Privacy Policy
Last updated: April 28, 2026
1. Who We Are
BayouBot ("we," "us," or "our") is an AI agency based in Houston, Texas that builds AI-powered chatbots, websites, and lead-automation systems for small businesses. Our website is bayoubot.live and our primary contact is [email protected].
This Privacy Policy explains what personal data we collect when you use our website or services, why we collect it, how we store and protect it, and the rights you have over it.
2. Data We Collect
We collect personal data in the following ways:
- Contact form submissions: When you fill out our contact or demo-request form, we collect your name, email address, business name, business type, and any message you choose to provide.
- Microsoft account sign-in (SaaS clients): If you connect a Microsoft 365 account to use our outreach platform, we store your Microsoft OAuth tokens (encrypted), M365 tenant ID, and mailbox email address.
- Payment information: If you subscribe to a paid plan, payments are processed by Stripe. We do not store raw card numbers or bank details — Stripe handles and stores all payment card data on its own PCI-compliant systems.
- Usage analytics: We use Vercel Analytics to collect anonymized, aggregated data about page visits, device type, and referral source. No personally identifiable information is included in these analytics events.
- Cookies and session data: We set a session cookie (via NextAuth.js) to keep you logged in to the admin or client dashboard. See our Cookie Policy for details.
3. Why We Collect Your Data
- To respond to demo requests and contact form submissions
- To deliver our AI chatbot and website services to paying clients
- To send service-related emails (confirmations, invoices, updates)
- To operate our outreach automation platform on behalf of SaaS clients
- To improve our website using aggregated, anonymized analytics
- To comply with applicable legal and financial obligations
4. Third-Party Services We Use
We share data with these third-party processors only to the extent necessary to deliver our services:
- Stripe — payment processing. Governed by Stripe's Privacy Policy. PCI-DSS compliant.
- Resend — transactional email delivery. Your email address is passed to Resend solely to send you confirmation or service emails.
- Microsoft Graph / Azure AD — for SaaS clients who connect a Microsoft 365 mailbox. OAuth tokens are encrypted using AES-256-GCM before storage.
- Anthropic (Claude AI) — we send lead and campaign data to Anthropic's API to generate personalized email drafts. No raw personal credentials are transmitted. Governed by Anthropic's usage policies.
- Apify — used internally to scrape publicly available Google Places data (business names, addresses, phone numbers) for our sales pipeline. We do not sell this data to third parties.
- Vercel — website hosting and serverless infrastructure. Vercel may process request metadata (IP, headers) in accordance with their Privacy Policy.
5. How We Store and Protect Your Data
Personal data submitted via our contact form is stored in a managed PostgreSQL database (DigitalOcean Managed Databases) with SSL/TLS encryption in transit and encryption at rest.
SaaS client data (campaigns, mailbox tokens, leads) is stored in Azure SQL with SSL-enforced connections. OAuth tokens are additionally encrypted at the application layer (AES-256-GCM) before being written to the database.
We implement role-based access controls so that only authorized BayouBot team members can access client data.
6. Data Retention
We retain contact form submissions and lead data for up to 2 years from the date of collection, or until you request deletion. SaaS client account data is retained for the duration of the active subscription plus 90 days after cancellation to allow for data export. Payment records may be retained longer as required by applicable tax and accounting laws.
7. Cookie Usage
We use cookies primarily for authentication (session cookies). We do not use third-party advertising cookies or tracking pixels. For a full breakdown, see our Cookie Policy.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the data we hold about you.
- Correction: Request that inaccurate data be corrected.
- Deletion: Request that we delete your personal data (subject to legal retention obligations).
- Portability: Request your data in a machine-readable format.
- Opt-out (CCPA): California residents have the right to opt out of the "sale" of personal information. We do not sell personal data.
- GDPR rights: EU/EEA residents have additional rights under GDPR, including the right to object to processing and the right to lodge a complaint with a supervisory authority.
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
9. Children's Privacy
Our services are not directed to individuals under 13 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately so we can delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. Continued use of our site or services after changes are posted constitutes your acceptance of the updated policy. For material changes, we will notify SaaS clients by email.
11. Contact Us
For privacy-related questions, requests, or complaints, contact us at [email protected] or by mail at: BayouBot, Houston, Texas, USA.