
Privacy Policy

Effective Date: April 28, 2026 | Version: 1.2

Vietnamese version (Phiên bản tiếng Việt): Chính sách bảo mật

This Privacy Policy describes how ScapBot (“we”, “Platform”) collects, uses, stores, shares, and protects your personal data when you use our services at https://scapbot.vn.

This Policy is established in compliance with Decree 13/2023/ND-CP on Personal Data Protection, the Personal Data Protection Law 2025 (No. 91/2025/QH15), the Law on Cybersecurity Information 2015, and the Cybersecurity Law 2018.


1. Data Controller

ScapBot Company is the Data Controller with respect to the personal data of Users (business owners who register to use ScapBot).

For End Customer data (consumers who send messages to businesses through ScapBot), ScapBot acts as the Data Processor — see details in Section 3.


2. Personal Data We Collect

2.1. Data You Provide Directly

Data Type | Purpose | Required
Full name | Display in interface, communication | Yes
Email address | Login, OTP verification, notifications | Yes
Password (bcrypt-hashed) | Account authentication | Yes
Phone number | Additional verification (future) | No
Avatar image | Personal interface | No
Preferences (language, timezone, notifications) | Experience customization | No

2.2. Automatically Collected Data

Data Type | Purpose | Retention
IP address | Security, suspicious login detection | 24 months
Device information (OS, browser) | Login session management | 90 days
Geographic location (from IP, using offline GeoLite2 database) | Anomalous login detection | 24 months
Activity logs (login times, actions) | Security, technical support | 24 months
Cookies and session data | Maintaining login state | Per session

2.3. Payment Data

Data Type | Purpose | Notes
Top-up code (ScapBot Wallet) | Transaction confirmation | No card information stored
Transaction history | Reconciliation, support | Stored permanently (accounting requirement)
Currency (VND/USD) | Payment processing | Fixed after account creation

Note: ScapBot does not store credit/debit card information. International payments are processed through PayPal and Stripe — card data is protected by these payment gateways under PCI-DSS standards.

2.4. Business Data

When using the Service, you may upload or create:

  • Product information (name, description, price, images)
  • Business documents (FAQs, policies, sales scripts)
  • AI Assistant configuration (name, industry, response style)
  • Staff information (email, access permissions)

This is data you fully control. We process this data solely for the purpose of providing the Service.

2.5. Data from Google

a) Google Sign-In

If you log in via Google, we collect:

  • Google account ID (identifier, not password)
  • Email linked to the Google account
  • Display name and profile picture (if available)

This data is used solely to create and authenticate your ScapBot account.

b) Google Drive Sync (optional)

If you choose to connect Google Drive to sync documents into your AI Assistant’s Documents page, we collect:

Data Type | Purpose | Notes
File name, file type, modification date | Display file list for you to select which files to sync | Metadata only
Content of files you select to sync | Build Knowledge Base for AI Assistant | Only files you actively choose

Google Drive commitments:

  • We only access your Drive in read-only mode — we do not modify, move, or delete any files on your Google Drive.
  • We only access the files and folders you actively select to sync — we do not scan your entire Drive.
  • File content is downloaded, encrypted (AES-256-GCM), and stored on ScapBot servers (Cloudflare R2).
  • You can disconnect Google Drive at any time — all synced data will be deleted from ScapBot’s system.
  • You can also revoke access at myaccount.google.com/permissions.

We do not access your contacts, calendar, Gmail, or any other Google data beyond the scope you authorize.


3. End Customer Data

3.1. ScapBot as Data Processor

When End Customers (consumers) send messages to your business through connected messaging platforms, ScapBot collects and processes:

Data Type | Source | Purpose
Display name, avatar | Messaging platform | Display in conversation interface
Message content (text, images, files) | Messaging platform | Processed by AI to generate responses
Language, timezone | Messaging platform | Personalizing responses
Conversation history | ScapBot | AI context, reporting
Customer profile (5 layers) | AI analysis from conversations | Personalizing experience

3.2. AI Analysis of End Customers

ScapBot uses AI to analyze End Customer messages to:

  • Identify intent (price inquiry, complaint, order placement, etc.)
  • Assess psychological state (interest level, satisfaction level)
  • Classify customer stage (lead, prospect, customer, repeat, etc.)
  • Recommend relevant products/services

This analytical data is under the control of the User (business). Users are responsible for informing End Customers about AI usage as required by law.

