Privacy Policy
youami.ai ("we") operates the BitBot WordPress plugin and the dashboard at youami.ai. This page explains what we collect, why, where it lives, and how you delete it. Plain English. Whatever feels vague — write to support@youami.ai and we'll answer.
1. What we collect
Website content
On activation BitBot crawls your sitemap and reads your published pages, posts, page titles, URLs, and the basic site metadata WordPress exposes. This is the content the chatbot answers from.
Chat data
When a visitor uses the chat widget on your site, we store: the messages (questions + responses), a per-session identifier, the visitor's IP address, and timestamps. IPs are kept against the conversation row and automatically anonymised after 90 days, or earlier on request.
Account information
For subscriptions: your email address, payment information processed by Stripe (we never see card numbers), and rolled-up usage counts (chat messages, posts generated this month).
Google Search Console data (optional integration)
If you connect Google Search Console in the BitBot Integrations panel, we request your authorisation via Google OAuth 2.0 and collect: your Google account email, the OAuth access + refresh tokens (encrypted at rest with AES-256-GCM using a key we never log), the list of Search Console properties your account can access, and — only at query time — the search performance rows for the property you selected (queries, pages, clicks, impressions, CTR, position, by date / country / device).
Scopes requested: https://www.googleapis.com/auth/webmasters.readonly plus userinfo.email and openid for account identification. No write access is ever requested. Disconnecting from the Integrations panel immediately deletes the stored tokens and email on our side.
2. How we use it
- Run the chatbot. Visitor content + your indexed pages → the answer they see, plus citations back to your site.
- Draft content. Topics, URLs, or files you supply → blog drafts and FAQs in your dashboard.
- Capture leads. Form submissions and chatbot handovers → the Leads inbox.
- Answer admin questions. On the Agent tier, the dashboard agent reads your own data so you can ask "top queries this week", "draft a follow-up to this lead" and have it work.
- Bill the subscription. Via Stripe.
- Improve the product. Aggregate usage metrics — no personally identifying content.
3. Third-party services we use
Anthropic (Claude AI)
The chatbot brain. Your indexed pages and chat messages pass through Claude to generate replies. Anthropic does not train on this content per their privacy policy.
OpenAI
Used for the embedding model that powers semantic search over your pages. OpenAI privacy policy.
Stripe
Handles payments. We never store card details. Stripe privacy policy.
Supabase
Hosts the database (Postgres + pgvector) and runs our edge functions. Supabase privacy policy.
Google (only if you connect Search Console)
Used only for the Search Console integration. Tokens are stored on our side encrypted. Disconnect from Integrations to wipe immediately, or revoke at myaccount.google.com/permissions.
Meta — Facebook Messenger and Instagram (only if you connect a Page)
If you, as a site owner, connect your Facebook Page to BitBot, we receive Direct Messages sent to that Page so the visitor agent can answer them on your behalf. We process the following Facebook data:
- Page Access Token — stored encrypted (AES-256-GCM), used only to send replies and read messaging events for the connected Page. Revoked when you disconnect.
- Page ID and Page name — used to route inbound messages to the right tenant.
- Visitor Page-Scoped IDs (PSID) and Instagram-Scoped IDs (IGSID) — used to thread replies back to the same visitor. Not shared with any other site.
- Visitor profile fields — first name, last name, profile picture URL, locale, timezone, gender — cached on first message so the agent can personalise replies (“Hi Marlowe”). Refreshed periodically; deleted on disconnect or visitor deletion request.
- Message content — visitor messages and agent replies stored in the same conversation table as the website widget. Used for context within the conversation, future replies, and (optionally) lead capture.
We never send promotional or marketing messages to Facebook / Instagram users on a Page's behalf. The agent only replies to messages a user initiated. Page admins can disconnect at any time from BitBot → Integrations → Facebook Messenger in their WordPress admin, which unsubscribes our webhook and deletes the encrypted Page Access Token. Visitors can request their data be removed via the data deletion page. Meta privacy policy.
4. Retention and deletion
Site content + chat history are retained while your subscription is active. Visitor IPs anonymise after 90 days. Disconnect Search Console → tokens deleted that second. Email support@youami.ai to delete an individual visitor (or all of them) on request — we honour that within 7 days and confirm by email.
5. Security
Transport encryption (HTTPS) end to end. Database encrypted at rest. OAuth tokens additionally encrypted at the application layer with AES-256-GCM. No method is 100% — we publish breaches if they happen, on this page, dated.
6. Your rights
You can:
- Access the personal data we hold on you.
- Correct anything inaccurate.
- Delete it.
- Object to processing.
- Request portability (we'll send you a JSON export).
- Withdraw consent at any time.
Reach us at support@youami.ai or use the self-service deletion form for the fastest turnaround. We answer in days, not weeks.
7. AI training
Your website content, chat conversations, Google Search Console data, and form submissions are not used to train AI models. Not ours, not Anthropic's, not OpenAI's. Data is read at query time to answer the specific question — nothing more.
8. Google API Services User Data Policy
BitBot's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, with respect to data obtained from Google APIs (including Google Search Console):
- Limited Use. We only use Google user data to provide and improve user-facing features prominent in BitBot's UI — answering the site owner's questions about their organic search performance.
- No advertising. We do not use Google user data for serving advertisements of any kind.
- No selling. We do not sell Google user data.
- No human reading. We do not allow humans (including our staff) to read Google user data, except (a) with your explicit consent for specific data, (b) to comply with applicable law, (c) for security purposes such as investigating abuse, or (d) when the data has been aggregated and anonymised.
- No AI/ML training. We do not use Google user data to train or improve generalised or non-personalised AI / ML models. Search Console data is read at query time only and not added to any training corpus.
- No transfer. We do not transfer Google user data to third parties except as necessary to provide BitBot's user-facing features, or as required by law.
9. Children
BitBot is not directed to anyone under 18. We don't knowingly collect data from children.
10. Changes
Material changes get a dated update on this page. If they affect data we already hold on you, we email you first.
11. Reach us
Email: support@youami.ai
Site: youami.ai