Privacy Policy

GDPR · UK GDPR · Last updated: April 16, 2026

This Privacy Policy describes our policies and procedures on the collection, use and disclosure of your information when you use the Service and tells you about your privacy rights and how the law protects you.

We use your Personal Data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

Interpretation and definitions

Interpretation

The words whose initial letters are capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

  • Account means a unique account created for you to access our Service or parts of our Service, including API access.
  • Affiliate means an entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
  • Company (referred to as either "the Company", "We", "Us" or "Our" in this Privacy Policy) refers to Savi Business Management LLC, Sharjah Media City, Sharjah, United Arab Emirates. Botoi is a product of Savi Business Management LLC.
  • Cookies are small files placed on your computer, mobile device or any other device by a website, containing the details of your browsing history on that website among its many uses.
  • Country refers to: United Arab Emirates
  • Device means any device that can access the Service such as a computer, a cell phone or a digital tablet.
  • Personal Data (or "Personal Information") is any information that relates to an identified or identifiable individual. We use "Personal Data" and "Personal Information" interchangeably unless a law uses a specific term.
  • Service refers to the Botoi website, accessible from https://botoi.com, and the Botoi API, accessible from https://api.botoi.com.
  • Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
  • Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit or API request metadata).
  • You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

Client-side tool processing

All browser-based tools on Botoi run entirely in your web browser using client-side JavaScript. The text, numbers, code, and other data you enter into any tool are processed locally on your device. No input data is transmitted to Botoi's servers or any third party.

API data processing

When you use the Botoi API, data you submit in API requests is processed on our servers to generate a response. We do not store the content of API request or response payloads beyond the duration needed to fulfill the request. API usage metadata (endpoint called, timestamp, response status, API key identifier) is logged for rate limiting, billing, and abuse prevention.

Collecting and using your Personal Data

Types of data collected

Personal Data

While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:

  • Email address (for API key registration and billing)

Usage Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

For API users, Usage Data also includes API request metadata such as endpoints accessed, request timestamps, response status codes, and rate limit counters.

Tracking technologies and cookies

We use Umami, a self-hosted, open-source analytics tool, to understand which pages receive traffic and how visitors find the site. Umami does not use cookies, does not track individual users across sessions, and does not collect personal information. All analytics data is stored on our own server and is never shared with third parties. Umami runs without requiring your consent as it qualifies for the legitimate interest exemption under GDPR.

We also use Microsoft Clarity for heatmaps and session recordings to understand how visitors interact with the site. Clarity may set cookies on your device and records anonymized browsing sessions. Clarity is loaded only after you provide consent through our cookie banner. You can learn more about how Microsoft processes your data in the Microsoft Privacy Statement.

We use Cloudflare Web Analytics for aggregated, privacy-focused traffic metrics. Cloudflare Web Analytics does not use cookies or collect personal information.

Cookie consent

When you first visit our site, a cookie consent banner asks for your permission before loading optional analytics tools. You can change your preferences at any time through the "Cookies" link in the site footer. Essential cookies required for the site to function (such as session tokens for authenticated users) do not require consent.

Use of your Personal Data

The Company may use Personal Data for the following purposes:

  • To provide and maintain our Service, including to monitor the usage of our Service.
  • To manage your Account: to manage your registration as a user of the Service. The Personal Data you provide can give you access to different functionalities of the Service that are available to you as a registered user.
  • For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services you have purchased or of any other contract with us through the Service.
  • To contact you: To contact you by email regarding updates or informative communications related to the functionalities, products or contracted services, including security updates, when necessary or reasonable for their completion.
  • To manage your requests: To attend and manage your requests to us.
  • For business transfers: We may use your Personal Data to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by us about our Service users is among the assets transferred.
  • For other purposes: We may use your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and your experience.

