Data Processing Agreement
Effective Date: The date of Customer's acceptance of the BotBye Terms of Service.
This Data Processing Agreement ("DPA") is incorporated into and forms part of the BotBye Terms of Service (the "Agreement") between BotBye ("Processor", "we", "us", or "our") and the Customer ("Controller", "you", or "your") who has accepted the Agreement.
This DPA sets out the terms that apply when Personal Data is processed by BotBye on behalf of the Customer in connection with the provision of the Services.
1. Definitions
"Data Protection Law" means all applicable data protection and privacy legislation, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act and its amendments ("CCPA"), and any other applicable data protection laws.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by BotBye on behalf of the Customer in connection with the Services.
"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
"Sub-processor" means any third-party processor engaged by BotBye to process Personal Data on behalf of the Customer.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Supervisory Authority" means an independent public authority established by an EU/EEA Member State pursuant to Article 51 of the GDPR.
2. Scope and Roles
2.1 Roles
The Customer is the Data Controller and BotBye is the Data Processor with respect to the processing of Personal Data of the Customer's end users in connection with the Services.
For data relating to the Customer's own BotBye account (registration, billing, support communications), BotBye acts as an independent Data Controller as described in the BotBye Privacy Policy.
2.2 Subject Matter and Duration
BotBye processes Personal Data for the duration of the Agreement. Upon termination of the Agreement, BotBye will handle Personal Data in accordance with Section 11 of this DPA.
2.3 Nature and Purpose of Processing
BotBye processes Personal Data solely to provide the Services to the Customer, including: real-time risk scoring, fraud detection, bot protection, abuse prevention, and related analytics — as described in the Agreement and the Documentation.
2.4 Categories of Data Subjects
End users of the Customer's websites, mobile applications, and APIs.
2.5 Types of Personal Data Processed
| Category | Data Elements |
|---|---|
| Network data | IP address, GeoIP (country, region, city) |
| Device data | Device name, device model, device ID |
| System data | OS name, time zone, language |
| Session data | Account ID (as provided by Customer's integration) |
BotBye does not require and does not intentionally collect names, email addresses, passwords, payment information, or other directly identifying personal data from end users. If the Customer passes such data through custom integration fields, the Customer is responsible for ensuring the lawfulness of that processing.
3. Customer Obligations
The Customer shall:
(a) Comply with all applicable Data Protection Law in its use of the Services and in its instructions to BotBye regarding the processing of Personal Data.
(b) Ensure that it has a valid legal basis for the processing of Personal Data through BotBye, including but not limited to legitimate interest in fraud prevention under Article 6(1)(f) of the GDPR.
(c) Inform its end users about the use of BotBye as a data processor, including in the Customer's privacy policy, in accordance with Articles 13 and 14 of the GDPR.
(d) Respond to Data Subject requests and, where necessary, instruct BotBye to assist via the Privacy API.
(e) Ensure that any Personal Data provided to BotBye is accurate, relevant, and limited to what is necessary for the purposes of processing.
4. BotBye Obligations
BotBye shall:
(a) Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, BotBye shall inform the Customer of that legal requirement before processing, unless prohibited by law.
(b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7 of this DPA.
(d) Not engage another processor (Sub-processor) without prior general written authorization of the Customer, subject to Section 8 of this DPA.
(e) Taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR.
(f) Assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to BotBye.
(g) At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data, as described in Section 11.
(h) Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, as described in Section 10.
(i) Immediately inform the Customer if, in BotBye's opinion, an instruction from the Customer infringes Data Protection Law.
5. Data Subject Rights
5.1 Assistance with Data Subject Requests
BotBye provides a Privacy API that enables the Customer to fulfill Data Subject requests programmatically:
- Right of access (Article 15): Retrieve end user data via GET /api/v1/{account_id}/privacy/end-users/
- Right to erasure (Article 17): Delete end user data via DELETE /api/v1/{account_id}/privacy/end-users/
- Right to data portability (Article 20): Export end user data in structured JSON format via the GET endpoint.
Full API documentation is available at https://api-docs.botbye.com in the Privacy section. All requests require authentication via the X-Api-Key header.
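How a Customer's own DSAR tooling might drive the two Privacy API endpoints listed above, as an added example that is not BotBye's code or any client BotBye publishes. Only the two paths and the X-Api-Key header come from this DPA. Everything else is an assumption to be checked against https://api-docs.botbye.com: the host api.botbye.com, reading `{account_id}` in the path as the Customer's BotBye account identifier, selecting the end user with an `account_id` query parameter carrying the Session-data Account ID from the Customer's integration, and the JSON shape of the response. The client also enforces the TLS 1.2 floor that Section 7.1 commits to, and keeps the API key and the exported payload out of the audit record it writes.

```python
"""Minimal client for the Privacy API endpoints named in the BotBye DPA.

Added example, not BotBye's own code. From the DPA: the GET/DELETE paths
/api/v1/{account_id}/privacy/end-users/ and the X-Api-Key header. ASSUMED:
the host, the meaning of {account_id}, the `account_id` query parameter that
selects the end user, and the response format.
"""
import json
import os
import ssl
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Tuple

BASE_URL = "https://api.botbye.com"  # ASSUMPTION: the DPA states paths only, not the host

Transport = Callable[[urllib.request.Request], Tuple[int, bytes]]


@dataclass
class DsarResult:
    """Outcome of one data-subject-request call. Holds no headers, so the
    API key cannot leak into logs through this object."""
    method: str
    path: str
    status: int
    body: dict


def _tls_context() -> ssl.SSLContext:
    # Section 7.1 promises TLS 1.2 or higher in transit; enforce the same floor
    # client-side so a downgraded connection fails instead of sending data.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def https_transport(req: urllib.request.Request) -> Tuple[int, bytes]:
    """Default transport: real HTTPS with certificate verification."""
    try:
        with urllib.request.urlopen(req, timeout=30, context=_tls_context()) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def build_request(method: str, customer_account_id: str, end_user_id: str,
                  api_key: str) -> urllib.request.Request:
    """GET (Art. 15/20) or DELETE (Art. 17) against the DPA's Privacy API path.
    ASSUMPTIONS: {account_id} is the Customer's BotBye account; the end user is
    selected by an `account_id` query parameter (the Session-data Account ID)."""
    if method not in ("GET", "DELETE"):
        raise ValueError("Privacy API endpoints in the DPA are GET and DELETE only")
    path = f"/api/v1/{urllib.parse.quote(customer_account_id, safe='')}/privacy/end-users/"
    query = urllib.parse.urlencode({"account_id": end_user_id})
    req = urllib.request.Request(f"{BASE_URL}{path}?{query}", method=method)
    req.add_header("X-Api-Key", api_key)  # the only auth mechanism the DPA names
    req.add_header("Accept", "application/json")
    return req


def _call(method: str, customer_account_id: str, end_user_id: str, api_key: str,
          transport: Transport) -> DsarResult:
    req = build_request(method, customer_account_id, end_user_id, api_key)
    status, raw = transport(req)
    if status in (401, 403):
        # Do not echo the body; an auth failure is almost always a key problem.
        raise PermissionError(f"Privacy API rejected the X-Api-Key (HTTP {status})")
    if not 200 <= status < 300:
        raise RuntimeError(f"Privacy API {method} failed with HTTP {status}")
    body = json.loads(raw) if raw.strip() else {}  # 204 on DELETE carries no body
    return DsarResult(method, urllib.parse.urlsplit(req.full_url).path, status, body)


def export_end_user(customer_account_id: str, end_user_id: str, api_key: str,
                    transport: Transport = https_transport) -> DsarResult:
    """Right of access / portability: returns the structured JSON the API serves."""
    return _call("GET", customer_account_id, end_user_id, api_key, transport)


def erase_end_user(customer_account_id: str, end_user_id: str, api_key: str,
                   transport: Transport = https_transport) -> DsarResult:
    """Right to erasure. Irreversible: export first if a record must be kept."""
    return _call("DELETE", customer_account_id, end_user_id, api_key, transport)


def audit_line(result: DsarResult, request_ref: str) -> str:
    """One JSON line for the Customer's DSAR log: which request, which call,
    what status. Contains neither the API key nor the exported payload."""
    return json.dumps({"dsar_ref": request_ref, "method": result.method,
                       "path": result.path, "status": result.status}, sort_keys=True)


if __name__ == "__main__":
    key = os.environ["BOTBYE_API_KEY"]  # never hard-code the key
    exported = export_end_user("cust-123", "user-42", key)  # constructed sample IDs
    print(json.dumps(exported.body, indent=2))
    erased = erase_end_user("cust-123", "user-42", key)
    print(audit_line(erased, "DSAR-0001"))
```

The transport is injectable so the same code can be exercised against a recorded or stubbed response before it is pointed at production; the audit line is what the Customer keeps as evidence that a request under Article 15, 17 or 20 was fulfilled, while the exported payload itself goes to the Data Subject and not into the log.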
5.2 Notification
If BotBye receives a request from a Data Subject directly, BotBye will promptly notify the Customer and will not respond to the Data Subject without the Customer's instructions, unless required by applicable law.
6. Data Retention
6.1 Retention Periods
Retention of end-user request data processed by BotBye as a Processor is determined by the Customer's subscription plan:
| Plan | Requests TTL | Sessions TTL |
|---|---|---|
| Free | 7 days | 14 days |
| Starter | 14 days | 28 days |
| Pro | 28 days | 60 days |
| Business | 60 days | 120 days |
| Enterprise | Custom | Custom |
6.2 Automatic Purge
After the applicable TTL expires, data is automatically purged or anonymized. The Customer may also delete specific end user data at any time via the Privacy API.
7. Security Measures
7.1 Technical and Organizational Measures
BotBye implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:
- Encryption in transit: All data transmitted between Customer systems and BotBye is encrypted using TLS 1.2 or higher.
- Encryption at rest: Personal data stored in databases is encrypted at rest.
- Access control: Role-based access control limits internal access to Personal Data to authorized personnel on a need-to-know basis.
- Infrastructure isolation: Customer data is logically isolated between tenants.
- Monitoring and logging: Audit logs are maintained for access to Personal Data and security-relevant events.
- Incident response: Documented procedures for detecting, reporting, and responding to Data Breaches, as described in Section 9.
7.2 Assessment
BotBye regularly tests, assesses, and evaluates the effectiveness of its technical and organizational measures for ensuring the security of the processing, in accordance with Article 32(1)(d) of the GDPR.
8. Sub-processors
8.1 Authorization
The Customer provides general written authorization for BotBye to engage Sub-processors to process Personal Data on the Customer's behalf.
8.2 Current Sub-processors
The current list of Sub-processors is maintained at https://botbye.com/legal/sub-processors.
8.3 Notification of Changes
BotBye will notify the Customer of any intended changes concerning the addition or replacement of Sub-processors at least 30 days before engaging the new Sub-processor by sending a notification to the email address associated with the Customer's account. The Customer may object to a change on legitimate grounds within 30 days after receiving notice of the change.
If the Customer objects and BotBye cannot reasonably accommodate the objection, either party may terminate the Agreement upon written notice.
8.4 Sub-processor Obligations
BotBye shall enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set out in this DPA. BotBye remains liable to the Customer for the acts and omissions of its Sub-processors to the same extent BotBye would be liable if performing the relevant Services directly under this DPA.
9. Data Breach Notification
9.1 Notification to Customer
BotBye shall notify the Customer without undue delay after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Customer.
9.2 Content of Notification
The notification shall include, to the extent available:
(a) A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned.
(b) The name and contact details of BotBye's contact point for further information.
(c) A description of the likely consequences of the Data Breach.
(d) A description of the measures taken or proposed to be taken by BotBye to address the Data Breach, including measures to mitigate its possible adverse effects.
9.3 Cooperation
BotBye shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach. BotBye shall also assist the Customer in meeting its obligations under Articles 33 and 34 of the GDPR (notification to supervisory authorities and data subjects).
10. Audits
10.1 Information
BotBye shall make available to the Customer all information reasonably necessary to demonstrate compliance with BotBye's obligations under this DPA.
10.2 Audit Rights
The Customer, or a third-party auditor appointed by the Customer, may conduct an audit of BotBye's processing activities related to this DPA no more than once per year, subject to the following conditions:
(a) The Customer shall provide BotBye with at least 30 days' prior written notice.
(b) The audit shall be conducted during normal business hours and shall not unreasonably disrupt BotBye's operations.
(c) The Customer shall bear the costs of the audit.
(d) The auditor shall be bound by confidentiality obligations no less protective than those in the Agreement.
(e) The Customer shall promptly provide BotBye with the results of the audit and shall not disclose such results to any third party without BotBye's prior written consent, except as required by applicable law or a Supervisory Authority.
11. Data Return and Deletion
11.1 During the Term
The Customer may retrieve or delete Personal Data at any time during the Term via the Privacy API.
11.2 Upon Termination
Upon termination of the Agreement:
(a) BotBye will continue to process Personal Data in accordance with the applicable retention periods defined by the Customer's subscription plan.
(b) After the retention period expires, BotBye will delete or anonymize all Personal Data.
(c) If the Customer requests return of Personal Data before the retention period expires, BotBye will make the data available via the Privacy API in a structured, machine-readable format (JSON).
(d) BotBye may retain Personal Data to the extent required by applicable law, provided that BotBye shall ensure the confidentiality of such Personal Data and shall not actively process it for any other purpose.
12. International Data Transfers
12.1 Primary Infrastructure
BotBye's primary infrastructure is located in the European Union (Germany) via Hetzner Online GmbH.
12.2 Transfers to Third Countries
Where the provision of Services requires transfer of Personal Data to countries outside the EU/EEA that do not benefit from an adequacy decision by the European Commission, BotBye relies on appropriate safeguards as required by Chapter V of the GDPR, including:
(a) Standard Contractual Clauses (SCCs) approved by the European Commission.
(b) Participation in the EU-US Data Privacy Framework by Sub-processors, where applicable.
12.3 Additional Safeguards
BotBye assesses the laws and practices of third countries to which Personal Data may be transferred and implements supplementary measures where necessary to ensure that the level of protection of Personal Data is not undermined.
13. CCPA Provisions
To the extent the CCPA applies and BotBye is acting as a "service provider" (as defined under the CCPA):
(a) BotBye shall not sell or share (as defined under the CCPA) Personal Data.
(b) BotBye shall not retain, use, or disclose Personal Data for any purpose other than providing the Services, or as otherwise permitted by the CCPA.
(c) BotBye shall not combine Personal Data received from or on behalf of the Customer with Personal Data received from other sources, except as permitted by the CCPA.
(d) BotBye certifies that it understands and will comply with its obligations under the CCPA as described in this DPA.
14. General
14.1 Precedence
In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail with respect to the processing of Personal Data.
14.2 Amendments
BotBye may update this DPA from time to time to reflect changes in Data Protection Law or BotBye's processing practices. BotBye will notify the Customer of material changes at least 30 days before they take effect. Continued use of the Services after the effective date of the updated DPA constitutes acceptance of the changes.
14.3 Governing Law
This DPA shall be governed by and construed in accordance with the laws of Poland, consistent with the governing law provision of the Agreement.
14.4 Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
15. Contact
For questions about this DPA or BotBye's data processing practices, contact:
BotBye
Email: [email protected]
Website: https://botbye.com