Privacy Policy
Last updated: February 25, 2026
1. Introduction & Scope
Welcome to Conxbot. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our multi-tenant SaaS platform for contact communication via AI-powered email generation.
Company: Conxbot
Service Description: Multi-tenant SaaS platform for contact communication through AI-powered email generation, campaign tracking, and Gmail integration.
Contact: privacy@conxbot.com
By using Conxbot, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Information We Collect
2.1 Account Information
- Full name and company name
- Business email address (required for registration)
- Organization domain
2.2 Authentication Data
- Login credentials managed via Supabase Auth (passwords are hashed and never stored in plain text)
- OAuth tokens for Gmail integration (see Section 3 for details)
2.3 Gmail API Data
- Email content (messages you send through our platform)
- Email metadata (sender, recipient, subject, timestamp)
- Email replies to campaigns you send
- Email organization data (labels, folders)
2.4 Contact Data
- Contact names, email addresses, phone numbers
- Custom fields and tags you create
- Lead sources and notes
- Communication history and engagement metrics
2.5 Usage Data
- Feature usage patterns
- Campaign performance metrics (open rates, reply rates)
- Contact interaction history
2.6 Technical Data
- IP addresses
- Browser type and version
- Device information
- Access timestamps
3. Gmail API Data Usage - Limited Use Requirements
Conxbot accesses your Gmail account only with your explicit consent through Google's OAuth 2.0 authorization. We request the following Gmail API scopes:
- gmail.readonly: To monitor replies to your email campaigns and track contact engagement
- gmail.send: To send emails on your behalf through our platform directly from your Gmail account
- gmail.modify: To organize emails by applying labels, archiving messages, and managing folders based on campaign tracking
- userinfo.email: To identify which Gmail account is connected for multi-tenant credential management
LIMITED USE REQUIREMENTS COMPLIANCE
Conxbot's use and transfer of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We will NOT use Gmail data for AI model training or evaluation
- We will NOT use Gmail data for advertising purposes
- We will NOT sell or share Gmail data with third parties
- Gmail data is used ONLY for the core functionality you authorize: sending campaign emails, tracking replies, and organizing messages
- You can revoke access at any time through your Google Account settings at myaccount.google.com/permissions
4. How We Use Your Information
4.1 Service Delivery
- Email campaign management and generation
- Reply tracking and engagement monitoring
- Contact profile management
- Campaign analytics and reporting
4.2 Account Administration
- Authentication and access control
- Billing and subscription management
- Customer support
- Account recovery
4.3 Product Improvement
- Usage analytics (anonymized and aggregated)
- Feature optimization
- Bug detection and fixing
4.4 Legal Compliance
- Legal obligations
- Fraud prevention
- Security monitoring
5. Third-Party Data Sharing
We do not sell your personal information to third parties.
We share data only with the following service providers necessary for platform operation:
5.1 Infrastructure Partners
- Docker Containers: Self-hosted infrastructure for data processing
- Supabase: PostgreSQL database hosting and authentication
- nginx: Reverse proxy for secure routing
5.2 Email Services
- Gmail API: Email sending and receiving (authorized by you via OAuth)
5.3 Payment Processing
- Stripe: Payment processing for Pro and Enterprise plans (we do not store credit card details)
6. Data Retention & Deletion
- Account Data: Retained while your account is active
- Gmail OAuth Tokens: Stored encrypted in PostgreSQL, revocable anytime via Google Account settings
- Tenant Data: Deleted within 30 days of account termination
- Backup Retention: Up to 90 days for disaster recovery purposes
- Email Content: We do not permanently store copies of your Gmail messages; only metadata for reply tracking is retained
7. Security Measures
We implement industry-standard security measures to protect your data:
- Encryption at Rest: AES-256 encryption for sensitive settings including Gmail OAuth tokens
- Encryption in Transit: HTTPS/TLS 1.2+ for all communications
- Per-Tenant Data Isolation: PostgreSQL schemas prevent cross-tenant data access
- OAuth Token Security: Refresh tokens encrypted, never logged or exposed in URLs
- Access Controls: Role-based permissions (owner, admin, member)
- Password Security: Bcrypt hashing via Supabase Auth
- Security Monitoring: Automated logging and anomaly detection
8. Your Rights (GDPR & CCPA Compliance)
You have the following rights regarding your personal data:
- Right to Access: Request a copy of all personal data we hold about you
- Right to Deletion: Request deletion of your account and all associated data
- Right to Correction: Update or correct your account information
- Right to Portability: Export your data in machine-readable format (JSON/CSV)
- Right to Opt-Out: Unsubscribe from marketing emails (service emails are required for account operation)
- Right to Revoke Gmail Access: Disconnect Gmail integration at any time via Settings or Google Account
To exercise these rights, contact: privacy@conxbot.com
We will respond to your request within 30 days.
9. Cookies & Tracking
9.1 Essential Cookies
- Authentication tokens (localStorage)
- Session management
- CSRF protection
9.2 Third-Party Cookies
- Google OAuth (for Gmail authentication)
- Stripe (for payment processing)
You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features.
10. International Data Transfers
Data Processing Location: United States
Our servers are hosted in the United States. By using Conxbot, you consent to the transfer and processing of your data in the United States. We ensure appropriate safeguards are in place to protect your data in accordance with applicable data protection laws.
11. Children's Privacy (COPPA Compliance)
Conxbot is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@conxbot.com, and we will delete such information promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Sending an email to your registered email address
- Posting a notice on our platform
- Updating the "Last updated" date at the top of this policy
Continued use of Conxbot after changes indicates acceptance of the updated Privacy Policy.
13. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or our data practices:
Privacy Inquiries: privacy@conxbot.com
General Support: support@conxbot.com
Data Protection Officer: Available upon request via privacy@conxbot.com
We are committed to protecting your privacy and will respond to all legitimate requests within 30 days.