3.3. User Responsibilities

As the Data Controller for End Customer data, you are obligated to:

  • Have your own privacy policy informing End Customers about the use of ScapBot.
  • Have a lawful legal basis for collecting and processing End Customer data.
  • Cooperate with ScapBot when End Customers exercise their data rights.

3.4. Facebook Messenger Profile Data (Business Asset User Profile Access)

When End Customers send messages to a Facebook Page connected to ScapBot, we read the following profile fields through Meta’s “Business Asset User Profile Access” feature, strictly within the scope of the connected business asset:

Field | Source (Meta Graph API) | Purpose
id (Page-Scoped User ID, PSID) | /{psid} | Internal record key for the conversation
ids_for_business | /{psid} | Merge profiles when one customer messages multiple Pages of the same business
name | /{psid} | Customer display name in agent inbox + CRM record
picture (avatar URL) | /{psid} | Visual identification of the customer in agent inbox

Storage and retention specific to Facebook profile data:

  • The avatar image is downloaded once and re-hosted on Cloudflare R2 for instant loading. The cache is signed with a presigned URL valid for 7 days, matching the original Facebook CDN TTL, and is automatically refreshed on the next inbound message from the same customer or after 24 hours, whichever comes first.
  • The name, id, and ids_for_business fields are stored in the connected business’s database partition only — never aggregated across businesses, never indexed for cross-business search.
  • All Facebook profile data is permanently deleted within 24 hours when the business disconnects the Facebook Page in ScapBot Dashboard → Settings → Connections → Facebook → Disconnect.
  • Facebook profile data is never used for advertising, never sold, never licensed, never shared with any third party, and is visible only to the staff of the specific business that connected the Page.
  • Facebook profile data is excluded from any AI model training pipeline — names and avatars are display-only and are not part of the data used to improve AI quality.

Compliance reference: This usage falls within the “in-app business experience” scope defined by Meta for the Business Asset User Profile Access feature (Meta Developer Documentation).


4. Purposes of Data Processing

We process your personal data for the following purposes:

Purpose | Legal Basis
Providing and operating the Service | Performance of contract
Account authentication and session security | Performance of contract + Legitimate interest
Payment processing and reconciliation | Performance of contract + Legal obligation
Sending service notifications (OTP, security, maintenance) | Performance of contract
Sending product information and promotions | Consent (opt-out available)
Fraud detection and system protection | Legitimate interest
Improving Service quality | Legitimate interest
Improving AI models (aggregated, anonymized data) | Legitimate interest
Website traffic analysis (Google Analytics) | Legitimate interest
Advertising effectiveness measurement (Meta Pixel) | Consent
Complying with government authority requests | Legal obligation

5. Sharing Data with Third Parties

5.1. Service Providers

We share data with the following third parties to operate the Service:

Third Party | Data Shared | Purpose | Country
Google (Gemini AI) | Message content, documents (during AI processing) | AI response generation, vector embedding | USA
Google (Drive API) | Metadata and content of files you select to sync | Document sync into Knowledge Base | USA
Cloudflare (R2) | Documents, images | File storage | Global
Facebook/Meta (Messenger Platform) | Messages (via Webhook + Graph API), customer profile fields (id, name, picture, ids_for_business) via Business Asset User Profile Access | Sending/receiving Messenger messages, displaying customer name + avatar in agent inbox | USA
Zalo (VNG) | Messages (via API) | Sending/receiving Zalo OA messages | Vietnam
Telegram | Messages (via API) | Sending/receiving Bot messages | UAE/Global
WhatsApp (Meta) | Messages (via API) | Sending/receiving WhatsApp Business messages | USA
Viber (Rakuten) | Messages (via API) | Sending/receiving Viber Bot messages | Luxembourg
Line | Messages (via API) | Sending/receiving Line Bot messages | Japan
PayPal | Transaction information | USD payment processing | USA
Stripe | Transaction information | USD payment processing | USA
Google Analytics | Anonymized browsing behavior data (IP anonymization) | Website traffic analysis | USA
Meta Pixel | Browsing behavior data | Advertising effectiveness measurement, remarketing | USA

5.2. Cross-Border Data Transfer

Some service providers have servers located outside Vietnam. In accordance with Decree 13/2023/ND-CP and the Cybersecurity Law 2018:

  • We maintain a copy of Vietnamese users’ personal data on servers in Vietnam.
  • Data transferred abroad is limited to the scope necessary for operating the Service.
  • We have prepared a Cross-Border Data Transfer Impact Assessment as required by regulation.

