Privacy Policy

1. General

This Privacy Policy describes how Landbot processes the Users’ personal information to perform the Services offered in the Website, under the domain www.landbot.io (“Services”).

Users must read and expressly consent to the data processing referred to in this Privacy Policy before using the Services.

2. Data Controller

The Controller of the data collected through this Website is HELLO UMI, S.L., entity of Spanish nationality with professional address at Barcelona, Av. Josep Tarradellas, 20, Floor 6, CP 08029, provided with Tax Identification Number ESB98767551 (hereinafter “Landbot”).

3. Purposes of the Processing and Legal Basis

Landbot will process the personal data of the User of this Website for the following purposes:

  • Enable the maintenance, development and management of the Services, business relationship formalized by contracting products and/or services through this Website, which includes carrying out operations that relate to the management of customers concerning the contracts, orders, deliveries and invoices, and manage the unpaid invoices and possible disputes about the use of our products and services. The data processed for this purpose will be kept as long as said business relationship is maintained and, once it ends, during the periods of conservation and prescription of responsibilities legally established. The legal basis of the treatment is the execution of a contract in which the User is a party.
  • Respond to requests for information and/or queries made by the User. The data processed for this purpose will be kept until the request for information and/or consultation has been answered and, after that, during the legally established periods of conservation and limitation of responsibilities. The legal basis of the processing is the legitimate interest of Landbot in responding to the User.
  • Keep the User informed, including by electronic means, about Landbot products, services and news. The data processed for this purpose will be kept until the moment the User withdraws his consent given to receive said communications and, after that, during the legally established periods of conservation and limitation of responsibilities. The legal basis of the processing is the consent of the User.

    If the User does not consent to the processing of your data for this purpose, please inform Landbot in writing, or check the box enabled for this purpose. The advertising exclusion systems set forth on the website www.aepd.es are available to the User. 

Failure to accept this Privacy Policy will imply that all the Services rendered and Website content offered by Landbot shall not be made available, and that the system subscription process shall be interrupted or terminated.

4. Categories of data

The User must complete all required form fields with truthful, complete and up-to-date information, except for details where completion is indicated as optional, as this information is strictly required by Landbot in order to comply with the aforementioned purposes. Otherwise, Landbot reserves the right to not provide the Services.

Users guarantee that the personal details given to Landbot are true, and are responsible for notifying any modification in these details, by editing the information in the platform or informing Landbot.

The data relating to bank cards are stored no longer than the time necessary to allow the fulfillment of the transaction, except in the case of a recurrent subscription, to facilitate the payment of regular customers. In that case, bank card data will be stored for the whole duration of your subscription and at least until the date at which you carry out your last transaction. Such storage is implemented by Landbot’s secured payment service providers, Stripe and Braintree. By subscribing to the services offered on the Website, you expressly agree to this storage. Data relating to the visual cryptogram or CVV2 on the back of your bank card are not stored. In the case of a payment by bank card, however, data relating to the bank card may be stored as intermediary archives for evidence purposes regarding the current legal obligations.

5. Automated Decision-Making

Landbot informs the Users that by using the Services they will be subject to automated decision-making, including profiling. The aim of this treatment is the adequacy of the listed purposes named herein.

6. Recipients and Personal Data Transfers

The data may be communicated to the following third party recipients:

Public Administrations for the fulfilment of legal obligations and to banking institutions for the management of collections and payments. The data may also be communicated to the following categories of data processors: providers of electronic communications, office automation, hosting, housing, computer maintenance, management, accounting, auditing, consultancy and legal representation. These providers may be located outside the European Economic Area, in which case Landbot will have previously adopted the appropriate safeguards.

7. Rights of the Users

Users are, at any time, entitled to exercise their rights of access, rectification, erasure, restriction of processing, data portability, not to be subject to a decision based solely on automated processing, including profiling, and object, by contacting Landbot and sending a written notification to legal@landbot.io, attaching a copy of their National Identity Document or another equivalent identity document identifying them as a User.

The Users have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. The Users also have the right to lodge a complaint with a supervisory authority.

8. Landbot as data processor


In the event that the User purchases a license to use the Services, Landbot will need to process certain personal data on behalf of the licensee (whether the licensee is the User itself or a legal entity represented by the User). For these purposes, the User shall be considered the Data Controller and Landbot shall be considered the Data Processor.

