Botly — Privacy Policy
Effective date: 26 June 2026
Last updated: 26 June 2026
1. Who we are and what this policy covers
Botly ("Botly", "we", "us", "our") provides a software platform that lets businesses build, test, and deploy AI assistants ("assistants") that answer their customers over WhatsApp, for customer service and sales.
This policy is operated by Botly / בוטלי, operated as a licensed self-employed business (עוסק מורשה) in Israel. You can contact us at support@botlynow.com.
This policy explains how we handle personal data across all of our surfaces:
- the Botly website / landing page (
botlynow.comand related pages); - the Botly web platform (the app where you sign in, create assistants, edit knowledge documents, and test chats);
- the knowledge-document service that reads your public website to build your assistant's knowledge base;
- the in‑app and WhatsApp test chats; and
- the production WhatsApp chatbot service that operates your live assistant for your customers.
If you have any questions, contact us at support@botlynow.com (see Section 14).
2. The two roles we play (this matters)
Privacy law distinguishes between the party that decides why and how data is processed (the controller / "owner of a database" under Israeli law) and the party that processes data on someone else's behalf (the processor / "holder").
Botly acts in two different roles depending on the data:
| Context | Who is the controller | Botly's role |
|---|---|---|
| You using Botly — your account, sales/leads data, your assistant's settings and knowledge document, billing, and usage logs | Botly | Controller |
| Your assistant talking to your customers — the WhatsApp messages, phone numbers, and conversation content of the end-users your business serves | You (the business customer) | Processor, acting only on your documented instructions under our terms / Data Processing Addendum (DPA) |
In other words: for your own data, we are the controller. For your customers' data, you are the controller and we are your processor. Our processing of your customers' data is governed by our customer terms and DPA, not solely by this policy.
3. What we collect, why, and on what basis
Israeli law does not use the GDPR's "legal bases" framework, but we describe a basis below for clarity. We rely on consent, performance of a contract / taking steps to enter into one, and our legitimate interests in operating, securing, and improving the service.
3.1 Account & authentication data (Botly = controller)
Sign-in is via Google only. When you sign in we receive, from Google, your name, email address, profile image, your Google account identifier, and OAuth tokens. We request only basic profile and email scopes — we do not access your Gmail, Google Drive, contacts, or other Google data. Purpose: create and secure your account, identify you, and operate the platform. Basis: performance of contract; consent (Google sign-in).
3.2 Sales & leads data (Botly = controller)
When you submit a leads / contact form (on the landing page or in the platform) or speak with us through WhatsApp or a phone/sales call, we collect the details you provide — for example your name, business name, email, phone / WhatsApp number, website URL, platform, and the contents of your message or our conversation — and notes from the sales process. Purpose: respond to your enquiry, qualify and onboard you, provide quotes, and manage the sales relationship. Basis: taking steps to enter into a contract at your request; legitimate interest in selling and supporting our service; consent where applicable.
3.3 Assistant & knowledge content (Botly = controller of the service config; see §2)
To build and run your assistant we process: the website URL you submit, content read ("scraped") from your publicly available website, the generated knowledge document, any edits you make to it, the assistant's name and platform tag, and the messages you send when testing the assistant in the browser or on the WhatsApp sandbox. Purpose: build, operate, test, and improve your assistant. Basis: performance of contract. We use your content to provide and improve your assistant. We do not sell your content.
3.4 Production chatbot data — your customers' data (Botly = processor; you = controller)
When your assistant is live, we process, on your behalf and on your instructions:
- your business WhatsApp number and the integration credentials you provide or that we configure for you (e.g. WhatsApp/Twilio messaging credentials, and Slack credentials used for the human-handoff/notification feature);
- your end-users' WhatsApp phone numbers, the content of the messages they exchange with the assistant, and the AI conversation thread associated with each end-user; and
- handoff / notification events when a human representative on your side takes over a conversation. Purpose: operate your live WhatsApp assistant, deliver and receive messages, generate AI responses, support human takeover, and translate messages where needed. Controller: you. You are responsible for the lawful basis, notices, and consents owed to your own customers (see Sections 5 and 4).
