CLOSEBOT PRIVACY POLICY

Effective Date: February 10, 2026
Last Updated: February 10, 2026
Version: 2.0

EXECUTIVE SUMMARY

CloseBot, Inc. (“CloseBot,” “we,” “us,” or “our”) provides an AI-powered lead qualification and booking platform that enables marketing agencies and businesses to build, deploy, and manage automated AI agents for customer interactions. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our Services.

What We Do: We operate a drag-and-drop platform where agencies create AI agents that interact with leads through integrated CRM systems (such as HighLevel, HubSpot, and LeadConnector). Our platform processes conversations between your AI agents and end-user leads to facilitate appointment booking and lead qualification.

Key Privacy Points:

• Data We Collect: Account information, conversation data from AI agents, usage analytics, and payment information
• How We Use Data: To operate the platform, process AI agent conversations, improve our Services, and support your business operations
• Who We Share With: AI providers (when you use our keys), CRM platforms (to sync your data), payment processors, and essential service providers
• Your Rights: Access, deletion, correction, data portability, and opt-out rights depending on your location
• Data Security: Industry-standard encryption, secure Azure cloud infrastructure, and third-party security certifications

Important for Agencies: If you’re an agency using CloseBot for your clients, you are typically the data controller for your end-user lead data, while CloseBot acts as your data processor. You remain responsible for complying with privacy laws regarding your clients’ data.

Questions or Concerns? Contact us at support@closebot.ai or review the detailed sections below.

TABLE OF CONTENTS

1. What Information Do We Collect?
2. How Do We Process Your Information?
3. AI-Specific Data Processing
4. What Legal Bases Do We Rely On?
5. When and With Whom Do We Share Personal Information?
6. International Data Transfers
7. How Long Do We Keep Your Information?
8. How Do We Keep Your Information Safe?
9. Do We Collect Information From Minors?
10. What Are Your Privacy Rights?
11. Controls for Do-Not-Track Features
12. United States Residents – Specific Privacy Rights
13. Other Regions – Specific Privacy Rights
14. Cookie Policy and Tracking Technologies
15. Updates to This Notice
16. Contact Information
17. How to Review, Update, or Delete Your Data

1. WHAT INFORMATION DO WE COLLECT?

Personal Information You Provide to Us

In Short: We collect personal information that you voluntarily provide when registering for our Services, configuring AI agents, connecting integrations, and using our platform.

Account Registration Information

When you create a CloseBot account, we collect:

• Identity Information: Full name, email address, username, password
• Business Information: Company name (optional), business type, annual revenue range, industry
• Contact Information: Phone number (optional), country, time zone, date/time format preferences
• Authentication Data: OAuth tokens if you sign in with Google or other providers

Billing and Payment Information

When you subscribe to paid plans, we collect:

• Payment Details: Credit/debit card information (processed and stored by Stripe)
• Billing Information: Cardholder name, billing address
• Transaction Data: Subscription tier, payment history, usage limits

Important: Payment card details are never stored on CloseBot servers. All payment processing is handled securely by Stripe. See Stripe’s privacy policy at: https://stripe.com/privacy

Platform Configuration Data

When you build and configure AI agents, we collect:

• AI Agent Settings: Persona configurations, job flow logic, response templates, behavior settings
• API Credentials: Your own API keys for AI providers (OpenAI, Anthropic, Gemini, Grok) if you’re on an Agency plan
• CRM Integration Data: OAuth tokens and connection settings for HighLevel, HubSpot, LeadConnector, and other integrated platforms
• Knowledge Base Content: Documents, notes, web scrapes, and files you upload to train your AI agents

Conversation and Lead Data

When your AI agents interact with leads, we process:

• Lead Information: Names, email addresses, phone numbers, and other contact details of prospects interacting with your AI agents
• Conversation Logs: Complete message histories between your AI agents and leads
• Qualification Responses: Answers to qualification questions, appointment preferences, and business inquiries
• Interaction Metadata: Timestamps, conversation duration, response patterns, and engagement metrics

Important for Agencies: If you are an agency using CloseBot, the lead data processed through your AI agents is typically owned and controlled by you. CloseBot processes this data on your behalf as a service provider.

Onboarding and Preference Data

To improve your experience, we collect:

• Usage Goals: Your stated objectives for using CloseBot
• AI Familiarity: Your comfort level with AI tools
• CRM Preferences: Which CRM systems you currently use
• Referral Source: How you heard about CloseBot
• Feature Priorities: Which capabilities are most important to your business

Information Automatically Collected

In Short: We automatically collect certain information when you use our Services, including usage data, device information, and analytics.

Technical and Usage Data

We automatically collect:

• Device Information: IP address, browser type and version, operating system, device type, unique device identifiers
• Usage Analytics: Pages viewed, features accessed, time spent on platform, agent builder interactions
• Performance Data: Load times, error reports, system diagnostics, API response times
• Location Data: Approximate geographic location based on IP address (country and city level)
• Session Information: Login timestamps, session duration, activity patterns

Tracking Technologies

We use cookies and similar technologies to collect information. Our tracking technologies include:

• Essential Cookies: For authentication, session management, and security (Clerk)
• Analytics Cookies: For usage tracking and performance monitoring (HubSpot, Google Tag Manager)
• Support Cookies: For customer service functionality (Intercom)
• Marketing Cookies: For conversion tracking and advertising optimization (Facebook Pixel, ContentSquare)
• Affiliate Cookies: For referral tracking and commission attribution (First Promoter)

For detailed information about our cookie practices, please see our Cookie Policy or visit https://closebot.com/cookie-policy/

CRM Integration Data

When you connect CRM platforms, we automatically collect:

• Synchronization Data: Contact lists, conversation histories, appointment bookings
• Webhook Data: Real-time notifications about lead activities and status changes
• API Call Logs: Records of data exchanges between CloseBot and your CRM

Information From Third Parties

In Short: We may receive limited information from third-party services you connect to our platform.

We may receive information from:

• OAuth Providers: When you sign in with Google or other authentication services, we receive your name, email address, and profile information
• CRM Platforms: When you integrate HighLevel, HubSpot, or LeadConnector, we receive contact and conversation data as configured
• AI Service Providers: Usage statistics and error logs from OpenAI, Anthropic, and other AI providers (when using CloseBot-provided API keys)

We do not purchase or acquire personal information from data brokers or list providers.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide our AI agent platform services, improve user experience, ensure security, comply with legal obligations, and support legitimate business operations.

