Privacy Policy
Effective Date: March 23, 2026 | Version: 1.1
Vietnamese version (Phiên bản tiếng Việt): Chính sách bảo mật
This Privacy Policy describes how ScapBot ("we", "Platform") collects, uses, stores, shares, and protects your personal data when you use our services at https://scapbot.vn.
This Policy is established in compliance with Decree 13/2023/ND-CP on Personal Data Protection, the Personal Data Protection Law 2025 (No. 91/2025/QH15), the Law on Cybersecurity Information 2015, and the Cybersecurity Law 2018.
1. Data Controller
ScapBot Company is the Data Controller with respect to the personal data of Users (business owners who register to use ScapBot).
- Privacy email: privacy@scapbot.vn
- Support email: support@scapbot.vn
- Website: https://scapbot.vn
For End Customer data (consumers who send messages to businesses through ScapBot), ScapBot acts as the Data Processor — see details in Section 3.
2. Personal Data We Collect
2.1. Data You Provide Directly
| Data Type | Purpose | Required |
|---|---|---|
| Full name | Display in interface, communication | Yes |
| Email address | Login, OTP verification, notifications | Yes |
| Password (bcrypt-hashed) | Account authentication | Yes |
| Phone number | Additional verification (future) | No |
| Avatar image | Personal interface | No |
| Preferences (language, timezone, notifications) | Experience customization | No |
2.2. Automatically Collected Data
| Data Type | Purpose | Retention |
|---|---|---|
| IP address | Security, suspicious login detection | 24 months |
| Device information (OS, browser) | Login session management | 90 days |
| Geographic location (from IP, using offline GeoLite2 database) | Anomalous login detection | 24 months |
| Activity logs (login times, actions) | Security, technical support | 24 months |
| Cookies and session data | Maintaining login state | Per session |
2.3. Payment Data
| Data Type | Purpose | Notes |
|---|---|---|
| Top-up code (ScapBot Wallet) | Transaction confirmation | No card information stored |
| Transaction history | Reconciliation, support | Stored permanently (accounting requirement) |
| Currency (VND/USD) | Payment processing | Fixed after account creation |
Note: ScapBot does not store credit/debit card information. International payments are processed through PayPal and Stripe — card data is protected by these payment gateways under PCI-DSS standards.
2.4. Business Data
When using the Service, you may upload or create:
- Product information (name, description, price, images)
- Business documents (FAQs, policies, sales scripts)
- AI Assistant configuration (name, industry, response style)
- Staff information (email, access permissions)
This is data you fully control. We process this data solely for the purpose of providing the Service.
2.5. Data from Google
a) Google Sign-In
If you log in via Google, we collect:
- Google account ID (identifier, not password)
- Email linked to the Google account
- Display name and profile picture (if available)
This data is used solely to create and authenticate your ScapBot account.
b) Google Drive Sync (optional)
If you choose to connect Google Drive to sync documents into your AI Assistant’s Documents page, we collect:
| Data Type | Purpose | Notes |
|---|---|---|
| File name, file type, modification date | Display file list for you to select which files to sync | Metadata only |
| Content of files you select to sync | Build Knowledge Base for AI Assistant | Only files you actively choose |
Google Drive commitments:
- We only access your Drive in read-only mode — we do not modify, move, or delete any files on your Google Drive.
- We only access the files and folders you actively select to sync — we do not scan your entire Drive.
- File content is downloaded, encrypted (AES-256-GCM), and stored on ScapBot servers (Cloudflare R2).
- You can disconnect Google Drive at any time — all synced data will be deleted from ScapBot’s system.
- You can also revoke access at myaccount.google.com/permissions.
We do not access your contacts, calendar, Gmail, or any other Google data beyond the scope you authorize.
3. End Customer Data
3.1. ScapBot as Data Processor
When End Customers (consumers) send messages to your business through connected messaging platforms, ScapBot collects and processes:
| Data Type | Source | Purpose |
|---|---|---|
| Display name, avatar | Messaging platform | Display in conversation interface |
| Message content (text, images, files) | Messaging platform | Processed by AI to generate responses |
| Language, timezone | Messaging platform | Personalizing responses |
| Conversation history | ScapBot | AI context, reporting |
| Customer profile (5 layers) | AI analysis from conversations | Personalizing experience |
3.2. AI Analysis of End Customers
ScapBot uses AI to analyze End Customer messages to:
- Identify intent (price inquiry, complaint, order placement, etc.)
- Assess psychological state (interest level, satisfaction level)
- Classify customer stage (lead, prospect, customer, repeat, etc.)
