Amybot

Privacy Policy

This Privacy Policy explains how Bubobot Company Limited, a company registered in Vietnam (Business Registration No. 0318802936), with its registered office at D-00.03, Tower D, Sadora Building, No. 2, Street 13, An Khanh Ward, Ho Chi Minh City, Vietnam (“Bubobot,” “we,” “us,” or “our”), collects, uses, stores, and protects your personal information when you use the Amybot platform (“Platform”).

This Privacy Policy is issued in compliance with applicable data protection and cybersecurity laws.

Your use of the Platform is governed by this Privacy Policy and our Terms of Service. You must review and accept this Privacy Policy before using the Platform. Where we rely on consent for specific processing activities, we will obtain your explicit consent separately through our consent management interface.

This Privacy Policy is published in both English and Vietnamese. In the event of any conflict between the two versions, the English version prevails.

1. Data Controller and Entity Relationship

1.1 Data Controller

Bubobot Company Limited is the data controller responsible for personal data processed through the Platform for users located in Vietnam or otherwise subject to this policy.

1.2 Data Protection Contact

For any questions about this Privacy Policy, to exercise your data rights, to withdraw consent, or to file a complaint, contact us at:

Email: privacy@amybot.ai

Address: D-00.03, Tower D, Sadora Building, No. 2, Street 13, An Khanh Ward, Ho Chi Minh City, Vietnam

2. Information We Collect

2.1 Information You Provide

  • Account information: Name, email address, and profile picture from your Google account (via Google OAuth sign-in).
  • Billing information: Payment details are collected and processed by our designated payment processor and merchant of record. We do not store your full credit card number. We store transaction identifiers, subscription status, and billing history. For details on our current payment processor, see our Sub-processors page.
  • API keys and credentials: Third-party API keys and authentication credentials you provide for your integrations and agent instances, stored encrypted at rest (AES-256-GCM).
  • Support communications: Content of messages you send to our support team.
  • Agent configuration: Settings, prompts, instructions, and configuration data you provide when setting up your AI agent instances.

2.2 Third-Party Integration Data

When you connect third-party services to the Platform, we collect and process data from those services to enable your AI agents to function. The types of data collected depend on the integrations you connect. This may include:

Integration CategoryData Types CollectedExamples of Platforms
Messaging platformsMessage content, conversation history, message metadata (timestamps, message IDs), user/participant identifiers, channel/group information, reactionsDiscord, Zalo, Telegram, Slack
Email servicesEmail content, subject lines, sender/recipient addresses, timestamps, attachments metadataGmail, Outlook, other email providers
Productivity & collaboration toolsDocuments, notes, task descriptions, project data, comments, file metadataGoogle Workspace, Notion, Trello, Asana
CRM & business toolsContact records, customer information, deal/opportunity data, interaction histories, notesHubSpot, Salesforce, other CRM systems
Social media platformsPosts, comments, interactions, follower/following data, profile information, engagement metricsFacebook Pages, Instagram, X (Twitter), LinkedIn
File storage servicesFile names, file metadata, document content (when accessed by agents), folder structuresGoogle Drive, Dropbox, OneDrive
Custom APIs & webhooksData payloads as configured by you, which may include any type of structured or unstructured dataUser-configured API endpoints

Important clarifications:

  • We collect only the data that is accessible through the integrations you have voluntarily connected and authorized.
  • The specific data collected depends on the permissions you grant when connecting each integration.
  • We collect this data only with your explicit consent (see Section 5).
  • This data is classified as sensitive personal data under applicable data protection law — see Section 3 for details.

2.3 Third-Party Data Subjects

When you connect integrations, the data collected may contain personal information of other individuals — for example, people you have exchanged messages with, email correspondents, CRM contacts, or social media followers (“Third-Party Data Subjects”).

Your responsibilities:

  • You represent that you have the legal authority and, where required, the consent of Third-Party Data Subjects to share their data with the Platform.
  • You are responsible for compliance with the terms of service of the third-party platforms you connect.

Our responsibilities:

  • We process Third-Party Data Subject information solely to provide AI agent functionality to you.
  • Third-Party Data Subjects may contact us at privacy@amybot.ai to: (a) inquire whether their personal data is being processed, (b) request access to their data, (c) request deletion of their data from our systems.
  • We will honor deletion requests from Third-Party Data Subjects within 30 days, and will notify you when data is removed that may affect your agent's functionality.
  • We apply the same security and data protection measures to Third-Party Data Subject information as to your own personal data.

