A plain-language summary of how BossBot addresses TCPA, CCPA, GDPR, data storage, and HIPAA for US customers. Legal terms are on the Privacy and Terms pages; this page explains the compliance surface in the language buyers actually care about.
TCPA regulates SMS and voice calls to US phone numbers. BossBot does not send SMS and does not place voice calls. All customer communication runs through WhatsApp Business API, Telegram Bot API, or Viber — each of which handles opt-in at the platform layer per its own terms.
This is a real advantage for US customers switching from SMS-based platforms (Podium, Heymarket, Textline, SimpleTexting). The TCPA opt-in workflow those platforms require you to run — express written consent, opt-out language on every message, DNC list scrubbing — does not apply to conversations conducted through BossBot's supported channels, because those channels are not SMS.
BossBot honors California residents' CCPA rights:
Requests: email [email protected]. We respond within the 45-day CCPA statutory window.
BossBot is operated by KZENOFFRAME STUDIO LLC, a US-registered LLC (Wyoming, USA). Customer data is stored on European VPS infrastructure, so GDPR and UK GDPR apply to processing; EU and UK customers benefit from those standards. Data-subject rights (access, deletion, portability, objection) are honored within 30 days. A Data Processing Addendum is available on request for customers who need one to close their own compliance loop.
Primary customer data (conversations, contacts, appointments, billing) is stored on encrypted European VPS infrastructure. The operating company (KZENOFFRAME STUDIO LLC) is US-registered in Wyoming, USA, but the data itself is processed in the EU and subject to GDPR / UK GDPR. Some sub-processors necessarily transfer data across regions per their own architecture — most notably the AI providers (Google Gemini and OpenAI GPT-4) which serve requests from US-based infrastructure — consistent with their own DPAs and Standard Contractual Clauses.
BossBot relies on the following sub-processors to deliver the service. Full list, purpose, and location are available on request; material changes are announced in the Changelog.
BossBot is not a HIPAA-compliant messaging platform for Protected Health Information (PHI). We have not signed Business Associate Agreements with our sub-processors, as HIPAA-covered vendors do.
US healthcare businesses can use BossBot for non-PHI workflows (reception FAQs, general appointment booking without sensitive details, patient-facing marketing), but PHI-carrying messages should stay on a platform with a signed BAA and HIPAA-compliant infrastructure — Textline offers this for SMS, for example.
BossBot does not store, process, or transmit customer credit card numbers. All card payments to BossBot are handled by Stripe (PCI DSS Level 1). BossBot's own database never sees card numbers.
Email [email protected]. Please include the type of request (CCPA / GDPR access / GDPR deletion / DPA / sub-processor list) and the account email of the affected data subject. Response within 45 days for CCPA, 30 days for GDPR / UK GDPR.