We process your personal information for the following purposes:

Service Delivery and Platform Operations

• Account Management: Create, authenticate, and maintain your user account
• AI Agent Functionality: Process conversations between your AI agents and leads in real-time
• CRM Integration: Synchronize data between CloseBot and your connected CRM platforms
• Payment Processing: Handle subscription billing, usage-based charges, and transaction management
• Platform Access: Enable drag-and-drop agent builder, knowledge base management, and dashboard analytics
• Customer Support: Respond to inquiries, troubleshoot issues, and provide technical assistance

AI Processing and Improvement

• Conversation Processing: Use AI models to generate responses, qualify leads, and book appointments
• Knowledge Base Enhancement: Process uploaded documents and web content to improve agent responses
• Prompt Optimization: Use conversation data to refine prompts and improve response accuracy (does not train underlying AI models)
• Performance Analytics: Monitor agent effectiveness, response quality, and user satisfaction

Business Operations and Analytics

• Usage Tracking: Monitor platform usage, feature adoption, and system performance
• Revenue Analytics: Track agency rebilling metrics, subscription usage, and revenue attribution
• Product Development: Identify feature requests, prioritize enhancements, and develop new capabilities
• Business Intelligence: Analyze aggregate trends, industry benchmarks, and market insights

Marketing and Communications

• Service Communications: Send account notifications, platform updates, and security alerts
• Marketing Messages: Deliver promotional content, feature announcements, and educational resources (with your consent)
• Targeted Advertising: Display personalized ads and retargeting campaigns based on your interests
• Referral Tracking: Attribute signups to affiliate partners and manage commission payments

Security and Compliance

• Fraud Prevention: Detect and prevent unauthorized access, abuse, and malicious activity
• Security Monitoring: Identify vulnerabilities, respond to threats, and maintain platform integrity
• Legal Compliance: Fulfill regulatory requirements, respond to legal requests, and enforce our terms
• Audit and Recordkeeping: Maintain logs for compliance, dispute resolution, and quality assurance

3. AI-SPECIFIC DATA PROCESSING

In Short: Our platform uses artificial intelligence to power conversational agents. This section explains how AI processes your data and what safeguards are in place.

How AI Agents Process Data

Conversation Flow

1. Message Receipt: Lead sends message through integrated CRM
2. CloseBot Processing: Message routes to CloseBot platform for agent matching
3. AI Provider Request: Message sent to AI provider (OpenAI, Anthropic, Gemini, Grok) with relevant context
4. Response Generation: AI generates response based on your agent configuration and knowledge base
5. Delivery: Response sent back through CRM to the lead
6. Storage: Conversation logged in CloseBot database and your CRM

Data Used for AI Processing

When processing conversations, AI models access:

• Current Message: The lead’s most recent message
• Conversation History: Previous messages in the same conversation thread
• Agent Configuration: Persona settings, job flow instructions, response guidelines
• Knowledge Base: Relevant documents, notes, and information you’ve uploaded
• Business Context: Information about your business and services
• CRM Data: Lead profile information from your connected CRM (when available)

AI Model Training and Improvement

Important Clarification on Training:

• Your Conversations Do NOT Train AI Models: When you use your own API keys (Agency plans), your conversation data is processed by your own AI provider account and follows their data retention policies. CloseBot does not use this data to train third-party AI models.
• CloseBot Product Improvement: We may use conversation data to improve CloseBot’s platform functionality, such as optimizing prompts, enhancing agent configuration options, and refining our user interface. This does not involve training the underlying AI models from OpenAI, Anthropic, or other providers.
• Knowledge Base Enhancement: When you add content to your knowledge base, this information is used to improve your specific agent’s responses. It is not shared with other CloseBot customers or used to train third-party models.

Customer-Provided API Keys

For Agency Plan Users:

• Data Isolation: When you provide your own API keys (OpenAI, Anthropic, etc.), your conversation data is processed through YOUR AI provider account
• CloseBot Storage: We store message logs in our database for platform functionality, but our AI provider accounts do not access this data
• Third-Party Policies: Your data handling follows your AI provider’s privacy policy and data processing agreement
• Key Security: API keys are encrypted at rest and in transit, with restricted access controls

For Business and Free Plan Users:

• CloseBot-Provided Keys: Conversations are processed using CloseBot’s AI provider accounts
• Shared Infrastructure: Multiple customers’ requests may use the same API credentials (but data is logically separated)
• Usage Billing: We track token usage and conversation volume for billing purposes

AI-Generated Insights and Derived Data

Our platform may generate derived data from your conversations:

• Performance Metrics: Response times, conversation completion rates, booking success rates
• Sentiment Analysis: General tone and engagement level of conversations (aggregate only)
• Lead Scoring: Qualification assessments based on conversation content
• Usage Patterns: Feature utilization, peak activity times, common workflows

This derived data is used for:

• Your dashboard analytics and reporting
• Platform performance optimization
• Aggregate market research (anonymized)
• Feature development prioritization

4. WHAT LEGAL BASES DO WE RELY ON?

In Short: We process your personal information based on contractual necessity, legitimate business interests, legal compliance obligations, and your consent where required by law.

For European Economic Area (EEA), United Kingdom (UK), and Switzerland Users

Under GDPR and UK GDPR, we rely on the following legal bases:

Contract Performance (Article 6(1)(b) GDPR)

Processing necessary to provide our Services under our Terms of Service:

• Account creation and authentication
• AI agent conversation processing
• CRM integration and data synchronization
• Payment processing and subscription management
• Platform access and core functionality
• Customer support and technical assistance

Legitimate Interests (Article 6(1)(f) GDPR)

Processing necessary for our legitimate business interests (balanced against your rights):

• Security and Fraud Prevention: Protecting our platform, users, and data from threats
• Service Improvement: Analyzing usage patterns to enhance product features and performance
• Marketing Activities: Promoting our services to businesses that may benefit from AI automation
• Business Analytics: Understanding market trends and customer needs for strategic planning
• Customer Relationship Management: Managing business communications and support workflows

Consent (Article 6(1)(a) GDPR)

When required by law, we obtain your explicit consent for:

• Non-essential cookies and tracking technologies
• Marketing communications and promotional emails
• Targeted advertising and personalized content
• Optional data collection for enhanced features
• Third-party data sharing beyond service provision

You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Legal Obligation (Article 6(1)(c) GDPR)

Processing required to comply with legal requirements:

• Tax and accounting obligations
• Regulatory reporting requirements
• Law enforcement requests and court orders
• Data breach notification requirements
• Record-keeping obligations

Vital Interests (Article 6(1)(d) GDPR)

Processing necessary to protect vital interests:

• Emergency situations involving safety threats
• Preventing harm to individuals
• Critical security incidents requiring immediate action

For Canadian Users

Under Canadian privacy laws (PIPEDA and provincial equivalents):

• Express Consent: Obtained for sensitive personal information and when required by law
• Implied Consent: May be inferred for certain business communications and relationship management
• Legitimate Purposes: Processing for purposes a reasonable person would consider appropriate

Withdrawal Rights: You can withdraw consent at any time, subject to legal and contractual restrictions.

