Privacy Policy

TL;DR, what BotWave does and does not do with your data

BotWave is a no-code platform for running WhatsApp and Telegram bots. We do not store message content, we do not read your private DMs, we do not sell your data to advertisers, and we do not embed third-party trackers or ad networks. Your WhatsApp session runs from your own device IP via the Baileys library, which significantly reduces ban risk.

We only store the minimum data needed to keep your bot connected and your account secure: your email, hashed session credentials, plan/billing info, and aggregate usage counts (e.g. messages sent this month). Everything else, including the content of group messages your bot sees, is processed in memory and discarded after the command is handled.

What BotWave can access

• Messages in groups where the bot is active, needed to detect commands and apply moderation rules you configured.
• Your WhatsApp / Telegram session token, needed to maintain the connection from your device.
• Your email address and authentication info, for login, password reset, and billing.
• Your dashboard configuration, bot settings, welcome messages, anti-spam rules, custom commands.

What BotWave cannot do

• Read your private 1:1 messages or DMs (the bot only sees messages in chats where it is added).
• Access your WhatsApp or Telegram contacts list.
• Send messages from your number without your bot being explicitly active.
• Access your phone storage, camera, microphone, or device data.
• Share your session with other users or impersonate you elsewhere.
• Read messages in chats where the bot is not added.

How messages are processed

When a message hits a chat where your bot is active, BotWave processes it in memory only. The flow is:

• 1. Message arrives via Baileys (WhatsApp) or grammY / GramJS (Telegram).
• 2. The bot checks whether it starts with a configured command prefix (! for WhatsApp, / for Telegram bots, . for userbots).
• 3. If it is not a command, the bot ignores it. No content is logged, stored, or analysed.
• 4. If it is a command, the bot executes it (e.g. converts an image to a sticker) and replies.
• 5. After replying, the message data is dropped from memory. Only an aggregate counter, "you used 1 command", is incremented in Supabase.

Data retention windows

We keep data only as long as we need it to provide the service. Specific retention windows:

Session security

• Session credentials are stored in Supabase with Postgres row-level security (RLS), only your authenticated account can read your session row.
• All API and websocket traffic uses TLS encryption.
• No plain-text secrets are stored; tokens are encrypted at rest using AES-256 with keys rotated per deployment.
• Your QR / pairing session runs from your own device IP, not from BotWave servers, which reduces both ban risk and exposure.
• Bot containers are isolated per platform (WhatsApp vs Telegram) so a compromise of one cannot affect the other.
• Admin access to the platform is protected by 2FA and IP allowlists.

What we store about you

• Your email address (used for login, password reset, and account notices).
• A hashed password (bcrypt), we never store plaintext passwords.
• Your plan and billing info (handled by our payment processor; we only store the subscription state and last-4 of the payment method).
• Session connection status (active / disconnected / banned) and the timestamp of the last successful connection.
• Bot configuration (welcome messages, anti-spam thresholds, custom commands, command toggles).
• Aggregate usage counts (messages sent this month, AI queries this day) for plan-limit enforcement.
• Coarse-grained referrer (e.g. "google" / "twitter") if provided at signup, used for analytics rollups only.

What we never store

• Message content or chat history from any chat (private, group, or otherwise).
• Contact lists or phone numbers of group members (only your own session JID is stored).
• Media files (images, videos, stickers, voice notes, documents).
• Location data.
• Browsing history, advertising IDs, or device fingerprints.
• Banking, card, or payment instrument details (handled entirely by the payment processor).

Cookies and tracking

We use only the cookies strictly required to run the service. There are no advertising cookies, no third-party trackers, and no cross-site tracking pixels.

• Auth cookies (sb-*-auth-token, set by Supabase), keep you logged in. Strictly necessary.
• Theme preference (botwave-theme), remembers dark/light mode. First-party only.
• Language preference (botwave-lang), remembers your selected language. First-party only.
• CSRF tokens, short-lived, used to prevent cross-site request forgery on dashboard actions.
• No Google Analytics, no Facebook Pixel, no Hotjar, no third-party advertising network.

Third-party services we rely on

BotWave is built on a small set of infrastructure providers. Each has its own privacy policy; we only share with them the data strictly required for them to do their job.

• Supabase (database + auth), stores your account, session credentials, and bot config.
• Groq (default AI provider for !ai), receives AI prompts only when you explicitly invoke an AI command.
• Google Gemini (fallback AI provider, opt-in), same as above, only on explicit !ai invocation.
• Resend / Nodemailer (transactional email), sends password resets and billing notices to your email.
• Cloudflare (CDN, DDoS protection), sits in front of www.botwave.online; sees request headers but no payloads.
• Contabo (VPS hosting), physical infrastructure for the application servers and bot containers.
• GitHub Container Registry (Docker image hosting), we publish build images here for deployment.

AI providers and your prompts

When you use the !ai command, your prompt is sent to a third-party AI provider (Groq by default, Google Gemini as opt-in fallback). BotWave does not retain a copy of the prompt or response, but the AI provider may retain prompts for short periods to detect abuse, per their own policies.

If you do not want any data sent to AI providers, you can disable the !ai command for your sessions from the dashboard.

Your rights (GDPR, UK GDPR, CCPA)

Regardless of where you live, you have the following rights over your BotWave data:

• Right to access, request a copy of all personal data we hold about you.
• Right to rectification, correct any inaccurate personal data.
• Right to erasure, delete your account and all associated personal data. Trigger this yourself from Dashboard → Settings → Delete account, or email support.
• Right to data portability, export your bot configuration and account metadata in machine-readable JSON.
• Right to object, opt out of any specific processing activity.
• Right to restrict processing, temporarily pause processing while a dispute is resolved.
• Right to withdraw consent, revoke previously granted consents.
• Right to lodge a complaint with a supervisory authority (e.g. your country's data protection regulator).

Children

BotWave is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has signed up for an account, please email support and we will delete the account immediately.

International data transfers

BotWave's primary infrastructure is hosted in the European Union (Contabo, Germany). Backups and some auxiliary services (e.g. Supabase, Cloudflare) may store data in the United States or other jurisdictions. Where personal data leaves the EEA / UK / Nigeria, we rely on Standard Contractual Clauses or the relevant provider's adequacy framework as the transfer mechanism.

Security breach notification

If we ever detect a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users by email without undue delay.

Changes to this policy

We may update this policy from time to time as the service evolves. When we make material changes, e.g. adding a new third-party processor, changing how AI prompts are handled, or changing retention windows, we will update the "Last reviewed" date at the top of this page and, where the change materially affects you, notify you by email or in-dashboard banner before the change takes effect.

How to contact us about privacy

For any privacy-related question, request, or complaint, email support@botwave.online with the subject line "Privacy". We aim to respond to all privacy requests within 7 days, and to fulfil access / erasure requests within 30 days as required by GDPR.