GDPR Compliance
Last updated: June 1, 2026
MotherBot is committed to complying with the EU General Data Protection Regulation (GDPR) (EU) 2016/679 and the UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018). This page explains how we meet our GDPR obligations.
Data Controller
MotherBot Inc. acts as the Data Controller for personal data collected through our website and marketing activities.
For personal data processed through the MotherBot platform on behalf of our customers (e.g. their contacts' WhatsApp messages), MotherBot acts as a Data Processor and our customers act as the Data Controller. Our Data Processing Agreement (DPA) governs this relationship.
Controller: MotherBot
Address: Baner Business Bay, Baner, Pune Maharashtra 411045
DPO Email: hello@motherbot.io
EU Representative: Baner, Pune, Maharashtra (contact: hello@motherbot.io)
Legal Bases for Processing
We process personal data under the following legal bases (Article 6 GDPR):
What Personal Data We Collect
- Account data — name, email address, password (hashed), organization name.
- Billing data — payment method details (tokenised via Stripe — we never store card numbers), billing address, invoices.
- Usage data — features used, actions taken, timestamps, API requests.
- Communication data — messages you send to our support team.
- Technical data — IP address, browser type, device identifiers, cookies (see Cookie Policy).
- WhatsApp contact data — phone numbers and message content processed on behalf of our customers (as Data Processor).
Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion request |
| Billing records | 7 years (legal / tax obligation) |
| Message logs | 90 days (configurable per plan) |
| Analytics data | 26 months (aggregated, anonymised) |
| Support communications | 3 years |
| Audit logs | 12 months |
Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
Right of Access (Article 15)
You have the right to request a copy of all personal data we hold about you, and information about how we process it.
→ Submit a Subject Access Request via our Contact page.
Right to Rectification (Article 16)
If the data we hold about you is inaccurate or incomplete, you have the right to request we correct it.
→ Update your details in account Settings or contact support.
Right to Erasure / 'Right to be Forgotten' (Article 17)
You can request that we delete your personal data where there is no compelling reason for us to continue processing it.
→ Request account deletion via our Contact page.
Right to Restrict Processing (Article 18)
You can ask us to restrict how we process your data in certain circumstances, for example if you contest its accuracy.
→ Contact our DPO at hello@motherbot.io.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, machine-readable format and to transfer it to another controller.
→ Export your data from Settings → Data Export, or contact support.
Right to Object (Article 21)
You can object to us processing your data for direct marketing purposes, or where we rely on legitimate interests as our legal basis.
→ Unsubscribe from marketing emails or contact hello@motherbot.io.
Rights re: Automated Decision-Making (Article 22)
You have the right not to be subject to decisions made solely by automated processing that produce significant effects on you.
→ MotherBot does not use solely automated decision-making for consequential decisions.
We will respond to all rights requests within 30 days. In complex cases we may extend this by a further two months — we'll inform you if this is the case. We may need to verify your identity before processing the request.
Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction, including:
- AES-256 encryption at rest and TLS 1.3 in transit
- SOC 2 Type II certified infrastructure (AWS)
- Role-based access controls — staff access to production data is need-to-know only
- Automated security scanning and dependency audits
- Regular penetration testing by independent third parties
- Incident response plan with 72-hour breach notification to supervisory authorities
Lodging a Complaint
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority:
- EU/EEA: Your national Data Protection Authority (list at edpb.europa.eu)
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- Ireland (EU Representative jurisdiction): Data Protection Commission — dataprotection.ie
We encourage you to contact us first at hello@motherbot.io so we have the opportunity to resolve your concern.