Privacy Policy

Effective date: 30 March 2026

Controller: Web Bamboo Ltd.
Address: Varna, Bulgaria
Privacy contact: contact@webbamboo.net

This Privacy Policy describes how Web Bamboo Ltd. (“we”) processes personal data when you use PressPilot AI, including our website, licensing / customer portal, APIs, and (where applicable) managed AI proxy features.

This policy is a draft for publication. It is not legal advice. Have it reviewed by qualified counsel before reliance.

1. Scope

This policy covers processing we carry out as a controller for our own business purposes. When you use BYOK mode, your chosen AI provider processes prompts on their terms as well.

2. Data we collect

A. Account, licensing, and billing (stored in our systems)

We process data needed to sell licenses and run accounts, including:

  • Email address (license purchase, license records, customer account login, transactional emails).
  • License key, subscription / plan edition, expiry, billing interval, and related Stripe identifiers (e.g. checkout session, subscription id, customer id where applicable).
  • Hashed password for customer accounts (we do not store plaintext passwords).
  • Billing profile fields you optionally provide in the account area (such as name, company, VAT/tax id, address).
  • Invoice records (e.g. invoice number, amounts, currency, customer email, Stripe references).
  • Invite / setup tokens (stored as hashes, not the raw link in the database).
  • License activations: normalized WordPress site URL and first seen timestamp, tied to your license, to enforce plan limits.
  • Managed-plan usage (aggregated): daily request counts per license for our proxy feature; full prompts are not stored for that counter.

B. Content you send for AI processing (managed plans)

If you use managed AI features, the plugin sends us request payloads (for example model parameters and text/images/embeddings inputs as you configure the plugin) and we forward them to OpenAI to obtain a response. Our application database stores aggregated usage counts for billing and capacity purposes; standard server logs, error logs, or provider-side retention may still apply.

C. Website, support, security

  • Contact form: name, email, message; may be delivered by email to our inboxes. If email is not configured, submissions may be logged on the server in a limited way for troubleshooting.
  • Security / abuse prevention: e.g. IP address may be sent to Google reCAPTCHA v3 for verification, and may appear in server logs.
  • Cookies / similar tech: session and security cookies for login areas; analytics tags (e.g. Google Tag Manager, Google Ads measurement) as implemented on our site.

3. Purposes and legal bases (GDPR)

Depending on the activity, we rely on:

  • Contract (Art. 6(1)(b)): providing the service, licenses, account, payments, activations, invoices, support responses.
  • Legitimate interests (Art. 6(1)(f)): security, abuse prevention, analytics, product improvement—balanced against your rights.
  • Consent (Art. 6(1)(a)): where required for non-essential cookies or similar technologies, if we rely on consent in your jurisdiction.
  • Legal obligation (Art. 6(1)(c)): tax/accounting or lawful requests.

4. Recipients / processors

We use service providers that process data on our instructions, including for example:

  • Stripe (payments and subscription management)
  • OpenAI (managed AI API processing)
  • Google (e.g. Tag Manager, conversion/ads measurement, reCAPTCHA v3, and fonts loaded from Google)
  • Email delivery provider as configured in our environment

Their privacy terms apply in addition to ours.

5. International transfers

Some providers may process data in the United States or other countries. Where required, we implement appropriate safeguards (such as Standard Contractual Clauses) and/or rely on adequacy decisions as applicable.

6. Retention

We retain personal data as long as needed to provide the service, meet legal/tax requirements, resolve disputes, and enforce agreements. Technical logs may be kept for shorter periods depending on hosting configuration. Aggregated proxy usage may be kept to understand usage patterns.

7. Your rights (EEA/UK and similar laws)

You may have rights to access, rectification, erasure, restriction, portability, and objection, and to withdraw consent where processing is consent-based. You may lodge a complaint with your local supervisory authority. Contact: contact@webbamboo.net.

8. Security

We implement technical and organizational measures appropriate to the risk. No method of transmission or storage is 100% secure.

9. Children

The service is not directed to children under 16 (or lower age required locally). We do not knowingly collect children’s data; contact us if you believe otherwise.

10. Changes

We may update this policy and change the effective date. Material updates will be posted here (and where legally required, notified).