Privacy Policy

Last Updated: December 12, 2025

1. Introduction

Welcome to Botlist ("we", "our", or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our bot traffic detection and management service.

We are committed to protecting your privacy and complying with applicable data protection laws, including:

  • GDPR (General Data Protection Regulation) - European Union
  • CCPA (California Consumer Privacy Act) - California, United States
  • LGPD (Lei Geral de Proteção de Dados) - Brazil
  • Other applicable privacy laws in jurisdictions where we operate

By using Botlist, you consent to the data practices described in this Privacy Policy. If you do not agree, please discontinue use of our service.

2. Information We Collect

2.1 Information You Provide Directly

When you register and use Botlist, we collect:

  • Account Information: Email address, password (stored only as a bcrypt hash, see Section 6.1), organization name
  • Profile Information: User role (admin/user), account preferences
  • Domain Information: Website domains you wish to monitor for bot traffic
  • Integration Credentials: OAuth tokens for Google Ads, Facebook Ads, TikTok Ads (stored securely)
  • Payment Information: Billing details processed by third-party payment processors (we do not store full credit card numbers)
  • Communication Data: Messages sent to our support team, feedback submissions

2.2 Information Collected Automatically

When you use our service, we automatically collect:

  • Cloudflare Log Data: IP addresses, bot scores (0-100), geolocation data, user agents, HTTP request metadata, request timestamps, gclid parameters (Google Click IDs)
  • Service Usage Data: Pages viewed, features used, report generation history, API calls made
  • Device Information: Browser type, operating system, screen resolution, language preferences
  • Analytics Data: Session duration, click patterns, navigation paths, error logs

2.3 Information from Third-Party Platforms

When you connect advertising accounts, we receive:

  • Google Ads Data: Account IDs, campaign names, customer IDs, suppressed IP lists, campaign performance metrics
  • Facebook Ads Data: Ad account IDs, pixel IDs, custom audience data, campaign information, page information
  • TikTok Ads Data: Advertiser IDs, campaign data, custom audience information

This data is accessed via OAuth 2.0 authorization and is subject to the privacy policies of the respective platforms.

2.4 Sensitive Personal Information

We do NOT intentionally collect:

  • Social Security Numbers or government-issued ID numbers
  • Financial account credentials (beyond what payment processors handle)
  • Health or medical information
  • Biometric data
  • Information about children under 13 years of age

If we inadvertently receive such data, we will delete it promptly upon discovery.

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Service Provision

  • Analyze Cloudflare log data to identify bot traffic patterns
  • Generate IP reports and bot behavior analytics
  • Automatically suppress suspicious IP addresses in connected advertising campaigns
  • Manage OAuth connections to Google Ads, Facebook Ads, and TikTok Ads
  • Sync campaign data and IP exclusion lists with advertising platforms

3.2 Service Improvement

  • Improve bot detection algorithms and accuracy
  • Develop new features and functionality
  • Conduct research and analysis on bot traffic trends
  • Optimize service performance and user experience

3.3 Communication

  • Send service-related notifications (bot alerts, report summaries, system updates)
  • Respond to support requests and customer inquiries
  • Send billing and payment confirmations
  • Notify you of Terms of Service or Privacy Policy changes
  • Send optional marketing communications (with your consent, opt-out available)

3.4 Security and Compliance

  • Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations and law enforcement requests
  • Enforce our Terms of Service and protect user rights
  • Conduct audits and quality assurance testing

3.5 Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process personal data under the following legal bases:

  • Contractual Necessity: Processing required to provide the service you requested
  • Legitimate Interests: Improving service quality, preventing fraud, ensuring security
  • Consent: Marketing communications, optional features (consent can be withdrawn at any time)
  • Legal Obligation: Compliance with applicable laws and regulations

4. How We Share Your Information

We do NOT sell your personal information to third parties. We may share your information in the following limited circumstances:

4.1 Advertising Platforms (Service Provision)

We share data with advertising platforms you've connected:

  • Google Ads: IP addresses for exclusion lists, campaign IDs for targeting
  • Facebook Ads: Hashed contact information for custom audiences, IP data for exclusions
  • TikTok Ads: Hashed contact information for custom audiences, IP data for exclusions

This sharing is necessary to provide bot suppression services and is governed by each platform's privacy policy and terms.

4.2 Service Providers

We work with third-party service providers who process data on our behalf:

  • Cloud Hosting: AWS, Heroku (infrastructure and data storage)
  • Database Services: PostgreSQL hosting providers
  • Payment Processors: Stripe, PayPal (billing and payment processing)
  • Email Services: SendGrid, Mailgun (transactional emails, notifications)
  • Analytics Tools: Google Analytics, Mixpanel (service usage analytics)

All service providers are contractually obligated to protect your data and use it only for the services they provide to us.

4.3 Legal Requirements

We may disclose your information if required by law or in response to:

  • Subpoenas, court orders, or legal processes
  • Law enforcement or government agency requests
  • Protection of our rights, property, or safety
  • Prevention of fraud or security threats
  • Compliance with regulatory obligations

4.4 Business Transfers

If Botlist is involved in a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website of any such change in ownership or control of your personal information.

