digiBotics
Start free
Legal · Privacy Policy

Privacy Policy

Last updated: 5 May 2026

This Privacy Policy explains how VM6 Networks Ltd (“we”, “us”) collects, uses, and protects your information when you use digiBotics. We are the “data controller” for your account data and the “data processor” for chat transcripts you generate using the Service.

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are registered with the Information Commissioner’s Office (ICO).

1. Data we collect

a) Account data

  • Email address and password (hashed using bcrypt)
  • Business name and optional billing address
  • Stripe customer ID and subscription status (no card details — those are held by Stripe)
  • Login timestamps and IP addresses

b) Bot training data

  • The URLs you submit for crawling and the page contents we retrieve from them
  • Configuration settings (persona, language, rules.py content, integration credentials)

c) Chat data

  • Customer messages sent to your bot
  • Bot replies (and any operator replies during takeover)
  • Visitor session metadata: IP address, country (derived from IP), browser, device type, pages visited

d) Cookies

We use a single first-party session cookie to keep you logged in. The chat widget uses two localStorage entries (visitor session ID and chat session ID) — these are random IDs, not tracking identifiers.

2. Where your data is stored

All data is stored on infrastructure we own and operate, located in the United Kingdom. Our database servers, application servers, and AI agent servers are physically hosted at VM6 Networks data centres. We do not use AWS, GCP, Azure, or any other public cloud provider for the storage of customer data.

3. Encryption

We take encryption seriously:

  • In transit: All connections use TLS 1.3.
  • Passwords: Hashed with bcrypt, never stored in plain text.
  • API keys for third-party integrations (Zendesk, HubSpot, Telegram tokens, WhatsApp credentials, SMTP passwords, etc.): Encrypted with AES-256-GCM. The encryption key is stored on a separate filesystem location and is not accessible from the database — even a complete database compromise would not expose your integration credentials.
  • 2FA secrets and recovery codes: Encrypted at rest.

4. AI processing — honest disclosure

We use the DeepSeek API to generate the AI portion of bot replies. When a customer sends a message to your bot, the relevant slice of your knowledge base plus the conversation context is sent to DeepSeek's servers for processing. The response is returned to us and delivered to your customer.

What we do to protect your data when calling DeepSeek:

  • The connection to DeepSeek uses TLS encryption.
  • We use DeepSeek's zero-retention API contract: under their published terms, requests are not used to train their models and are not logged after processing.
  • We do not send DeepSeek your account information, your customer's identity, or any data unrelated to the immediate request.
  • The customer’s IP address is not transmitted to DeepSeek.

What we cannot guarantee: DeepSeek is a third-party processor in China. Their published policies state zero retention, but we cannot directly audit their servers. If you handle data subject to specific transfer restrictions (e.g., GDPR Schrems II concerns regarding non-adequacy countries), please contact us — we are evaluating self-hosted models as an alternative for sensitive use cases.

Other AI/processor relationships:

  • Cloudflare: CDN and DDoS protection (UK datacentres routing).
  • Stripe: Payment processing (PCI-DSS Level 1 compliant; we do not see your card data).
  • DB-IP: GeoIP lookups (offline database; no live API calls; no IP data leaves our servers).

5. How we use your data

We use your data only for the following purposes:

  • To provide and maintain the Service (training your bot, serving chat replies, processing payments)
  • To send service-critical emails (account verification, password resets, billing notices, trial expiry warnings)
  • To communicate with you about your account when you contact support
  • To detect and prevent abuse, fraud, and security incidents
  • To comply with legal obligations

We do not use your data to train AI models. We do not sell your data. We do not share it with advertisers.

6. Marketing

We may send you occasional emails about product updates, new features, or tips. You can opt out of these any time using the unsubscribe link in every marketing email. Service-critical emails (billing, security, password resets) cannot be opted out of while your account is active.

7. Data retention

DataRetention period
Account record (email, password, settings)For the lifetime of your account, plus 30 days after closure
Bot training contentFor the lifetime of your account; deletable on demand
Chat transcriptsRetained while your account is active; pruning to last 12 months can be enabled on request
Visitor tracking sessions30 days, then automatically deleted
Login IP logs90 days
Billing records (invoices)7 years (HMRC requirement)

8. Your rights under UK GDPR

You have the right to:

  • Access — ask us for a copy of the data we hold about you (Subject Access Request)
  • Rectify — correct inaccurate data
  • Erase — ask us to delete your data (subject to legal retention requirements)
  • Restrict — ask us to stop processing your data while we resolve a dispute
  • Port — receive your data in a machine-readable format (we provide JSON exports)
  • Object — ask us to stop using your data for marketing
  • Complain — file a complaint with the ICO at ico.org.uk

To exercise any of these rights, email privacy@digibotics.co.uk. We will respond within 30 days.

9. Data breaches

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected users without undue delay. We maintain an incident response procedure and review it annually.

10. Children’s data

The Service is not directed to children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us so we can delete it.

11. International transfers

As noted in section 4, we use DeepSeek (China) for AI processing. This involves a transfer of customer messages outside the UK. We rely on DeepSeek’s zero-retention API and the technical safeguards described above (TLS, no identity data, no IP transmission). If you require an alternative, contact us.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email at least 14 days before they take effect.

13. Contact us

For privacy questions or to exercise your rights:

Email: privacy@digibotics.co.uk
Post: VM6 Networks Ltd, Hampshire, United Kingdom
ICO complaints: ico.org.uk