5.3. Government Authorities

We may provide data to competent government authorities upon written request in accordance with applicable law.

5.4. Scope of Meta Pixel and Other Advertising Cookies

Meta Pixel and equivalent advertising cookies are loaded only on our public marketing pages (the homepage, blog, pricing pages on https://scapbot.vn) to measure the effectiveness of our own marketing campaigns. They are strictly excluded from:

  • The authenticated application area (any page under /{lang}/assistants/..., /{lang}/dashboard, etc.)
  • Any data flow involving End Customer profile information (Facebook Messenger names, avatars, PSIDs, conversations, CRM records)
  • Any data exchange with the messaging platforms (Facebook, Zalo, Telegram, WhatsApp, Viber, Line)

End Customer data is therefore never used to power advertising, regardless of whether the Meta Pixel is enabled on our marketing pages.

5.5. Commitment

We do not sell, rent, or trade your personal data — whether yours as a User or that of any End Customer who messages your business — to any third party for commercial purposes.


6. AI Data Processing

6.1. Data Sent to AI Models

When AI processes messages, the following data is sent to the AI provider (Google Gemini):

  • End Customer message content
  • Conversation context (recent messages)
  • Related product/document information
  • AI Assistant response configuration

6.2. AI Commitments

  • Data sent to AI is processed according to the AI provider’s privacy policy.
  • ScapBot does not use personally identifiable data to train AI models.
  • Data used to improve AI is in aggregated, anonymized form (conversation patterns containing no personal information).
  • You have the right to turn off AI mode at any time — when disabled, no data is sent to AI models.

6.3. Vector Embedding

ScapBot converts documents and images into vector representations (embeddings) for semantic search purposes. Vector embeddings:

  • Cannot be reverse-converted back to original content.
  • Are stored alongside original data on servers in Vietnam.
  • Are deleted when you delete the corresponding document or product.

7. Security Measures

7.1. Technical Security

Measure | Details
Password encryption | bcrypt cost 12 — original passwords are never stored
Transport encryption | HTTPS/TLS for all connections
Document encryption | AES-256-GCM client-side encryption (configurable)
Authentication | JWT (Access Token 15 minutes, Refresh Token 7 days)
Secure cookies | HttpOnly, Secure, SameSite=Lax
Unknown device detection | SHA256 device fingerprint + email alerts
CSRF protection | SameSite cookies + HMAC verification
Rate limiting | Rate limiting for API and login attempts
Webhook verification | HMAC-SHA256 signature for all webhooks

7.2. Organizational Security

  • Data access follows the principle of least privilege.
  • All system access is logged (audit log).
  • Data isolation between Users (multi-tenant isolation — all queries scoped via assistant_id).

7.3. Data Breach Response

In the event of a personal data breach:

  1. Within 72 hours: Notify the Cybersecurity Department (A05), Ministry of Public Security as required by regulation.
  2. As soon as possible: Notify affected Users via email, clearly stating: scope of breach, data affected, remediation measures, and contact point.
  3. Remediation: Implement containment and remediation measures immediately.

8. Data Retention Periods

Data Type | Retention Period | Notes
Account data | Duration of use + 30 days after account deletion | Minimum 24 months per Cybersecurity Law
Login sessions (devices) | 90 days of inactivity → auto-deleted |
System logs | 30 days | Log rotation
Transaction history | Permanent | Accounting/tax requirement
Messages and conversations | Duration of use + 30 days | Minimum 24 months
Documents on cloud storage | Duration of use + 30 days | Deleted upon request
Google Drive synced data | Until you disconnect or delete | Deleted immediately upon disconnection
Facebook customer name + PSID + ids_for_business | Until business disconnects Page | Deleted within 24 hours of disconnection
Facebook customer avatar (cached on R2) | 7 days (presigned URL TTL), refreshed on next message | Deleted with the contact record
OTP and Reset Tokens | 5 minutes (OTP) / 1 hour (Reset Token) | Auto-deleted after TTL
Aggregated anonymized data | Indefinite | Contains no personal data

After service termination, you have 30 days to export your data. After this period, personal data will be permanently deleted, unless legally required to retain longer.


