Overview
EsyBot ("we", "us", "our") is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and the choices you have about it.
By using EsyBot's platform, dashboard, or website, you agree to the practices described here. If you don't agree, please don't use our services.
Data we collect
We collect information in two ways: information you provide directly, and information collected automatically.
Information you provide:
- Account information: name, email address, password (hashed - never stored in plain text)
- Business information: company name, billing details
- Process configuration: Google Drive folder IDs, OneDrive paths, bot configuration, vault credentials
- Communications: messages sent via the contact form
Information collected automatically:
- Usage data: which features you use, bot run logs, error messages
- Technical data: IP address, browser type, operating system (for security purposes)
- Session tokens: encrypted JWT tokens stored in your browser session
Note on Drive credentials: When you provide a Google or Microsoft service account JSON, it is encrypted with AES-256 at rest using a Fernet key. We never read your files - we only detect new file arrivals in the configured folders.
How we use your data
- To operate and improve the EsyBot platform
- To authenticate your identity and protect your account
- To monitor configured Drive/OneDrive folders and trigger bot runs
- To generate billing summaries and usage reports
- To send transactional emails (e.g. OTP codes, billing notifications)
- To comply with legal obligations
We do not sell your data to third parties, use it for advertising, or share it beyond what's necessary to deliver the service.
Third-party services
EsyBot integrates with the following third-party services. Your use of those features is also subject to their respective privacy policies:
- Google Drive API - Used to monitor folders for new files. We request read-only access and only access the folders you explicitly configure. See the Google Privacy Policy.
- Microsoft OneDrive API - Same scope as Google Drive, read-only, configured folders only. See the Microsoft Privacy Statement.
- UiPath - Bot execution requests are sent to UiPath Orchestrator on your behalf using credentials stored in the vault. We don't store UiPath credentials beyond your encrypted vault entry.
- Resend (email) - Used to send transactional emails such as OTP verification codes. Only your email address is shared with Resend for delivery purposes.
Security
We take security seriously:
- All passwords are hashed using bcrypt before storage
- Sensitive credentials in the vault are encrypted at rest with AES-256 (Fernet)
- API communication is protected by JWT tokens with configurable expiry
- The server applies rate limiting and audit logging on sensitive actions
- Two-factor authentication (OTP via email) is available for all accounts
Despite our precautions, no system is 100% secure. If you discover a vulnerability, please contact us at security@esybot.com before disclosing it publicly.
Your rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Ask us to correct inaccurate data
- Deletion: Request deletion of your account and associated data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to certain types of processing
To exercise any of these rights, contact us at privacy@esybot.com. We'll respond within 30 days.
Data retention
We retain your data for as long as your account is active or as needed to provide the service. Specifically:
- Run logs and audit trails: 12 months rolling
- Billing records: 7 years (legal requirement in Costa Rica)
- Account data: until account deletion is requested
- After deletion, data may persist in backups for up to 90 days
Policy changes
We may update this policy from time to time. When we do, we'll revise the "Last updated" date at the top and, for material changes, notify active users by email. Continued use of EsyBot after changes constitutes acceptance.
Contact us
Questions about this policy? Reach us at:
- Email: privacy@esybot.com
- Contact form: esybot.com/contact
- Company: EsyBot - San José, Costa Rica