Legal

Privacy Policy

Effective May 17, 2026 · Last updated May 21, 2026

This Privacy Policy describes how Kolorfirst LLC ("DBestChatBot", "we", "us", or "our") collects, uses, shares, and protects information when you use the DBestChatBot website at dbestchatbot.com, our chatbot widget embedded on third-party websites, our WordPress plugin, our API, and any related services (collectively, the "Services").

By using the Services, you agree to the practices described here. If you do not agree, please do not use the Services.

1. Who we are

The data controller for personal information processed through the Services is Kolorfirst LLC, a limited liability company. You can contact us at privacy@dbestchatbot.com with any privacy questions or to exercise your rights described below.

2. Information we collect

2.1 Account information

When you create an account, we collect your name, email address, password (hashed — we never store it in plain text), workspace name, and timezone. If you sign in with Google OAuth, we additionally receive your Google account ID and profile picture URL.

2.2 Billing information

When you purchase a subscription or credit pack, payment is processed by Stripe, Inc. We do not store your full card number on our servers — we only retain a Stripe customer ID, your billing email, and the last four digits of your card for receipts. See Stripe's privacy policy.

2.3 Chatbot conversation content

When end users interact with chatbots you deploy, we process the messages they send, the AI's responses, and any visitor-provided data (name, email, phone) collected via pre-chat forms. This data is stored in your workspace and is visible only to authorized members of your workspace, our limited staff for support purposes, and you.

2.4 Usage data

We log the date and time of each chat, the AI model used, token counts, the credit cost, and basic device metadata (IP address, user agent) for security, billing accuracy, and abuse prevention. We do not sell this data.

2.5 Cookies and tracking

We use strictly necessary cookies for authentication (session cookies, CSRF tokens) and analytics cookies via Google Tag Manager to understand site usage. You can disable non-essential cookies via your browser settings without breaking core functionality.

3. How we use your information

  • Provide, maintain, and improve the Services
  • Process payments and send transactional emails (receipts, password resets, account alerts)
  • Route end-user messages to your selected AI model and return responses
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations and respond to lawful requests
  • Communicate product updates and educational content (you can unsubscribe at any time)

We do not use your chatbot conversations or end-user data to train AI models, and we do not sell your personal information to third parties.

4. How we share your information

4.1 AI model providers (sub-processors)

When you send a message through a chatbot, we forward the relevant content to the AI provider you selected so they can generate a response. Depending on your chatbot's configuration, this may include:

Per our agreements, these providers process data only to fulfill the AI completion request and do not use it for model training.

4.2 WhatsApp Business Platform / Meta

If you connect a chatbot to WhatsApp via Meta's WhatsApp Business Platform, message content, sender phone numbers, and delivery metadata are exchanged with Meta Platforms, Inc. and its affiliates as required to deliver messages. This integration is subject to WhatsApp's Business Policy, the Commerce Policy, and WhatsApp's Privacy Policy.

We do not share WhatsApp message content with any third party other than the AI provider you have selected to power that chatbot, and we comply with Meta's data-use, retention, and security requirements for messaging data.

4.3 Infrastructure providers

4.4 Legal compliance and safety

We may disclose information to comply with applicable law, valid legal process, or to protect the rights, property, or safety of DBestChatBot, our users, or the public.

4.5 Business transfers

If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before personal data becomes subject to a different privacy policy.

5. Google user data

This section specifically describes how DBestChatBot accesses, uses, stores, shares, retains, and lets you delete data obtained from Google APIs. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5.1 Sign in with Google (OAuth)

Data accessed. When you click "Sign in with Google", we request only the OpenID Connect basic-profile scopes: openid, email, and profile. From these we receive your Google account ID (a stable, opaque identifier), your verified email address, your first and last name, and your public profile picture URL. We do not request access to your Gmail, Calendar, Contacts, Drive, or any other Google service.

Data usage. This data is used solely to (a) create or sign you into your DBestChatBot account, (b) populate your display name and avatar in our dashboard, and (c) send you transactional emails (password resets, receipts, security alerts) to the email address Google verified for you. We do not use this data for advertising targeting, for training machine-learning models, or for any purpose unrelated to running your DBestChatBot account.