Legal bases for processing (GDPR Article 6)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for collecting and using your Personal Data depend on the specific activity:

  • Contract (Art. 6(1)(b)): API key issuance, authentication, rate limiting, billing, and providing paid plan features you have signed up for.
  • Legitimate interests (Art. 6(1)(f)): Security logging, abuse prevention, fraud detection, error tracking (Sentry), cookie-free analytics (Umami, Cloudflare Web Analytics), and service improvement. You may object at any time as described in "Your rights" below.
  • Consent (Art. 6(1)(a)): Heatmaps and session recordings via Microsoft Clarity. Loaded only after you accept via the cookie banner. You may withdraw consent at any time through the "Cookies" link in the footer.
  • Legal obligation (Art. 6(1)(c)): Tax records, accounting records, and responding to lawful requests from public authorities.

We may share your Personal Data in the following situations:

  • With Service Providers: We may share your Personal Data with Service Providers to monitor and analyze the use of our Service, for payment processing, and to contact you.
  • For business transfers: We may share or transfer your Personal Data in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.
  • With Affiliates: We may share your Personal Data with our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include our parent company and any other subsidiaries, joint venture partners or other companies that we control or that are under common control with us.
  • With your consent: We may disclose your Personal Data for any other purpose with your consent.

Retention of your Personal Data

The Company will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies.

We apply different retention periods to different categories of Personal Data based on the purpose of processing and legal obligations:

  • Account Information: Retained for the duration of your account relationship plus up to 24 months after account closure to handle any post-termination issues or resolve disputes.
  • API Usage Data: Request metadata (endpoint, timestamp, status) retained for up to 24 months for billing, analytics, and abuse prevention.
  • Server Logs: IP addresses and access times retained for up to 24 months for security monitoring and troubleshooting.
  • Support Correspondence: Support tickets and correspondence retained for up to 24 months from the date of ticket closure.

When retention periods expire, we securely delete or anonymize Personal Data. Residual copies may remain in encrypted backups for a limited period consistent with our backup retention schedule.

International data transfers

The Company is headquartered in the United Arab Emirates and uses service providers located in the United States, the European Union, and other regions. When we transfer Personal Data out of the EEA, United Kingdom, or Switzerland, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with processors outside the EEA.
  • UK International Data Transfer Addendum for data subject to UK GDPR.
  • Adequacy decisions where the European Commission has determined a country provides an adequate level of protection.
  • Technical safeguards including TLS encryption in transit and access controls.

You may request a copy of the SCCs by emailing privacy@botoi.com.

Your rights under GDPR and UK GDPR

If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights regarding your Personal Data:

  • Right of access (Art. 15): Request a copy of the Personal Data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your Personal Data (the "right to be forgotten"), subject to legal retention obligations.
  • Right to restriction of processing (Art. 18): Ask us to pause processing while a dispute is resolved.
  • Right to data portability (Art. 20): Receive your Personal Data in a structured, machine-readable format and transmit it to another controller.
  • Right to object (Art. 21): Object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent (Art. 7): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint (Art. 77): File a complaint with your local supervisory authority. A list of EEA authorities is available at edpb.europa.eu. UK residents can contact the Information Commissioner's Office (ICO).

To exercise any of these rights, email privacy@botoi.com. We will respond within 30 days. We may need to verify your identity before acting on a request. There is no fee for reasonable requests; we may charge a reasonable fee or refuse requests that are manifestly unfounded or excessive.

Article 27(2) exemption

Under Article 27(2) of the GDPR, the obligation to appoint an EU representative does not apply to processing that is occasional, does not include large-scale processing of special categories of data (Article 9) or data relating to criminal convictions (Article 10), and is unlikely to result in a risk to the rights and freedoms of natural persons. We rely on this exemption on the following basis:

  • We do not process special categories of Personal Data or data relating to criminal convictions.
  • Personal Data collected from individuals is limited to an email address for account and billing purposes.
  • API request and response payloads are not stored beyond the duration needed to fulfil each request.
  • We do not perform profiling, advertising, or automated decision-making.

You may contact us directly at the email addresses listed in "Contact us" below regarding any matter concerning the processing of your Personal Data.

Data breach notification

If a Personal Data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk, we will also notify affected data subjects without undue delay as required by Article 34.

