This policy explains how DRAGbot ("we," "us," "the Platform") collects, uses, and protects information. We've written this to be understood, not to obscure.
1. Who This Policy Covers
This policy covers:
- You: Users who create accounts and deploy bots on DRAGbot
- End Users: People who interact with bots you deploy
If you deploy bots for your organization, you are responsible for informing your end users about data practices.
2. Information We Collect
2.1 Account Information
When you create an account:
| Data | Purpose | Retention |
|---|---|---|
| Email address | Authentication, notifications | Until account deletion |
| Name / Preferred name | Display in dashboard and team features | Until account deletion |
| Organization name | Multi-user organization features | Until account deletion |
| Role (admin/contributor) | Access control | Until account deletion |
2.2 Documents You Upload
| Data | Purpose | Retention |
|---|---|---|
| Document files (PDF, DOCX, etc.) | RAG retrieval for your bots | Until you delete them |
| Extracted text | Search and summarization | Until you delete the document |
| LLM-generated summaries | Semantic retrieval fallback | Until deployment deletion |
Documents are stored in Supabase (our database provider) and copied to your bot containers at deployment time.
2.3 Bot Configuration
| Data | Purpose | Retention |
|---|---|---|
| Bot names and settings | Platform functionality | Until deployment deletion |
| Deployment history | Audit trail, troubleshooting | 90 days after deployment deletion |
| API keys (encrypted) | LLM provider authentication | Until you delete them |
2.4 Conversations (End User Data)
Conversations between end users and your bots are stored in each bot's individual container database.
| Data | Where Stored | Who Can Access |
|---|---|---|
| Chat messages | Bot container (Fly.io) | You, via dashboard |
| Timestamps | Bot container | You, via dashboard |
| Session identifiers | Bot container | You, via dashboard |
| Integrity hashes | Bot container | You, via dashboard |
Important: We do not aggregate conversations across customers. Each deployment has isolated storage.
2.5 Ghostform Data (What We Don't Collect)
When you use Ghostform mode for form collection:
| Data | Where It Goes | Does DRAGbot See It? |
|---|---|---|
| Form field values (email, phone, etc.) | Directly to your webhook | No |
Structural markers ({email_filled}) | To our servers and LLM | Yes (but not actual values) |
This is architectural, not policy-based. The actual form values never transit our infrastructure.
2.6 Technical Data
| Data | Purpose | Retention |
|---|---|---|
| IP addresses | Security, abuse prevention | 30 days |
| Browser/device info | Debugging, compatibility | 30 days |
| Error logs | Troubleshooting | 30 days |
| Usage analytics | Product improvement | Aggregated, indefinite |
3. How We Use Information
| Use | Legal Basis |
|---|---|
| Providing the service | Contract (you signed up) |
| Security and fraud prevention | Legitimate interest |
| Product improvement | Legitimate interest (anonymized/aggregated) |
| Responding to support requests | Contract |
| Legal compliance | Legal obligation |
| Communicating service changes | Contract / Legitimate interest |
We do not:
- Sell your data
- Use your documents to train AI models
- Share data with advertisers
- Access your conversations except for support (with your permission) or legal requirement
4. Data Sharing
4.1 Service Providers
We use third-party services to operate the platform:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, storage | Account data, documents |
| Fly.io | Bot container hosting | Bot configurations, conversations |
| Resend | Transactional email | Email addresses |
| Your LLM Provider | AI responses | Prompts, documents (per your configuration) |
These providers process data on our behalf under appropriate agreements.
4.2 Your LLM Provider
When your bot makes AI requests, data is sent to your chosen LLM provider (OpenAI, Anthropic, Google, Cohere). This is governed by:
- Your API key and account with that provider
- That provider's terms and privacy policy
- Your configuration choices
We do not control how LLM providers handle data. Review their policies.