- Recommend relevant products/services
This analytical data is under the control of the User (business). Users are responsible for informing End Customers about AI usage as required by law.
3.3. User Responsibilities
As the Data Controller for End Customer data, you are obligated to:
- Have your own privacy policy informing End Customers about the use of ScapBot.
- Have a lawful legal basis for collecting and processing End Customer data.
- Cooperate with ScapBot when End Customers exercise their data rights.
4. Purposes of Data Processing
We process your personal data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service | Performance of contract |
| Account authentication and session security | Performance of contract + Legitimate interest |
| Payment processing and reconciliation | Performance of contract + Legal obligation |
| Sending service notifications (OTP, security, maintenance) | Performance of contract |
| Sending product information and promotions | Consent (opt-out available) |
| Fraud detection and system protection | Legitimate interest |
| Improving Service quality | Legitimate interest |
| Improving AI models (aggregated, anonymized data) | Legitimate interest |
| Website traffic analysis (Google Analytics) | Legitimate interest |
| Advertising effectiveness measurement (Meta Pixel) | Consent |
| Complying with government authority requests | Legal obligation |
5. Sharing Data with Third Parties
5.1. Service Providers
We share data with the following third parties to operate the Service:
| Third Party | Data Shared | Purpose | Country |
|---|---|---|---|
| Google (Gemini AI) | Message content, documents (during AI processing) | AI response generation, vector embedding | USA |
| Google (Drive API) | Metadata and content of files you select to sync | Document sync into Knowledge Base | USA |
| Cloudflare (R2) | Documents, images | File storage | Global |
| Facebook/Meta | Messages (via API) | Sending/receiving Messenger messages | USA |
| Zalo (VNG) | Messages (via API) | Sending/receiving Zalo OA messages | Vietnam |
| Telegram | Messages (via API) | Sending/receiving Bot messages | UAE/Global |
| WhatsApp (Meta) | Messages (via API) | Sending/receiving WhatsApp Business messages | USA |
| Viber (Rakuten) | Messages (via API) | Sending/receiving Viber Bot messages | Luxembourg |
| Line | Messages (via API) | Sending/receiving Line Bot messages | Japan |
| PayPal | Transaction information | USD payment processing | USA |
| Stripe | Transaction information | USD payment processing | USA |
| Google Analytics | Anonymized browsing behavior data (IP anonymization) | Website traffic analysis | USA |
| Meta Pixel | Browsing behavior data | Advertising effectiveness measurement, remarketing | USA |
5.2. Cross-Border Data Transfer
Some service providers have servers located outside Vietnam. In accordance with Decree 13/2023/ND-CP and the Cybersecurity Law 2018:
- We maintain a copy of Vietnamese users’ personal data on servers in Vietnam.
- Data transferred abroad is limited to the scope necessary for operating the Service.
- We have prepared a Cross-Border Data Transfer Impact Assessment as required by regulation.
5.3. Government Authorities
We may provide data to competent government authorities upon written request in accordance with applicable law.
5.4. Commitment
We do not sell, rent, or trade your personal data to any third party for commercial purposes.
6. AI Data Processing
6.1. Data Sent to AI Models
When AI processes messages, the following data is sent to the AI provider (Google Gemini):
- End Customer message content
- Conversation context (recent messages)
- Related product/document information
- AI Assistant response configuration
6.2. AI Commitments
- Data sent to AI is processed according to the AI provider’s privacy policy.
- ScapBot does not use personally identifiable data to train AI models.
- Data used to improve AI is in aggregated, anonymized form (conversation patterns containing no personal information).
- You have the right to turn off AI mode at any time — when disabled, no data is sent to AI models.
6.3. Vector Embedding
ScapBot converts documents and images into vector representations (embeddings) for semantic search purposes. Vector embeddings:
- Cannot be reverse-converted back to original content.
- Are stored alongside original data on servers in Vietnam.
- Are deleted when you delete the corresponding document or product.
7. Security Measures
7.1. Technical Security
| Measure | Details |
|---|---|
| Password hashing | bcrypt cost 12 — original passwords are never stored |
| Transport encryption | HTTPS/TLS for all connections |
| Document encryption | AES-256-GCM client-side encryption (configurable) |
| Authentication | JWT (Access Token 15 minutes, Refresh Token 7 days) |
| Secure cookies | HttpOnly, Secure, SameSite=Lax |
| Unknown device detection | SHA256 device fingerprint + email alerts |
| CSRF protection | SameSite cookies + HMAC verification |
| Rate limiting | Rate limiting for API and login attempts |
| Webhook verification | HMAC-SHA256 signature for all webhooks |
7.2. Organizational Security
- Data access follows the principle of least privilege.
