
Privacy Policy

Effective Date: January 2025  ·  Last Updated: January 2026

BotBenefitsAlign.com

BotBenefitsAlign.com processes enterprise HR data at scale. We take data privacy with the highest degree of seriousness. This Privacy Policy outlines the categories of data we process, our legal basis for doing so, and the robust protections we have in place for all data entrusted to our platform.

01

Data Categories Processed

Platform Administrator Data:

  • Full name, business email, job title, and company name
  • Authentication credentials and multi-factor authentication settings
  • Billing and invoice information
  • Activity logs, API call history, and bot configuration records

Employee Data (processed as data processor):

  • Employee identifiers, employment status, and organizational unit
  • Benefits enrollment data, plan selections, and utilization records
  • Life event data provided for benefits updates (where applicable)
  • HRIS data fields imported via integration connectors

02

Legal Basis for Processing

We process platform administrator data under the following legal bases:

  • Contract Performance: Processing necessary to fulfill our service agreement
  • Legitimate Interest: Security monitoring, fraud prevention, and service improvement
  • Legal Obligation: Compliance with applicable regulatory requirements

Employee data is processed under our enterprise Data Processing Agreement (DPA) in which your organization acts as controller and we act as processor, processing only as directed.

03

Bot Data Processing

When bots are deployed, they process employee data in automated pipelines. All bot data processing occurs within your configured environment. BotBenefitsAlign does not use customer employee data to train shared AI models or derive insights for third parties. Bot activity logs are retained for audit purposes and are accessible to your administrators.

04

Sub-Processors & Data Sharing

We engage vetted sub-processors to deliver our services. All sub-processors are bound by strict DPAs and meet our security certification requirements. Categories of sub-processors include:

  • Cloud infrastructure and compute providers
  • Enterprise monitoring and observability tools
  • Secure payment processing services
  • Encrypted email and notification services

We maintain a current, auditable sub-processor list available to enterprise clients upon request. We notify enterprise clients of sub-processor changes with at least 14 days' advance notice.

05

Security Architecture

Our security infrastructure is designed for enterprise-grade protection:

  • AES-256 encryption for all data at rest; TLS 1.3 for all data in transit
  • Zero-trust network architecture with strict identity verification
  • Role-based access control (RBAC) with least-privilege enforcement
  • Annual third-party penetration testing and SOC 2 Type II audit
  • Automated threat detection and real-time incident response
  • Isolated customer data tenants with no cross-tenant data access

06

Data Retention & Deletion

Platform administrator data is retained for the subscription term plus 12 months. Employee data processed by bots is retained only as long as required to deliver the contracted service. Upon contract termination, all customer data is purged within 30 days. Deletion certificates are available upon request for enterprise clients with compliance requirements.

07

Data Subject Rights

For data subject requests (DSRs) related to employee data, your organization as data controller is responsible for receiving and responding to individual requests. BotBenefitsAlign will assist by providing data exports or deletion confirmations as required under our DPA. For platform administrator data, you may submit DSRs directly to our privacy team. We respond within 30 days.

08

International Transfers

Data may be processed in the United States or other jurisdictions where our infrastructure and sub-processors operate. Cross-border transfers are governed by Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms under applicable data protection law.

09

Breach Notification

In the event of a confirmed data breach affecting customer data, BotBenefitsAlign will notify affected enterprise clients within 72 hours of becoming aware of the breach, as required under applicable law. Notifications will include the nature of the breach, categories of data affected, and remediation steps taken.

10

Policy Changes

Material changes to this Privacy Policy will be communicated to enterprise account holders at least 30 days in advance. Non-material changes (such as contact information updates) will be reflected on this page with an updated revision date.

11

Data Protection Contact

BotBenefitsAlign.com — Data Protection Office

Email: privacy@botbenefitsalign.com

Website: www.botbenefitsalign.com

© 2026 BotBenefitsAlign.com — All Rights Reserved.