3.5 Billing & payment data (Botly = controller)
Current status: paid self-service subscriptions are paused. We are operating a sales-led process (leads form + WhatsApp/phone), so we are not currently collecting or processing payment-card or subscription-billing data through the platform. If and when we re-enable paid plans, billing will be handled by a third-party payment processor (e.g. PayPal). We would then store only non-card billing metadata — such as a subscription/transaction identifier, plan, status, and timestamps — while the payment processor handles the card/payment details directly. We do not store full payment-card numbers. Purpose: provide and manage paid subscriptions; prevent fraud; meet accounting/legal duties. Basis: performance of contract; legal obligation; legitimate interest (fraud prevention).
3.6 Technical & operational data (Botly = controller)
We keep operational records needed to run the service reliably and securely: server and error logs, job-status records (for the website-reading jobs), webhook delivery logs, and basic usage/diagnostic information. These may include technical identifiers such as IP-derived metadata. Purpose: security, debugging, abuse prevention, reliability, and service measurement. Basis: legitimate interest; legal obligation (security).
3.7 Cookies & similar technologies
At present we use only strictly-necessary cookies required for sign-in and session security (our authentication library). We do not currently run advertising, marketing, or third-party analytics trackers. If we add non-essential cookies or analytics in the future, we will present a cookie/consent banner and obtain consent before setting them, consistent with the Israeli Privacy Protection Authority's (PPA) cookie-consent expectations.
4. Sensitive ("specially sensitive") data
Amendment 13 broadened the category of specially sensitive data (which can include, e.g., health, biometric, genetic, financial, criminal-record, certain location and other intimate data). Botly does not require sensitive data, and we instruct customers not to enter it into knowledge documents or assistants.
Because assistants converse in free text, end-users could volunteer sensitive data in a chat. In that situation the business customer is the controller and must have a lawful basis and the appropriate notices/consents in place. We apply additional safeguards to the data we hold and reserve the right to suspend misuse.
5. AI, automated chat, and transparency
Botly assistants are automated AI systems. Consistent with the PPA's guidance on privacy in AI systems (2025):
- Disclosure that it's a bot. When an assistant is deployed, end-users must be clearly told they are interacting with an automated AI assistant, not a human. As the controller of your end-users' data, you are responsible for making this disclosure; Botly provides the means to do so (and a human representative can take over a conversation at any time).
- AI model processing. Generating answers, building knowledge documents, and powering chats involves sending the relevant text to our AI model provider (OpenAI) via its API. Data sent through the API is not used by the provider to train its models by default.
- Translation. Messages may be processed by a translation service (Google Cloud Translate) to support multi-language conversations.
6. How we share data — service providers (sub-processors)
We do not sell personal data. We share it only with vendors that help us run the service, under contracts that limit their use of the data. Our key providers, their function, and where they process data:
| Provider | What it does | Primary processing location |
|---|---|---|
| Google LLC | Google sign-in (OAuth) and Google Cloud Translate | United States / EU |
| OpenAI | AI model processing — knowledge documents, test chats, and live conversations | United States |
| Amazon Web Services (AWS) | Hosting/compute for the production chatbot system and processing services | European Union — Frankfurt (eu-central-1) and Stockholm (eu-north-1) |
| Vercel Inc. | Hosting for the Botly platform and the landing site | United States |
| Neon (via Vercel) | Managed PostgreSQL database for the platform and the document service | European Union — Frankfurt (eu-central-1) |
| Twilio Inc. | WhatsApp messaging infrastructure (sandbox test number and production messaging) | United States |
| Zyte Ltd. | Reading ("scraping") your public website to build the knowledge document | United Kingdom / EU |
| Slack | Human-handoff and conversation notifications to your team | United States |
| Payment processor (e.g. PayPal) | Subscription/payment processing — only if/when paid plans are re-enabled | United States |
We may also disclose data: to professional advisers (e.g. lawyers, accountants); to authorities, courts, or regulators where legally required; and in connection with a business transfer (merger, acquisition, reorganization), subject to this policy.
We keep an up-to-date list of sub-processors and will update it as our providers change. Where required, we put data-processing agreements and data-transfer terms in place with these providers.
