Privacy Policy
Last updated: March 22, 2026 | Effective: March 22, 2026
Data Controller: KZENOFFRAME STUDIO LLC · [email protected]
BossBot is a product operated by KZENOFFRAME STUDIO LLC.
KZENOFFRAME STUDIO LLC ("we", "us", "our") operates the bossbot.uk website and the BossBot WhatsApp AI assistant service. This policy explains how we collect, use, store, and protect personal data when you use our services.
1. Data We Collect
We collect the following categories of personal data:
- Business owner data: Name, email address, phone number, business name, and service details provided during onboarding.
- End-user (patient/customer) data: Phone number, name (as provided via WhatsApp), message content, appointment details, and conversation history.
- Technical data: IP address, browser type, and access timestamps for our web dashboard.
- Billing data: Payment information processed by Stripe (we do not store card numbers directly).
2. How We Store Your Data
All conversation data is encrypted with AES-256-GCM — the same standard used by banks and government agencies. Data is stored in encrypted SQLite databases on our secured European VPS infrastructure.
- Encryption at rest: AES-256-GCM for all message content and personal identifiers.
- Encryption in transit: TLS 1.3 for all API communications.
- Database: Encrypted SQLite with per-client isolation.
- Backups: Encrypted and stored separately with 30-day retention.
3. Who Has Access
Access to personal data is strictly limited to:
- The clinic/business owner who contracted BossBot for their business.
- BossBot AI system (automated processing only — no human reads your messages).
- BossBot administrators may access system logs for debugging, but conversation content remains encrypted and inaccessible without the client's encryption key.
We never sell, rent, or share personal data with advertisers or data brokers.
4. Data Retention
- Active accounts: Data is retained for the duration of the service agreement.
- Conversation logs: Configurable retention period (default 12 months, adjustable per LGPD/GDPR requirements).
- After account cancellation: All data is deleted within 30 days, or exported upon request within 24 hours.
- ZeroTrace audit logs: Retained for the legally required compliance period (minimum 5 years for healthcare data where applicable).
5. Your Rights (GDPR & LGPD)
You and your end-users have the right to:
- Access: Request a full copy of all stored personal data.
- Rectification: Correct any inaccurate personal data.
- Deletion: Request complete erasure of personal data ("right to be forgotten").
- Portability: Receive data in a structured, machine-readable format (JSON export).
- Consent withdrawal: Withdraw consent at any time without affecting prior processing legality.
- Objection: Object to processing based on legitimate interests.
To exercise any of these rights, contact: [email protected]
We respond to all data requests within 15 business days (LGPD) or 30 days (GDPR).
6. ZeroTrace Audit Logging
Every access to personal data within BossBot is recorded in our ZeroTrace cryptographic audit chain. This is a tamper-proof, append-only ledger that creates a hash-linked record of every data access event. ZeroTrace enables:
- Verifiable proof of who accessed what data and when.
- Tamper detection — any modification to audit records is mathematically detectable.
- Compliance audits for GDPR Article 30 and LGPD Article 37 record-keeping requirements.
7. Third-Party Services
We use the following third-party services to operate BossBot:
- WhatsApp Cloud API (Meta): Message delivery. Subject to WhatsApp Privacy Policy.
- Google Gemini AI: Natural language processing for generating responses. Conversation data is sent to Google's API for processing but is not used to train Google's models (per our enterprise agreement).
- Stripe: Payment processing. Subject to Stripe Privacy Policy. We never store credit card numbers.
- Telegram Bot API: Escalation notifications to business owners.
8. Cookies
Our website uses only essential functional cookies (language preference, session). We do not use tracking cookies or third-party analytics cookies.
9. Children's Privacy
BossBot is a B2B service. We do not knowingly collect data from individuals under 16. If a minor's data is inadvertently collected through WhatsApp conversations, the business owner is responsible for obtaining parental consent as required by applicable law.
10. Changes to This Policy
We may update this policy periodically. Material changes will be communicated via email to all active account holders at least 15 days before taking effect.
11. Contact
For privacy-related questions, data requests, or complaints:
Data Protection Contact: [email protected]
If you believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with your local supervisory authority (e.g., ANPD in Brazil, CNIL in France, ICO in the UK).
Privacy Policy
Last updated: March 22, 2026 | Effective: March 22, 2026
Data Controller: KZENOFFRAME STUDIO LLC · [email protected]
BossBot is a product operated by KZENOFFRAME STUDIO LLC.
KZENOFFRAME STUDIO LLC ("we") operates the bossbot.uk website and the BossBot WhatsApp AI assistant service. This policy explains how we collect, use, store, and protect personal data when you use our services.
1. Data We Collect
- Owner data: Name, email, phone, business name, and service details provided during registration.
- End-user (patient/customer) data: Phone number, name (as provided via WhatsApp), message content, appointment details, and conversation history.
- Technical data: IP address, browser type, and dashboard access records.
- Billing data: Payment information processed by Stripe (we do not store card numbers).
2. How We Store Your Data
All conversation data is encrypted with AES-256-GCM, the same standard used by banks and governments. Data is stored in encrypted SQLite databases on our secure VPS infrastructure.
- Encryption at rest: AES-256-GCM for all message content and personal identifiers.
- Encryption in transit: TLS 1.3 for all API communications.
- Database: Encrypted SQLite with per-client isolation.
- Backups: Encrypted and stored separately with 30-day retention.
3. Who Has Access
- The owner of the clinic/business that contracted BossBot.
- BossBot AI system (automated processing; no human reads your messages).
- BossBot administrators may access system logs for debugging, but conversation content remains encrypted.
We never sell, rent, or share personal data with advertisers or data brokers.
4. Data Retention
- Active accounts: Data is retained for the duration of the contract.
- Conversation logs: Configurable retention period (default 12 months, adjustable per LGPD).
- After cancellation: All data is deleted within 30 days, or exported upon request within 24 hours.
- ZeroTrace audit logs: Retained for the legally required period.
5. Your Rights (LGPD & GDPR)
You and your end-users have the right to:
- Access: Request a full copy of all stored personal data.
- Rectification: Correct inaccurate personal data.
- Deletion: Request complete erasure of personal data.
- Portability: Receive data in a structured, machine-readable format (JSON export).
- Consent withdrawal: Withdraw consent at any time.
- Objection: Object to processing based on legitimate interests.
To exercise any of these rights, contact: [email protected]
We respond to all requests within 15 business days (LGPD).
6. ZeroTrace Audit Logging
Every access to personal data in BossBot is recorded in the ZeroTrace cryptographic audit chain. This is a tamper-proof ledger that creates a hash-linked record of every data access event.
7. Third-Party Services
- WhatsApp Cloud API (Meta): Message delivery.
- Google Gemini AI: Natural language processing for generating responses.
- Stripe: Payment processing. We do not store card numbers.
- Telegram Bot API: Escalation notifications to owners.
8. Contact
Data Protection Contact: [email protected]
If you believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with the ANPD (Autoridade Nacional de Protecao de Dados).