9. Your Data Rights

Under Decree 13/2023/ND-CP and the Personal Data Protection Law 2025, you have the following rights:

9.1. Right to Be Informed

You have the right to be informed about the processing of your personal data, including the types of data, purposes, and processing methods.

9.2. Right to Consent

You have the right to consent or not consent to the processing of your personal data, except where otherwise provided by law.

9.3. Right of Access

You have the right to request a copy of your personal data that we hold.

9.4. Right to Withdraw Consent

You have the right to withdraw consent previously given. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

9.5. Right to Erasure

You have the right to request the deletion of your personal data, unless we have a legal obligation to retain it.

9.6. Right to Restrict Processing

You have the right to request restriction of processing of your personal data in certain circumstances.

9.7. Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format.

9.8. Right to Object

You have the right to object to the processing of your personal data for direct marketing purposes or processing based on legitimate interests.

9.9. Right to Complain

You have the right to file a complaint with ScapBot or the competent government authority (Cybersecurity Department — A05, Ministry of Public Security) if you believe your personal data has been processed unlawfully.

9.10. Right to Compensation

You have the right to seek compensation for damages when your personal data has been processed in violation of the law.

How to exercise your rights: Send a request to privacy@scapbot.vn with identity verification information. We will respond within 15 business days.

9.11. Rights of End Customers (Facebook Messenger Users)

If you are a Facebook user who messaged a Facebook Page connected to ScapBot and want to access, correct, or delete the profile data we hold about you, you may exercise your rights through any of the following channels:

Channel A — Email request to ScapBot directly:

  1. Email privacy@scapbot.vn with subject line “Data Deletion Request — Facebook Messenger”.
  2. Include either (a) your Facebook Page-Scoped User ID (PSID), or (b) the name of the Facebook Page you messaged, plus the approximate date range.
  3. We process the request within 30 days and email you a confirmation.

Channel B — Ask the business that operates the Page: The business is the Data Controller for your conversation. You may request the business to disconnect the Page from ScapBot — once disconnected, ScapBot automatically purges all profile data within 24 hours.

Channel C — Step-by-step guide: A complete walkthrough — including the exact email template, the disconnection flow on the business side, identity verification, and appeals — is in Section 14 below.


10. Cookies

10.1. Cookies We Use

Cookie Type | Name | Purpose | Duration
Essential | access_token | Login session authentication | 15 minutes
Essential | refresh_token | Maintaining login | 7 days
Functional | lang | Remembering preferred language | 1 year
Functional | theme | Remembering light/dark mode | 1 year
Analytics | _ga | User identification (Google Analytics) | 2 years
Analytics | ga* | Maintaining Google Analytics session state | 2 years
Advertising | _fbp | Browser identification (Meta Pixel) | 3 months
Advertising | _fbc | Facebook ad click tracking | 2 years

10.2. Managing Cookies

  • Essential cookies are required for the Service to function — they cannot be disabled.
  • Functional cookies can be managed through your browser settings.
  • Analytics cookies (Google Analytics) collect anonymized data to improve your experience. You may opt out via Google Analytics Opt-out.
  • Advertising cookies (Meta Pixel) are only activated with your consent via the cookie consent banner. You may withdraw consent at any time through the cookie settings on our website or via Facebook Ad Preferences.

11. Minors

ScapBot is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If you discover that we have inadvertently collected data from a person under 18, please contact us immediately at privacy@scapbot.vn so that we can delete such data.


12. Changes to This Policy

  • We may update this Privacy Policy. Material changes will be communicated via email at least 30 days in advance.
  • The latest version is always available at /en/privacy-policy/.
  • Change history is recorded at the bottom of this page.

13. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights:


14. Data Deletion Instructions

This section contains the public Data Deletion instructions referenced in our Meta Developer App settings. The instructions are organized by who you are: an end customer who messaged a Facebook Page connected to ScapBot, or a business user with a ScapBot account.

14.1. For End Customers (Facebook Messenger Users)

You sent a message to a Facebook Page that is connected to ScapBot. The business operating that Page is the Data Controller; ScapBot acts as the Data Processor on the business’s behalf. You have three channels to request deletion of your data.

Channel A — Email request to ScapBot directly

This is the recommended path if you cannot reach the business or want a paper trail.