Data sharing. We do not sell, rent, or share your Google profile data with third parties. The only entities that may incidentally process it are our sub-processors strictly necessary to operate the Services (OVHcloud for hosting, Postmark for email delivery, Stripe for billing) — see Section 4 above. We never share it with advertisers, data brokers, or analytics providers.

5.2 Google Ads API (for users who connect a Google Ads account)

Workspace owners on our Agency plan may optionally connect a Google Ads account to enable conversion-tracking and automated bid recommendations. This is opt-in and most customers never use it.

Data accessed. If you choose to connect, we request the https://www.googleapis.com/auth/adwords scope. With your authorization we read your campaign, ad-group, keyword, and conversion-action metadata, and we write conversion uploads (telling Google when a Stripe checkout completed so your bid strategies can optimize). We do not read your Google account profile, billing instruments, or any other Google product through this scope.

Data usage. Google Ads data is used solely to (a) display campaign performance in your DBestChatBot dashboard, (b) generate AI-assisted optimization recommendations that you review and approve, and (c) upload offline conversion events you have configured. We never use Google Ads data to train AI/ML models, and we never use it to enable advertising to or by third parties.

Data sharing. Google Ads data stays inside your workspace. We do not share it with any other customer, advertiser, broker, or analytics provider. The only third party that processes it is Google itself (when we call the Google Ads API on your behalf). Our infrastructure sub-processors (OVHcloud) handle it solely as encrypted data at rest.

5.3 Google Calendar API (for users who connect a Google Calendar to enable the Book Appointment skill)

Workspace owners may optionally connect a Google account to enable our Book Appointment skill, which lets visitors of your chatbot pick a time slot and have a calendar event created automatically. This is opt-in and only active for chatbots where the merchant has explicitly enabled the skill.

Data accessed. If you choose to connect, we request the single scope https://www.googleapis.com/auth/calendar.events. With your authorization we (a) list events on the calendar you designate, within the booking-window date range, in order to compute which time slots are still free, (b) create new calendar events when a visitor confirms a booking, and (c) delete or update those events if the booking is cancelled or rescheduled. We do not request access to your Gmail, Contacts, Drive, Tasks, Photos, or any other Google product. We do not request the broader calendar.readonly or calendar scopes, and we do not read the content of pre-existing events you did not create through DBestChatBot — we only read event start/end times and busy-status to avoid double-bookings.

Data usage. Google Calendar data is used solely to (a) show your visitors which slots are still available, (b) write the resulting bookings to your calendar with the visitor as an attendee, and (c) display upcoming and past bookings inside your DBestChatBot dashboard. We never use Google Calendar data to train AI/ML models, to target advertising, or for any purpose beyond operating the Book Appointment feature on your behalf.

What we store. For each connected Google account: the long-lived OAuth refresh token, a short-lived access token, the Google email address and account ID of the connected account, and the list of granted scopes. For each booking made through your chatbot: the visitor's name, email, phone (if provided), the slot time, the chosen calendar id, the resulting Google event id, and (if enabled) the Google Meet link. We do not cache the full list of your existing calendar events — those are fetched on demand and discarded after the slot computation.

Google Meet. If you enable the "Add a Google Meet link" option on your chatbot, each booking creates its own fresh Meet conference via Google's conferenceData.createRequest. We do not create static or reused meeting links; each booking gets a unique room for the privacy of both parties.

Data sharing. Google Calendar data stays inside your workspace. We do not share it with any other DBestChatBot customer, advertiser, broker, or analytics provider. The only third party that processes it is Google itself (when we call the Calendar API on your behalf to read availability or create events). Our infrastructure sub-processors (OVHcloud) handle it solely as encrypted data at rest. Visitors who book an appointment receive a calendar invite from Google directly (via sendUpdates=all), not from us.

5.4 Data storage and protection

Google profile data and Google Ads OAuth tokens are stored on our servers in the European Union (OVHcloud, Roubaix, France). All data is encrypted in transit with TLS 1.3 and at rest with AES-256. OAuth refresh tokens are additionally encrypted at the application layer using Laravel's authenticated encryption (AES-256-GCM) before being written to the database, so even direct database access does not reveal usable tokens. Access to production data is limited to a small number of staff under role-based access control with multi-factor authentication, and is logged.

