Privacy Policy

1. Introduction

Welcome to BerryDesk ("we," "our," or "us"). We are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI chatbot platform and services. By using BerryDesk, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect several types of information from and about users of our services:

2.1 Personal Information

• Account Information: Name, email address, company name, and password when you create an account
• Payment Information: Billing address, payment method details (processed securely through Stripe)
• Profile Information: Optional profile photo, job title, company information
• Contact Information: Email address, phone number (if provided)

2.2 Usage Data

• Conversation Logs: Messages exchanged between your AI agents and end users
• Training Data: Documents, web pages, text, and files you upload to train your AI agents
• Analytics Data: Usage metrics, feature interactions, session duration, pages viewed
• Device Information: IP address, browser type, operating system, device identifiers
• Log Data: Access times, error logs, API requests, system events

2.3 Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies to:

• Maintain your session and authentication state
• Remember your preferences and settings
• Analyze usage patterns and improve our services
• Provide personalized content and features
• Track conversions and marketing effectiveness

2.4 Third-Party Data

• OAuth Information: When you sign in with Google, Discord, or Slack, we receive your basic profile information
• Integration Data: Data from connected services like WhatsApp Business, Instagram, Google Drive, Notion
• Payment Data: Transaction information from Stripe (we do not store full credit card numbers)

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Service Delivery

• Create and manage your account and workspaces
• Process your AI agent configurations and training data
• Generate AI responses using third-party models (GPT-4, Claude, Gemini)
• Store and retrieve conversation logs and analytics
• Enable integrations with third-party platforms
• Process payments and manage subscriptions

3.2 Service Improvement

• Analyze usage patterns to improve features and user experience
• Develop new features and functionality
• Monitor and improve AI model performance and accuracy
• Optimize platform performance and reliability
• Conduct research and data analysis

3.3 Communication

• Send magic link authentication emails
• Send workspace invitations and notifications
• Provide customer support and respond to inquiries
• Send service updates, security alerts, and administrative messages
• Send marketing communications (with your consent, which can be withdrawn)

3.4 Security and Compliance

• Detect, prevent, and address fraud, abuse, and security issues
• Enforce our Terms of Service and acceptable use policies
• Comply with legal obligations and regulatory requirements
• Protect our rights, privacy, safety, and property

4. Data Sharing and Disclosure

We may share your information in the following circumstances:

4.1 Third-Party AI Providers

When you use our service, your conversation data and training data may be processed by third-party AI providers including OpenAI (GPT-4), Anthropic (Claude), and Google (Gemini). These providers process data according to their own privacy policies and terms of service. We do not allow these providers to use your data to train their general AI models without your explicit consent.

4.2 Service Providers

We share data with trusted service providers who assist us in operating our platform:

• Convex: Backend database, real-time sync, and file storage
• Cloudflare: CDN, edge computing, and DDoS protection
• Stripe: Payment processing and billing management
• AWS SES: Email delivery service
• Sentry: Error tracking and performance monitoring
• PostHog: Product analytics and feature flags
• Google Analytics: Web analytics and traffic analysis
• Firecrawl: Web scraping for training data collection

4.3 Workspace Members

Information within a workspace (agents, conversations, analytics, training data) is shared with all members of that workspace. Workspace owners and admins have access to all workspace data and can invite or remove members.

4.4 Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Valid legal process (subpoenas, court orders, warrants)
• Law enforcement requests
• National security requirements
• Requests to protect our rights, property, or safety
• Requests to protect the rights and safety of our users

4.5 Business Transfers

If BerryDesk is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our platform of any change in ownership or use of your personal information.

4.6 Aggregated Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This may include usage statistics, industry benchmarks, or research findings.

5. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: All data in transit is encrypted using TLS 1.3. Sensitive data at rest is encrypted using AES-256.
• Access Controls: Role-based access controls, multi-factor authentication, and least-privilege principles
• Authentication: Secure magic link authentication, OAuth 2.0, and session management
• Infrastructure Security: Cloudflare DDoS protection, Web Application Firewall (WAF), and rate limiting
• Monitoring: 24/7 security monitoring, intrusion detection, and incident response procedures
• Vendor Security: All third-party providers are vetted for security compliance (SOC 2, ISO 27001)

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

6. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

• Account Data: Retained while your account is active and for 90 days after deletion
• Conversation Logs: Retained according to your plan limits or until you delete them
• Training Data: Retained until you delete it or close your account
• Analytics Data: Aggregated analytics retained for up to 2 years
• Billing Records: Retained for 7 years for tax and accounting purposes
• Support Tickets: Retained for 3 years for customer service quality

You can request deletion of your data at any time by contacting us at privacy@berrydesk.com. Some data may be retained in backups for up to 30 days after deletion.

7. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

7.1 General Rights

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information (right to be forgotten)
• Portability: Request a machine-readable copy of your data
• Objection: Object to processing of your information for certain purposes
• Restriction: Request restriction of processing in certain circumstances

7.2 GDPR Rights (European Users)

If you are in the European Economic Area (EEA), you have additional rights under GDPR:

• Right to withdraw consent at any time
• Right to lodge a complaint with a supervisory authority
• Right to know the legal basis for data processing
• Right to know about automated decision-making and profiling

7.3 CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your CCPA rights

To exercise any of these rights, please contact us at privacy@berrydesk.com. We will respond to your request within 30 days.

8. Cookies and Tracking

We use the following types of cookies and tracking technologies:

8.1 Essential Cookies

Required for authentication, security, and basic functionality. These cannot be disabled.

8.2 Analytics Cookies

Used by PostHog, Google Analytics, and Sentry to understand how users interact with our platform.

8.3 Preference Cookies

Remember your settings, language preferences, and UI customizations.

You can control cookies through your browser settings. However, disabling certain cookies may limit functionality.

9. International Data Transfers

BerryDesk is operated in the United States. If you are accessing our services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from your country.

We use appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA.

10. Children's Privacy

BerryDesk is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information as soon as possible. If you believe we have collected information from a child, please contact us at privacy@berrydesk.com.

11. AI and Automated Decision-Making

BerryDesk uses AI models to power conversational agents. These AI systems process your training data and user conversations to generate responses. We want to be transparent about how AI affects your data:

• AI models process conversation data in real-time to generate responses
• Your training data is used to create embeddings (vector representations) for semantic search
• We do not use your data to train third-party AI models unless you explicitly opt in
• AI responses are not reviewed by humans unless you explicitly request support
• You maintain full control over your AI agent's behavior through configuration settings

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other reasons. We will notify you of any material changes by:

• Posting the updated policy on this page with a new "Last updated" date
• Sending an email notification to your registered email address
• Displaying a prominent notice on our platform

Your continued use of BerryDesk after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you must stop using our services.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Privacy Team: privacy@berrydesk.com
• Data Protection Officer: dpo@berrydesk.com
• General Support: hello@berrydesk.com
• Website: www.berrydesk.com

For GDPR-related requests, please include "GDPR Request" in your email subject line. For CCPA-related requests, please include "CCPA Request" in your email subject line.