GDPR Policy

Last Updated: July 1, 2026

Citobots is committed to complying with the EU General Data Protection Regulation (GDPR) and equivalent data protection laws, including India's Digital Personal Data Protection Act, 2023 (DPDP Act), for customers and end users located in jurisdictions where these laws apply.

1. Our Role

  • Data Controller: Citobots acts as a data controller for account and billing information relating to our business customers.
  • Data Processor: Citobots acts as a data processor for end-user (customer-of-our-customer) data submitted through chatbot conversations, processed on behalf of, and under the instructions of, the business that deploys the chatbot.

2. Legal Basis for Processing

  • Performance of a contract, to provide and maintain the Citobots service.
  • Legitimate interests, such as improving platform performance, security, and fraud prevention.
  • Consent, where required, such as for optional marketing communications or certain cookies.
  • Compliance with a legal obligation, where applicable.

3. Data Subject Rights

    Individuals whose personal data is processed by Citobots have the right to:

  • Access the personal data we hold about them.
  • Request correction of inaccurate or incomplete data.
  • Request erasure (“right to be forgotten”), subject to legal retention requirements.
  • Restrict or object to certain processing activities.
  • Request data portability in a structured, commonly used format.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with a supervisory data protection authority.

Requests relating to end-user data collected through a customer's chatbot should first be directed to that business, as the data controller for its own customers. Requests relating to Citobots account holders may be sent to [privacy@citobots.com].


4. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) or the customer's home jurisdiction, Citobots relies on appropriate safeguards, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms recognized under applicable law, and, where available, regional data residency options.


5. Sub-Processors

Citobots may engage trusted third-party sub-processors (such as cloud hosting, payment processing, and messaging platform providers) to support the service. A current list of sub-processors is available upon request. Sub-processors are bound by data protection obligations no less protective than those set out in this policy.


6. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Citobots will notify affected customers without undue delay, and in any event within the timeframe required by applicable law (for example, 72 hours under GDPR, where feasible).


7. Data Protection Officer / Contact

    For GDPR-related inquiries, please contact our Data Protection team at [privacy@citobots.com] or [Company Registered Address].