Automated decision-making and profiling

We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.

Data Processing Agreements with sub-processors

We have Data Processing Agreements in place with every sub-processor that handles Personal Data on our behalf. These DPAs incorporate the European Commission Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where applicable:

  • Cloudflare — DPA incorporated by reference into the Self-Serve Subscription Agreement on signup. Current version: cloudflare.com/cloudflare-customer-dpa.
  • Stripe — DPA incorporated by reference into the Stripe Services Agreement on signup. Available at stripe.com/legal/dpa.
  • Resend — DPA incorporated by reference into the Resend Terms of Service on signup. Available at resend.com/legal/dpa.
  • Sentry — DPA accepted in the Sentry Organization dashboard under Legal & Compliance. Available at sentry.io/legal/dpa.
  • Unkey — DPA executed directly with Unkey Inc.
  • Microsoft Clarity — Microsoft operates Clarity as an independent data controller rather than as our processor. See clarity.microsoft.com/privacy. Clarity is loaded only after you accept via the cookie banner.

Data Processing Agreement for business customers

If you are a business customer processing Personal Data of your own end users through our API, we make a Data Processing Agreement available on request. To receive a countersigned DPA, email privacy@botoi.com with your company name, billing address, and the subject line "DPA request".

Disclosure of your Personal Data

Business transactions

If the Company is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law enforcement

Under certain circumstances, the Company may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other legal requirements

The Company may disclose your Personal Data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of the Company
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of users of the Service or the public
  • Protect against legal liability

Security of your Personal Data

The security of your Personal Data is important to us, but no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your Personal Data, we cannot guarantee its absolute security.

Detailed information on the processing of your Personal Data

The Service Providers we use may have access to your Personal Data. These third-party vendors collect, store, use, process and transfer information about your activity on our Service in accordance with their Privacy Policies.

Analytics

We use Umami, a self-hosted, open-source analytics platform. Umami collects anonymous, aggregated page view data without cookies or personal identifiers. All analytics data is stored on infrastructure we control and is never shared with third parties.

Heatmaps and session recordings

We use Microsoft Clarity to capture heatmaps and anonymized session recordings. Clarity helps us understand how visitors navigate the site so we can improve layout and usability. Clarity is loaded only after you consent via our cookie banner. Clarity may set cookies such as _clck and _clsk for session tracking. Their Privacy Policy can be viewed at https://privacy.microsoft.com/privacystatement.

Payments

We may provide paid products and/or services within the Service (including paid API plans). In that case, we use third-party services for payment processing.

We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council.

API key management

API key verification and management is handled by Unkey. Unkey processes API key identifiers and request metadata for authentication and rate limiting. Their Privacy Policy can be viewed at https://unkey.com/privacy.

Transactional email

We use Resend to send transactional email such as sign-in links, account notifications, and billing receipts. Resend processes your email address and message metadata on our behalf. Their Privacy Policy is available at https://resend.com/legal/privacy-policy.

Error tracking

We use Sentry to capture and diagnose application errors. When an error occurs in your browser or in our API, a report containing the error message, stack trace, URL, browser type, and a truncated request context may be sent to Sentry. We do not enable session replay or full-session recording in Sentry. Their Privacy Policy is available at https://sentry.io/privacy/.

Hosting and infrastructure

The Botoi website is hosted on Cloudflare Pages and the API runs on Cloudflare Workers. Cloudflare may log standard web server information such as IP addresses, browser type, and requested URLs for security and performance purposes. Their Privacy Policy can be viewed at https://www.cloudflare.com/privacypolicy/.

Children's privacy

Our Service does not address anyone under the age of 16. We do not knowingly collect personally identifiable information from anyone under the age of 16. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 16 without verification of parental consent, we take steps to remove that information from our servers.

Links to other websites

Our Service may contain links to other websites that are not operated by us. If you click on a third party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact us

If you have any questions about this Privacy Policy, or to exercise any of the rights described above, you can contact us:

Postal address: Savi Business Management LLC, Sharjah Media City, Sharjah, United Arab Emirates.