Privacy Policy
1. Who we are
Knobot is managed by Burrow Studio LLC, a Florida limited liability company. This policy explains what data we collect, how we use it, and the choices you have.
Privacy questions: support@knobot.org.
2. Scope
This policy covers two situations:
- Your direct use of knobot.org — sign-up, dashboard, billing, and the preview widget on our marketing site.
- Your interaction with a Knobot-powered chatbot embedded on a third party's website.
3. Information we collect
From Customer accounts (knobot.org users):
- Identifiers (email, phone, name — any may be null since phone-only and email-only signup are supported).
- Authentication metadata (verified-email and verified-phone flags, OAuth provider linkage where you sign in with Google, session version).
- Commercial information (business name, plan tier, subscription status, Stripe customer and subscription IDs, billing period dates).
- Configuration (scrape root URLs, allowed domains, widget customization, notification preferences).
- Internet activity (token usage counters, message counters, SMS counters).
From bot-widget visitors:
- A randomly generated visitorId stored in your browser's local storage (not tied to your real identity).
- Conversation messages — both your input and the bot's replies — and chat-event metadata (model used, response time, retrieval scores) used for service operation and quality monitoring.
- If you voluntarily provide them in a bot conversation: name, email, phone, and any other fields the Operator's bot is configured to capture (collected on behalf of the Operator).
IP addresses. Visitor IP addresses appear in three places, each disclosed below: (a) short-lived infrastructure access logs, where IPv4 addresses are truncated to /24 and IPv6 addresses are truncated to /48 (the last octet or segment is removed); (b) widget session tokens, which exist in memory for the duration of an active chat session (typically up to one hour) and bind the session to the visitor's IP to prevent abuse; and (c) abuse and rate-limit event records, where the full IP is retained for up to 30 days and then automatically deleted. We do not store full IP addresses persistently in conversation, lead, or analytics records.
We do not collect browser user-agent strings, geolocation, advertising identifiers, or device fingerprints.
From cookies (knobot.org only).
- knobot_session — Authentication session; category: essential; duration: session / 30 days; surface: dashboard.
- knobot_csrf — CSRF protection; category: essential; duration: session; surface: dashboard.
- cf_clearance — Cloudflare Turnstile bot protection; category: essential; duration: session; surface: widget; third party: Cloudflare.
- knobot_remember — Remember-me persistent login; category: essential; duration: 365 days; surface: dashboard.
- google_oauth_state — CSRF protection for Google OAuth flow; category: essential; duration: session; surface: dashboard.
- google_code_verifier — PKCE code verifier for Google OAuth flow; category: essential; duration: session; surface: dashboard.
- kbz_home — Dashboard home tab preference; category: functional; duration: session; surface: dashboard.
From browser storage (localStorage / sessionStorage; transmitted to Knobot only as part of normal API calls):
- knobot_conversation_id — Persist conversation across page loads; storage: localStorage; surface: widget.
- knobot_session_token — Widget session for re-identification; storage: localStorage; surface: widget.
- knobot.conversationId — Active conversation ID persisted across page loads; storage: localStorage; surface: widget.
- knobot_phone_country — Phone input country selection preference; storage: localStorage; surface: dashboard.
- knobot.conversations.pageSize — Conversations list page size preference; storage: localStorage; surface: dashboard.
- knobot_widget_session — Widget PoW session token cached for the tab lifetime; storage: sessionStorage; surface: widget.
- knobot.conversations.* (e.g. knobot.conversations.<widgetKey>) — Per-widget conversation history cache (suffix is the widgetKey); storage: localStorage; surface: widget.
- knobot.visitorId — Persistent anonymous visitor identifier; storage: localStorage; surface: widget.
- knobot.chatConsent.* (e.g. knobot.chatConsent.<widgetKey>) — Records that the visitor accepted the pre-chat consent gate (suffix is the widgetKey; value is the consent version); storage: localStorage; surface: widget.
For California residents: the categories of personal information we collect, as defined by Cal. Civ. Code §1798.140, are identifiers (e.g., email, phone, IP address), commercial information (e.g., subscription details), internet or other electronic network activity information (e.g., conversation messages, chat-event telemetry), and customer records (account profile data).
4. How we use it
- To operate, secure, and improve the service.
- To deliver leads to the Operator that owns the bot.
- To send transactional email and SMS (sign-in codes, lead notifications, billing receipts).
- To detect and prevent abuse, fraud, and rate-limit violations.
- To send prompts to AI sub-processors (Google Gemini for generation, Voyage AI for embeddings) for the purpose of generating bot responses.
We do not use Customer Content (including conversation transcripts, lead data, or knowledge-base content) to train, fine-tune, evaluate, or improve any AI/ML model in a manner that benefits any other Customer or any third party. Customer Content is used only to operate the Service for the Customer that owns the bot.
5. Sharing & sub-processors
We share data only with the service providers required to operate Knobot. Our current sub-processor list — including each vendor's purpose, region, DPF certification status, and DPA execution status — is published at /sub-processors and updated whenever we add, replace, or remove a vendor.
Use of Google Vertex AI / Gemini and Voyage AI is governed by their respective API terms; we contract and configure those services to prohibit use of customer prompts for model training. See our DPA for the exact contractual flow-down.
We do not sell personal data. We do not share data with advertising networks. We do not run third-party advertising trackers.