The following clauses constitute the regulation of the relationship between the Controller and the Processor for the purposes of complying with the provisions of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter, “GDPR”) and Article 33 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (hereinafter, “LOPDGDD”).

8.1. Processing of data to be carried out by the Data Processor

The Data Processor shall process the personal data necessary to carry out the Services on behalf of the Controller. The aforementioned processing shall have a duration equal to that of the provision of the Services, in such a way that once the provision of the Services has been completed, the processing shall be deemed to have been completed.

8.2. Identification of the information concerned

For the performance of the Services, the Controller shall make available to the Processor the information described below:

Data of an identifying nature
Personal characteristics data 
Data on social circumstances
Academic and professional data
Employment details
Economic, financial and insurance details
Transactions in goods and services data
Health data
Data revealing racial or ethnic origin
Data revealing political opinions 
Data revealing religious or philosophical convictions
Data concerning sex life or sexual orientation 

8.3. Obligations of the Processor

The Data Processor undertakes to:

a. Use the personal data undergoing processing, or that it collects for the purpose of their inclusion, only for the strict provision of the Services. Under no circumstances may it use the data for its own purposes.

b. Process the data in accordance with the instructions of the Controller. If the Processor considers that any instructions are in breach of the GDPR or any other Union or Member State data protection provisions, the Processor shall immediately inform the Controller thereof.

c. Where applicable, keep a written record of all categories of processing activities carried out on behalf of the Controller, in accordance with Article 30(2) of the GDPR.

d. Not to communicate the data to third parties, except with the express authorisation of the Data Controller, in the legally admissible cases. The Data Processor may communicate the data to other data processors of the same Data Controller, in accordance with the instructions of the latter. In this case, the Data Controller shall identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied in order to proceed with the communication. If the Controller must transfer personal data to a third country or to an international organisation, pursuant to Union or Member State law applicable to it, it shall inform the Controller of this legal requirement in advance, unless such law prohibits it for important reasons of public interest.

e. Not to subcontract any of the services that form part of the Services and involve the processing of personal data. If it is necessary to subcontract any processing, the Controller must be given prior written notice of this fact, at least 20 calendar days in advance, indicating the processing to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. Subcontracting may be carried out if the Controller does not express its opposition, in writing, within the established period. The subcontractor, who shall also have the status of data processor, is also obliged to comply with the obligations established herein for the Data Processor and the instructions issued by the Data Controller. It is the responsibility of the initial processor to regulate the new relationship in such a way that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as the initial processor, with regard to the proper processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the subcontractor, the initial Processor shall remain fully liable to the Controller for compliance with the obligations. The Controller authorises the Processor to carry out the following subcontracting necessary to provide the Services: see list of subprocessors.

f. Maintain the duty of secrecy with respect to the personal data to which it has access by virtue of the provision of the Services, even after the provision of the Services has ended.

g. To ensure that persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.

h. Keep at the disposal of the Data Controller the documentation accrediting compliance with the obligation established in the previous section.

i. Guarantee the necessary training in the protection of personal data for the persons authorised to process personal data.

j. Assist the Controller in responding to the exercise of the rights of:

1. Access, rectification, erasure and object;
2. Limitation of processing;
3. Data portability;
4. Not to be subject to automated individualised decisions (including profiling).

When the data subjects exercise their rights of access, rectification, erasure and object, restriction of processing, data portability and the right not to be subject to automated individualised decisions before the Data Controller, the latter must communicate this by e-mail to the Data Controller. The communication must be made immediately and in no case later than the working day following receipt of the request, together, where appropriate, with other information that may be relevant for resolving the request.

k. Notify the Controller without undue delay and, in any event, no later than 48 hours by e-mail of any breach of security of the personal data under their responsibility of which they become aware, together with all relevant information for the documentation and communication of the incident. Notification shall not be required where such a breach of security is unlikely to constitute a risk to the rights and freedoms of natural persons.

If available, at least the following information shall be provided:

1. A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of personal data records concerned.

2. The name and contact details of the data protection officer or other point of contact from whom further information may be obtained.

3. A description of the possible consequences of the personal data breach.

4. Description of the measures taken or proposed to be taken to remedy the personal data breach including, where appropriate, measures taken to mitigate the possible negative effects.