7. International data transfers
Botly is operated from Israel. Our primary hosting and database storage are located in the European Union (Frankfurt, Germany and Stockholm, Sweden), which is recognized as providing an adequate level of data protection for transfers from Israel. Some of our service providers — for example our AI model provider, our sign-in and translation provider, and our messaging provider — may process data in the United States or other countries.
When we transfer personal data abroad we do so in line with the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 2001 — relying on one or more of: transfer to a jurisdiction recognized as providing adequate protection (such as the EU/EEA); contractual undertakings by the recipient that ensure a comparable level of protection and restrict onward transfer; or your informed consent where appropriate. We maintain data-processing/transfer terms with our key providers.
8. Security
We maintain technical and organizational security measures aligned with the Privacy Protection Regulations (Data Security), 2017 at the level appropriate to our processing (at least the "medium" level). These include, among others:
- encryption of data in transit and at rest;
- role-based access control and least-privilege access, with multi-factor authentication for administrative access;
- logging and monitoring of access and key events;
- vendor / sub-processor security reviews;
- secret/credential management for customer integration credentials; and
- an incident-response process.
No system is perfectly secure, but we work to protect personal data and to detect and respond to incidents. In the event of a severe security incident, we will notify the PPA and, where required, affected individuals and/or our affected business customers, in accordance with the 2017 Regulations.
9. How long we keep data (retention)
We keep personal data only as long as needed for the purposes above, or as required by law:
| Data | Typical retention |
|---|---|
| Account & authentication | While your account is active, then deleted or anonymized within 90 days of account closure, subject to legal needs |
| Sales & leads data | While we pursue your enquiry and for a reasonable follow-up period of 24 months |
| Assistant & knowledge content | While the assistant exists / your account is active; deleted on assistant deletion or account closure |
| Production end-user (your customers') data | Per your instructions and our DPA; deleted/returned on termination |
| Billing metadata (if/when paid plans active) | As required for accounting/tax — typically 7 years under Israeli law |
| Technical & operational logs | A limited period of 24 months, then deleted or aggregated |
On account closure or a valid deletion request, we delete or anonymize personal data except where we must retain it for legal, accounting, security, or dispute-resolution purposes.
10. Your rights
Under the Israeli Privacy Protection Law you have the right to:
- Access the personal data we hold about you; and
- Correct personal data that is inaccurate, incomplete, or out of date.
We will also honor deletion and other requests to the extent required by law. Amendment 13 strengthened individuals' remedies, including, in certain cases, the ability to claim statutory damages without proving actual harm.
To exercise your rights, contact support@botlynow.com. We may need to verify your identity before responding, and we will respond within the timeframe required by law.
If you are an end-user of a deployed Botly assistant (i.e. a customer of one of our business customers), that business is the controller of your data — please direct access/correction requests to that business. We will support our customer in fulfilling your request.
11. Children
Botly is a business-to-business service and is not directed to children. We do not knowingly collect personal data from children through the platform. Our business customers are responsible for any age-related obligations toward their own end-users.
12. Database registration, accountability & privacy contact
We assess on an ongoing basis whether our databases require registration or notification to the PPA under the Privacy Protection Law. Based on the nature and scale of our processing — we serve a small number of business customers, we do not operate as a data broker or a direct-mailing service, we are not a public body, and processing large volumes of specially sensitive data is not our main business — our databases do not currently require registration or notification to the PPA. We keep this assessment under review as we grow.
We maintain internal records of our processing activities and apply governance and accountability measures consistent with Amendment 13, appropriate to our scale. Based on our current processing, we are not required to appoint a Data Protection Officer (DPO); our designated privacy contact is set out in Section 14, and we keep the need for a DPO under review.
13. Changes to this policy
We may update this policy from time to time. If we make a material change, we will update the "Last updated" date above and, where appropriate, notify you (for example by email or an in-app notice) before the change takes effect.
14. Contact us
Controller: Botly / בוטלי — operated as a licensed self-employed business (עוסק מורשה) in Israel
Privacy & support contact: support@botlynow.com
You also have the right to lodge a complaint with the Israeli Privacy Protection Authority (PPA).