We're a small team in Dhaka. BondhuBot is an AI customer-support tool we built — under the trade name Bondhu Labs — to handle repeat questions on our own Facebook Page, FABRIENDZ, while we get ready to offer the service to other Bangladeshi businesses. This policy is our plain-language answer to three questions: what data do you see, what do you do with it, and how do I get it back?
When a customer interacts with a Facebook Page that uses BondhuBot, we receive the following data through Meta's Messenger Platform API:
When you visit bondhubot.com, our web server and CDN (Cloudflare) automatically log your IP address, user-agent string, requested URL, and response status code. We use these logs for debugging, uptime monitoring, and preventing abuse.
We do not receive your IP address, device identifiers, or browsing history from Messenger interactions — Meta does not forward that information to us. What we receive via the Messenger Platform API is listed in §1.1 above.
We share your data only in these specific circumstances:
bondhubot.com sits behind Cloudflare for CDN and DDoS protection. We use UptimeRobot for uptime monitoring.Conversation data is retained for up to 24 months from the date of last interaction, unless earlier deletion is requested. Older data is purged routinely.
Where a conversation results in a transaction (an order, return, or complaint), the underlying transaction record — order date, items, and amount — is kept for as long as required by Bangladesh tax, accounting, and legal compliance (typically six years). On request, we scrub the personal information (name, phone, address) attached to those records so the entry remains but cannot be linked back to you. Where applicable law requires us to retain a specific identifying field on a transaction record (for example, a delivery address on a sales invoice), we will retain only the specific field required and no more.
Our database is backed up nightly and backups are kept on a 7-day rolling window. Deleted records are not re-processed inside older backups; instead, they age out naturally as the rolling window advances. A deletion request is therefore fully reflected across all backups within seven (7) days.
Aggregated, de-identified analytics may be retained indefinitely for service improvement purposes.
We take reasonable technical and organisational steps to protect your data:
As a small team, we do not run formal third-party security audits or penetration tests, and application-layer encryption of specific sensitive tokens (beyond the hosting provider's block-storage encryption) is on our roadmap. We will adopt more structured controls as the service grows.
No system is completely secure. If we become aware of a data breach that materially affects your personal data, we will notify you by email (or via Facebook Messenger if we do not have your email) within a reasonable time after discovery — aiming for 72 hours where feasible — and we will notify Meta and any applicable Bangladeshi regulator as required by law.
Depending on your jurisdiction, you may have the right to:
To exercise any of these rights, email us at [email protected]. We aim to respond to verified requests within 30 days. If we need longer — for example, where we must verify your identity or the request is complex — we will let you know and give you an updated timeline.
Your data is processed on servers outside Bangladesh. In particular:
We rely on each provider's published privacy and data-protection commitments; we do not currently have bespoke data-processing agreements (DPAs) in place with these providers. If you are in a jurisdiction that requires specific cross-border transfer safeguards before your data may be processed abroad, please contact us at [email protected] before using the service.
BondhuBot is not directed at individuals under 13 years of age. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child, we will delete it promptly. If you believe a child has provided us with personal information, please contact [email protected].
We may update this Privacy Policy periodically. Material changes will be communicated by posting the updated policy on this page and updating the "Last updated" date above. For significant changes, we will provide additional notice via email or in-product notification. Continued use of the service after changes take effect constitutes acceptance of the revised policy.