1. Introduction

At Bravos AI, we take the protection of your personal data very seriously. This Privacy Policy explains what information we collect, how we use it, and what your rights are under the General Data Protection Regulation (GDPR) and applicable data protection legislation.

2. Data Controller

Identity: Global Online Mapps Ltd (trading as "Bravos AI")
Company Number: 9909303 (Companies House, England and Wales)
Registered office: Suite 7 Midshires House, Smeaton Close, Aylesbury, England HP19 8HL
Email: [email protected]

3. What Data We Collect

3.1 Data You Provide Directly

• Account information: Name, email, password (encrypted with bcrypt)
• Optional contact data: Information you choose to share voluntarily (phone number, company, etc.)
• Billing information: Processed by Stripe (we do not store card details)
• Chatbot content: Texts, documents, images, and files you upload to train your bots
• Support messages: Communications you have with our team

3.2 Automatically Collected Data

• Usage data: Pages visited, features used, time of use
• Technical data: IP address, browser, operating system
• Cookies: For essential functionality and analytics

3.3 End User Data (Widget)

When visitors to your website interact with your chatbots:

• Conversation messages
• Shared media files (paid plans only, automatically deleted after 24 hours)
• Anonymous session identifier (fingerprint)

Important: You (the Customer) are the data controller for this data. Bravos AI acts as the data processor. As the chatbot owner, you have access to your users' conversations for customer service, monitoring, and service improvement purposes. It is your responsibility to inform your website users about the use of the chatbot in your privacy policy.

4. Legal Basis for Processing

We process your personal data based on:

• Contract performance: To provide you with the service you have subscribed to
• Consent: For marketing communications (you may withdraw it at any time)
• Legitimate interest: To improve our services and prevent fraud
• Legal obligation: To comply with tax and legal requirements

5. How We Use Your Data

• Provide and maintain the Bravos AI service
• Process payments and manage subscriptions
• Send important notifications about your account
• Provide technical support
• Improve and optimize our services
• Comply with legal obligations
• Prevent fraud and abuse
• Send marketing communications (only with your consent)

Commitment: We do not use End User conversations or Customer training data to train or improve general-purpose AI models. Data is processed solely to provide the contracted service. Our AI providers are subject to equivalent contractual restrictions.

6. Who We Share Your Data With

We do not sell your personal data. We only share information with trusted third parties necessary to operate the service:

Sub-processors:

Provider	Purpose	Location	Safeguards
OpenAI, LLC	AI processing (chatbot response generation)	USA	DPA + SCCs
Hetzner Online GmbH	Server and database hosting	Germany (EU)	DPA
Stripe, Inc.	Payment processing	USA	EU-US DPF + DPA
Resend, Inc.	Transactional email delivery	USA	DPA + SCCs
Meta Platforms Ireland Ltd	Message delivery via WhatsApp Cloud API and advertising conversion measurement (Meta Pixel and Conversions API)	Ireland (EU) and USA	DPA + SCCs
Google Ireland Ltd / Google LLC	Analytics and advertising measurement (Google Analytics 4 and Google Ads Conversion Tracking)	Ireland (EU) and USA	EU-US DPF + SCCs

All our providers are subject to data protection agreements and commit to processing personal data in accordance with applicable regulations. Personal data submitted through the chatbot may be processed by our AI providers solely for the purpose of generating responses, never for general-purpose model training.

7. Messaging Integrations (WhatsApp Business)

When a Customer connects their WhatsApp Business account to Bravos AI through Meta's Embedded Signup flow, we process the following data:

7.1 Data Processed

• Messages: text, images, audio, and documents exchanged between end users and the chatbot
• Contact identifiers: phone number and WhatsApp display name of the end user
• Integration metadata: WABA ID, connected number, and connection status

7.2 Purpose

To generate automatic chatbot responses, display conversations in the Customer's dashboard, and maintain a message history for service analysis and traceability.

7.3 Encryption and Retention

Messages and media files are stored encrypted on our EU-based servers (Hetzner, Germany). Inactive conversations are automatically deleted after 90 days. Media files are deleted 24 hours after receipt.

7.4 Data Deletion by End Users

An end user whose data has been processed via WhatsApp Business can request deletion by emailing [email protected] indicating the phone number from which they wrote. We process requests within 30 days as required by the GDPR.

