Legal · privacy
Your data, in plain English.
What we collect, why, and what we never do.
Babots Privacy Policy
Version: 2026-07-04
This policy describes what data Babots collects, how we use it, and the choices you have.
1. What we collect
- Account fields: email, display name, password hash (bcrypt cost 12), handle, tier, signup IP and user-agent (for abuse forensics only), date of birth (used solely to refuse under-13 registrations and never shown in your public profile), consent to these terms.
- Phone number, if you verify one: stored in international (E.164) format and used for one-time-passcode verification and anti-abuse checks. We never use your phone number for marketing.
- Telegram chat id, if you link Telegram: the numeric identifier Telegram assigns to your chat with our bot, used only to route your babot's messages and account-link codes to you on Telegram.
- Babot data you create: name, persona, voice sample, boundaries, memories, drafts (both pending and decided). Memories are stored encrypted at rest under AES-256-GCM.
- Email mailbox credentials, if you connect an email inbox: the IMAP/SMTP host, port, username and password for the mailbox you connect. The password is encrypted at rest under AES-256-GCM and is never logged or shown back to you; when you disconnect the channel the stored credentials are scrubbed.
- Email you receive after connecting an inbox: once you connect a mailbox, your babot reads new messages that arrive in your inbox AFTER you connect — it does not read your existing mail or your history. Each new message's sender address and text body are stored so your babot can draft a reply you approve before it sends. This necessarily includes messages from people who write to you and who do not have a Babots account; see "Other people's data" below.
- Web Push subscriptions, if you opt in: when you explicitly enable notifications on a device, we store that device's push subscription — the push-service endpoint URL and the two encryption keys (p256dh and auth) the browser issues. These are used only to send the notifications described in section 4.
- Visitor email addresses left on a public profile: if someone messages your babot from your public profile page and leaves an email address to receive your approved reply, we store that address as the counterparty for that conversation. It is used only to deliver replies you approve; see section 4.
- Safety classifications: automated labels our systems attach to content as it is processed — for example, a signal that a message may describe a crisis (so we can offer resources), or that content may violate our content rules. These labels, and in narrow cases the content that triggered them, are used only for safety as described in section 6.
- Audit log entries for every authentication, consent change, and Sanctum decision — tamper-evident hash chain (ADR-003).
- Telemetry counts (draft generated / approved / declined / deflect issued / locked / reverted / autonomous attempted / succeeded / rollback) with no message bodies attached.
2. What we never do
- We never sell personal data to third parties. The Live Transparency Report on /trust shows zero records sold and stays at zero by contract — if it ever moves, our PII-sold counter ticks and we owe you a public explanation.
- We never train a public model on your private memory rows.
- We never share content with advertisers.
- We never proactively monitor, profile, or report your lawful activity to law enforcement or anyone else. We disclose content to authorities only when we are legally compelled to, and only as described in section 6. The one exception the law does not let us make is child sexual abuse material, which we are required to report.
3. Storage and retention
Memory is permanent for the life of your account (ADR-006). You can remove individual memories with the Forget gesture (irreversible). On account deletion all data enters a 30-day grace window, after which the hard-purge completes within 7 days. The hard-purge removes your account, your babots and their memories, drafts and channels, your connected mailbox credentials, and your Web Push subscriptions.
The one exception to this timeline is a legal hold: if specific content has been preserved because we are legally required to keep it, or in order to respond to valid legal process, that content may be retained beyond the deletion timeline for as long as the law requires, and then deleted. A legal hold is narrow — it covers only the specific records under obligation, not your account as a whole. See section 6.
4. Other people's data
Two features cause Babots to hold data about people who are not Babots users:
- The email channel: when your babot reads new mail that arrives in your connected inbox, the sender's address and the message text are stored and processed by our LLM subprocessors (section 5) so your babot can draft a reply. We minimize this: text only, no attachments, quoted reply-history is stripped, automated and no-reply messages are skipped, and only a bounded number of new messages are read per check. This data is held under your account; you delete it by deleting the relevant babot or your account. People who write to you are not separately notified by us and have no self-serve deletion path of their own — to ask about data a Babots user holds about you, contact privacy@babots.ai.
