Privacy Policy

Effective May 17, 2026 · Last updated May 21, 2026

This Privacy Policy describes how Kolorfirst LLC ("DBestChatBot", "we", "us", or "our") collects, uses, shares, and protects information when you use the DBestChatBot website at dbestchatbot.com, our chatbot widget embedded on third-party websites, our WordPress plugin, our API, and any related services (collectively, the "Services").

By using the Services, you agree to the practices described here. If you do not agree, please do not use the Services.

1. Who we are

The data controller for personal information processed through the Services is Kolorfirst LLC, a limited liability company. You can contact us at privacy@dbestchatbot.com with any privacy questions or to exercise your rights described below.

2. Information we collect

2.1 Account information

When you create an account, we collect your name, email address, password (hashed — we never store it in plain text), workspace name, and timezone. If you sign in with Google OAuth, we additionally receive your Google account ID and profile picture URL.

2.2 Billing information

When you purchase a subscription or credit pack, payment is processed by Stripe, Inc. We do not store your full card number on our servers — we only retain a Stripe customer ID, your billing email, and the last four digits of your card for receipts. See Stripe's privacy policy.

2.3 Chatbot conversation content

When end users interact with chatbots you deploy, we process the messages they send, the AI's responses, and any visitor-provided data (name, email, phone) collected via pre-chat forms. This data is stored in your workspace and is visible only to authorized members of your workspace, our limited staff for support purposes, and you.

2.4 Usage data

We log the date and time of each chat, the AI model used, token counts, the credit cost, and basic device metadata (IP address, user agent) for security, billing accuracy, and abuse prevention. We do not sell this data.

2.5 Cookies and tracking

We use strictly necessary cookies for authentication (session cookies, CSRF tokens) and analytics cookies via Google Tag Manager to understand site usage. You can disable non-essential cookies via your browser settings without breaking core functionality.

3. How we use your information

  • Provide, maintain, and improve the Services
  • Process payments and send transactional emails (receipts, password resets, account alerts)
  • Route end-user messages to your selected AI model and return responses
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations and respond to lawful requests
  • Communicate product updates and educational content (you can unsubscribe at any time)

We do not use your chatbot conversations or end-user data to train AI models, and we do not sell your personal information to third parties.

4. How we share your information

4.1 AI model providers (sub-processors)

When you send a message through a chatbot, we forward the relevant content to the AI provider you selected so they can generate a response. Depending on your chatbot's configuration, this may include:

Per our agreements, these providers process data only to fulfill the AI completion request and do not use it for model training.

4.2 WhatsApp Business Platform / Meta

If you connect a chatbot to WhatsApp via Meta's WhatsApp Business Platform, message content, sender phone numbers, and delivery metadata are exchanged with Meta Platforms, Inc. and its affiliates as required to deliver messages. This integration is subject to WhatsApp's Business Policy, the Commerce Policy, and WhatsApp's Privacy Policy.

We do not share WhatsApp message content with any third party other than the AI provider you have selected to power that chatbot, and we comply with Meta's data-use, retention, and security requirements for messaging data.

4.3 Infrastructure providers

4.4 Legal compliance and safety

We may disclose information to comply with applicable law, valid legal process, or to protect the rights, property, or safety of DBestChatBot, our users, or the public.

4.5 Business transfers

If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before personal data becomes subject to a different privacy policy.

5. Google user data

This section specifically describes how DBestChatBot accesses, uses, stores, shares, retains, and lets you delete data obtained from Google APIs. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5.1 Sign in with Google (OAuth)

Data accessed. When you click "Sign in with Google", we request only the OpenID Connect basic-profile scopes: openid, email, and profile. From these we receive your Google account ID (a stable, opaque identifier), your verified email address, your first and last name, and your public profile picture URL. We do not request access to your Gmail, Calendar, Contacts, Drive, or any other Google service.

Data usage. This data is used solely to (a) create or sign you into your DBestChatBot account, (b) populate your display name and avatar in our dashboard, and (c) send you transactional emails (password resets, receipts, security alerts) to the email address Google verified for you. We do not use this data for advertising targeting, for training machine-learning models, or for any purpose unrelated to running your DBestChatBot account.

Data sharing. We do not sell, rent, or share your Google profile data with third parties. The only entities that may incidentally process it are our sub-processors strictly necessary to operate the Services (OVHcloud for hosting, Postmark for email delivery, Stripe for billing) — see Section 4 above. We never share it with advertisers, data brokers, or analytics providers.

5.2 Google Ads API (for users who connect a Google Ads account)

Workspace owners on our Agency plan may optionally connect a Google Ads account to enable conversion-tracking and automated bid recommendations. This is opt-in and most customers never use it.