- All system access is logged (audit log).
- Data isolation between Users (multi-tenant isolation — all queries scoped via assistant_id).
7.3. Data Breach Response
In the event of a personal data breach:
- Within 72 hours: Notify the Cybersecurity Department (A05), Ministry of Public Security as required by regulation.
- As soon as possible: Notify affected Users via email, clearly stating: scope of breach, data affected, remediation measures, and contact point.
- Remediation: Implement containment and remediation measures immediately.
8. Data Retention Periods
| Data Type | Retention Period | Notes |
|---|---|---|
| Account data | Duration of use + 30 days after account deletion | Minimum 24 months per Cybersecurity Law |
| Login sessions (devices) | 90 days of inactivity → auto-deleted | |
| System logs | 30 days | Log rotation |
| Transaction history | Permanent | Accounting/tax requirement |
| Messages and conversations | Duration of use + 30 days | Minimum 24 months |
| Documents on cloud storage | Duration of use + 30 days | Deleted upon request |
| Google Drive synced data | Until you disconnect or delete | Deleted immediately upon disconnection |
| OTP and Reset Tokens | 5 minutes (OTP) / 1 hour (Reset Token) | Auto-deleted after TTL |
| Aggregated anonymized data | Indefinite | Contains no personal data |
After service termination, you have 30 days to export your data. After this period, personal data will be permanently deleted, unless legally required to retain longer.
9. Your Data Rights
Under Decree 13/2023/ND-CP and the Personal Data Protection Law 2025, you have the following rights:
9.1. Right to Be Informed
You have the right to be informed about the processing of your personal data, including the types of data, purposes, and processing methods.
9.2. Right to Consent
You have the right to consent or not consent to the processing of your personal data, except where otherwise provided by law.
9.3. Right of Access
You have the right to request a copy of your personal data that we hold.
9.4. Right to Withdraw Consent
You have the right to withdraw consent previously given. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
9.5. Right to Erasure
You have the right to request the deletion of your personal data, unless we have a legal obligation to retain it.
9.6. Right to Restrict Processing
You have the right to request restriction of processing of your personal data in certain circumstances.
9.7. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
9.8. Right to Object
You have the right to object to the processing of your personal data for direct marketing purposes or processing based on legitimate interests.
9.9. Right to Complain
You have the right to file a complaint with ScapBot or the competent government authority (Cybersecurity Department — A05, Ministry of Public Security) if you believe your personal data has been processed unlawfully.
9.10. Right to Compensation
You have the right to seek compensation for damages when your personal data has been processed in violation of the law.
How to exercise your rights: Send a request to privacy@scapbot.vn with identity verification information. We will respond within 15 business days.
10. Cookies
10.1. Cookies We Use
| Cookie Type | Name | Purpose | Duration |
|---|---|---|---|
| Essential | access_token | Login session authentication | 15 minutes |
| Essential | refresh_token | Maintaining login | 7 days |
| Functional | lang | Remembering preferred language | 1 year |
| Functional | theme | Remembering light/dark mode | 1 year |
| Analytics | _ga | User identification (Google Analytics) | 2 years |
| Analytics | ga* | Maintaining Google Analytics session state | 2 years |
| Advertising | _fbp | Browser identification (Meta Pixel) | 3 months |
| Advertising | _fbc | Facebook ad click tracking | 2 years |
10.2. Managing Cookies
- Essential cookies are required for the Service to function — they cannot be disabled.
- Functional cookies can be managed through your browser settings.
- Analytics cookies (Google Analytics) collect anonymized data to improve your experience. You may opt out via Google Analytics Opt-out.
- Advertising cookies (Meta Pixel) are only activated with your consent via the cookie consent banner. You may withdraw consent at any time through the cookie settings on our website or via Facebook Ad Preferences.
11. Minors
ScapBot is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If you discover that we have inadvertently collected data from a person under 18, please contact us immediately at privacy@scapbot.vn so that we can delete such data.
12. Changes to This Policy
- We may update this Privacy Policy. Material changes will be communicated via email at least 30 days in advance.
- The latest version is always available at /en/privacy-policy/.
- Change history is recorded at the bottom of this page.
13. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights:
- Privacy email: privacy@scapbot.vn
- Support email: support@scapbot.vn
- Website: https://scapbot.vn
14. Version History
| Version | Date | Changes |
|---|---|---|
| 1.1 | March 23, 2026 | Added section 2.5b (Google Drive Sync), updated sections 5.1 and 8 |
| 1.0 | March 19, 2026 | Initial version |