If, and to the extent that, it is not possible to provide the information simultaneously, the information shall be provided in a gradual manner without undue delay.

l. Support the Controller in carrying out data protection impact assessments, where appropriate.

m. Support the Controller in carrying out prior consultations with the supervisory authority, where appropriate.

n. Make available to the Controller all information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the Controller or any other auditor authorised by it.

o. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons. In any case, it shall put in place mechanisms to:

1. Ensure the continued confidentiality, integrity, availability and resilience of processing systems and services.

2. Restore availability and access to personal data in a timely manner in the event of a physical or technical incident.

3. Regularly verify, evaluate and assess the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.

4. Pseudonymise and encrypt personal data, where appropriate.


p. Appoint a Data Protection Officer and communicate his or her identity and contact details to the Controller, where appropriate.

q. While a Landbot account is active, all associated data, including personal data, will remain accessible. However, invoices related to active subscriptions will be deleted 6 years after their creation, in compliance with legal requirements.

At any time, the account administrators have the right to delete the account and the associated data. The deletion process shall be initiated from the user interface in our platform (app.landbot.io) or by contacting us through email at legal@landbot.io.

Account deletion requests will be processed in a maximum period of 30 days. However, certain data, such as payments, invoices, and billing information, may not be deleted immediately. Instead, such data will be blocked to fulfill legal obligations or defend against potential claims, in accordance with the legal retention periods allowed under Article 17(3) of the GDPR. During this period, such data will be preserved in a restricted manner and cannot be processed for any other purposes.

Account Deactivation: Once a subscription ends, if the account is not accessed within 6 months and the account chatbots do not have any active conversation during that period, it will be deactivated. For Sandbox accounts without any paid subscription, deactivation will occur if the account has no active chatbot conversation in the last 30 days and no agent has accessed the account during that period. Upon deactivation, all associated users will lose access to the account and all the chatbots associated with the account will stop working. Please note that account restoration will not be possible.

To ensure transparency, users will receive notifications before their account is deactivated. If users access their account or there is an active chatbot conversation during this period, the deactivation countdown will be reset.

Following account deactivation, the management of data will proceed as follows:

  • Non-Personal Data, such as bots, metrics, and campaign metrics, will be promptly deleted upon account deactivation. This data is deleted without delay to ensure it is not retained longer than necessary and cannot be re-associated with any individual.
  • Personal data, including chat messages, integration logs, user details, and account information, will be archived and permanently deleted 3 years from the date of account deactivation.
  • Financial data, including payments, invoices, and billing information, will be archived and permanently deleted 6 years from the date of account deactivation, in compliance with applicable legal requirements for financial record-keeping.

The distinction between the retention periods for personal data (3 years) and financial data (6 years) reflects the different legal obligations applicable to each type of information. Personal data is retained for a shorter period to comply with data protection regulations, while financial data is retained for a longer period to meet accounting and fiscal requirements.

Once the data is archived, data retrieval can be requested via email at legal@landbot.io. However, such retrieval will only be permitted if there is a valid legal basis, such as compliance with a legal obligation or defense against potential claims.

We will retain archived data according to the specified periods mentioned before, ensuring it is blocked and used only as required by legal obligations or for addressing liabilities arising from service performance.

r. Comply with the other obligations that the GDPR, the LOPDGDD and its implementing regulations establish for the Data Processor.


8.4. Obligations of the Data Controller

The Data Controller has the following obligations:
a. To provide or allow access to the data specified above by the Data Controller.
b. Carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the Data Controller, where applicable.
c. Conduct prior consultation as appropriate.
d. Ensure, prior to and throughout the processing, compliance with the GDPR, the LOPDGDD and its implementing regulations by the Data Processor.
e. Supervise the processing, including carrying out inspections and audits.
f. Facilitate the right to information at the time of data collection.
g. Comply with the rest of the obligations that the GDPR, the LOPDGDD and its implementing regulations establish for the Data Controller.

9. Security and Protection of Data

Landbot has adopted the data protection security measures legally required, and strives to adapt additional technical measures and means within its scope to avoid the loss, misuse, alteration, unauthorised access to and theft of the personal details provided. Landbot agrees to use all of the details sent by registered Users with the utmost confidentiality and resilience.

Landbot's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Google Workspace APIs are not used to develop, improve, or train generalized AI and/or ML models.

10. Changes to this Privacy Policy

Landbot reserves the right to amend this policy in order to adapt it to new regulations, case law and industrial and/or commercial practice.

If Landbot decides to change its Privacy Policy, it will post those changes on this page. This Privacy Policy was last modified on 10/09/2024.