2.4 Information Collected Automatically

  • Usage data: Instance status, deployment timestamps, agent execution logs, and service interactions.
  • Device and browser information: IP address, browser type, operating system, and pages visited. This data is collected as part of providing the Platform (authentication, security, and service delivery) and is covered under the Platform usage consent described in Section 5.
  • Cookies: We use essential cookies required for authentication and Platform functionality. We do not use tracking or advertising cookies.

2.5 Information We Do Not Collect

We do not intentionally collect personal information such as racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, or sexual orientation — except to the extent such information may incidentally appear within Third-Party Integration Data that you connect to the Platform. We do not knowingly collect personal information from children under 18.

3. Classification of Personal Data

Under applicable data protection law, we process two categories of personal data:

3.1 Basic Personal Data

  • Account information (name, email, profile picture)
  • Device and browser information
  • Usage data
  • Support communications
  • Billing records (transaction IDs, subscription status)

3.2 Sensitive Personal Data

The following data receives enhanced security protections on our Platform:

  • Third-Party Integration Data — Data collected from your connected third-party services, which may reflect your activities and interactions across online services
  • API keys and authentication credentials — Digital identity and access credentials

Enhanced protections applied:

  • Encryption at rest (AES-256-GCM) and in transit (TLS)
  • Strict internal access control with documented authorization
  • Access logging and audit trails
  • Separate, explicit consent before collection
  • Regular security audits

4. Legal Bases for Processing

We process your personal data on the following legal bases:

Processing ActivityLegal Basis
Account creation and authenticationContractual necessity
Payment processing and subscription managementContractual necessity + Legal obligation
Collecting and processing Third-Party Integration DataExplicit consent (separate consent required)
AI agent functionality using your integration dataExplicit consent (separate consent required)
Cross-border data transferExplicit consent (separate consent required)
Sharing data with AI model providers for inferenceExplicit consent (separate consent required)
Platform improvement via anonymized, aggregated dataExplicit consent (separate consent required)
Fraud detection and securityLegal obligation + Contractual (per Terms of Service security obligations)
Legal compliance (tax, regulatory)Legal obligation
Responding to support requestsContractual necessity

Important: Applicable law does not recognize “legitimate interest” as a legal basis for processing. We rely on your explicit consent for processing activities that are not strictly necessary for contractual performance or legal compliance.

5. Consent Mechanism

5.1 How We Obtain Your Consent

Before using the Platform, you must accept this Privacy Policy and our Terms of Service. For specific processing activities involving sensitive personal data, we obtain separate, granular consent through our consent management interface. You will be asked to provide separate consent for each of the following:

  1. Third-Party Integration Data consent — Collection and processing of data from connected third-party services (messaging, email, productivity, CRM, social media, file storage, custom APIs) for AI agent functionality
  2. Cross-border data transfer consent — Transfer of your personal data to servers and service providers in other jurisdictions (see Section 8)
  3. AI model provider data sharing consent — Sharing of your integration data with third-party AI model providers (as listed on our Sub-processors page) for AI inference and response generation
  4. Analytics consent — Use of your usage patterns for Platform improvement (note: only pseudonymized data is used; see Section 6.2)

Each consent is independent. You may accept or decline each separately. Declining a consent may limit specific Platform functionality as described in the consent interface.

5.2 Per-Integration Consent

In addition to the general consents above, each time you connect a new third-party integration, we will present you with a specific disclosure showing:

  • The types of data that will be collected from that integration
  • The purposes for which the data will be used
  • Which AI model providers may receive the data
  • The applicable retention period

You must explicitly authorize each integration connection before any data is collected.