For United States Users

We process personal information based on:

• Contractual Relationship: To fulfill our agreement to provide Services
• Business Purposes: As defined under CCPA/CPRA and state privacy laws
• Legitimate Business Interests: Including service improvement, security, and marketing
• Consent: When required by specific state laws or sectoral regulations

5. WHEN AND WITH WHOM DO WE SHARE PERSONAL INFORMATION?

In Short: We share information with service providers necessary to operate our platform, CRM systems you integrate, AI providers processing your conversations, and in specific legal or business situations.

Service Providers and Third-Party Partners

We share personal information with the following categories of third parties who perform services on our behalf:

Essential Platform Services

Provider	Purpose	Data Shared	Location
Stripe	Payment processing	Name, billing address, payment card info, transaction details	United States
Clerk	Authentication and user management	Email, name, OAuth tokens, login credentials	United States
Microsoft Azure	Cloud hosting and infrastructure	All platform data (encrypted)	United States

AI and Machine Learning Providers

Data is processed through CloseBot’s API Keys for the below listed AI Providers with appropriate data processing agreements in place.

Provider	Purpose	Data Shared
OpenAI	GPT model access for conversations	Conversation messages, prompts, agent context
Anthropic	Claude model access for conversations	Conversation messages, prompts, agent context
Google (Gemini)	Gemini model access for conversations	Conversation messages, prompts, agent context
Grok	Grok model access for conversations	Conversation messages, prompts, agent context

CRM and Integration Partners

When you connect external platforms, we share data as necessary for integration:

Platform	Purpose	Data Shared
HighLevel/LeadConnector	Lead management and messaging	Contact data, conversation logs, appointments
HubSpot	CRM synchronization	Contact information, conversation history, engagement data
Other CRM Integrations	As you configure	Depends on your integration settings

You Control These Integrations: Data sharing occurs only for CRMs you explicitly connect, and you can disconnect at any time.

Analytics and Performance Monitoring

Provider	Purpose	Data Shared	Your Control
HubSpot Analytics	Marketing analytics, form tracking	Email, name, usage behavior, signup source	Opt-out available
Google Tag Manager	Analytics and conversion tracking	Usage data, page views, events	Cookie settings
ContentSquare	Session recording and UX analytics	Session behavior, clicks, navigation patterns	Cookie settings
Facebook Pixel	Ad conversion tracking	Page visits, events, ad interactions	Cookie settings

Customer Support and Communication

Provider	Purpose	Data Shared
Intercom	Live chat and customer support	Name, email, conversation history, usage context
First Promoter	Affiliate tracking and management	Referral source, affiliate links, commission data

Business Intelligence and Feedback

Provider	Purpose	Data Shared
Canny	Feature requests and product feedback	Email, name, feedback content, voting data

Data Sharing with CRM Platforms

Critical Understanding for Agencies:

• Bidirectional Sync: When you connect a CRM, conversation data flows TO your CRM for storage and lead management
• CRM as Data Controller: Your CRM (HighLevel, HubSpot, etc.) becomes the primary storage location for lead data
• CloseBot as Processor: We process messages in real-time but rely on your CRM for long-term storage
• CRM Privacy Policies: Lead data in your CRM is subject to their privacy policies and your data processing agreements

Business Transfers

We may share or transfer personal information in connection with:

• Mergers or Acquisitions: Sale of CloseBot or substantial assets
• Corporate Restructuring: Changes in business structure or ownership
• Bankruptcy Proceedings: As required by bankruptcy law
• Due Diligence: During evaluation of potential business transactions

User Notification: We will notify affected users and provide information about how to exercise rights under new ownership.

Legal Requirements and Safety

We may disclose personal information when required or permitted by law:

• Legal Process: Subpoenas, court orders, search warrants, or legal proceedings
• Law Enforcement: Requests from government agencies or regulatory authorities
• Legal Rights: To enforce our Terms of Service, protect our rights, or defend legal claims
• Safety: To prevent harm, investigate suspected fraud, or address security threats
• Compliance: To fulfill legal, regulatory, or contractual obligations

We review all legal requests and disclose only the minimum information necessary to comply with valid legal obligations.

Affiliates and Business Partners

• Corporate Affiliates: We may share information with parent companies, subsidiaries, or entities under common control (currently none exist)
• Marketing Partners: Limited sharing for joint promotions or co-marketing activities (with your consent)
• Reseller Partners: If you purchase through a reseller, they may have access to account and billing information

Aggregate and Anonymized Data

We may share aggregated or anonymized data that cannot reasonably identify you:

• Industry Reports: Market trends, usage statistics, benchmark data
• Public Research: Anonymized insights for AI and automation research
• Marketing Materials: General statistics about platform effectiveness
• Investor Relations: Business performance metrics and growth data

This anonymized data is not considered “personal information” under privacy laws.

6. INTERNATIONAL DATA TRANSFERS

In Short: Your personal information is processed primarily in the United States on Microsoft Azure infrastructure. If you are located outside the US, your data will be transferred internationally with appropriate safeguards.

Primary Data Processing Location

United States (Microsoft Azure):

• All CloseBot platform data is hosted on Microsoft Azure servers located in the United States
• Real-time message processing occurs on US-based infrastructure
• Database storage and backups are maintained in US data centers

International Access and Team

Global Team Access:

• US-based employees: 10 employees with access to production systems
• Canadian contractor: Virtual assistant services (limited data access)
• UK team member: Development and support role (limited data access)
• Remote team: ~20 virtual team members globally

Access Controls: All team members with data access are subject to confidentiality obligations and access only the minimum data necessary for their roles.

Transfers from the European Economic Area (EEA), UK, and Switzerland

Legal Basis for Transfers

When we transfer personal information from the EEA, UK, or Switzerland to the United States, we rely on:

1. Adequacy Decisions

• Where applicable, we rely on adequacy decisions recognizing equivalent data protection standards
• Currently, direct US adequacy decisions are limited; we primarily use SCCs

2. Necessity for Contract Performance

• Transfers necessary to provide Services you have requested
• Cannot fulfill service obligations without cross-border data processing

Supplementary Measures

To protect data transferred to the US:

• Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
• Access Controls: Role-based access with multi-factor authentication
• Data Minimization: Transfer only necessary data for specified purposes
• Monitoring: Continuous security monitoring and threat detection
• Transparency: We notify users if we receive government data requests where legally permitted

Transfers to Other Third Countries

AI Provider Data Processing

When using AI providers, data may be processed in:

• OpenAI: United States (SCCs in place)
• Anthropic: United States (SCCs in place)
• Google (Gemini): United States and global Google infrastructure (SCCs in place)
• Grok: [Specify location – likely China] (appropriate safeguards required)

Important for EU Users: If using your own API keys with providers outside the US/EEA, ensure you have appropriate transfer mechanisms with those providers.

7. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We retain personal information as needed while your account is active. Upon account deletion, we remove all data instantly, with limited exceptions for legal compliance and marketing data.

Active Account Data Retention

While Your Account is Active:

• As Needed Retention: All account data, conversation logs, agent configurations, and usage data are retained as needed
• Operational Necessity: Retention supports platform functionality, historical analytics, and service continuity
• User Control: You can delete specific conversations or content at any time

Rationale: Given the nature of lead qualification and business operations, customers typically need long-term access to historical conversation data, agent performance metrics, and lead interaction history.

Account Deletion and Data Removal

Exception – CRM Disconnection:

• When CRM Integration Disconnected: All lead data and messages associated with that specific CRM connection are immediately removed
• Scope: Only affects data tied to the disconnected integration
• Other Data: Account and other integration data remains intact

Legal Compliance Retention

We may retain certain information longer when required by law:

• Tax Records: Up to 7 years as required by US tax law
• Accounting Records: As required by applicable accounting standards
• Legal Disputes: During pendency of litigation or regulatory investigations
• Regulatory Requirements: As mandated by financial services, consumer protection, or other applicable regulations

Current Practice: We currently delete billing/transaction records on account deletion but can implement extended retention if needed for tax/accounting compliance.

Backup and Archive Data

System Backups:

• Purpose: Disaster recovery and system integrity
• Retention: Backups may retain deleted data for up to 30 days
• Access: Backup data is not accessible for normal operations or rights requests
• Security: Backups are encrypted and stored on secure Azure infrastructure

Important: While backups may temporarily contain deleted data, this data is inaccessible and will be permanently removed when backups expire.

Anonymization vs. Deletion

Anonymized Data:

• We may retain aggregated, anonymized data indefinitely for analytics and research
• Anonymized data cannot reasonably identify any individual
• This data is outside the scope of privacy rights requests

True Deletion:

• Personal data deletion means permanent removal from production databases
• Data cannot be recovered after deletion (except from temporary backups)
• You can request confirmation of deletion by contacting support@closebot.ai

Special Retention Scenarios

Fraud Prevention:

• If account terminated for Terms of Service violations or fraud, we may retain identifying information to prevent re-registration
• Limited to email address, payment information hash, and IP address
• Retained for 2 years maximum

Legal Hold:

• If data is subject to legal hold, preservation notice, or pending litigation, retention continues until legal obligation ends
• We will notify you if legally permitted

Business Transfer:

• In the event of merger, acquisition, or sale, data retention policies may change
• We will notify users and provide opt-out options if materially different retention periods apply

8. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We implement industry-standard technical and organizational security measures to protect your personal information, though no system can be guaranteed 100% secure.

Technical Security Measures

Infrastructure Security

Microsoft Azure Cloud Platform:

• Tier: Enterprise-grade cloud infrastructure with SOC 2 Type II and ISO 27001 certifications
• Physical Security: Azure data centers with 24/7 monitoring, biometric access controls, and redundant systems
• Network Security: Firewalls, intrusion detection/prevention systems, DDoS protection
• Compliance: Azure complies with GDPR, HIPAA, FedRAMP, and other security frameworks

Data Encryption

Data at Rest:

• Encryption Standard: AES-256 encryption for all stored data
• Database Encryption: Transparent Data Encryption (TDE) for SQL databases
• File Storage: Encrypted blob storage for uploaded documents and knowledge base content
• API Keys: Customer-provided API keys encrypted with separate encryption keys

Data in Transit:

• TLS 1.3: All data transmission uses Transport Layer Security 1.3
• HTTPS Only: Platform accessible only via encrypted HTTPS connections
• API Security: Encrypted API calls between CloseBot and third-party services
• Certificate Management: Automated SSL/TLS certificate renewal and monitoring

Access Controls

Authentication:

• Multi-Factor Authentication (MFA): Available for all user accounts (recommended)
• OAuth 2.0: Secure authentication with Google and other providers
• Password Requirements: Strong password policies with complexity requirements
• Session Management: Secure session tokens with automatic expiration

Authorization:

• Role-Based Access Control (RBAC): Least-privilege access for team members
• API Key Management: Encrypted storage and restricted access to customer API keys
• Admin Controls: Limited number of employees with production access
• Audit Logging: All administrative actions logged for security review

Organizational Security Measures

Internal Policies and Procedures

Employee Training:

• Security awareness training for all team members
• Data privacy and handling procedures for employees with data access
• Regular updates on emerging threats and best practices

Access Management:

• Background checks for employees with data access
• Confidentiality agreements and data protection clauses in employment contracts
• Immediate access revocation upon employee departure
• Regular access reviews and recertification

Incident Response:

• Defined procedures for security incident detection and response
• Quick notification protocols for affected users
• Coordination with third-party security providers (Azure, Clerk, HubSpot)
• Post-incident analysis and remediation

Data Breach Response Procedures

In the Event of a Data Breach:

1. Detection and Assessment:
   • Identify scope and nature of the breach
   • Assess which data and users are affected
   • Contain the breach and prevent further unauthorized access
   • Document all relevant details and evidence
2. Notification Process:
   • Regulatory Notification: Notify supervisory authorities within a certain timeframe if required by law
   • User Notification: Notify affected users via email and platform banner if required by law
   • Third-Party Coordination: Inform relevant service providers (Azure, Clerk, HubSpot) if their systems are involved
   • Public Disclosure: Publish incident details if legally required or affecting large numbers of users
3. Remediation (Ongoing):
   • Implement fixes to address vulnerabilities
   • Enhanced monitoring for follow-on attacks
   • Update security procedures to prevent recurrence
   • Provide support resources for affected users

Current Capabilities:

• Email and Banner Notifications: Quick deployment of breach notifications
• Third-Party Coordination: Established communication channels with Azure, Clerk, and HubSpot
• Case-by-Case Response: Front-end vulnerabilities handled with immediate containment procedures

Security Limitations and Acknowledgments

No Guarantee of Perfect Security:

• Despite our best efforts, no electronic system is completely secure
• Unauthorized access, hacking, or data breaches can potentially occur
• Internet transmission carries inherent security risks
• Third-party service vulnerabilities may affect our platform

Your Responsibility:

• Strong Passwords: Create unique, complex passwords for your account
• Account Security: Enable multi-factor authentication and protect login credentials
• Secure Environment: Access CloseBot only from secure networks and devices
• Suspicious Activity: Report any unauthorized access or unusual activity immediately
• API Key Protection: Safeguard your own AI provider API keys and never share them

Reporting Security Issues: If you discover a security vulnerability, please report it to: support@closebot.ai

• We appreciate responsible disclosure
• Do not publicly disclose vulnerabilities before we can address them
• We will investigate all reports promptly and provide updates

9. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect personal information from individuals under 18 years of age. Our Services are intended for business users only.