  1. Send an email to privacy@scapbot.vn with the exact subject line: Data Deletion Request — Facebook Messenger
  2. Include in the body either of the following identifiers (either one is sufficient):
    • Your Facebook Page-Scoped User ID (PSID) — a numeric identifier visible in your conversation with the Page (advanced users), or
    • The name of the Facebook Page you messaged, plus the approximate date range when you messaged it
  3. We acknowledge receipt within 3 business days and complete the deletion within 30 calendar days. You receive a confirmation email when the deletion is complete.

Email template (copy-paste):

To: privacy@scapbot.vn
Subject: Data Deletion Request — Facebook Messenger

Hello,

I am a Facebook user who messaged the Page "[NAME OF THE PAGE]"
between approximately [START DATE] and [END DATE].

I request that ScapBot delete all personal data it holds about
me, including my name, profile picture, Page-Scoped User ID,
and any conversation history collected on behalf of that
business.

[Optional: PSID = ...]

Thank you.

[Your Facebook display name]

Channel B — Ask the business operating the Page

The business is the Data Controller. If you trust the business, you can simply ask them to:

  • Disconnect the Facebook Page from ScapBot, or
  • Delete the conversation with you on their side

When the business disconnects the Page (Dashboard → Settings → Connections → Facebook → Disconnect), ScapBot automatically purges all profile data and conversations for that Page within 24 hours without any further action from you.

Channel C — Revoke ScapBot’s access via Facebook

You may also revoke any permissions ScapBot has been granted on your Facebook account:

  1. Visit https://www.facebook.com/settings?tab=apps
  2. Find any business app that uses ScapBot
  3. Click Remove
  4. After removal, ScapBot can no longer fetch your profile data; any cached avatar expires within 7 days; any associated PSID record becomes inaccessible to ScapBot’s APIs

14.2. For Business Users (ScapBot Account Holders)

You registered an account at https://scapbot.vn for your business.

  1. Log in at https://scapbot.vn/en/login
  2. Navigate to Settings → Account
  3. Click Delete Account
  4. Confirm the action

This deletion takes effect within 24 hours and removes:

  • Your account, password, and login sessions
  • All connected Facebook Pages, Zalo OAs, Telegram bots, WhatsApp Business numbers, Viber bots, Line accounts
  • All conversations, messages, and customer profiles received through your connected channels
  • All AI Assistants you created, along with their configurations and knowledge bases
  • All uploaded documents and product images on Cloudflare R2
  • All Google Drive sync state

Email request

If you prefer, email privacy@scapbot.vn from the address registered on your account, with the subject Data Deletion Request — ScapBot Account. We process the request within 30 calendar days.

Records we are required to retain

By Vietnamese tax and accounting law, we retain the following even after account deletion:

  • Transaction history (for accounting purposes — at least 5 years)
  • Aggregated, anonymized usage statistics (with no personally identifying information)

These records do not contain your full name, email, or any other identifier that could be linked back to you.

14.3. Response Timelines

Channel | Acknowledgement | Completion
Self-service deletion (in-app) | Immediate | Within 24 hours
Email request — End Customer | Within 3 business days | Within 30 calendar days
Email request — Business User | Within 3 business days | Within 30 calendar days
Business disconnects Page | Immediate | Within 24 hours

14.4. Identity Verification

To prevent fraudulent deletion requests, we may ask you to verify your identity:

  • End Customers: confirmation message sent through Facebook Messenger from your account, or a screenshot of the conversation with the Page
  • Business Users: OTP sent to the email address on your ScapBot account

We never ask for your password.

14.5. Appeals

If you are not satisfied with our response, you may:

  • Reply to our confirmation email with your concerns
  • File a complaint with the Cybersecurity Department (A05), Ministry of Public Security of Vietnam
  • For Facebook-specific issues, you may also contact Meta directly through https://www.facebook.com/help/contact

15. Version History

Version | Date | Changes
1.2 | April 28, 2026 | Added section 3.4 (Facebook Messenger Profile Data via Business Asset User Profile Access), section 5.4 (Meta Pixel scope clarification), section 9.11 (End Customer rights for Facebook users), section 14 (Data Deletion Instructions — consolidated inline instead of a separate page), corresponding rows in section 8 retention table
1.1 | March 23, 2026 | Added section 2.5b (Google Drive Sync), updated sections 5.1 and 8
1.0 | March 19, 2026 | Initial version