Effective Date: September 4, 2025

MoyaHost B.V. (“MoyaHost,” “we,” “us,” or “our”), a company incorporated under the laws of the Netherlands and registered with the Dutch Chamber of Commerce (KVK), is committed to protecting the privacy of individuals (“Users,” “you,” or “your”) who interact with the chatbot service (“Service”) provided to our clients (“Client”) and embedded on their websites. This Privacy Policy explains how we collect, use, store, and protect personal data in compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). It applies to Users interacting with the chatbot and Clients providing website content for the Service.

1. Who We Are

• Identity: MoyaHost B.V., a Dutch B.V. registered with the KVK.
• Contact: For questions or to exercise your GDPR rights, contact our support team at [email protected].
• Role: MoyaHost acts as a data processor on behalf of the Client (the data controller), who determines the purposes and means of processing personal data via the Service. For Client-provided website content, MoyaHost is a data controller.

2. Data We Collect

The Service currently does not collect personal data from Users, as it only answers FAQs based on indexed website pages. In the future, if the Client upgrades to features like WhatsApp Integration, Customer Story, Call Me Back, Booking Agent, or Custom Solution, the following personal data may be collected:

• User-Provided Data:
  • WhatsApp Integration: Name, phone number, WhatsApp ID, and message content.
  • Customer Story: Name, email, feedback, or testimonials provided voluntarily.
  • Call Me Back: Name, phone number, and preferred call-back time.
  • Booking Agent: Name, email, phone number, booking details (e.g., appointment dates, times, or preferences).
  • Custom Solution: Any personal data required for tailored functionality (e.g., order numbers, user preferences), as specified by the Client.
• Automatically Collected Data:
  • Usage data (e.g., interaction logs, timestamps, device type, browser, IP address) for analytics and service improvement.
  • Cookies or similar technologies (if enabled) to maintain preferences or analyze usage, as detailed in our [Cookie Notice, if applicable].
• Client-Provided Data: Website content (e.g., publicly available pages) used to create the knowledge base, which may include non-personal data or, if applicable, personal data with Client’s authorization.

3. How We Collect Data

• Directly from Users: Through chatbot interactions (e.g., form submissions for Call Me Back or Booking Agent features).
• Automatically: Via Botpress’s cloud platform (e.g., usage logs, IP addresses).
• From Clients: Website content provided for indexing, which may contain personal data if explicitly authorized by the Client.

4. Why We Process Data (Legal Bases)

We process data based on the following GDPR-compliant legal bases:

• Consent (Article 6(1)(a)): For personal data collected via future features (e.g., WhatsApp messages, booking details), we will obtain explicit, informed consent through opt-in mechanisms (e.g., checkboxes, in-chat confirmations).
• Contract (Article 6(1)(b)): To provide the Service to the Client (e.g., indexing website content) or fulfill User requests (e.g., booking appointments).
• Legitimate Interests (Article 6(1)(f)): For usage analytics, service improvement, and security (e.g., detecting unusual activity), provided it does not override Users’ rights. A Legitimate Interests Assessment is available upon request.
• Legal Obligation (Article 6(1)(c)): To comply with GDPR or other legal requirements (e.g., responding to data subject requests).

5. How We Use Data

• To operate the Service (e.g., answering FAQs, processing bookings).
• To enable future features (e.g., WhatsApp communication, call-back scheduling, or custom solutions).
• To improve the Service through analytics (e.g., usage patterns).
• To ensure security (e.g., monitoring for data breaches).
• To comply with legal obligations (e.g., GDPR rights fulfillment).

Data is processed only for the purposes specified and not beyond what is necessary (data minimization principle, Article 5(1)(c)).

6. Data Sharing and Storage

• Data Processor: The Service is hosted on Botpress’s cloud servers, which act as a sub-processor. Botpress complies with GDPR, and we have a Data Processing Agreement (DPA) in place. Data is stored in [EU-approved locations, as per Botpress’s terms].
• Third Parties: We do not share personal data with third parties except:
  • With Botpress for hosting and processing.
  • With Client (data controller) for their business purposes (e.g., fulfilling bookings).
  • As required by law (e.g., to government authorities).
• Data Transfers: If data is transferred outside the EU/EEA, we ensure adequate safeguards (e.g., Standard Contractual Clauses) per GDPR Article 46.
• Storage Duration: Data is stored only as long as necessary for the purpose (e.g., until service termination or User request for deletion). Chat logs and personal data are deleted within 30 days of termination or request, unless required by law.

7. Your GDPR Rights

As a User, you have the following rights under GDPR (Articles 15–22):

• Access: Request a copy of your personal data.
• Rectification: Correct inaccurate data.
• Erasure (Right to be Forgotten): Request deletion of your data (e.g., via “delete my data” in-chat command, if enabled).
• Restriction: Limit how we process your data.
• Portability: Receive your data in a machine-readable format.
• Object: Object to processing based on legitimate interests.
• Automated Decision-Making: The Service does not currently involve automated decision-making with legal or significant effects. If enabled (e.g., via Custom Solution), human oversight will be ensured per Article 22.

To exercise these rights, contact [email protected] or use in-chat options (if available). We will respond within one month, extendable by two months for complex requests (Article 12(3)). If we cannot fulfill a request, we will explain why.

8. Consent and Withdrawal

For future features collecting personal data (e.g., WhatsApp Integration, Booking Agent), we will obtain explicit consent via clear opt-in mechanisms (e.g., checkboxes, in-chat confirmations) before processing. You may withdraw consent at any time by contacting [email protected] or using in-chat options, without affecting the lawfulness of prior processing (Article 7(3)).

9. Data Security

We implement technical and organizational measures to protect data, including:

• Encryption of data in transit and at rest (via Botpress’s infrastructure).
• Access controls to limit data access to authorized personnel.
• Regular audits to detect vulnerabilities. In case of a data breach, we will notify the Client and, if required, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours, and affected Users per Article 34.

10. Cookies and Tracking

The Service currently does not use cookies. If cookies or similar technologies are enabled for future features, we will provide a Cookie Notice and obtain consent per the ePrivacy Directive.

11. Complaints

If you believe we have not addressed your concerns, you may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl or via [email protected].

12. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify Users via the Client’s website or in-chat notifications at least 30 days before significant changes take effect. Continued use of the Service constitutes acceptance.

Contact: For questions or to exercise your rights, contact [email protected]