5.3 Information Disclosed Before Consent

Before you provide any consent, we will clearly inform you of:

  • The specific types of personal data to be collected
  • The specific purposes for collection and processing
  • The entities that will process your data (including sub-processors)
  • Your rights under applicable law, including the right to withdraw consent
  • Whether data will be transferred to other jurisdictions, and to which ones
  • The retention period for each category of data

5.4 Withdrawal of Consent

You may withdraw any or all consents at any time by:

  • Using the consent management settings in your Platform dashboard
  • Disconnecting specific integrations to stop further data collection from those services
  • Contacting us at privacy@amybot.ai

Withdrawal of consent is as easy as giving consent. Upon withdrawal:

  • We will immediately stop the relevant processing activities (new data collection ceases).
  • Data restriction and segregation: Integration data subject to consent withdrawal will be restricted from all processing except retention for legal compliance. This data will be segregated from operational systems and accessible only to legal/compliance personnel.
  • Deletion timeline: Restricted data will be permanently deleted within 30 days of consent withdrawal, except where a longer retention period is required by law (see Section 10.2 for details on how we reconcile deletion obligations with mandatory retention under applicable law).
  • Withdrawal does not affect the lawfulness of processing conducted before withdrawal.
  • Withdrawing consent for core integration data may result in your AI agents losing access to historical context and reduced functionality.

5.5 New Consent on Material Changes

A new consent is required each time we materially change how your data is processed, including: new processing purposes, new sub-processors, new cross-border transfer destinations, or new integration types.

5.6 Consent Records

We maintain records of all consents, including: the specific consent given, the timestamp, the version of the Privacy Policy in effect, the specific integrations authorized, and the method of consent. These records are available to you upon request within 30 days.

6. How We Use Your Information

6.1 Primary Purposes

  • Provide the Platform: Authenticate your identity, provision and manage your AI agent instances, and deliver the Services.
  • AI agent functionality: Process data from connected third-party integrations to enable your AI agents to understand context, generate responses, retrieve information, and perform tasks on your behalf.
  • Process payments: Manage subscriptions, process billing transactions through our payment processor, and send receipts.
  • Communications: Send transactional emails (account confirmations, billing receipts, service notifications) and respond to support requests.

6.2 Secondary Purposes (with separate consent)

  • Improve the Platform: Analyze pseudonymized usage patterns to fix issues and improve the Services. We do not use your raw integration data for platform improvement — only pseudonymized, aggregated metrics derived from usage patterns (e.g., feature usage frequency, error rates). If this data cannot be fully anonymized, we obtain your consent before use.

6.3 What We Do NOT Do

  • We do not sell your personal data.
  • We do not use your Third-Party Integration Data to train AI models. Your data is used only for real-time inference (generating responses for your agents).
  • We do not share your personal data for advertising or marketing purposes.
  • We do not profile you based on your integration data for purposes unrelated to providing the Platform.
  • We do not access integration data beyond what your agent configuration requires.

7. How We Share Your Information

We share your personal data only with the following categories of recipients, and only to the extent necessary for the stated purposes:

7.1 Service Providers (Sub-processors)

CategoryPurposeData SharedData Location
Payment processingBilling and subscription management (merchant of record)Billing information (non-sensitive)United Kingdom / EU
AuthenticationOAuth sign-inAccount information (non-sensitive)United States
Database hostingData storage (PostgreSQL)Account data, instance metadata (non-sensitive)US / as configured
Application hostingContainer hosting for AI agent instancesInstance metadata, agent execution data (non-sensitive)Global (region selected at deployment; default: US)

For the current list of sub-processors by name, see our Sub-processors page.

Note: Third-Party Integration Data (sensitive data) is stored on designated servers in accordance with applicable data localization requirements and is not stored on any of the above sub-processors' infrastructure.

Each sub-processor is bound by data processing agreements specifying their obligations under applicable data protection law.

Sub-processor changes: We will notify you at least 14 days before engaging a new sub-processor that will process your personal data. If you object, you may contact us at privacy@amybot.ai and we will work in good faith to address your concerns.

7.2 AI Model Providers

When your AI agents process integration data, the relevant portions may be transmitted to third-party AI model providers for inference. The specific provider used depends on your agent configuration and API keys. Data shared with AI model providers is limited to the context necessary for generating responses.

For the current list of AI model providers, see our Sub-processors page. If we add support for additional providers, we will update our Sub-processors page and, where required, obtain new consent before enabling them.

7.3 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request from a competent authority, or to protect our rights, safety, or the safety of others.

7.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you at least 30 days before your data becomes subject to a different privacy policy and provide the opportunity to delete your data before the transfer.

8. Cross-Border Data Transfer

Your personal data may be transferred to and processed in countries other than where your data is stored, including the United States and other jurisdictions where our service providers operate.

