Privacy Policy

Last updated: March 31, 2026 · Effective: March 31, 2026

Botstrapp.ai ("Service", "we", "us") is operated by Informattach LLC. This Privacy Policy describes how we collect, use, and protect your information when you use our AI gateway and character engine services.

1. Information We Collect

1.1 Information You Provide

• Account Information: Email address, date of birth (for age verification), and authentication credentials when you create an account.
• Payment Information: When you purchase ICO credits, payment is processed by Stripe. We do not store your credit card numbers. We receive transaction identifiers and purchase amounts from Stripe.
• Conversation Data: Messages you send to AI models through our gateway. The extent to which we store this data depends on your chosen consent level (see Section 3).
• Character Data: If you use our character engine, information about characters you create or interact with, including personality parameters and conversation history.

1.2 Information Collected Automatically

• Usage Analytics (Anonymous): At all consent levels, we collect anonymous, aggregated statistics that cannot identify you. This includes: model used, response latency, intent category, and quality metrics. This data contains no user identifiers, IP addresses, or message content.
• Technical Data: IP address (for rate limiting only, not stored long-term), browser type, and device information as necessary for service operation and security.

1.3 Information We Do NOT Collect

• Biometric data (voiceprints, facial recognition, etc.)
• Precise geolocation
• Data from third-party social media profiles (beyond OAuth authentication)
• Behavioral advertising profiles

2. How We Use Your Information

• To Provide the Service: Routing your messages to AI model providers, managing your ICO credit balance, and operating the character engine.
• To Improve the Service: Anonymous usage statistics help us optimize model routing, identify performance issues, and improve response quality. No personally identifiable information is used for this purpose.
• To Ensure Safety: Age verification, content moderation, and crisis detection protocols (see Section 7).
• To Process Payments: Managing ICO credit purchases and maintaining transaction records.
• To Communicate: Sending service-related notifications, security alerts, and (with your opt-in) product updates.

We do NOT use your personal information or conversation data to train AI models. Your messages are passed through to third-party AI providers for real-time processing only.

3. Your Consent Levels

We operate a three-tier consent system. You choose your level during registration and may change it at any time:

• Level 0 — Anonymous: We collect only truly anonymous statistics (model, latency, intent category). No messages, no user identifiers are stored. You cannot use the character engine at this level.
• Level 1 — Smart: In addition to anonymous statistics, we store intent summaries (not raw messages) and enable the character engine. Your actual message text is not stored.
• Level 2 — Full: Full message history is stored (auto-purged after 30 days), enabling complete character memory, personalization, and cross-device synchronization.

Anonymous statistics (model usage, latency, intent category) are collected at all levels. This data is truly anonymous as defined by applicable law — it cannot reasonably be used to identify any individual.

4. Third-Party AI Providers

When you send a message, we route it to one of our AI providers for processing:

• OpenAI (GPT models)
• Anthropic (Claude models)
• Google (Gemini models)
• Groq (Llama, Mixtral models)
• xAI (Grok models)
• OpenRouter (aggregated providers)

Each provider has its own privacy policy governing how they handle the data during processing. We recommend reviewing their respective policies. We select providers based on their commitment to not using customer data for model training.

5. Data Retention

• Anonymous Statistics: Retained indefinitely (cannot identify individuals).
• Level 1 Intent Summaries: Retained for 90 days, then automatically deleted.
• Level 2 Full Messages: Retained for 30 days, then automatically purged (metadata retained, message content replaced with '[purged]').
• Account Information: Retained for the duration of your account. Deleted upon account deletion request.
• Payment Records: Retained for 7 years as required by tax and financial regulations.
• Character Data: Retained for the duration of your account. Deleted upon request.

6. Children's Privacy (COPPA Compliance)

This Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal information, we will promptly delete such information.

Users between 13 and 17 years of age must have verifiable parental consent to use the Service. We implement age verification through date of birth collection during registration and payment-based verification.

We do NOT:

• Use any user data (including minors') to train AI models
• Share children's data with third parties for advertising
• Create behavioral profiles of minor users
• Enable targeted advertising for any users

If you believe your child has used our Service without proper consent, please contact us at privacy@informattach.com.

7. Crisis & Safety Protocols

Our Service includes automated safety monitoring. If conversations indicate potential self-harm or crisis situations, we may:

• Display crisis hotline information (988 Suicide & Crisis Lifeline)
• Provide referrals to appropriate support resources
• Limit certain conversation patterns for user safety

We do not monitor or store conversation content for this purpose — safety protocols operate in real-time without data retention (except at Consent Level 2).

8. Your Rights

You have the right to:

• Access: Request a copy of all data we hold about you (GET /v1/user/data).
• Delete: Request deletion of all your data (DELETE /v1/user/data).
• Modify Consent: Change your consent level at any time (PUT /v1/user/consent).
• Portability: Export your data in a machine-readable format.
• Object: Opt out of any data processing beyond what is necessary for service operation.

California Residents (CPRA)

If you are a California resident, you have additional rights under the California Privacy Rights Act (CPRA), including the right to know what categories of personal information are collected, the right to delete, and the right to opt-out of the sale or sharing of personal information. We do not sell or share your personal information.

9. Data Security

We implement industry-standard security measures including:

• Encryption in transit (TLS 1.3) and at rest
• Row-Level Security (RLS) on all database tables
• API key security and access controls
• Regular security audits and vulnerability monitoring
• Input validation and prompt injection protection

10. Payment Processing

Payments are processed by Stripe, Inc. We do not collect, store, or process credit card numbers or financial account details. Stripe's privacy policy governs the handling of your payment information. Stripe is PCI DSS Level 1 certified.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and, where appropriate, by email notification. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices:

• Email: privacy@informattach.com
• Entity: Informattach LLC