Privacy Policy

Last updated: March 19, 2026

1. Introduction

Shopibot ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our platform at shopibot.app and dashboard.shopibot.app (the "Service").

This policy applies to all users of our Service, including merchants who create accounts and manage shops, and end customers who interact with Telegram bots created through our platform.

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored in hashed form)
  • Language preference

2.2 Business Data

To provide the Service, we collect and store:

  • Business name and description
  • Product catalog data (names, descriptions, prices, images, categories, attributes)
  • Order data (order details, customer delivery information, order status)
  • Category and attribute configurations

2.3 Telegram Integration Data

When you connect your Telegram bot, we collect and store:

  • Bot tokens (encrypted at rest)
  • Channel IDs and chat IDs
  • Subscriber data (Telegram user IDs, first names, and language codes of users who interact with your bot)
  • Message and interaction data related to orders and product browsing

2.4 Usage Data

We automatically collect certain information when you use the Service:

  • IP address
  • Browser type and version
  • Pages visited and features used
  • Date and time of access
  • Referring URL

2.5 Payment Data

We do not directly collect or store your payment information (credit card numbers, bank account details, etc.). All payment processing is handled by our Merchant of Record, Paddle.com Market Limited ("Paddle"). When you subscribe to a paid plan, Paddle collects and processes your payment data in accordance with their own Privacy Policy. We receive from Paddle only subscription status, plan details, and transaction IDs.

3. How We Use Your Data

We use the data we collect for the following purposes:

  • Providing the Service: To create and manage your account, operate your Telegram shop, process orders, and deliver notifications
  • Communication: To send you transactional emails (account verification, password resets, order notifications) and, with your consent, product updates and announcements
  • Service Improvement: To analyze usage patterns, diagnose technical issues, and improve the Service
  • Security: To detect and prevent fraud, abuse, and unauthorized access
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes
  • Support: To respond to your inquiries and provide customer support

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data based on the following legal grounds:

  • Contractual Necessity: Processing required to provide the Service you requested (Article 6(1)(b) GDPR)
  • Legitimate Interests: Processing for our legitimate business interests, such as improving the Service and ensuring security (Article 6(1)(f) GDPR)
  • Legal Obligation: Processing required to comply with legal obligations (Article 6(1)(c) GDPR)
  • Consent: Where you have given explicit consent for specific processing activities, such as marketing emails (Article 6(1)(a) GDPR)

5. Data Sharing and Third-Party Services

We share your data with the following third-party service providers, solely for the purpose of operating the Service:

  • Paddle (paddle.com) — Merchant of Record for payment processing, billing, tax collection, and invoicing. Paddle acts as the seller of record for all transactions and processes your payment data directly. See Paddle's Privacy Policy.
  • Telegram (telegram.org) — Messaging platform through which your shop bot operates. We interact with the Telegram Bot API to deliver messages, manage interactions, and process orders. See Telegram's Privacy Policy.
  • DigitalOcean (digitalocean.com) — Cloud infrastructure provider. Our servers, databases, and storage are hosted on DigitalOcean infrastructure in the EU region. See DigitalOcean's Privacy Policy.
  • Resend (resend.com) — Email delivery service used to send transactional emails (account verification, password resets, notifications).
  • Cloudflare (cloudflare.com) — DNS, CDN, and DDoS protection services.

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

6. Cookies

We use minimal cookies that are strictly necessary for the operation of the Service:

  • Session Cookies: Used to maintain your authenticated session while using the dashboard. These cookies are deleted when you close your browser or when your session expires.
  • Language Preference: Used to remember your preferred language across visits.

We do not use third-party tracking cookies, advertising cookies, or analytics cookies. We do not participate in cross-site tracking.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account Data: Retained for the duration of your account and for 30 days after account closure
  • Business Data: Retained for the duration of your account. Product and order data is deleted 30 days after account closure
  • Telegram Integration Data: Bot tokens are deleted immediately upon disconnecting a bot or closing your account. Subscriber data is retained for 30 days after account closure
  • Usage Data: Retained for up to 12 months for analytics and security purposes
  • Transaction Records: Retained as required by applicable tax and accounting regulations (typically 7 years)

8. Your Rights (GDPR)

If you are located in the European Economic Area, you have the following rights regarding your personal data:

  • Right of Access: You may request a copy of the personal data we hold about you
  • Right to Rectification: You may request correction of inaccurate or incomplete personal data
  • Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements
  • Right to Restriction: You may request that we restrict the processing of your data in certain circumstances
  • Right to Data Portability: You may request your data in a structured, machine-readable format
  • Right to Object: You may object to the processing of your data based on legitimate interests
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

9. Data Security

We take appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/SSL) and sensitive data at rest
  • Secure password hashing
  • Regular security updates and vulnerability assessments
  • Access controls and authentication for internal systems
  • Infrastructure hosted in EU data centers with industry-standard physical security

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

10. International Data Transfers

Our infrastructure is hosted in the EU region (DigitalOcean). However, some of our third-party service providers may process data outside the EEA. When data is transferred outside the EEA, we ensure adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.

11. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data promptly. If you believe that a child has provided us with personal data, please contact us at [email protected].

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.

13. Contact

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

Email: [email protected]
Website: shopibot.app