4.3 Your Webhooks (Ghostform)
Form data submitted via Ghostform goes directly from end users to your designated webhook. This transmission is:
- Not routed through DRAGbot
- Your responsibility to secure
- Subject to your own privacy practices
4.4 Legal Requirements
We may disclose data if required by:
- Valid legal process (subpoena, court order)
- Law enforcement request (we will notify you unless legally prohibited)
- Protection of safety or rights
5. Data Security
5.1 Encryption
| Data | Encryption |
|---|---|
| Data in transit | TLS 1.2+ |
| API keys at rest | AES-256-GCM |
| Database | Supabase encryption at rest |
| Bot containers | Fly.io infrastructure encryption |
5.2 Access Controls
- Row-Level Security (RLS) enforces data isolation between customers
- Bot Space membership controls team access
- Authentication required for all dashboard access
- API keys are never logged or displayed after initial entry
5.3 Integrity Verification
Conversations include SHA-256 hash chains that allow you to verify data hasn't been tampered with. This is for your audit purposes, not confidentiality.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Documents | Until you delete them |
| Active deployments | Until you destroy them |
| Conversations | Until deployment is destroyed |
| Destroyed deployment records | 90 days (for support/audit) |
| Backups | 30 days rolling |
| Logs | 30 days |
6.1 Deletion
You can delete your account directly from the Settings page in your dashboard. Before deletion, you will see a preview of all data that will be removed.
For Contributors:
- Your deployments (bots) are destroyed, including Fly.io containers
- Your documents, API keys, and profile data are deleted
- Your bot space memberships are removed (bot spaces themselves remain for other members)
For Admins:
- All your deployments (bots) are destroyed, including Fly.io containers
- All bot spaces in your organization are deleted
- Contributor accounts that belong only to your organization are also deleted
- Contributors who have memberships in other organizations retain their accounts
When you delete data:
- Documents: Removed from storage and database
- Deployments: Container destroyed, database deleted
- Account: All associated data deleted within 30 days
Account deletion requires email confirmation for security purposes.
Some data may persist in backups for up to 30 days after deletion.
7. Your Rights
Depending on your jurisdiction, you may have rights to:
| Right | How to Exercise |
|---|---|
| Access your data | Dashboard export features or contact us |
| Correct inaccurate data | Edit in dashboard or contact us |
| Delete your data | Settings → Delete Account (self-service) |
| Export your data | Dashboard export features |
| Object to processing | Contact us |
| Withdraw consent | Contact us or adjust settings |
Account deletion is available as a self-service feature in Settings. You will see a preview of affected data before confirming.
To exercise rights not available in the dashboard, contact admin@dragbot.io.
We will respond within 30 days (or sooner if required by law).
8. International Transfers
DRAGbot infrastructure is hosted in North America (United States and Canada). If you access the service from other regions:
- Data may be transferred to our hosting regions
- We rely on Standard Contractual Clauses for transfers from the EU/UK where required
- Supabase and Fly.io maintain their own transfer mechanisms
9. End Users of Your Bots
You are responsible for:
- Providing privacy notices to your end users
- Obtaining necessary consent for data collection
- Responding to end user privacy requests
- Determining lawful bases for processing
We act as a data processor on your behalf for end user conversation data. You are the data controller.
If an end user contacts us directly about data in your bot, we will direct them to you.
10. Children
DRAGbot is not intended for use by children under 16. We do not knowingly collect data from children. If you believe a child has provided data, contact us for removal.
If you deploy bots that may interact with children, you are responsible for compliance with COPPA and similar laws.
11. Cookies and Tracking
11.1 Essential Cookies
We use cookies necessary for:
- Authentication (keeping you logged in)
- Security (CSRF protection)
- Preferences (dashboard settings)
These cannot be disabled while using the service.
11.2 Analytics
We use minimal analytics for understanding usage patterns. This data is:
- Aggregated
- Not used for advertising
- Not shared with third parties
11.3 No Advertising
We do not use advertising cookies or tracking pixels. We do not share data with ad networks.
12. Changes to This Policy
When we update this policy:
- Material changes: 30 days notice via email
- Minor changes: Posted here with updated date
Continued use after notice period constitutes acceptance.
13. Contact
For all inquiries: admin@dragbot.io
Toronto, ON, Canada
14. Jurisdiction-Specific Provisions
14.1 California (CCPA)
- We do not sell personal information
- We do not share personal information for cross-context behavioral advertising
- California residents may request disclosure of data collected and request deletion
14.2 European Union / UK (GDPR)
- Legal bases for processing are listed in Section 3
- You have rights under Articles 15-22
- Supervisory authority complaints: Your local data protection authority
14.3 Other Jurisdictions
We aim to comply with applicable privacy laws. Contact us if you have jurisdiction-specific questions.
Summary
| Question | Answer |
|---|---|
| Do you sell my data? | No |
| Do you train AI on my data? | No |
| Can I export my data? | Yes |
| Can I delete my data? | Yes |
| Do you see Ghostform submissions? | No (architectural) |
| How long do you keep data? | Until you delete it |
| Who can access my conversations? | You and your Bot Space members |
Questions? Contact admin@dragbot.io. We're happy to clarify.