Age Restrictions

Minimum Age Requirement:

• 18 Years or Older: You must be at least 18 years old to create a CloseBot account
• Business Use Only: Our Services are designed for business and commercial purposes, not personal or consumer use

No Intentional Collection from Minors

Our Commitment:

• We do not knowingly solicit data from individuals under 18
• We do not knowingly market our Services to minors

Important Note About Lead Data: If your AI agents interact with leads through CRM platforms, those leads may include individuals under 18. As the agency or business deploying AI agents, you are responsible for:

• Complying with children’s privacy laws (COPPA, GDPR Article 8, etc.) for your lead interactions
• Obtaining appropriate parental consent if collecting information from minors
• Implementing age verification for your lead qualification processes

CloseBot does not control or verify the age of leads interacting with your AI agents. This is your responsibility as the data controller for your business operations.

If Minor Data is Discovered

Our Response:

• If we learn that personal information from users under 18 has been collected without proper verification, we will:
  • Deactivate the account immediately
  • Delete such data from our records promptly
  • Take reasonable measures to prevent future collection

How to Report: If you become aware that we have collected data from anyone under 18, please contact us immediately at: support@closebot.ai

Include:

• The email address or username of the account
• Explanation of how you know the user is under 18
• Any relevant documentation

COPPA Compliance (United States)

Children’s Online Privacy Protection Act:

• CloseBot does not operate websites or services directed at children under 13
• We do not knowingly collect “personal information” as defined by COPPA from children under 13
• If you are a parent and believe your child under 13 has provided information to us, contact support@closebot.ai

International Children’s Privacy Laws

GDPR (EU) – Article 8:

• Children under 16 (or lower age set by member states) require parental consent for information society services
• Our Services are not offered directly to children under 16 in the EU

Other Jurisdictions: We comply with applicable children’s privacy laws in all jurisdictions where we operate, including age-appropriate consent requirements.

10. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on your location, you have various rights regarding your personal information, including access, deletion, correction, data portability, and opt-out rights. This section explains how to exercise these rights.

Rights Available to Some Users

CloseBot users may:

Account Information Management:

• Access: View your account information, agent configurations, and platform usage
• Correction: Update your profile details, billing information, and preferences
• Settings Control: Manage notification preferences, integrations, and platform settings

To manage your account:

1. Log in to your CloseBot dashboard
2. Navigate to Account Settings
3. Update information as needed
4. Contact support at support@closebot.ai for assistance

European Economic Area (EEA), United Kingdom (UK), and Switzerland Rights

Under GDPR, UK GDPR, and Swiss data protection laws, you have the following rights:

Right of Access (Article 15 GDPR)

What You Can Request:

• Confirmation of whether we process your personal data
• Access to a copy of your personal data
• Information about processing purposes, categories, recipients, and retention periods
• Details about international transfers and safeguards

How to Exercise:

• Email support@closebot.ai with subject line: “GDPR Access Request”
• We will respond within 30 days (extendable by 2 months for complex requests)

Right to Rectification (Article 16 GDPR)

What You Can Do:

• Correct inaccurate personal information
• Complete incomplete personal data

How to Exercise:

• Update directly in Account Settings, or
• Email support@closebot.ai with corrections

Right to Erasure / “Right to be Forgotten” (Article 17 GDPR)

When Available:

• Data no longer necessary for original purposes
• You withdraw consent (where consent was the legal basis)
• You object to processing based on legitimate interests
• Data processed unlawfully
• Legal obligation requires erasure

Exceptions:

• Compliance with legal obligations
• Establishment, exercise, or defense of legal claims
• Archiving purposes in the public interest

How to Exercise:

• Delete your account through platform settings, or
• Email support@closebot.ai requesting deletion
• Response Time: Instant deletion upon account termination

Right to Restriction of Processing (Article 18 GDPR)

When Available:

• You contest the accuracy of personal data
• Processing is unlawful but you prefer restriction over deletion
• We no longer need the data, but you need it for legal claims
• You have objected to processing pending verification of legitimate grounds

How to Exercise:

• Email support@closebot.ai with specific restriction request
• We will inform you before lifting any restriction

Right to Data Portability (Article 20 GDPR)

What You Can Request:

• Receive your personal data in a structured, commonly used, machine-readable format
• Transmit your data to another controller

Scope:

• Applies to data you provided to us
• Where processing is based on consent or contract
• Where processing is carried out by automated means

How to Exercise:

• API Access: Use our API to export account data programmatically
• Email Request: Contact support@closebot.ai for data export assistance
• Format: Data provided in JSON or CSV format

Limitations:

• Billing information and receipts are viewable in-platform only
• Complex exports may require additional time to prepare

Right to Object (Article 21 GDPR)

Direct Marketing:

• Absolute right to object to direct marketing at any time
• Includes profiling related to direct marketing

Processing Based on Legitimate Interests:

• Right to object on grounds relating to your particular situation
• We must demonstrate compelling legitimate grounds that override your interests

How to Exercise:

• Click “unsubscribe” in marketing emails
• Email support@closebot.ai to object to other processing
• Adjust cookie preferences for tracking and advertising

Rights Related to Automated Decision-Making (Article 22 GDPR)

Our Practices:

• We do not make solely automated decisions with legal or similarly significant effects
• AI agent responses are configured by you and do not constitute automated decisions about you as a user
• Lead qualification performed by your AI agents is your responsibility as the controller

Right to Withdraw Consent

When Applicable:

• Where processing is based on consent (marketing, non-essential cookies, optional features)

How to Exercise:

• Update cookie preferences in Cookie Settings
• Unsubscribe from marketing communications
• Email support@closebot.ai to withdraw specific consents

Effect:

• Withdrawal does not affect lawfulness of processing before withdrawal
• May limit access to certain features dependent on consent

Right to Lodge a Complaint

Supervisory Authorities: If you believe we have violated your privacy rights, you can complain to your data protection authority:

EU Member States: See list at https://edpb.europa.eu/about-edpb/board/members_en

UK: Information Commissioner’s Office (ICO)

• Website: https://ico.org.uk
• Phone: 0303 123 1113

Switzerland: Federal Data Protection and Information Commissioner (FDPIC)

• Website: https://www.edoeb.admin.ch
• Email: info@edoeb.admin.ch

We encourage you to contact us so we can address your concerns directly.