Important: As with the web widget, the Customer (the company connecting their WhatsApp Business account) is the data controller for their end users' data. Bravos AI acts as the data processor. It is the Customer's responsibility to inform their end users in their own privacy policy about the use of automated chatbots through WhatsApp.

8. International Transfers

Some of our providers are located outside the European Economic Area. In such cases:

• We use EU Standard Contractual Clauses (SCCs) approved by the European Commission
• We verify participation in the EU-US Data Privacy Framework where applicable
• We implement appropriate technical and organizational measures

9. How Long We Retain Your Data

• Account data: While your account is active + 30 days after cancellation
• Billing data: 10 years (legal tax requirement)
• Chatbot content: Until you delete it or cancel your account
• Widget conversations: 90 days from creation (automatically deleted)
• Widget media files: 24 hours (automatically deleted)
• Technical logs: 90 days

10. Your Rights (GDPR)

You have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Restrict the processing of your data
• Portability: Receive your data in a structured format
• Objection: Object to the processing of your data
• Withdraw consent: At any time, without affecting prior processing

To exercise these rights, contact: [email protected]

You also have the right to file a complaint with the relevant data protection authority, such as the Information Commissioner's Office (ICO) in the United Kingdom.

11. Data Security

We implement technical and organizational measures to protect your data:

• Data encryption in transit (HTTPS/TLS)
• Password encryption (bcrypt)
• Restricted access to personal data
• Regular and secure backups
• Security monitoring

No system is 100% secure. Although we implement industry best practices, we cannot guarantee absolute security.

12. Cookies, Pixels and Similar Technologies

We use three categories of cookies and tracking technologies:

• Essential: Authentication, session and basic functionality. No consent required since they are strictly necessary for the service to work.
• Analytics: Help us understand how the service is used in aggregate (pages visited, time spent). On the public website, they require your consent through the cookie banner.
• Marketing and advertising: Allow us to measure the effectiveness of our advertising campaigns and optimise them. On the public website, they require your consent through the cookie banner.

12.1 Specific tools we use

• Google Analytics 4 (analytics) — provider: Google Ireland Ltd / Google LLC. Identifies your device pseudonymously to measure aggregate use of the service.
• Google Ads Conversion Tracking (advertising) — provider: Google Ireland Ltd / Google LLC. Measures conversions from our ads and enables campaign optimisation and remarketing lists.
• Meta Pixel (advertising) — provider: Meta Platforms Ireland Ltd. Measures conversions from our ads on Facebook and Instagram and enables campaign optimisation, custom audiences and lookalikes.

12.2 Server-side conversion measurement (Meta Conversions API)

To complement the above, when you complete certain actions on our service (for example, starting a trial or activating a subscription), we send a conversion event from our servers directly to Meta's servers through the Meta Conversions API (CAPI). This transmission allows us to measure conversions reliably and deduplicate them against those received via the Meta Pixel.

The data transferred to Meta via the Conversions API is:

• SHA-256 hash of your email address (we do not transmit the plain email)
• Your IP address and browser user-agent at the time of the conversion
• Event type (for example, "start trial" or "subscribe") and a unique event identifier to prevent duplicates

12.3 Legal basis

• On the public website (anonymous visits): we rely on your consent, collected through the cookie banner (Art. 6.1.a GDPR). If you reject the banner, we do not load Meta Pixel, Google Analytics or Google Ads.
• In the user panel after sign-up: we rely on our legitimate interest (Art. 6.1.f GDPR) to measure conversions of our own product and optimise our advertising investment, balanced against your rights. This is standard practice in SaaS companies.

12.4 How to object or withdraw your consent

• You can reject analytics and advertising cookies in the banner that appears when you enter the website.
• You can configure your browser to block cookies or use the privacy controls offered by Google and Meta directly.
• If you are a registered user and wish to object to the transmission of your data via the Meta Conversions API or any other advertising measurement tool, please email us at [email protected]. We process your request within a maximum of 30 days as required by the GDPR.

You can also configure your browser to block cookies, although this may affect the functionality of the service.

13. Minors

Bravos AI is not intended for individuals under the age of 16. We do not knowingly collect data from minors. If you are a parent or guardian and believe your child has provided us with data, please contact us to have it removed.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice in the service. The "Last updated" date will be updated accordingly.

15. Contact

For any inquiries regarding this Privacy Policy or the processing of your data:

Email: [email protected]
Registered office: Suite 7 Midshires House, Smeaton Close, Aylesbury, England HP19 8HL