4.5 With Your Consent

We may share your information with other third parties when you explicitly consent to such sharing.

5. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

  • Account Data: Retained while your account is active, deleted 90 days after account termination (unless legally required to retain)
  • Cloudflare Log Entries: Retained for up to 365 days for analytics and reporting purposes, then automatically deleted
  • Generated Reports: Retained for 365 days, then archived or deleted based on your preferences
  • Suppressed IP Records: Retained while the IP address remains suppressed in campaigns, plus 90 days for audit purposes
  • Billing Records: Retained for 7 years to comply with tax and financial regulations
  • Communication Logs: Support tickets retained for 2 years for quality assurance purposes

You may request earlier deletion of your data by contacting us at privacy@botlist.io, subject to legal and contractual retention requirements.

6. Data Security

We implement industry-standard security measures to protect your information:

6.1 Technical Safeguards

  • Encryption in Transit: All data transmitted via HTTPS/TLS 1.3
  • Encryption at Rest: Database encryption for sensitive data
  • Password Security: Bcrypt hashing with salt for user passwords
  • OAuth Token Security: Secure storage of refresh tokens, automatic token rotation
  • Data Hashing: Contact information hashed (SHA-256) before transmission to advertising platforms

6.2 Organizational Safeguards

  • Access Controls: Role-based access controls (admin/user roles), principle of least privilege
  • Employee Training: Regular security and privacy training for all staff
  • Data Processing Agreements: Contracts with all third-party processors ensuring GDPR/CCPA compliance
  • Incident Response: Security breach notification procedures (within 72 hours as required by GDPR)
  • Regular Audits: Quarterly security audits and penetration testing

6.3 Data Breach Notification

In the event of a data breach affecting your personal information, we will:

  • Notify affected users via email within 72 hours of discovery
  • Describe the nature of the breach and data affected
  • Provide steps you can take to protect yourself
  • Notify relevant data protection authorities as required by law

7. Your Privacy Rights

7.1 Rights for All Users

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information (subject to legal retention requirements)
  • Data Portability: Request export of your data in a machine-readable format (JSON/CSV)
  • Opt-Out: Unsubscribe from marketing communications (opt-out link in every email)

7.2 Additional Rights for GDPR Users (EEA/UK)

  • Right to Restrict Processing: Request limitation of how we process your data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time (does not affect prior processing)
  • Right to Lodge a Complaint: File a complaint with your local data protection authority
  • Automated Decision-Making: Request human review of automated decisions (bot detection scoring)

7.3 Additional Rights for CCPA Users (California)

  • Right to Know: Request disclosure of categories and specific pieces of personal information collected
  • Right to Delete: Request deletion of personal information (with exceptions for legal compliance)
  • Right to Opt-Out of Sale: We do NOT sell personal information, so this right does not apply
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

7.4 How to Exercise Your Rights

To exercise any of these rights, contact us at:

  • Email: privacy@botlist.io
  • Account Settings: Manage data preferences in your account dashboard
  • Support Ticket: Submit a request via our support portal

We will respond to your request within:

  • GDPR: 30 days (may be extended to 60 days for complex requests)
  • CCPA: 45 days (may be extended to 90 days with notification)

We may ask for verification of your identity before processing requests to protect your privacy.

8. International Data Transfers

Botlist is based in the United States. If you access our service from outside the U.S., your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

8.1 EEA/UK Data Transfers

For users in the European Economic Area (EEA) or United Kingdom, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer agreements with service providers
  • Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate protection
  • Data Processing Agreements: GDPR-compliant contracts with all third-party processors

8.2 Data Transfer Safeguards

When transferring data internationally, we ensure:

  • Encryption during transmission (TLS 1.3)
  • Encryption at rest in destination systems
  • Contractual obligations for recipient organizations to protect data
  • Your rights remain enforceable regardless of where data is processed

9. Cookies and Tracking Technologies

9.1 Types of Cookies We Use

  • Essential Cookies: Required for authentication, session management, and core functionality (cannot be disabled)
  • Performance Cookies: Collect anonymous usage statistics to improve service performance
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Google Analytics, Mixpanel for aggregated usage analytics (can be opted out)

9.2 Advertising Platform Pixels

When you enable integrations, we may install tracking pixels on your monitored websites:

  • Facebook Pixel: Tracks website visitors for custom audience creation and bot detection
  • TikTok Pixel: Similar functionality for TikTok Ads integration
  • Google Ads Conversion Tracking: Tracks ad click conversions

Important: You are responsible for obtaining proper user consent before enabling pixel tracking, as required by GDPR, CCPA, and other privacy laws. You must disclose pixel usage in your own website's privacy policy.