Canadian User Rights

Under PIPEDA and provincial privacy laws (including Quebec’s Law 25), you have:

Access Rights:

• Right to access personal information we hold about you
• Right to know how your information is used

Correction Rights:

• Right to challenge the accuracy and completeness of your information
• Right to have inaccurate information corrected

Withdrawal of Consent:

• Right to withdraw consent for processing (subject to legal/contractual restrictions)

Complaint Rights:

• Right to file complaints with the Privacy Commissioner of Canada
• Website: https://www.priv.gc.ca
• Phone: 1-800-282-1376

How to Exercise: Email support@closebot.ai or use the contact information in Section 16.

Australian and New Zealand User Rights

Under Australia’s Privacy Act 1988 and New Zealand’s Privacy Act 2020:

Access and Correction:

• Right to request access to personal information
• Right to correct inaccurate or incomplete information

Complaint Rights:

• Australia: Office of the Australian Information Commissioner (OAIC)
  • Website: https://www.oaic.gov.au
  • Phone: 1300 363 992
• New Zealand: Office of the Privacy Commissioner
  • Website: https://www.privacy.org.nz
  • Phone: 0800 803 909

How to Exercise: Email support@closebot.ai with your request.

11. CONTROLS FOR DO-NOT-TRACK FEATURES

In Short: We do not currently respond to Do-Not-Track (DNT) browser signals due to lack of industry-wide standards, but you can control tracking through our Cookie Settings and browser controls.

Do-Not-Track Signal Status

Current Industry Landscape:

• No uniform technology standard for recognizing and implementing DNT signals has been finalized
• Browsers and websites interpret DNT differently
• Regulatory guidance on DNT compliance is evolving

Our Current Practice:

• We do not automatically respond to DNT signals from web browsers or mobile operating systems
• However, we provide alternative methods to control tracking (see below)

How to Control Tracking

Cookie Preference Center:

1. Visit our Cookie Settings page
2. Adjust your preferences for:
   • Performance/Analytics cookies
   • Marketing/Advertising cookies
   • Functional cookies
3. Save your preferences

Browser Controls:

• Configure cookie blocking in your browser settings
• Use private/incognito browsing mode
• Install browser extensions for enhanced tracking protection

Opt-Out of Specific Tracking:

• Google Analytics: https://tools.google.com/dlpage/gaoptout
• Facebook Ads: https://www.facebook.com/ads/preferences
• Industry Opt-Outs: http://optout.aboutads.info and http://optout.networkadvertising.org

Global Privacy Control (GPC): We are monitoring the development of GPC and may implement support for this emerging standard.

12. UNITED STATES RESIDENTS – SPECIFIC PRIVACY RIGHTS

In Short: Residents of California, Colorado, Connecticut, Utah, and Virginia have specific privacy rights under state laws, including rights to know, delete, correct, and opt-out of certain data practices.

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

Category	Examples	Collected
A. Identifiers	Name, email, postal address, phone number, IP address, account name, unique identifiers	YES
B. Customer Records (Cal. Civ. Code § 1798.80(e))	Name, contact info, financial information, employment info	YES
C. Protected Classifications	Age, gender, race, citizenship, marital status	NO
D. Commercial Information	Purchase history, transaction information, payment details	YES
E. Biometric Information	Fingerprints, voiceprints, facial recognition data	NO
F. Internet/Network Activity	Browsing history, search history, interaction with websites/applications	YES
G. Geolocation Data	Precise physical location	NO (only approximate city/country from IP)
H. Sensory Information	Audio, video, call recordings	YES (conversation logs from AI agents)
I. Professional/Employment Info	Job title, work history, business contact details	YES (business type, industry)
J. Education Information	Student records, directory information	NO
K. Inferences	Profiles reflecting preferences, characteristics, behavior	YES (usage patterns, agent performance metrics)
L. Sensitive Personal Information	See detailed breakdown below	LIMITED

Sensitive Personal Information

What We Do NOT Collect:

• Social Security numbers, driver’s license numbers, passport numbers
• Precise geolocation data
• Racial or ethnic origin, religious beliefs, union membership
• Genetic data or biometric identifiers for unique identification
• Personal information from known children under 13

What We MAY Collect (Limited):

• Account login credentials (username, password – encrypted)
• Financial account information (through Stripe for payment processing – we don’t store card details)
• Email and text message content (only conversation logs from your AI agents interacting with leads)

Important: We do NOT process sensitive personal information for purposes other than those permitted under CCPA/CPRA without obtaining consent.

Sources of Personal Information

We collect personal information from:

1. Directly from you: Account registration, agent configuration, platform usage
2. Automatically: Cookies, analytics tools, usage monitoring
3. Third-party integrations: CRM platforms you connect (HubSpot, HighLevel)
4. OAuth providers: Google, other authentication services
5. Your AI agents: Conversation data from lead interactions you conduct

Business and Commercial Purposes for Collection

We use personal information for:

• Service Delivery: Operating the platform, processing AI conversations, CRM integration
• Business Operations: Customer support, billing, account management, fraud prevention
• Product Improvement: Analytics, feature development, performance optimization
• Marketing: Promotional communications, targeted advertising, conversion tracking
• Security: Fraud detection, abuse prevention, security monitoring
• Compliance: Legal obligations, regulatory requirements, Terms of Service enforcement

Data Sharing and Disclosure

We have disclosed the following categories to third parties for business purposes in the past 12 months:

• Category A (Identifiers): To service providers, CRM platforms, AI providers, analytics services
• Category B (Customer Records): To payment processors, CRM platforms, support services
• Category D (Commercial Information): To payment processors, billing services
• Category F (Internet Activity): To analytics providers, marketing platforms
• Category H (Sensory Information): To AI providers, CRM platforms (your conversation data)
• Category I (Professional Info): To CRM platforms, marketing analytics

We have NOT:

• Sold personal information for monetary consideration in the past 12 months
• Shared personal information for cross-context behavioral advertising (beyond standard ad conversion tracking with your consent)

California Residents – CCPA/CPRA Rights

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know

What You Can Request:

• Categories of personal information collected
• Specific pieces of personal information we hold about you
• Categories of sources from which information was collected
• Business or commercial purposes for collection
• Categories of third parties with whom we share information
• How long we retain each category of information

How to Exercise:

• Email: support@closebot.ai with subject “California Privacy Rights Request”
• Online: Visit https://app.closebot.ai/signin/self/ (functionality to be clarified)
• Response time: 45 days (extendable by 45 days for complex requests)

Right to Delete

What You Can Request:

• Deletion of personal information we collected from you

Exceptions (we may deny deletion if necessary for):