- Public-profile replies: a visitor who leaves an email address to get your approved reply has that address stored as the conversation counterparty and used only to send replies you approve. These sends are rate-limited per babot and per recipient. The address can be suppressed: a visitor can send "STOP" with their address from your public profile page, after which we never email it again; an address that hard-bounces is also suppressed automatically. We do not verify that the person who typed an address controls it, so we keep these emails purpose-limited and clearly marked.
5. Subprocessors
- LLM providers — Anthropic, OpenAI, Google (Gemini), DeepSeek, and xAI — process inference requests, which include the content of the conversations your babot handles, including email your babot reads on the email channel. Which provider receives a given request depends on the model routing in effect for that request; we use your bring-your-own-key when supplied.
- Twilio receives your phone number to deliver one-time verification codes.
- Telegram receives the messages your babot exchanges on the Telegram surface and the one-time codes used to link your account, when you connect a Telegram chat.
- Resend delivers our transactional email — account-activity digests, onboarding messages, and the public-profile reply emails described in section 4 — and therefore receives the recipient address and the email content for those messages. Mail your babot SENDS from your own connected mailbox does NOT go through Resend; it is sent directly through your own email provider over SMTP.
- Our Postgres database is hosted on Neon.
We publish the current subprocessor list on /trust.
6. Safety, law enforcement, and legal preservation
Keeping you and other people safe sometimes means our systems look at content for a narrow set of harms. This section describes exactly what that means and, just as importantly, what it does not.
Automated safety classification. As content is processed, automated classifiers check it for a small set of safety signals: indications that someone may be in crisis or at risk of self-harm (so your babot can offer support resources rather than anything else); content that may be sexual or otherwise against our content rules (so we can enforce those rules); and credible threats of violence or attempts to organise serious unlawful harm to others. These checks are automated and purpose-limited. A crisis signal is used to help, not to penalise you.
We are reactive, not a surveillance service. We do not build profiles of you for law enforcement, we do not monitor your lawful activity, and we do not volunteer your content to authorities. We disclose your content to law enforcement or a government authority only when we are legally compelled to by valid legal process — such as a subpoena, court order, or warrant that we have reviewed — or where we reasonably believe disclosure is necessary to prevent imminent physical harm to a person. When the law permits, we will try to notify you of a request before responding.
Legal preservation ("legal hold"). If content is flagged for a credible threat of violence or serious unlawful activity, or if we receive a lawful preservation request, we may preserve the specific relevant records — a "legal hold" — so that we can respond if we later receive valid legal process. Held records are kept separately, limited to what is necessary, retained only for as long as the law requires, and then deleted. A legal hold is the one case where specific content may outlive the deletion timeline in section 3; it never suspends deletion of the rest of your account.
The child-safety exception. The single category where the law requires us to act proactively rather than only on request is child sexual abuse material (CSAM). We detect it and report it to the National Center for Missing & Exploited Children (NCMEC) and equivalent authorities, as we are legally required to do. This is the only content we report without being asked.
Legal basis (EU/EEA residents). Where we retain or disclose content under this section, our lawful basis under the GDPR is compliance with a legal obligation (Article 6(1)(c)) and/or our legitimate interests and the protection of the vital interests of others and the establishment, exercise or defence of legal claims. This is a permitted exception to the right to erasure under Article 17(3) — it is why a legal hold can lawfully outlive an erasure request, and it applies only to the specific records concerned.
7. Your rights
You can export your data at any time from Settings → Export. The export includes your account fields, babots, boundaries, memories, drafts, friends, connected-integration metadata, and credits history; it does not currently include the individual inbound messages your babot has received. You can delete your account from Settings → Delete. EU residents have GDPR Article 17 erasure rights honored: after the 30-day grace window the hard-purge completes within 7 days, subject only to the narrow legal-hold exception in sections 3 and 6. You can turn off Web Push for a device in Settings → Notifications, and disconnect a mailbox in Settings → Integrations.
8. Children
Under-13 users are prohibited (COPPA). In the EEA we honor the local digital-consent age (16 unless lowered by a member state).
9. Cookies
We use httpOnly cookies for refresh and access tokens. We do not use third-party analytics cookies, advertising trackers, or session recorders.
10. Contact
privacy@babots.ai.
