returns end user profile information, behavioral data, session information, associated tracking data, and timestamps. Use this to respond to individual DSAR requests (Article 15) or for data portability (Article 20).

GET https://api.botbye.com/api/v1/{account_id}/privacy/end-users/

Required parameters: server_key, end_user_account_id

Authentication: X-Api-Key header with your API key.

Response: Returns a JSON object containing all privacy-related data for the specified end user. Status 200 OK.

Purge End User Data

Permanently deletes all privacy-related data for a specific end user. This enables granular data deletion for individual end users while maintaining data for other users. Use this to fulfill individual GDPR/CCPA deletion requests (Article 17).

DELETE https://api.botbye.com/api/v1/{account_id}/privacy/end-users/

Required parameters: server_key, end_user_account_id

Authentication: X-Api-Key header with your API key.

Response: Returns a confirmation response indicating successful deletion. Status 200 OK.

This action is irreversible. Once end user data is purged, it cannot be recovered. This operation permanently removes all data for the specified end user, does not affect other end users' data, and cannot be undone or reversed.

It may take up to 24 hours for the data to be fully purged from all systems.

Best practices for end user data operations:

1. Always retrieve and back up data using the GET endpoint before deletion.
2. Verify the server_key and end_user_account_id are correct.
3. Document the deletion request with timestamps and request details.
4. Maintain compliance records of the deletion.
5. Confirm deletion was successful by checking the response.
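
One way to script the export-then-purge sequence from the best practices above, as an added example rather than BotBye's own code. It assumes server_key and end_user_account_id are sent as query-string parameters (the page does not say how they are passed); export_then_purge, out_dir and the audit file name are hypothetical.

```python
import hashlib, json, os, urllib.error, urllib.parse, urllib.request
from datetime import datetime, timezone

BASE = "https://api.botbye.com/api/v1"  # base URL as shown on this page

def build_request(method, account_id, server_key, end_user_account_id, api_key):
    # Assumption: the two required parameters travel in the query string.
    query = urllib.parse.urlencode(
        {"server_key": server_key, "end_user_account_id": end_user_account_id})
    url = f"{BASE}/{urllib.parse.quote(account_id, safe='')}/privacy/end-users/?{query}"
    return urllib.request.Request(url, method=method, headers={"X-Api-Key": api_key})

def http_send(req):
    # Default transport: returns (status, body) for error statuses too.
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def export_then_purge(account_id, server_key, end_user_account_id, api_key,
                      out_dir, send=http_send):
    ids = (account_id, server_key, end_user_account_id, api_key)
    if not all(isinstance(v, str) and v.strip() for v in ids):
        raise ValueError("identifiers and API key must be non-empty strings")
    # 1. Export first; a failed or non-JSON export aborts before any deletion.
    status, body = send(build_request("GET", *ids))
    if status != 200:
        raise RuntimeError(f"export returned {status}; nothing was deleted")
    json.loads(body)
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    tag = hashlib.sha256(end_user_account_id.encode()).hexdigest()[:12]
    backup = os.path.join(out_dir, f"export-{tag}-{stamp}.json")
    with open(backup, "wb") as fh:
        fh.write(body)
    # 2. Irreversible purge, reached only once the export is on disk.
    del_status, _ = send(build_request("DELETE", *ids))
    # 3. Audit record with timestamp and request details; never the API key.
    record = {"action": "purge_end_user", "requested_at": stamp,
              "account_id": account_id, "server_key": server_key,
              "end_user_account_id": end_user_account_id,
              "backup_file": backup,
              "backup_sha256": hashlib.sha256(body).hexdigest(),
              "delete_status": del_status, "deleted": del_status == 200}
    with open(os.path.join(out_dir, "purge-audit.jsonl"), "a") as fh:
        fh.write(json.dumps(record) + "\n")
    return record
```

The export file holds the end user's personal data, so keep out_dir under the same access controls and retention as your other DSAR records. Load the API key from a secret store or environment variable rather than from source code.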

Data Processing Agreement (DPA)

BotBye offers a Data Processing Agreement that governs how we process personal data on behalf of our customers, in accordance with Article 28 of the GDPR. The DPA covers:

  • Scope and purpose of data processing
  • Categories of data subjects and personal data
  • Technical and organizational security measures
  • Sub-processor obligations and notification procedures
  • Data breach notification commitments
  • Assistance with DSARs and DPIAs
  • Data return and deletion upon contract termination

The full DPA is publicly available at botbye.com/dpa. For questions or to request a signed copy, contact us at [email protected].

Sub-Processors

BotBye engages a limited number of sub-processors to deliver our services. We maintain an up-to-date list of sub-processors and will notify customers of any changes at least 30 days in advance, in accordance with our DPA.

Current sub-processors:

Sub-Processor | Purpose | Location | Safeguards
Hetzner | Infrastructure and hosting | EU (Germany) | Data remains in EU; no cross-border transfer
Stripe | Payment processing | USA | EU-US Data Privacy Framework + Standard Contractual Clauses (SCCs)
Elastic Email | Transactional and marketing email delivery | USA | Standard Contractual Clauses (SCCs) per Chapter V GDPR

The complete and current sub-processor list is available at botbye.com/sub-processors. To subscribe to change notifications, contact [email protected].

Security Measures

BotBye implements technical and organizational measures to protect personal data, including:

  • Encryption in transit — All data transmitted between your systems and BotBye is encrypted using TLS 1.2+.
  • Encryption at rest — Personal data stored in our databases is encrypted at rest.
  • Access control — Role-based access control (RBAC) limits internal access to personal data to authorized personnel only.
  • Infrastructure isolation — Customer data is logically isolated between tenants.
  • Monitoring and logging — We maintain audit logs for access to personal data and security-relevant events.
  • Incident response — We have documented procedures for detecting, reporting, and responding to data breaches in compliance with Article 33 (notification to supervisory authority within 72 hours) and Article 34 (notification to data subjects).

International Data Transfers

BotBye's primary infrastructure is located in the European Union (Germany) via Hetzner. Where data processing involves transfers to the United States (e.g., payment processing via Stripe, email delivery via Elastic Email), we rely on appropriate safeguards as required by Chapter V of the GDPR, including Standard Contractual Clauses (SCCs) and participation in the EU-US Data Privacy Framework by our sub-processors.

Your Responsibilities

As the data controller, you are responsible for:

  • Informing your end-users that you use BotBye as a data processor, including in your privacy policy.
  • Establishing a legal basis for collecting and processing end-user data through BotBye (e.g., legitimate interest in fraud prevention — Article 6(1)(f)).
  • Forwarding DSARs to BotBye via our Privacy API when a request relates to data we process on your behalf.
  • Configuring retention appropriate to your data protection requirements via your subscription plan.

Questions?

If you have questions about BotBye's GDPR compliance, or need assistance with a data subject request, contact our team at [email protected].

For our full privacy practices, see the BotBye Privacy Policy.