GDPR Data Rights Center
Your privacy is your right. Under the General Data Protection Regulation (GDPR), you have specific rights over your personal data. This page explains each right and how to exercise it.
Applies to residents of the European Economic Area (EEA), United Kingdom, and Switzerland
48h
Acknowledgment Time
30 days
Response Time
Free
No Charge
Your 8 Data Rights Under GDPR
Click on any right below to learn more about what it means and how to exercise it.
👁️Right to Access
Art. 15 GDPR
Right to Access
Art. 15 GDPR
Request a complete copy of all personal data we hold about you, along with information about how it is being processed.
How to exercise: Email privacy@botnflow.com with subject "GDPR Access Request" and your registered email address.
✏️Right to Rectification
Art. 16 GDPR
Right to Rectification
Art. 16 GDPR
Correct any inaccurate or incomplete personal data we hold about you.
How to exercise: Update your profile in account settings, or email privacy@botnflow.com specifying what needs correction.
🗑️Right to Erasure
Art. 17 GDPR
Right to Erasure
Art. 17 GDPR
Request deletion of your personal data ("Right to be Forgotten"). Note: some data may be retained for legal obligations.
How to exercise: Email privacy@botnflow.com with subject "GDPR Erasure Request" or delete your account from settings.
⏸️Right to Restriction
Art. 18 GDPR
Right to Restriction
Art. 18 GDPR
Temporarily limit how we process your data while accuracy is contested or while we review an objection.
How to exercise: Email privacy@botnflow.com explaining which processing you want restricted and why.
📦Right to Data Portability
Art. 20 GDPR
Right to Data Portability
Art. 20 GDPR
Receive your personal data in a structured, commonly used, machine-readable format (JSON/CSV) and transfer it to another service.
How to exercise: Use the "Export Data" feature in your account settings, or email privacy@botnflow.com.
✋Right to Object
Art. 21 GDPR
Right to Object
Art. 21 GDPR
Object to processing of your data for direct marketing, profiling, or processing based on legitimate interest.
How to exercise: Click "Unsubscribe" in marketing emails, or email privacy@botnflow.com specifying your objection.
🤖Right Against Automated Decisions
Art. 22 GDPR
Right Against Automated Decisions
Art. 22 GDPR
Right not to be subject to decisions based solely on automated processing that significantly affects you, including profiling.
How to exercise: Email privacy@botnflow.com to request human review of any automated decision.
↩️Right to Withdraw Consent
Art. 7(3) GDPR
Right to Withdraw Consent
Art. 7(3) GDPR
Withdraw your consent at any time for any consent-based data processing. Withdrawal does not affect prior lawful processing.
How to exercise: Manage consents in account settings, or email privacy@botnflow.com to withdraw specific consents.
Submit a Data Request
To exercise any of your GDPR rights, send us an email with the following information:
Your full name and email address
Must match your BotnFlow account
The specific right you want to exercise
e.g., Access, Erasure, Portability
Any additional details or specifications
e.g., specific data types, date range, reason
Identity Verification: To protect your privacy, we may ask you to verify your identity before processing your request. This typically involves confirming your email address or answering security questions.
Our Data Processing Roles
Understanding our role in data processing helps clarify responsibilities.
As Data Controller
We determine the purpose and means
BotnFlow acts as the Data Controller for data we collect directly from you:
- •Your account registration information
- •Billing and payment records
- •Support communications and tickets
- •Website analytics and cookies
- •Marketing and newsletter preferences
As Data Processor
We process on your behalf
BotnFlow acts as the Data Processor for data you send through our platform:
- •Your customers' contact information
- •Conversation messages and media
- •Data collected through your chatbot flows
- •Integration data from connected services
- •Conversation analytics and reports
For Business Customers: We offer a Data Processing Agreement (DPA) that outlines our obligations as a Data Processor. Contact legal@botnflow.com to request or execute a DPA.
Our Sub-Processors
We use the following sub-processors to deliver our services. All have appropriate data protection agreements in place.
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Cloud Provider | Infrastructure & hosting | US / EU | SCCs, SOC 2 |
| Stripe | Payment processing | US | SCCs, PCI DSS |
| Meta (WhatsApp) | WhatsApp Business API | US / EU | SCCs, DPA |
| Email Provider | Transactional emails | US | SCCs, SOC 2 |
| Analytics Provider | Product analytics | EU | GDPR compliant |
| AI/ML Provider | AI model inference | US | SCCs, DPA |
We notify customers at least 30 days before adding new sub-processors. You may object to new sub-processors within that period.
Frequently Asked Questions
How long does it take to process a GDPR request?
We acknowledge all requests within 48 hours and fulfill them within 30 days, as required by GDPR. Complex requests may take up to 60 days with prior notification.
Is there a fee for exercising my data rights?
No. All GDPR data requests are processed free of charge. We may charge a reasonable fee only for manifestly unfounded or excessive requests.
What format will my data export be in?
We provide data exports in machine-readable JSON and CSV formats. You can also request specific formats depending on the data type.
Can I request deletion of specific data only?
Yes. You can request deletion of specific data types (e.g., conversation history only) without deleting your entire account. Specify what you want deleted in your request.
What about my customers' data rights?
As a Data Processor, we process your customers' data on your behalf. You are the Data Controller and are responsible for handling your customers' data rights requests. We provide tools in the platform to help you fulfill those requests.
Not Satisfied With Our Response?
If you believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with your local Data Protection Authority (DPA).
Find your local Data Protection Authority →Related: Privacy Policy • Terms of Service • Security