Privacy Policy
BotForge Privacy Policy
Effective date: 2026-04-15
Last updated: 2026-04-15
Draft — pending formal lawyer review under PIPEDA (Ontario). Contact privacy@getbotforge.com with questions.
Who we are
BotForge ("we", "us", "our") is a sole proprietorship operated by Akash Trivedi in Thunder Bay, Ontario, Canada. We build and host AI-powered Agents for small and mid-sized businesses.
Contact: privacy@getbotforge.com
What this policy covers
Visitors to getbotforge.com and app.getbotforge.com; businesses that purchase a BotForge Agent ("Clients"); and end users who chat with BotForge-powered widgets embedded on Client websites ("End Users").
Information we collect
From Clients
- Business name, email, phone
- Business website URL
- Industry, business hours, services offered
- Payment details (handled by Shopify, not stored by us)
- Logo and brand imagery (provided by Client)
- Content scraped from the Client's public website (used to train the Agent)
From End Users
- Message content they type
- A hashed IP address (rate limiting; not reversible to identity)
- Browser type (for debugging)
- Optional lead-form submissions: name, email, phone, message
- A consent signal indicating whether they agreed to logging
We do not collect: financial account information, government ID numbers, medical records, precise location, or facial/biometric data.
Why we collect it
| Purpose | Legal basis (PIPEDA) |
|---|---|
| Provide the service (train and host an Agent) | Contract performance |
| Improve AI quality through sampled review | Legitimate interest |
| Detect abuse and enforce rate limits | Legitimate interest |
| Comply with law | Legal obligation |
| Send service emails (delivery, incident, updates) | Contract performance |
| Send marketing emails | Consent (opt-in) |
Who we share it with
We share only what's necessary with the following processors:
| Provider | Purpose | Location |
|---|---|---|
| Anthropic PBC | AI model inference | USA |
| Supabase | Primary data store | Canada (ca-central-1) |
| Vercel Inc. | API and static hosting | USA (global edge) |
| Firecrawl | Website scraping | USA |
| Railway | Secondary scraping + Action Bot | USA |
| GitHub Inc. | Configuration fallback | USA |
| n8n GmbH | Automation workflows | EU |
| Shopify Inc. | Storefront and payments | Canada / USA |
| Jotform Inc. | Intake forms | USA |
| UptimeRobot | Monitoring | USA |
We do not sell personal information to anyone.
Cross-border transfers
Most processors store or process data in the United States. By using our service you acknowledge that information may be transferred to and processed in the USA, which may have different privacy protections than Canada.
Retention
| Data | Retention |
|---|---|
| Client account (business) | Life of account + 2 years |
| Conversation logs | 90 days, then purged |
| Lead submissions | 2 years, then purged |
| Audit log | 1 year, then purged |
| Scraped website content | Refreshed each rebuild; old content purged |
| Billing records (Shopify) | 7 years (tax obligation) |
Automated cron jobs enforce retention.
Security
- Encryption in transit (HTTPS everywhere)
- Encryption at rest (Supabase managed)
- Row-level security policies on all client-facing tables
- Rate limiting to prevent abuse
- Secrets rotated on 90/180-day cadence
- Access restricted to founder only
No system is perfectly secure. See breach notification below.
Your rights
Under PIPEDA you have the right to:
- Access — request a copy of your personal information
- Correct — ask us to fix inaccurate information
- Withdraw consent — for marketing; service consent cannot be withdrawn without terminating the service
- Complain — to us at privacy@getbotforge.com or to the Office of the Privacy Commissioner of Canada
We respond within 30 days.
Cookies
-
getbotforge.comstorefront: Shopify session cookies (required for checkout) -
app.getbotforge.comAPI: no cookies set by us - Embedded widget: a small
localStorageentry for conversation continuity per session; no third-party cookies
A consent banner on the widget asks before any conversation logging. Declining disables logging; chat still works.
Children
We do not knowingly collect information from children under 13. If you believe a child has used our service, contact us and we will delete the information.
Breach notification
If we experience a breach that creates a real risk of significant harm to you, we will notify you and the Office of the Privacy Commissioner within a reasonable time, consistent with PIPEDA.
Changes to this policy
We will post updates here and notify active Clients by email at least 30 days before material changes take effect.
Questions
Email privacy@getbotforge.com.