No advertising or analytics trackers. Knobot does not use advertising or analytics tracking tools. We do not use Google Analytics, Meta Pixel, Microsoft Clarity, advertising pixels, session-recording tools, behavioral segmentation, or any cross-context tracking. The only third-party services loaded in a visitor's browser when visiting knobot.org are Google Fonts (typography) and Cloudflare Turnstile (anti-bot). If we add any analytics or advertising tools in the future, we will update this list, notify active customers by email, and (where required by state law) provide opt-out controls.
6. Bot operators are independent controllers
When you chat with a Knobot-powered bot embedded on a business's website, that business is the data controller for your lead data and conversation. They independently determine retention, internal sharing, and downstream use. Direct privacy requests for those interactions to the business operating the bot.
7. International transfers
Knobot currently serves visitors located in the United States only. Visitors outside the United States will see a "chat unavailable in your region" notice, and no personal data is processed from those visitors.
Should Knobot expand internationally in the future, this section will be updated to describe the applicable transfer mechanisms, supplementary measures, and supervisory contacts.
8. Retention
| Data | Retention |
|---|---|
| Account data (Customer) | Life of the account; immediate deletion on account closure |
| Lead data | Life of the account; immediate deletion on account closure |
| Conversation messages | Life of the account; immediate deletion on account closure |
| Chat-event telemetry | 180 days (MongoDB TTL index) |
| Abuse / rate-limit events | 30 days (MongoDB TTL index) |
| MongoDB Atlas backups | Per Atlas cluster configuration; up to 35 days for current cluster tier |
| Compliance-events log (GPC signals, DSAR requests, chat consent records) | 25 months (MongoDB TTL index) |
| Legal-acceptance archive (clickwrap PDFs) | Stored in MongoDB Atlas and retained as legal-records evidence of consent for as long as necessary to evidence that consent, including after account closure. |
Customer may request immediate deletion of the account and associated personal data at any time by emailing support@knobot.org or by using the account-closure flow in the dashboard. Deletion is processed within 30 days of the request. Customer is solely responsible for exporting any data Customer wishes to retain (including lead records and conversation transcripts) before requesting deletion; the dashboard provides export tooling. After the 30-day window, all personal data is deleted from Knobot's systems and from sub-processor systems, except for: (i) the clickwrap acceptance archive described above, retained as legal-records evidence of consent; and (ii) data Knobot is required to retain by applicable law.
9. Your rights
Depending on jurisdiction, you may have rights to access, correct, delete, port, or object to processing of your personal data, and to lodge a complaint with a supervisory authority.
- California (CCPA / CPRA): the rights above plus the right to know the categories of personal information collected (see Section 3) and the right to opt out of the sale or sharing of personal information.
Do Not Sell or Share My Personal Information. We do not sell or share personal information for cross-context behavioral advertising. No opt-out is required because the conduct does not occur. This statement is provided to satisfy the disclosure requirement under California law.
To exercise any right, email support@knobot.org. We will respond within 30 days. We may need to verify your identity before fulfilling certain requests.
10. Security
- TLS 1.2+ in transit (terminated by Vercel and Cloudflare).
- Encryption at rest where supported by underlying providers (MongoDB Atlas).
- Access controls: API keys scoped per provider, environment-isolated.
- Breach notification: we will notify you without undue delay upon discovery of a security incident affecting your data.
11. Cookies & local storage
The cookies we set on knobot.org and the local-storage entries used by the chat widget are listed in Section 3 above. We use them to keep you signed in, to remember your conversation across page loads, and to recognize returning devices.
Clearing your browser's cookies and local storage removes all client-side state. We do not use cookies for advertising or third-party analytics.
If your browser sends a Global Privacy Control (GPC) signal, we record a compliance event noting the signal was honored and we suppress non-essential processing of any visitor identifier. See our Widget Data Notice for the details on widget-side storage.
The widget's visitorId is created in memory at iframe load and persisted to your browser's localStorage only after you affirmatively engage with the chat (first message sent or explicit click of a chat call-to-action).
12. Children
Knobot is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. We do not implement an age gate at sign-up; if you believe a child has provided us with personal information, contact support@knobot.org and we will delete it.
13. Changes
We may update this Privacy Policy. Material changes will be communicated to active Customers by email. The effective date at the top of this page is updated whenever the policy changes. Continued use after the effective date constitutes acceptance.
If you do not agree to material changes to this Privacy Policy, you may close your account before the effective date.
14. Contact
Privacy questions: support@knobot.org.
Data Protection Contact: privacy@knobot.org.
Mailing: Burrow Studio LLC, 7901 4th St N, Suite 300, St. Petersburg, FL 33702, USA.
15. Consumer Health Data
Knobot does not knowingly collect, use to infer health status, sell, or share consumer health data as defined by Washington RCW 19.373. Operators are prohibited from configuring the Service to collect consumer health data. If you believe consumer health data was inadvertently processed through the Service, please contact privacy@knobot.org to submit a deletion or access request.
16. Service Provider relationship
When you interact with a Knobot-powered chat embedded on a business's website, Knobot acts as a "service provider" to that business as defined in Cal. Civ. Code §1798.140(ag). The business is the "business" as defined in §1798.140(d). Privacy requests regarding your interactions with that chat should be directed to the business, with a copy to Knobot at support@knobot.org if you would like Knobot to assist.