Privacy Policy
Last updated: March 15, 2026
This Privacy Policy describes how Kosmo Labs VCC ("we", "us", or "the Company"), a variable-capital company registered in Bulgaria (UIC 208421213, VAT BG208421213), collects, uses, and protects your personal data when you use the Botyard platform ("the Service") available at botyard.sh.
We are committed to protecting your privacy in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and applicable Bulgarian data protection legislation.
1. Data Controller
| Company | Kosmo Labs VCC (Космо Лабс) |
| UIC | 208421213 |
| Address | ul. Marin Drinov 7, 4017 Plovdiv, Bulgaria |
| Email | privacy@botyard.sh |
2. What Data We Collect
2.1 Account Data
- Email address — used for authentication (magic-link sign-in), account identification, and transactional communications.
- Display name — optionally provided by you for personalisation.
2.2 Billing Data
Payment processing is handled entirely by Stripe, Inc. We do not store your credit card number or full payment details on our servers. We receive and store:
- Stripe Customer ID
- Subscription IDs and plan details
- Billing address and tax ID (collected by Stripe during checkout)
- Invoice and payment status
2.3 Bot Configuration Data
- Bot names, template selections, and deployment settings.
- Third-party API keys and tokens you provide to power your bots (e.g., LLM provider keys, Slack/Discord/Telegram tokens). These are stored encrypted on our infrastructure and are never shared with other users.
- Secrets audit logs (action type, key prefix, timestamp) for your security.
2.4 Technical Data
- IP address, browser type, and operating system (collected automatically via server logs).
- Bot deployment status, port assignments, and container metadata.
2.5 Data We Do Not Collect
We do not use cookies for tracking or advertising. We do not embed third-party analytics services (such as Google Analytics) in the Botyard frontend. We do not sell, rent, or trade your personal data.
3. How We Use Your Data
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide and operate the Service | Performance of contract (Art. 6(1)(b)) |
| Process payments and manage subscriptions | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails (magic links, billing receipts) | Performance of contract (Art. 6(1)(b)) |
| Prevent fraud and ensure security | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal and tax obligations | Legal obligation (Art. 6(1)(c)) |
| Improve the Service | Legitimate interest (Art. 6(1)(f)) |
4. Third-Party Service Providers
We share data only with processors necessary to operate the Service:
| Provider | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing, subscriptions, invoicing | USA (EU SCCs) |
| Supabase, Inc. | Database hosting (PostgreSQL) | EU region |
| Resend, Inc. | Transactional email delivery | USA (EU SCCs) |
| Vercel, Inc. | Frontend hosting and CDN | Global (EU SCCs) |
| Hostinger International Ltd. | Backend server and bot container hosting | EU |
Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent safeguards to ensure adequate protection of your data.
5. Data Retention
- Account data — retained for the duration of your account and for 30 days after deletion to allow recovery.
- Billing records — retained for the period required by applicable tax and accounting laws (typically 10 years under Bulgarian legislation).
- Bot configuration and secrets — deleted when the associated bot or account is deleted.
- Server logs — retained for up to 90 days for security and debugging purposes.
- Magic-link tokens — expire and are purged within 24 hours of issuance.
6. Your Rights Under GDPR
As a data subject, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
- Restriction — request that we limit processing of your data in certain circumstances.
- Data portability — receive your data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@botyard.sh. We will respond within 30 days as required by the GDPR.
You also have the right to lodge a complaint with the Commission for Personal Data Protection of Bulgaria (CPDP) at www.cpdp.bg, or with the supervisory authority in your EU Member State of residence.
7. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS) for all connections to our services.
- Encrypted storage of third-party API keys and secrets.
- Access controls and audit logging for sensitive operations.
- Regular security reviews of our infrastructure.
No system is perfectly secure. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by the GDPR.
8. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.
10. Contact
For questions about this Privacy Policy or our data practices, contact us at:
Kosmo Labs VCC
ul. Marin Drinov 7
4017 Plovdiv, Bulgaria
privacy@botyard.sh