5.5 Data retention and deletion

  • Google profile data (name, email, account ID, avatar URL) is retained for the lifetime of your DBestChatBot account. When you delete your account, this data is deleted from our primary database within 30 days and purged from encrypted backups within 90 days.
  • Google Ads OAuth tokens are deleted immediately when you (a) disconnect the Google Ads integration from your DBestChatBot dashboard, (b) revoke access at myaccount.google.com/permissions, or (c) delete your DBestChatBot account. Cached Google Ads performance data is deleted on the same schedule.
  • Google Calendar OAuth tokens are deleted immediately when you (a) disconnect Google Calendar from your DBestChatBot Skills tab, (b) revoke access at myaccount.google.com/permissions, or (c) delete your DBestChatBot account. Appointment records (visitor name/email/phone, slot time, Google event id, Meet link) are retained for the lifetime of your workspace so you can refer back to past bookings, and are deleted within 30 days of account deletion. To delete an individual appointment record sooner, cancel it from the Appointments page in your dashboard and then email us to request hard deletion.
  • You can request deletion at any time by visiting our Data Deletion page or emailing privacy@dbestchatbot.com from the address associated with your account. We acknowledge within 7 days and complete deletion within 30 days.

5.6 Limited Use compliance

DBestChatBot affirmatively confirms, in compliance with the Google API Services User Data Policy's Limited Use requirements, that data obtained from Google APIs is:

  • Used only to provide or improve user-facing features that are prominent in the requesting application's user interface;
  • Not transferred to others except as necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users;
  • Not used or transferred for serving advertisements, including retargeting, personalized, or interest-based advertising;
  • Not used to train or fine-tune any generalized or non-personalized AI/ML models. Data obtained through Google Workspace APIs is never used to develop, improve, or train generalized AI/ML models.
  • Not read by humans except (a) with your explicit consent for a specific support request, (b) for security purposes such as investigating abuse, or (c) to comply with applicable law.

6. Data retention

  • Account data — retained while your account is active and for up to 90 days after closure for refund / dispute handling, then deleted or anonymized.
  • Chatbot conversations — retained for the duration of your subscription. You can delete individual conversations at any time from your dashboard.
  • WhatsApp message content — stored only as long as necessary to deliver and display the conversation, and in accordance with Meta's required retention windows.
  • Billing records — retained for 7 years for tax and accounting compliance.
  • Server logs — retained for up to 90 days for security and debugging.

7. Your rights

7.1 EEA / UK (GDPR)

If you are in the European Economic Area or the United Kingdom, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (right to be forgotten)
  • Restrict or object to certain processing
  • Data portability — receive your data in a machine-readable format
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with your local data protection authority

7.2 California (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and share
  • Request deletion of your personal information
  • Opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioral advertising)
  • Non-discrimination for exercising your privacy rights

To exercise any right, email privacy@dbestchatbot.com from the address associated with your account. We respond within 30 days.

8. International data transfers

Our servers are located in the European Union (OVHcloud, France). If you access the Services from outside the EU, your data will be transferred to and processed in the EU. Where data is transferred to non-EU sub-processors (such as US-based AI providers), we rely on Standard Contractual Clauses or equivalent safeguards approved by the European Commission.

9. Children's privacy

The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you become aware that a child has provided personal data to us, please contact us and we will delete it.

10. Security

We implement industry-standard technical and organizational measures to protect your data: TLS 1.3 encryption in transit, AES-256 encryption at rest for sensitive credentials, role-based access control, multi-factor authentication for staff accounts, automated security monitoring, and regular backups. No system is 100% secure — if you believe your account has been compromised, contact us immediately.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will provide additional notice via email or a banner on the Services. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

12. Contact us

For privacy-related questions, requests, or complaints:

  • Email: privacy@dbestchatbot.com
  • Company: Kolorfirst LLC
  • Postal:
    Kolorfirst LLC
    c/o Tax Stitch LLC (Registered Agent) — Edward Styrczula, CPA
    8381 Archer Ave
    Willow Springs, IL 60480
    United States