9.3 Managing Cookies

You can control cookies through:

  • Browser settings (most browsers allow blocking third-party cookies)
  • Opt-out tools: Google Analytics Opt-Out
  • Cookie consent management platforms (if you implement one on your website)

Note: Disabling essential cookies may impair service functionality (e.g., inability to stay logged in).

10. Third-Party Links and Services

Our service may contain links to third-party websites, products, or services:

  • Google Ads platform
  • Facebook/Meta Business Suite
  • TikTok Ads Manager
  • Documentation and help resources

We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

When you authorize OAuth connections to advertising platforms, you are also agreeing to their privacy policies:

  • Google Privacy Policy
  • Meta Privacy Policy
  • TikTok Privacy Policy

11. Children's Privacy

Botlist is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA).

If we discover that we have inadvertently collected information from a child under the applicable age, we will:

  • Delete the information immediately
  • Terminate the associated account
  • Notify the account holder (if contact information is available)

If you believe we have collected information from a child, please contact us immediately at privacy@botlist.io.

12. California "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for direct marketing purposes.

Notice: We do NOT share personal information with third parties for their direct marketing purposes. Therefore, this law does not apply to Botlist users.

13. Nevada Privacy Rights

Nevada residents have the right to opt-out of the sale of their personal information.

Notice: We do NOT sell personal information as defined under Nevada law. If our practices change in the future, we will update this Privacy Policy and provide Nevada residents with the required opt-out mechanism.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service functionality.

When we make material changes, we will notify you by:

  • Email notification to your registered email address (at least 30 days before changes take effect)
  • Prominent notice on our website and in the application
  • Updating the "Last Updated" date at the top of this policy

Your continued use of Botlist after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you must discontinue use and may request deletion of your account and data.

We maintain an archive of previous Privacy Policy versions. Contact us at privacy@botlist.io to request access to historical versions.

15. Contact Information and Data Protection Officer

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@botlist.io
Support: support@botlist.io
Data Protection Officer: dpo@botlist.io
Mailing Address: Botlist, Inc., [Address to be added], United States

15.1 EU Representative (GDPR Article 27)

For users in the European Economic Area, our EU representative for GDPR matters is:

[EU Representative contact information to be added if required based on business operations]

15.2 Data Protection Authority

If you are located in the EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority:

  • EU Data Protection Authorities
  • UK: Information Commissioner's Office (ICO)

16. Advertising Platform-Specific Privacy Practices

16.1 Google Ads Data Usage

Botlist's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only access Google Ads data necessary to provide bot suppression services
  • We do NOT transfer Google user data to third parties (except as required for service provision)
  • We do NOT use Google data for advertising or marketing purposes
  • We do NOT allow humans to read Google user data unless:
    • You explicitly consent
    • It's necessary for security purposes (e.g., investigating abuse)
    • Required to comply with applicable law
  • Google Ads data is encrypted in transit and at rest

16.2 Facebook/Meta Ads Data Usage

When you connect your Facebook/Meta Ads account:

  • We access only the permissions necessary for bot suppression (custom audiences, campaign management)
  • Contact information (emails, phone numbers) is hashed (SHA-256) before transmission to Meta
  • We comply with Meta's Data Policy and Platform Terms
  • You are responsible for obtaining proper user consent before we create custom audiences on your behalf
  • Custom audiences are used solely for exclusion targeting (not for ad delivery or remarketing)

16.3 TikTok Ads Data Usage

When you connect your TikTok Ads account:

  • We comply with TikTok's Business Products (Data) Terms
  • Contact details are hashed before transmission to protect privacy
  • You must provide clear notice to users regarding data collection via Device Data Collection Tools (DDCTs)
  • We act as a data processor; you remain the data controller responsible for lawful data collection
  • TikTok data is used only for bot exclusion purposes, not for other advertising or analytics

17. Data Processing Agreement (DPA)

For customers subject to GDPR, CCPA, or other data protection regulations, we offer a Data Processing Agreement (DPA) that formalizes our role as a data processor.

The DPA includes:

  • Data processing scope and instructions
  • Security measures and breach notification procedures
  • Sub-processor list and approval process
  • Data subject rights assistance obligations
  • Data deletion and return procedures upon termination
  • Standard Contractual Clauses for international transfers (if applicable)

To request a signed DPA, contact us at legal@botlist.io.

18. Consent Management for Website Tracking

Important Notice for Website Owners:

If you enable Facebook Pixel, TikTok Pixel, or other tracking technologies on your monitored websites via Botlist, YOU are responsible for:

  • Implementing a GDPR/CCPA-compliant cookie consent banner
  • Obtaining explicit user consent before loading tracking pixels (where required by law)
  • Providing clear privacy disclosures about what data is collected and how it's used
  • Honoring user opt-out requests and "Do Not Track" signals
  • Updating your own website's privacy policy to reflect tracking pixel usage

Recommended consent management platforms:

  • Cookiebot
  • OneTrust
  • CookiePro
  • Iubenda

Botlist is not liable for your failure to obtain proper user consent for tracking technologies deployed on your websites.

© 2026 Botlist. All rights reserved.