Privacy Policy

Last updated: March 3, 2026 · Contact: support@opbot.io

1. Introduction & Our Dual Data Role

OpBot (“OpBot,” “we,” “us”) operates the OpBot platform at opbot.io. This Privacy Policy explains how we collect, use, store, and protect personal data.

OpBot serves two distinct data roles:

  • Data Controller — for data we collect directly from coaches, operators, and team members who create accounts on OpBot (account data, billing data, usage data).
  • Data Processor — for lead data collected through coaches’ funnel pages. Coaches are the Data Controllers for their leads, and OpBot processes this data only on the coach’s documented instructions.

Our processing of lead data is governed by our Data Processing Agreement, which supplements this Privacy Policy.

2. Account Data We Collect

When you create an OpBot account, we collect:

  • Identity data: Full name, email address, avatar/profile photo.
  • Business data: Business name, business slug, timezone, industry/niche, target audience descriptions, and onboarding interview responses (18 questions covering your coaching business, services, pricing, and ideal client profile).
  • Brand assets: Logo, headshot, brand colors, and font preferences uploaded during onboarding.
  • Team data: Names, emails, roles, and avatars of team members you invite.
  • Operator data: Subaccount configurations, whitelabel settings, invite records.

3. Payment Data

Payment processing is handled entirely by Stripe. We never store your credit card numbers, CVV, or full payment card details on our servers. We retain:

  • Stripe customer ID and subscription ID (for billing management).
  • Subscription status, plan tier, and billing cycle dates.
  • Usage credit purchase history and deduction logs.
  • Last four digits of your card (as provided by Stripe for display purposes).

4. Usage Data

We collect data about how you interact with the OpBot platform:

  • Funnel creation and publishing activity.
  • AI generation requests (funnel builds, regenerations, email sequence generation).
  • Email sending activity (sequences, broadcasts, delivery status).
  • CRM actions (lead stage changes, dispositions, bookings).
  • Login timestamps, feature usage patterns, and session duration.

5. Lead Data (Processed on Coach’s Behalf)

When leads submit information through a coach’s funnel pages, we collect on the coach’s behalf:

  • Name, email address, and phone number.
  • Qualification form responses (answers to coach-defined questions).
  • Lead score (calculated from form responses).
  • Booking details (date, time, status, outcome).
  • Pipeline stage and disposition data.
  • Email interaction data (unsubscribe status).
  • SMS consent records (consent timestamp, method, and IP address) and SMS opt-out status.

Lead personal data is never sent to the AI engine. Only anonymized business context (coaching niche, service description, general audience profile) is transmitted to Anthropic for content generation. Individual lead names, emails, phone numbers, and form answers are never included in AI prompts.

6. Device & Browser Data

For public funnel pages, we collect anonymous analytics events including:

  • Page views with anonymized visitor IDs.
  • Browser type and version.
  • Device type (desktop/mobile).
  • Referrer URL and UTM parameters.
  • IP address (processed for analytics, not stored long-term).

We do not fingerprint browsers or track users across websites.

7. Cookies

OpBot uses essential cookies only:

  • Authentication cookies — Managed by Supabase Auth to maintain your logged-in session.
  • Active business cookie — Stores your currently selected business/subaccount ID for operators managing multiple accounts.

We do not use advertising cookies, third-party tracking pixels, or analytics cookies from services like Google Analytics, Facebook Pixel, or similar platforms. No cookie consent banner is required because we only use strictly necessary cookies.

8. AI Data Processing

OpBot uses Anthropic’s Claude API to generate funnel content. Here is exactly what we send and do not send:

Data sent to Anthropic:

  • Coach’s business name, niche, and service descriptions.
  • Target audience profile (demographics, pain points, desired outcomes).
  • Pricing and offer details.
  • Brand personality traits and tone-of-voice preferences.
  • Funnel type selection and page configuration requests.

Data never sent to Anthropic:

  • Lead names, email addresses, or phone numbers.
  • Form responses from individual leads.
  • Booking details or call disposition data.
  • Payment information of any kind.
  • Authentication credentials.

Per Anthropic’s data policy, data sent via the API is not used to train their models.