8.1 Transfers We Make

Data CategoryDestinationRecipient CategoryPurpose
Account and instance metadata (non-sensitive)United StatesDatabase hosting providerDatabase hosting
Instance metadata (non-sensitive)Various regionsApplication hosting providerContainer hosting
Billing data (non-sensitive)United Kingdom / EUPayment processorPayment processing
Integration data for inferenceUnited StatesAI model providersAI response generation (transient — not stored overseas)

For the current named list of recipients, see our Sub-processors page.

Important: Third-Party Integration Data is stored on designated servers in accordance with applicable data localization requirements. When your AI agent processes integration data, relevant portions are transmitted to AI model providers for inference only. This transfer is initiated by your use of the Platform and your choice of AI model configuration. The data is used for real-time processing and is not permanently stored outside the designated storage location.

8.2 Safeguards

For all cross-border transfers, we implement the following safeguards:

  • Consent: We obtain your consent for cross-border data transfers (Section 5.1, item 2)
  • Data processing agreements: All overseas recipients are bound by contractual obligations providing appropriate data protection
  • Encryption: All data is encrypted in transit (TLS) and at rest (AES-256-GCM for sensitive data)
  • Data minimization: Only the minimum data necessary for AI inference is transmitted; sensitive data is not permanently stored outside the designated storage location
  • User-initiated transfers: Cross-border data processing for AI inference is initiated by your use of the Platform and your configuration choices

8.3 Your Right Regarding Transfers

You have the right to be informed about cross-border transfers and to withdraw consent for such transfers. Withdrawing consent for cross-border transfers may affect Platform functionality, as our infrastructure relies on international service providers.

9. Data Localization

9.1 Data Localization Obligations

As required by applicable law, we may be subject to data localization and retention obligations. We comply with all applicable data localization requirements in the jurisdictions where we operate.

9.2 Our Approach

  • Data storage: All Third-Party Integration Data (sensitive data) is stored on designated servers in compliance with applicable data localization requirements.
  • Data retention: We retain personal data (including Third-Party Integration Data) for the periods specified in Section 10, which meet or exceed the minimum retention periods under applicable law.
  • Non-sensitive data: Basic account data and operational metadata may be processed on infrastructure in other jurisdictions (see Section 7.1 and 8.1 for details).
  • Cooperation with authorities: We will cooperate with lawful requests from competent authorities in accordance with applicable law.

9.3 Ongoing Compliance

We monitor regulatory developments and enforcement guidance regarding data localization requirements and will update this policy and our infrastructure as necessary to maintain compliance.

10. Data Retention

10.1 Retention Periods

Data CategoryRetention PeriodLegal Basis
Account dataDuration of active account. Deleted within 30 days after account closure (30-day window allows account recovery from accidental deletion and completion of pending transactions).Contractual necessity
Billing records7 years after transactionLegal obligation (tax/accounting)
Third-Party Integration DataDuration of active account or until consent withdrawal, whichever is earlier. Subject to Section 10.2 below.Consent
Agent execution logs24 monthsLegal obligation
Usage logs12 months, then deletedContractual necessity (service delivery)
Support communications24 months after resolutionLegal obligation
Consent recordsDuration of account + 3 yearsLegal obligation (accountability)

10.2 Reconciling Consent Withdrawal with Mandatory Retention

Applicable law creates a potential tension between your right to withdraw consent and delete your data and mandatory data retention requirements.

How we handle this:

When you withdraw consent for Third-Party Integration Data processing:

  1. Immediate action: All active processing stops. No new data is collected. Your AI agents can no longer access the data.
  2. Data restriction: The data is immediately segregated from operational systems and placed in a restricted legal-hold environment.
  3. Access limitation: Only authorized legal/compliance personnel can access restricted data, and only for the purpose of complying with mandatory retention obligations.
  4. Automatic deletion: Upon expiry of the applicable mandatory retention period (up to 24 months under applicable data retention law), the restricted data is permanently deleted.
  5. Transparency: You will be informed of the specific mandatory retention period that applies and the expected deletion date.

This approach balances your data protection rights (data is no longer processed for any purpose beyond legal compliance) with legal retention obligations.