• Completing transactions or providing requested services
• Security and fraud detection
• Debugging and error correction
• Exercising free speech or legal rights
• Compliance with legal obligations
• Internal uses reasonably aligned with consumer expectations

How to Exercise:

• Delete your account through platform settings (instant deletion)
• Email: support@closebot.ai
• Our Response: Instant deletion upon account termination

Right to Correct

What You Can Do:

• Request correction of inaccurate personal information

How to Exercise:

• Update directly in Account Settings
• Email: support@closebot.ai with corrections

Right to Opt-Out of Sale/Sharing

Our Practices:

• We do NOT sell personal information for monetary consideration
• We MAY share information for targeted advertising purposes (via cookies and pixels)

How to Opt-Out:

• Use our Cookie Settings to disable marketing/advertising cookies
• Opt-out links: See Section 14 – Cookie Policy

“Do Not Sell or Share My Personal Information” Link: Available in our website footer and at https://lp.closebot.com/do-not-sell-or-share-my-information

Right to Limit Use of Sensitive Personal Information

Our Practices:

• We do NOT use sensitive personal information beyond purposes permitted by law without consent
• Account credentials used only for authentication
• Payment information used only for billing (processed by Stripe)

Currently: No additional limitations needed as we only use sensitive information for permitted purposes

Right to Non-Discrimination

Our Commitment:

• We will NOT discriminate against you for exercising CCPA/CPRA rights
• We will NOT:
  • Deny goods or services
  • Charge different prices or rates
  • Provide different quality of services
  • Suggest you will receive different pricing or quality

Verification Process

To Verify Your Identity:

For Account Holders:

1. Log in to your CloseBot account (verifies identity through authentication)
2. Submit request through authenticated session

For Non-Account Holders or Additional Verification:

1. Provide matching information: name, email address, and account details
2. We may request additional information to match against our records
3. For sensitive requests (deletion, specific data access), we may require:
   • Email verification via link sent to registered email
   • Account-specific information only you would know
   • In some cases, government-issued ID (redacted to show only name and last 4 digits of ID number)

Current Limitation: We do not yet have a formal identity verification procedure documented. Verification is handled case-by-case through email correspondence.

We will NOT:

• Request excessive information beyond what’s necessary for verification
• Require account creation to submit privacy requests
• Charge fees for verifying or responding to requests (except as permitted by law for excessive/manifestly unfounded requests)

Authorized Agents

Designating an Agent: You may authorize someone to submit requests on your behalf.

Requirements:

• Written Authorization: Signed permission authorizing the agent
• Proof of Identity: Agent must provide proof they are authorized
• Your Verification: We may still require you to verify your identity and confirm authorization

To Use an Authorized Agent: Email support@closebot.ai with:

• Written authorization document
• Agent’s contact information
• Your identifying information for verification

Appeal Rights (CPRA)

If We Deny Your Request:

• You have the right to appeal our decision
• We will provide explanation for denial
• You can submit an appeal by emailing support@closebot.ai with subject “CPRA Appeal”
• We will respond to appeals within 45 days

Other California Rights

“Shine the Light” Law (Cal. Civ. Code § 1798.83):

• Permits California residents to request information about disclosures to third parties for direct marketing
• Email support@closebot.ai with subject “Shine the Light Request”

Minors Under 18:

• If under 18, California resident, and have publicly posted content, you can request removal
• Contact support@closebot.ai with account email and confirmation of California residency
• Content may not be completely removed from backups/archives

Colorado Residents – Colorado Privacy Act (CPA)

Your Rights:

• Right to access personal data
• Right to correct inaccuracies
• Right to delete personal data
• Right to data portability
• Right to opt-out of:
  • Targeted advertising
  • Sale of personal data
  • Profiling for significant effects

How to Exercise:

• Email: support@closebot.ai
• Online: https://app.closebot.ai/signin/self/
• Response Time: 45 days (extendable by 45 days)

Appeal Process:

• Email support@closebot.ai with subject “Colorado Privacy Appeal”
• Response within 45 days of appeal receipt

Connecticut Residents – Connecticut Data Privacy Act (CTDPA)

Your Rights:

• Right to confirm data processing
• Right to access personal data
• Right to correct inaccuracies
• Right to delete personal data
• Right to data portability
• Right to opt-out of:
  • Targeted advertising
  • Sale of personal data
  • Profiling with significant effects

How to Exercise:

• Email: support@closebot.ai
• Online: https://app.closebot.ai/signin/self/
• Response Time: 45 days (extendable by 45 days)

Appeal Process:

• Email support@closebot.ai with subject “Connecticut Privacy Appeal”
• Response within 60 days of appeal receipt

Utah Residents – Utah Consumer Privacy Act (UCPA)

Your Rights:

• Right to know if we process your personal data
• Right to access personal data
• Right to delete personal data
• Right to data portability
• Right to opt-out of:
  • Targeted advertising
  • Sale of personal data

How to Exercise:

• Email: support@closebot.ai
• Online: https://app.closebot.ai/signin/self/
• Response Time: 45 days (extendable by 45 days)

Note: Utah law does not provide a formal appeal process

Virginia Residents – Virginia Consumer Data Protection Act (VCDPA)

Definition of “Consumer”: Virginia residents acting in individual or household context (not commercial or employment context)

Your Rights:

• Right to know if we process your personal data
• Right to access personal data
• Right to correct inaccuracies
• Right to delete personal data
• Right to data portability
• Right to opt-out of:
  • Targeted advertising
  • Sale of personal data
  • Profiling with significant effects

How to Exercise:

• Email: support@closebot.ai
• Online: https://app.closebot.ai/signin/self/
• Response Time: 45 days (extendable by 45 additional days)

Verification:

• We may request additional information to verify identity
• Authorized agents must provide proof of authorization

Appeal Process:

• Email support@closebot.ai with subject “Virginia Privacy Appeal”
• Response within 60 days
• If appeal denied, you may contact the Virginia Attorney General:
  • Website: https://www.oag.state.va.us/consumer-protection/privacy
  • Phone: 804-786-2071

13. OTHER REGIONS – SPECIFIC PRIVACY RIGHTS

Australia and New Zealand

Privacy Act 1988 (Australia) and Privacy Act 2020 (New Zealand)

Your Rights:

• Right to access personal information we hold about you
• Right to correct inaccurate or incomplete information
• Right to complain about privacy breaches

Effect of Non-Provision: If you choose not to provide necessary personal information, we may not be able to:

• Create or maintain your account
• Provide our AI agent platform services
• Process payments or subscriptions
• Respond to support requests
• Verify your identity for security purposes

How to Exercise Rights: Email support@closebot.ai with your request

Complaint Process:

Australia – Office of the Australian Information Commissioner (OAIC):

• Website: https://www.oaic.gov.au
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au

New Zealand – Office of the Privacy Commissioner:

• Website: https://www.privacy.org.nz
• Phone: 0800 803 909
• Email: enquiries@privacy.org.nz

Republic of South Africa

Protection of Personal Information Act (POPIA)

Your Rights:

• Right to access personal information
• Right to correct, delete, or destroy personal information
• Right to object to processing
• Right to lodge complaints

How to Exercise Rights: Email support@closebot.ai with your request

Complaint Process – Information Regulator (South Africa):

• General Enquiries: enquiries@inforegulator.org.za
• POPIA Complaints: POPIAComplaints@inforegulator.org.za
• PAIA Complaints: PAIAComplaints@inforegulator.org.za
• Form Required: Complete POPIA/PAIA Form 5

Brazil

Lei Geral de Proteção de Dados (LGPD)

If you are a Brazilian resident, you have rights under LGPD including:

• Confirmation of processing and access to data
• Correction of incomplete, inaccurate, or outdated data
• Anonymization, blocking, or deletion
• Data portability
• Information about data sharing
• Objection to processing

How to Exercise Rights: Email support@closebot.ai

Supervisory Authority – Autoridade Nacional de Proteção de Dados (ANPD):

• Website: https://www.gov.br/anpd

Other Jurisdictions

General Rights: We comply with applicable privacy laws in all jurisdictions where we operate. If you are located in a jurisdiction not specifically mentioned, you may have rights to:

• Access your personal information
• Correct inaccurate information
• Request deletion (subject to legal exceptions)
• Object to or restrict certain processing
• Lodge complaints with local data protection authorities

To Exercise Rights: Email support@closebot.ai with details of your location and specific request.

14. UPDATES TO THIS NOTICE

In Short: We update this Privacy Policy as necessary to reflect changes in our practices, legal requirements, or platform features. Material changes will be prominently communicated.

How We Update This Policy

Regular Reviews:

• We review this Privacy Policy at least annually
• Updates made when we add new features, integrations, or services
• Revisions to comply with new or changed privacy laws
• Clarifications based on user questions or regulatory guidance

Types of Changes:

Non-Material Changes:

• Clarifications of existing practices
• Contact information updates
• Minor wording improvements
• Formatting or organizational changes
• Notification: Updated “Last Updated” date at top of policy

Material Changes:

• New types of personal information collected
• New purposes for processing
• Changes to data sharing practices
• Significant changes to user rights
• Changes to international data transfers
• Notification Methods:
  • Prominent notice on platform dashboard
  • Email notification to registered users
  • Banner notification for 30 days
  • Updated policy with “Revised” date

Your Acceptance of Changes

Continued Use = Acceptance:

• Your continued use of CloseBot after policy changes constitutes acceptance
• If you disagree with changes, you should discontinue use and may delete your account

Consent Re-Collection:

• For certain material changes (especially affecting cookie/tracking practices), we may require you to affirmatively accept updated terms
• You will be prompted upon login if affirmative consent is required

How to Stay Informed

Check Regularly:

• Review the “Last Updated” date at the top of this policy
• Bookmark this page: https://closebot.com/privacy-policy/
• Check your email for update notifications

Version History:

• Previous versions available upon request
• Email support@closebot.ai to request historical policy versions
• We maintain archives of all policy versions with effective dates

Legal Requirements

Regulatory Updates: We will update this policy promptly to comply with:

• New privacy laws or regulations
• Changes to existing laws (e.g., GDPR, CCPA amendments)
• Regulatory guidance or enforcement actions
• Court decisions affecting privacy practices

Emergency Updates: In rare cases (security incidents, urgent legal requirements), we may update this policy immediately and notify users as soon as practically possible.

15. CONTACT INFORMATION

In Short: Contact us with questions, concerns, or to exercise your privacy rights using the information below.

General Privacy Inquiries

Email: support@closebot.ai
Subject Line: “Privacy Inquiry” or “Privacy Rights Request”

Mailing Address:
CloseBot, Inc.
Attn: Privacy Team
2817 Wetmore Ave
Everett, WA 98201
United States

Response Time: We aim to respond to all privacy inquiries within 5 business days, with full responses to rights requests within timelines specified by applicable law (typically 30-45 days).

Exercise Your Privacy Rights

For GDPR, CCPA, or Other Privacy Rights Requests:

Online Portal: https://app.closebot.ai/signin/self/
(Note: Current functionality of this portal is limited; we are working to enhance self-service privacy rights tools)

Email: support@closebot.ai
Subject Line: “[Your State/Country] Privacy Rights Request”

Include in Your Request:

• Your full name and email address associated with your account
• Specific right you wish to exercise (access, deletion, correction, etc.)
• Any additional information to help us verify your identity
• Preferred format for data delivery (if requesting access/portability)

APPENDIX A: DEFINITIONS AND GLOSSARY

Personal Information / Personal Data: Any information relating to an identified or identifiable individual.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

Data Controller: The entity that determines the purposes and means of processing personal data. For agency users, you are typically the controller of your lead data.

Data Processor: The entity that processes personal data on behalf of the controller. CloseBot typically acts as a processor for agency users.

Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing.

Legitimate Interest: A legal basis for processing where the controller has a legitimate reason that does not override individual rights.

Data Subject: An individual whose personal data is being processed.

Sensitive Personal Information: Categories of data requiring heightened protection (health, financial, biometric, precise geolocation, etc.).

Cross-Context Behavioral Advertising: Targeted advertising based on personal information from different businesses or services.

Anonymization: The process of removing or altering information so that individuals cannot be identified.

Aggregated Data: Combined data from multiple individuals that does not identify specific individuals.

APPENDIX B: LEGAL BASIS SUMMARY TABLE

Processing Activity	Legal Basis (GDPR)	Legal Basis (US)
Account creation and authentication	Contract Performance (Art. 6(1)(b))	Contractual Relationship
AI conversation processing	Contract Performance (Art. 6(1)(b))	Contractual Relationship
Payment processing	Contract Performance (Art. 6(1)(b))	Contractual Relationship
Platform analytics and improvement	Legitimate Interest (Art. 6(1)(f))	Legitimate Business Interest
Marketing communications	Consent (Art. 6(1)(a))	Consent
Targeted advertising	Consent (Art. 6(1)(a))	Consent
Fraud prevention and security	Legitimate Interest (Art. 6(1)(f))	Legitimate Business Interest
Legal compliance	Legal Obligation (Art. 6(1)(c))	Legal Obligation
Cookie and tracking technologies	Consent (Art. 6(1)(a)) for non-essential	Consent where required