9. How We Use Data

We use the data we collect for the following purposes:

  • Service delivery: Generating funnels, managing leads and bookings, sending emails, processing payments, and providing the CRM and dashboard.
  • Account management: Authentication, billing, subscription management, and usage metering.
  • Communications: Sending booking confirmations, reminders, payment receipts, and service announcements.
  • Analytics and improvement: Understanding how the platform is used to improve features and performance.
  • Security: Detecting and preventing fraud, abuse, and unauthorized access.
  • Legal compliance: Meeting our obligations under applicable laws and regulations.

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

10. Legal Bases for Processing (GDPR Article 6)

For users in the EU/EEA, we process personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service under our Terms of Service (account creation, funnel generation, lead management, billing).
  • Legitimate interests (Art. 6(1)(f)): Analytics, security monitoring, fraud prevention, and platform improvement, where our interests do not override your fundamental rights.
  • Legal obligation (Art. 6(1)(c)): Processing required to comply with tax, accounting, and other legal requirements.
  • Consent (Art. 6(1)(a)): Where we send optional marketing communications (you may withdraw consent at any time).

11. Sub-Processors

We share data with the following sub-processors, each bound by data processing agreements:

Provider | Purpose | Location
Anthropic | AI content generation (Claude API) — business info only, no lead PII | United States
Stripe | Payment processing, subscription management | United States
Supabase | Database hosting, authentication, file storage | United States (AWS)
Resend | Transactional and marketing email delivery | United States
Twilio | SMS message delivery, phone number provisioning, A2P compliance registration | United States
Vercel | Application hosting, edge network, serverless functions | United States (global edge)
Google LLC | Google Calendar API — calendar event creation, updates, and deletion for coaches who opt in to calendar sync | United States

We will provide 30 days’ notice before adding new sub-processors. You may object to a new sub-processor as described in our DPA.

12. International Data Transfers

OpBot is based in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the United States. We protect international transfers using the following mechanisms:

  • EU/EEA transfers: Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 2: Controller-to-Processor and Module 3: Processor-to-Processor), supplemented by transfer impact assessments where required.
  • UK transfers: International Data Transfer Agreement (IDTA) as approved by the UK Information Commissioner’s Office (ICO), or the UK Addendum to the EU SCCs.
  • Other jurisdictions: We comply with applicable local data transfer requirements and will implement appropriate safeguards as needed.

13. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy. Specific retention periods:

Data Type | Retention Period
Account data (profile, business info) | Duration of account + 30 days after deletion
Lead data | Per coach’s instructions; deleted within 30 days of coach request or account closure
Email send logs | 12 months
SMS send logs and delivery receipts | 12 months
SMS consent records | Duration of subscription + 5 years (legal compliance)
Analytics events (page views, form submissions) | 24 months
Billing and payment records | 7 years (tax and legal compliance)
Database backups | 90 days (rolling)
Server and access logs | 90 days

After the retention period expires, data is permanently deleted from production systems. Backup copies may persist for up to 90 days following production deletion before they are purged.

14. GDPR Rights (EU/EEA Users)

If you are located in the EU or EEA, you have the following rights under the General Data Protection Regulation:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format. You may request a data export by contacting support@opbot.io.
  • Right to restrict processing (Art. 18): Request that we limit how we process your data.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time.
  • Right to lodge a complaint: File a complaint with your local data protection authority (supervisory authority).

To exercise any of these rights, contact support@opbot.io. We will respond within 30 days. We may request identity verification before processing your request. There is no fee for exercising these rights unless requests are manifestly unfounded or excessive.

15. CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the third parties with whom we share it.
  • Right to delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt out of sale/sharing: We do not sell personal information and do not share personal information for cross-context behavioral advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising any of these rights.
  • Right to limit use of sensitive personal information: We do not collect sensitive personal information as defined under the CPRA beyond what is necessary to provide the Service.

To submit a request, contact support@opbot.io. We will verify your identity and respond within 45 days (extendable by an additional 45 days with notice). You may designate an authorized agent to make a request on your behalf.

16. Children’s Privacy

OpBot is a business-to-business platform designed for adult professionals. We do not knowingly collect personal information from anyone under the age of 18. If you are a parent or guardian and believe your child has provided personal information to OpBot, contact support@opbot.io immediately. We will delete the information promptly upon verification.

17. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

  • We will notify affected users by email within 72 hours of becoming aware of the breach.
  • Where required by GDPR, we will report the breach to the relevant supervisory authority within 72 hours.
  • Our notification will include the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed to mitigate the breach.
  • For coaches (Data Controllers), we will also assist in fulfilling your obligation to notify your own leads/data subjects as required by applicable law.

18. Security Measures

We implement technical and organizational measures to protect your data:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+.
  • Encryption at rest: Database storage is encrypted using AES-256 via Supabase/AWS.
  • Row Level Security (RLS): Every database query is scoped by business_id, enforced at the database level by Supabase RLS policies.
  • Authentication: Supabase Auth with secure session management and PKCE flow.
  • HMAC-signed tokens: Lead booking access and email unsubscribe links use HMAC-SHA256 signed tokens with expiry.
  • Rate limiting: Public endpoints are rate-limited to prevent abuse.
  • Webhook verification: Stripe webhook signatures are verified before processing.

19. Do Not Track

OpBot does not use third-party tracking cookies or advertising pixels. We do not track users across third-party websites. As such, our behavior does not change in response to browser “Do Not Track” (DNT) signals, because we already do not engage in the cross-site tracking that DNT is designed to prevent.

20. SMS Data

20.1 Phone Numbers. We collect phone numbers provided by Leads through qualification forms, booking forms, or CSV imports. Phone numbers are stored in our database and used solely for the purpose of delivering SMS messages on behalf of the Coach or Operator who collected them.

20.2 SMS Consent Records. We store records of SMS consent including: the timestamp of consent, the method of consent (form checkbox, keyword opt-in, or import declaration), and the IP address at the time of consent. These records are maintained for the duration of the subscription plus 5 years for legal compliance purposes.

20.3 Message Logs. We retain records of SMS messages sent, delivery status, and opt-out events for compliance auditing purposes.

20.4 Third-Party Processors. SMS messages are delivered through Twilio Inc., which processes phone numbers and message content for delivery. Twilio’s privacy policy applies to their processing of this data.

20.5 Opt-Out. Recipients can opt out of SMS at any time by replying STOP to any message. Opted-out phone numbers are flagged in our system and no further messages will be sent.

20.6 No Sharing. Phone numbers and SMS consent data are never shared with third parties except our SMS delivery provider (Twilio) for the sole purpose of message delivery. Phone numbers are never sent to our AI engine.

21. Google Calendar Integration

21.1 Opt-in only. The Google Calendar integration is entirely optional. It is only activated when a coach explicitly connects their Google account in Settings. Coaches who do not connect Google Calendar are unaffected by this section.

21.2 What we access. When a coach connects their Google Calendar, we request access to create, update, and delete calendar events via the Google Calendar API (calendar.events scope). We access only the events we create on the coach’s behalf — we do not read, scan, or index existing calendar events, contacts, or other Google account data.

21.3 How calendar data is used. Google Calendar data (event creation, updates, and deletions) is used solely to reflect booking activity within OpBot: a calendar event is created when a lead books a coaching call, updated if the call is rescheduled, and deleted if the call is cancelled. This data is not used for advertising, analytics profiling, or any purpose other than managing the coach’s booking schedule.

21.4 Token storage. OAuth tokens (access token and refresh token) are stored encrypted in our database and are scoped solely to the coach’s own account. Tokens are never accessible to other users, leads, or third parties.

21.5 No sharing or retention beyond sync. Calendar event data obtained through the Google API is not shared with third parties, is not used to train AI models, and is not stored in our database beyond what is necessary to maintain the sync state (e.g., the Google event ID associated with a booking). We do not store the content of existing calendar events.

21.6 Revoking access. Coaches can disconnect the Google Calendar integration at any time from Settings. Upon disconnection, we immediately stop syncing events and remove the stored OAuth tokens. Access can also be revoked directly from Google Account Permissions.

21.7 Google API Services User Data Policy. Our use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. In particular, we do not use Google user data to develop, improve, or train generalized AI or ML models. Use of the Google Calendar API is also subject to Google’s Privacy Policy.

22. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision. Continued use of the Service after the notice period constitutes acceptance of the updated policy. If you do not agree to the changes, you must stop using the Service and close your account.

23. Contact

For privacy-related questions, data subject requests, or complaints, contact:

OpBot
Email: support@opbot.io

If you are in the EU/EEA and are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.