Back to home
Legal

Privacy Policy

Effective date: May 20, 2026

1. Introduction

BYV ("we", "our", or "us") operates byvbd.com and the BYV Widget-Builder platform — a SaaS service that lets businesses upload documents and deploy AI-powered chat widgets on their websites.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights regarding that data. By using our platform you agree to the practices described here.

2. Data We Collect

2.1 Account & Identity Data

When you register or accept a team invitation we collect:

  • Email address
  • First and last name (optional at registration)
  • Password (stored as a bcrypt hash — never in plain text)
  • Role within your organisation (Owner, Admin, Member)
  • Google OAuth profile data if you sign in with Google

2.2 Organisation (Tenant) Data

  • Organisation name and slug
  • Subscription plan and billing status
  • Allowed widget domains you register

2.3 Documents You Upload

When you upload a PDF or other document to build a knowledge base, we store the file temporarily to process it. The document is chunked, embedded, and indexed in our vector database. The original file is deleted after processing. Document content is used solely to answer questions from your widget visitors.

2.4 Chat & Usage Data

  • Messages sent through your widget or the playground (stored per tenant)
  • Token usage counts (prompt and completion tokens per session)
  • Session identifiers for conversation continuity
  • Widget visitor session IDs (anonymous — no PII collected from visitors)

2.5 Payment Data

Payments are processed by SSLCommerz. We do not store card numbers or banking credentials. We store transaction IDs, payment status, amount, and plan purchased for billing history and dispute resolution.

2.6 Technical & Log Data

  • IP addresses (used for rate limiting and abuse prevention)
  • Browser and device type (from request headers)
  • API key usage timestamps (last used, not the key itself)
  • Audit logs of significant account actions (document upload, member invite, etc.)
  • Email open events via tracking pixel (for transactional emails only)

2.7 Anonymous Trial Data

If you use the "Try before signup" feature, we create a temporary session tied to your IP address. Trial documents and chat history are stored for 24 hours and then permanently deleted unless you claim the session by creating an account.

3. How We Use Your Data

  • To provide, operate, and improve the BYV platform
  • To authenticate you and enforce role-based access control
  • To process payments and manage your subscription
  • To send transactional emails (welcome, usage warnings, plan renewal reminders) via Resend
  • To enforce plan limits (document count, token usage, monthly quotas)
  • To detect and prevent abuse, fraud, and security threats
  • To respond to support requests
  • To comply with legal obligations

We do not use your document content or chat history to train AI models. We do not sell your data to third parties.

4. Data Isolation & Multi-Tenancy

Every customer account is a separate tenant. Your documents, knowledge bases, chat history, and user data are strictly isolated by tenant ID at the database level. No tenant can access another tenant's data. API keys are scoped to your tenant and hashed before storage — the raw key is shown only once.

5. Data Sharing

We share data only with the following categories of sub-processors:

  • OpenAI — AI language model inference (your document content and chat messages are sent to OpenAI for processing)
  • Cohere — document embedding and reranking
  • SSLCommerz — payment processing
  • Resend — transactional email delivery
  • Cloud infrastructure providers — hosting, database, and Redis services

All sub-processors are contractually bound to process data only as instructed and to maintain appropriate security standards.

6. Data Retention

  • Account data is retained for the lifetime of your account plus 30 days after deletion
  • Chat history is retained until you delete it or close your account
  • Trial session data is deleted after 24 hours if not claimed
  • Payment records are retained for 7 years for legal and tax compliance
  • Audit logs are retained for 12 months
  • Expired API keys are purged after 90 days

7. Security

We implement industry-standard security measures including:

  • TLS encryption in transit for all API and widget traffic
  • Passwords hashed with bcrypt
  • JWT access tokens with 15-minute expiry; refresh tokens with 30-day expiry
  • API keys stored as SHA-256 hashes
  • Rate limiting on all public endpoints via Redis
  • Domain allowlist enforcement for widget embedding
  • Role-based access control enforced at both API and database layers

No system is perfectly secure. If you discover a vulnerability, please report it to [email protected].

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Portability — receive your data in a machine-readable format
  • Objection — object to certain processing activities
  • Restriction — request that we limit processing of your data

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

9. Cookies

We use minimal cookies. For full details see our Cookie Policy.

10. Children

BYV is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. When we do, we will update the effective date at the top and, for material changes, notify you by email. Continued use of the platform after changes constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or requests, contact us at:

BYV

[email protected]

byvbd.com