BondhuBot
← Back to home
— Legal

Privacy Policy

Last updated: April 22, 2026 · Effective immediately

We're a small team in Dhaka. BondhuBot is an AI customer-support tool we built — under the trade name Bondhu Labs — to handle repeat questions on our own Facebook Page, FABRIENDZ, while we get ready to offer the service to other Bangladeshi businesses. This policy is our plain-language answer to three questions: what data do you see, what do you do with it, and how do I get it back?

1. Information We Collect

1.1 From Facebook Messenger

When a customer interacts with a Facebook Page that uses BondhuBot, we receive the following data through Meta's Messenger Platform API:

  • Facebook User ID (page-scoped identifier, not global Facebook ID)
  • Message content sent to the connected Page
  • Public profile information (name, profile picture) as permitted by Facebook's platform policies
  • Message timestamps and delivery receipts
  • Optional: referral context if the customer arrived via an ad or m.me link

1.2 Collected automatically (marketing site only)

When you visit bondhubot.com, our web server and CDN (Cloudflare) automatically log your IP address, user-agent string, requested URL, and response status code. We use these logs for debugging, uptime monitoring, and preventing abuse.

We do not receive your IP address, device identifiers, or browsing history from Messenger interactions — Meta does not forward that information to us. What we receive via the Messenger Platform API is listed in §1.1 above.

2. How We Use Your Information

  • To operate, maintain, and improve the BondhuBot platform
  • To process and respond to customer messages on the FABRIENDZ Facebook Page
  • To review conversation patterns (with personal identifiers removed) and improve BondhuBot's replies over time — for example, by updating our knowledge base or tuning how the bot phrases answers. We do not fine-tune AI models with your conversations.
  • To generate internal analytics and improve response quality
  • To send service-related communications (account alerts, security notices, product updates)
  • To detect and prevent fraud, abuse, and violations of our Terms
  • To comply with legal obligations under applicable law
We do not sell personal data to third parties. We do not share your conversations with other businesses, and we do not use them to fine-tune any AI model.

3. Data Sharing & Third Parties

We share your data only in these specific circumstances:

  • Internal access: Conversation data is accessible only to us — Bondhu Labs, as the operator of the FABRIENDZ Facebook Page. We do not share it with other businesses.
  • Meta (Facebook): We use Meta's Messenger Platform API to receive and send messages. Data handling is additionally governed by Meta's Data Policy.
  • AI providers (Anthropic, OpenAI): To generate replies, the text of your messages is sent to large-language-model APIs operated by Anthropic and OpenAI, processed in the United States. OpenAI is additionally used for voice-message transcription (Whisper) and for search over our own product and FAQ content (embeddings). We use these providers on their standard API tiers; we do not have a signed enterprise or zero-retention agreement with either. Both providers state that, by default, API inputs are not used to train their publicly available models — see Anthropic's commercial terms and OpenAI's API data usage policy.
  • Hosting infrastructure: the service runs on DigitalOcean (Singapore). The public marketing site bondhubot.com sits behind Cloudflare for CDN and DDoS protection. We use UptimeRobot for uptime monitoring.
  • Legal compliance: When required by law, a Bangladeshi court order, or valid legal process.

4. Data Retention

Conversation data is retained for up to 24 months from the date of last interaction, unless earlier deletion is requested. Older data is purged routinely.

Where a conversation results in a transaction (an order, return, or complaint), the underlying transaction record — order date, items, and amount — is kept for as long as required by Bangladesh tax, accounting, and legal compliance (typically six years). On request, we scrub the personal information (name, phone, address) attached to those records so the entry remains but cannot be linked back to you. Where applicable law requires us to retain a specific identifying field on a transaction record (for example, a delivery address on a sales invoice), we will retain only the specific field required and no more.

Our database is backed up nightly and backups are kept on a 7-day rolling window. Deleted records are not re-processed inside older backups; instead, they age out naturally as the rolling window advances. A deletion request is therefore fully reflected across all backups within seven (7) days.

Aggregated, de-identified analytics may be retained indefinitely for service improvement purposes.

5. Data Security

We take reasonable technical and organisational steps to protect your data:

  • Transport encryption over HTTPS using TLS 1.2 and TLS 1.3 for all traffic to and from the service.
  • At-rest encryption of server disks and database storage is provided by our hosting provider (DigitalOcean's always-on block-storage encryption).
  • Production servers and the database run in DigitalOcean's Singapore region; access is limited to authorised Bondhu Labs personnel.
  • Secrets and API keys are stored in restricted-permission files on the production server, outside source control.
  • We follow standard secure-development practices — code review, dependency updates, minimal production access.

As a small team, we do not run formal third-party security audits or penetration tests, and application-layer encryption of specific sensitive tokens (beyond the hosting provider's block-storage encryption) is on our roadmap. We will adopt more structured controls as the service grows.

No system is completely secure. If we become aware of a data breach that materially affects your personal data, we will notify you by email (or via Facebook Messenger if we do not have your email) within a reasonable time after discovery — aiming for 72 hours where feasible — and we will notify Meta and any applicable Bangladeshi regulator as required by law.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request deletion of your data (see our Data Deletion page)
  • Object to or restrict certain types of processing
  • Receive a copy of your data in a portable format
  • Withdraw consent at any time

To exercise any of these rights, email us at [email protected]. We aim to respond to verified requests within 30 days. If we need longer — for example, where we must verify your identity or the request is complex — we will let you know and give you an updated timeline.

7. International Data Transfers

Your data is processed on servers outside Bangladesh. In particular:

  • Application servers, database, and file storage sit on DigitalOcean in Singapore.
  • AI providers (Anthropic, OpenAI) process message content in the United States.
  • Cloudflare serves cached public marketing pages from globally distributed edge locations.

We rely on each provider's published privacy and data-protection commitments; we do not currently have bespoke data-processing agreements (DPAs) in place with these providers. If you are in a jurisdiction that requires specific cross-border transfer safeguards before your data may be processed abroad, please contact us at [email protected] before using the service.

8. Children's Privacy

BondhuBot is not directed at individuals under 13 years of age. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child, we will delete it promptly. If you believe a child has provided us with personal information, please contact [email protected].

9. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated by posting the updated policy on this page and updating the "Last updated" date above. For significant changes, we will provide additional notice via email or in-product notification. Continued use of the service after changes take effect constitutes acceptance of the revised policy.

10. Contact Us

Bondhu Labs Email: [email protected]
General inquiries: [email protected]
Dhaka, Bangladesh
© 2026 BondhuBot · All rights reserved