01 Who we are
Botardo AG ("Botardo", "we", "us") operates this website and the Botardo bot-detection service. When the service runs on a customer's website, that customer is the data controller for any personal data processed there, and we act as their processor under a signed Data Processing Addendum.
02 What we collect
From visitors on customer sites
- Behavioural telemetry: keystroke and pointer timings (intervals, not contents), focus transitions between fields, scroll cadence, viewport metrics, and a small entropy sample from the runtime.
- Session metadata: the user agent, header set, and the visitor's full IP address. We retain this data until deletion is requested by the organization or the user.
- A session identifier: a random 22-character string stored in localStorage for the duration of the visit.
From Console users
- Account fields: name, work email, role, organization.
- Authentication metadata: hashed password (Argon2id), MFA enrolment.
- Audit log: a record of admin actions inside the Console, retained for the life of the account.
- Billing: held by Stripe; we receive only a customer id.
03 What we don't collect
The Botardo snippet does not read the values of <input>, <textarea>, or any other field. We don't load third-party ad pixels, social trackers, fingerprinting libraries, or session-replay tools.
We do not link visitor sessions to any external identity graph, advertising id, or cross-site profile.
04 Why we collect it
We have two lawful bases under GDPR Art. 6:
- Legitimate interest (Art. 6(1)(f)): protecting customer forms from automated abuse: fake signups, credential stuffing, contact-form spam.
- Contract (Art. 6(1)(b)): for Console account data, processing is necessary to provide the service you signed up for.
We do not process special-category data and we don't make automated decisions that produce legal effects on visitors.
06 Retention & deletion
- Raw behavioural telemetry: retained until deletion is requested by the organization or the user.
- Session metadata (full IP, UA, headers): retained until deletion is requested by the organization or the user.
- Console account data: kept for the life of the account, then wiped promptly upon closure.
- Backups: encrypted snapshots purged on a rolling basis.
Deletion is irreversible. Once deleted, we have no engineering capability to recover the data.
07 Your rights
Depending on where you live, you have the right to access, correct, delete, port, or restrict the processing of your personal data. For Console accounts, exercise these rights from your profile or by emailing [email protected].
Access
Ask for a copy of the personal data we hold about you. We aim to reply promptly.
Erasure
Have us delete your data. Backups are purged on a rolling schedule after deletion.
Portability
Export your data as machine-readable JSON or CSV from the Console.
Correction
Fix inaccurate or incomplete account data. Most fields are self-serve.
Objection
Object to processing based on legitimate interests. We will weigh and respond.
Complaint
Lodge a complaint with your local data protection authority at any time.
09 Children
Botardo is a B2B product. The Console isn't directed at children, and we don't knowingly collect personal data from anyone under 16. If you believe a child has provided us data, email [email protected] and we'll delete it.
10 International transfers
All customer data is hosted on European bare-metal hardware, with an encrypted standby. For transfers from the EEA or UK we rely on Standard Contractual Clauses.
11 Changes to this notice
We'll post material changes on this page with advance notice before they take effect and email account admins. Editorial changes (typos, link updates) we'll just fix.
12 Contact us
Privacy questions, data subject requests, or anything else: [email protected].