Privacy Policy

Bota is a service operated by Zentia Labs LLC. Zentia Labs is responsible for the processing of data collected on the Bota website, contact forms, demos, onboarding flows, support, billing, and account administration.

This policy governs Zentia Labs’ own processing in relation to Bota as a B2B SaaS product. It does not replace the privacy policy that each customer must provide to its end users when deploying Bota in its own channels (website or WhatsApp).

Zentia Labs LLC processes the personal data covered by this policy from the following locations:

• United States of America: registered office of Zentia Labs and primary location of cloud infrastructure, storage, and AI-model subprocessors.
• Spain: authorized Zentia Labs personnel (product, engineering, support).
• Colombia: authorized Zentia Labs personnel (product, engineering, support).

By accepting our terms, the customer expressly authorizes these processing locations and undertakes to reflect them in the information provided to its end users whenever applicable law so requires. Safeguards for international transfers are detailed in the corresponding section.

• Sales and prospecting data: name, business email, phone number, company, fleet size, country, and operational needs.
• Account and administration data: users, roles, credentials, preferences, authentication events, and administrative activity inside the Bota B2B portal.
• Contract and billing data: legal entity details, address, tax identifiers, billing contacts, invoices, and payment references.
• Support and implementation data: tickets, emails, configurations, domains, snippets, technical incidents, and conversation samples shared by the customer for troubleshooting.
• Technical and usage data: IP address, browser, device, cookies, logs, security events, performance, and product analytics.
• End-user operational data processed on behalf of the customer: chat messages (web and WhatsApp), conversational content, booking intents, contact details, attachments, and other data that the customer chooses to route through Bota.

Bota allows users to sign in via email and password, magic link, or Google OAuth ("Sign in with Google").

When you choose to sign in with Google, we access your email address, name, and profile picture through the Google OAuth 2.0 openid, email, and profile scopes. This data is used solely to create or link your user account in Bota and to verify your identity on each sign-in.

We do not access your contacts, calendar, Drive files, or any other data from your Google account.

You can revoke Bota access to your Google account at any time from your Google account security settings at myaccount.google.com.

Bota's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

• Respond to commercial requests, demos, product evaluations, and onboarding.
• Create and manage customer accounts, authorized users, and permissions.
• Provide the contracted chatbot service, host the infrastructure, process messages through AI (LLM), and operate the automations enabled by the customer.
• Configure integrations, domains, web widgets, and messaging channels (including WhatsApp Business) activated by the customer.
• Provide support, maintenance, monitoring, security, and fraud or abuse prevention.
• Manage the contractual relationship, billing, collections, and accounting or tax obligations.
• Send service communications and, where a valid basis exists, reasonable B2B communications about Bota.

• Performance of pre-contractual steps or the contract for demos, onboarding, Bota provision, support, and billing.
• Compliance with legal obligations relating to accounting, tax, security, and valid requests from authorities.
• Legitimate interests for security, abuse prevention, product improvement, B2B relationship management, and reasonable professional communications.
• Consent for non-essential cookies, certain optional marketing actions, and any other processing that requires it.
• For end-user operational data handled inside Bota (chat messages, WhatsApp conversations, booking intents), the customer generally acts as controller and Zentia Labs processes that data under documented instructions and the applicable data processing agreement.

To deliver the service, Zentia Labs relies on providers and subprocessors belonging to the following standard technology categories, the use of which the customer authorizes by accepting our terms: AI model providers, cloud infrastructure and hosting, messaging platform (WhatsApp Business), payment gateways and providers, transactional email, analytics, and observability.

• Infrastructure, hosting, authentication, email, support, monitoring, analytics, and technology providers needed to deliver Bota.
• Language model providers (Anthropic Claude) to generate the AI conversational responses.
• Payment processors and billing providers to manage collections, subscriptions, and payment incidents.
• Messaging platforms activated by the customer, such as WhatsApp Business, when the customer configures them in Bota.
• Professional advisers and public authorities where there is a legal obligation, defence need, or valid request.
• The complete and up-to-date list of sub-processors (with service provided, data processed, and location) is available at https://www.bota-chat.com/en/sub-procesadores.

Zentia Labs will notify the customer with reasonable advance notice of any material change of subprocessors with impact on the processing of personal data; the customer may object on reasonable, justified grounds. Zentia Labs does not sell personal data and does not independently determine the business purposes of customer end-user conversational content.