11. Data Security

We implement the following security measures to protect your data, with enhanced measures for sensitive personal data (Third-Party Integration Data):

11.1 Technical Measures

  • Encryption at rest: API keys, authentication credentials, and Third-Party Integration Data encrypted using AES-256-GCM.
  • Encryption in transit: All connections use HTTPS with TLS encryption.
  • Database security: PostgreSQL with Row-Level Security (RLS) policies ensuring users can only access their own data.
  • Instance isolation: Each user instance runs in an isolated container environment.
  • Access logging: All access to sensitive personal data is logged with audit trails.

11.2 Organizational Measures

  • Internal access control rules: Formal documented rules governing who can access sensitive personal data, under what conditions, through what procedures, and with what authorization.
  • Standard operating procedures: Documented procedures for all processing activities involving sensitive personal data.
  • Staff training: Team members who handle personal data are trained on applicable data protection obligations.
  • Regular security audits: Periodic review of access controls, encryption, and security measures.

11.3 Security Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by applicable law
  • Notify affected individuals without undue delay via email and in-Platform notification where the breach involves sensitive personal data or is likely to result in significant harm
  • Provide information about: the nature of the breach, categories and approximate number of affected individuals, likely consequences, and measures taken to mitigate the breach

No system is completely secure. We cannot guarantee the absolute security of your data.

12. Your Data Protection Rights

Under applicable data protection law, you have the following rights:

  1. Right to know — You have the right to know about the collection, use, and processing of your personal data.
  2. Right to consent — You have the right to give, decline, or withdraw consent for the processing of your personal data.
  3. Right to access — You have the right to access and view your personal data held by us, including receiving your data in a machine-readable format upon request.
  4. Right to correction — You have the right to request correction of inaccurate or incomplete personal data.
  5. Right to deletion — You have the right to request deletion of your personal data, subject to mandatory retention obligations (see Section 10.2).
  6. Right to restriction — You have the right to request restriction of or object to the processing of your personal data.
  7. Right to complain — You have the right to complain, denounce, and initiate lawsuits regarding violations of your personal data protection rights.
  8. Right to compensation — You have the right to request compensation for damages caused by violations of your personal data protection rights.
  9. Right regarding automated decision-making — You have the right to request explanation of automated decision-making that affects you, and to opt out of AI-driven processing that produces significant effects on you.

Exercising Your Rights

To exercise any of these rights, contact us at privacy@amybot.ai. We will respond to verified requests within 30 days.

13. Automated Decision-Making and AI Processing

The Platform hosts AI agents that process your Third-Party Integration Data to generate responses and perform tasks.

  • Amybot itself does not use automated decision-making to make significant decisions about you (such as decisions affecting employment, credit, housing, or healthcare).
  • Your AI agents process integration data to generate responses and perform actions based on your configuration. You control what your agents do with your data.
  • You have the right to request an explanation of how automated processing works and to opt out of AI-driven processing that produces significant effects on you.
  • If your AI agents make decisions that affect Third-Party Data Subjects, you are responsible for ensuring compliance with applicable laws governing automated decision-making.

14. Third-Party Platform Terms

When you connect third-party services to the Platform:

  • You are responsible for ensuring that your use of those platforms' data complies with their respective terms of service and privacy policies.
  • You represent that you have the necessary rights, permissions, and (where required) consents to share data from those platforms with us.
  • Some third-party platforms may have terms that restrict how their data can be used with AI systems — you are responsible for reviewing and complying with those terms.
  • We are not responsible for the privacy practices of third-party platforms.

15. Compliance and Assessments

We conduct internal assessments of our data processing practices to ensure appropriate protections are in place. We comply with applicable data protection requirements and update our practices as regulatory guidance evolves. For questions about our compliance measures, contact us at privacy@amybot.ai.

16. Children's Privacy

The Platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe a child under 18 has provided us with personal information, contact us at privacy@amybot.ai.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and through the Platform at least 30 days before they take effect. Where changes affect how your personal data is processed, a new consent will be required. The “last updated” date at the top reflects the most recent revision.

18. Contact Us

For privacy-related questions, contact us at:

Bubobot Company Limited
D-00.03, Tower D, Sadora Building, No. 2, Street 13, An Khanh Ward, Ho Chi Minh City, Vietnam

General inquiries: support@amybot.ai

Data Protection Contact: privacy@amybot.ai

If you believe your personal data protection rights have been violated, you may file a complaint with the relevant supervisory authority or initiate legal proceedings in accordance with applicable law.