Data accessed. If you choose to connect, we request the https://www.googleapis.com/auth/adwords scope. With your authorization we read your campaign, ad-group, keyword, and conversion-action metadata, and we write conversion uploads (telling Google when a Stripe checkout completed so your bid strategies can optimize). We do not read your Google account profile, billing instruments, or any other Google product through this scope.

Data usage. Google Ads data is used solely to (a) display campaign performance in your DBestChatBot dashboard, (b) generate AI-assisted optimization recommendations that you review and approve, and (c) upload offline conversion events you have configured. We never use Google Ads data to train AI/ML models, and we never use it to enable advertising to or by third parties.

Data sharing. Google Ads data stays inside your workspace. We do not share it with any other customer, advertiser, broker, or analytics provider. The only third party that processes it is Google itself (when we call the Google Ads API on your behalf). Our infrastructure sub-processors (OVHcloud) handle it solely as encrypted data at rest.

5.3 Data storage and protection

Google profile data and Google Ads OAuth tokens are stored on our servers in the European Union (OVHcloud, Roubaix, France). All data is encrypted in transit with TLS 1.3 and at rest with AES-256. OAuth refresh tokens are additionally encrypted at the application layer using Laravel's authenticated encryption (AES-256-GCM) before being written to the database, so even direct database access does not reveal usable tokens. Access to production data is limited to a small number of staff under role-based access control with multi-factor authentication, and is logged.

5.4 Data retention and deletion

  • Google profile data (name, email, account ID, avatar URL) is retained for the lifetime of your DBestChatBot account. When you delete your account, this data is deleted from our primary database within 30 days and purged from encrypted backups within 90 days.
  • Google Ads OAuth tokens are deleted immediately when you (a) disconnect the Google Ads integration from your DBestChatBot dashboard, (b) revoke access at myaccount.google.com/permissions, or (c) delete your DBestChatBot account. Cached Google Ads performance data is deleted on the same schedule.
  • You can request deletion at any time by visiting our Data Deletion page or emailing privacy@dbestchatbot.com from the address associated with your account. We acknowledge within 7 days and complete deletion within 30 days.

5.5 Limited Use compliance

DBestChatBot affirmatively confirms, in compliance with the Google API Services User Data Policy's Limited Use requirements, that data obtained from Google APIs is:

  • Used only to provide or improve user-facing features that are prominent in the requesting application's user interface;
  • Not transferred to others except as necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users;
  • Not used or transferred for serving advertisements, including retargeting, personalized, or interest-based advertising;
  • Not used to train or fine-tune any generalized or non-personalized AI/ML models. Data obtained through Google Workspace APIs is never used to develop, improve, or train generalized AI/ML models.
  • Not read by humans except (a) with your explicit consent for a specific support request, (b) for security purposes such as investigating abuse, or (c) to comply with applicable law.

6. Data retention

  • Account data — retained while your account is active and for up to 90 days after closure for refund / dispute handling, then deleted or anonymized.
  • Chatbot conversations — retained for the duration of your subscription. You can delete individual conversations at any time from your dashboard.
  • WhatsApp message content — stored only as long as necessary to deliver and display the conversation, and in accordance with Meta's required retention windows.
  • Billing records — retained for 7 years for tax and accounting compliance.
  • Server logs — retained for up to 90 days for security and debugging.

7. Your rights

7.1 EEA / UK (GDPR)

If you are in the European Economic Area or the United Kingdom, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (right to be forgotten)
  • Restrict or object to certain processing
  • Data portability — receive your data in a machine-readable format
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with your local data protection authority

7.2 California (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and share
  • Request deletion of your personal information
  • Opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioral advertising)
  • Non-discrimination for exercising your privacy rights

To exercise any right, email privacy@dbestchatbot.com from the address associated with your account. We respond within 30 days.

8. International data transfers

Our servers are located in the European Union (OVHcloud, France). If you access the Services from outside the EU, your data will be transferred to and processed in the EU. Where data is transferred to non-EU sub-processors (such as US-based AI providers), we rely on Standard Contractual Clauses or equivalent safeguards approved by the European Commission.

9. Children's privacy

The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you become aware that a child has provided personal data to us, please contact us and we will delete it.

10. Security

We implement industry-standard technical and organizational measures to protect your data: TLS 1.3 encryption in transit, AES-256 encryption at rest for sensitive credentials, role-based access control, multi-factor authentication for staff accounts, automated security monitoring, and regular backups. No system is 100% secure — if you believe your account has been compromised, contact us immediately.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will provide additional notice via email or a banner on the Services. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

12. Contact us

For privacy-related questions, requests, or complaints:

  • Email: privacy@dbestchatbot.com
  • Company: Kolorfirst LLC
  • Postal:
    Kolorfirst LLC
    c/o Tax Stitch LLC (Registered Agent) — Edward Styrczula, CPA
    8381 Archer Ave
    Willow Springs, IL 60480
    United States