In addition to the processing activities described in the purposes above, Zentia Labs may process aggregated, anonymized, or pseudonymized data derived from use of the service for the following additional purposes:

• Provision and technical improvement of the service: debugging, performance, reliability, and quality of response.
• Internal training and evaluation of the AI models used by the service, as well as tuning of prompts, instructions, and heuristics.
• Aggregated statistical analyses of the vehicle-rental sector (for example, demand metrics, sentiment, types of queries) that do not allow identification of specific natural persons.
• Development of new features and adjacent services that may benefit existing and future customers.

In no case do we use identifiable end-customer conversational content to train AI models of third-party providers for purposes other than the provision of the contracted service. When models from external providers (subprocessors) are used, the contractual agreements and usage policies of those providers apply, which prohibit the use of customer data to train the provider’s own models unless there is an explicit opt-in.

Provision of the service involves processing personal data across the United States – Spain – Colombia triangle, as described in the "Processing locations" section. Additionally, certain subprocessors may operate from other countries outside the European Economic Area.

To legitimize these international transfers we apply the safeguards recognized by applicable law, in particular:

• Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision (EU) 2021/914, Module 2 (Controller to Processor), for transfers from Spain or any other EEA country to the United States and Colombia.
• Model contractual clauses published by the Colombian Superintendence of Industry and Commerce (SIC) for international transfers originating in Colombia.
• United States legal framework applicable to Zentia Labs LLC as a company incorporated in the State of Wyoming, including the contractual obligations undertaken in the data processing agreement.
• Adequacy decisions, recognized certifications, or reasonable supplementary technical measures where applicable.

The data processing agreement (DPA) incorporated into the terms of service constitutes, by itself, the contractual safeguard mechanism for transfers between the customer and Zentia Labs, since it incorporates obligations, guarantees, and rights equivalent to those provided by the safeguards above. For additional transfers to subprocessors, Zentia Labs relies on the DPAs and transfer clauses published by those providers.

In the future, Bota may offer the customer additional cross-selling functionality for its end users (for example, accommodation, tourist activities, insurance, transfers, or other services complementary to vehicle rental).

The activation of any cross-selling functionality involving commercial communications to end users will require the customer’s prior written approval, together with the information and consents required by applicable law. Until such activation, end-user personal data is not used for cross-selling purposes.

• Leads, forms, and B2B sales conversations: up to 24 months from the last interaction, unless there is an objection or a contract is signed.
• Account, contract, and billing data: while the commercial relationship exists and afterwards for the periods required by law.
• Support and implementation tickets: usually up to 3 years after case closure.
• Security and access logs: usually up to 12 months, unless investigation or reinforced retention is required.
• Customer end-user operational data (chat messages, WhatsApp conversations, and associated AI usage records) in identifiable form: retained for 90 days from the last message. After that period, transcripts, messages, and associated usage records are deleted or anonymized.
• Data derived from service use in aggregated, anonymized, or pseudonymized form: may be retained for up to 24 additional months for service improvement and defence of claims, after which they will be irreversibly deleted or anonymized, except where legal retention obligations apply.

End users wishing to exercise erasure rights over identifiable conversations should first contact the rental company operating the chatbot, which will process the request through Bota’s admin tooling.

• We apply reasonable technical and organizational measures, including access controls, encryption in transit, event logging, and vendor review.
• Internal data access is limited to authorized personnel with a functional need and confidentiality obligations.
• The processor relationship for customer operational data is governed through contract and the applicable data processing agreement, including subprocessors and security commitments.

Where applicable, you may exercise rights of access, rectification, erasure, objection, restriction, and portability with respect to data that we process as our own controller.

If the request relates to end-user data collected through Bota deployed by a customer, the primary route should be that customer as controller. Nevertheless, data subjects may also direct their requests subsidiarily to Zentia Labs; in that case we will forward the request to the customer without undue delay and assist with its resolution in our role as data processor.

• Requests about leads, accounts, billing, support, or use of our website: contact us at privacy@bota-chat.com.
• Requests about chat conversations, WhatsApp messages, or end-customer data belonging to a rental company: contact that rental company first.
• The full step-by-step procedure (admin operators, end customers, and Facebook revocation) is documented on the dedicated data deletion page: https://www.bota-chat.com/en/data-deletion.

We may update this policy to reflect legal, technical, or product changes. The current version will be published on this page together with its last update date.