SIGN IN START TRACKING
REF.PRIV-001

privacy
policy.

EFFECTIVE 16 JUN 2026 VERSION 1.0

This policy explains what personal data we collect when you use the BotScope website and service, how and why we use it, who we share it with, and the rights you have. KOJI STUDIO LTD is the data controller responsible for your personal data.

TL;DR — PLAIN ENGLISH
  • We collect the data we need to run your account, bill you, operate scans, and keep the service secure — plus standard website analytics.
  • We do not sell your personal data.
  • To run AI-visibility scans, we send the queries you configure to third-party AI providers — so avoid putting personal data into your watchlist queries.
  • You have rights under UK GDPR — access, correction, deletion and more — and you can complain to the ICO.

This summary is for convenience only. The full policy below is what governs.

CONTENTS
  1. 01 — Who we are
  2. 02 — Scope
  3. 03 — What we collect
  4. 04 — How & why we use it
  5. 05 — Cookies & analytics
  6. 06 — Sharing & sub-processors
  7. 07 — Scans & third-party AI
  8. 08 — International transfers
  9. 09 — How long we keep it
  10. 10 — Your rights
  11. 11 — Security
  12. 12 — Children
  13. 13 — Changes
  14. 14 — Contact & complaints

SECT.01 Who we are.

BotScope is operated by KOJI STUDIO LTD, a company registered in England and Wales under company number 17126448, with its registered office at Flat 24, Ferrymans Court, Queen Street, Bristol BS2 0JB ("BotScope", "we", "us" or "our"). For the purposes of UK data protection law, we are the data controller for the personal data described in this policy.

If you have any questions about this policy or how we handle your data, contact us at [email protected] or, for security and data-incident matters, [email protected].

SECT.02 Scope.

This policy covers personal data we process through our marketing website (botscope.ai), our application (app.botscope.ai), and our API (api.botscope.ai), together the "Service". It does not cover third-party websites we link to, or the AI providers whose outputs we observe — each operates under its own privacy policy.

BotScope is a business tool. Most of the personal data we hold is business-contact information about the people who create and use accounts, rather than data about members of the public.

SECT.03 What we collect.

  • Account data — your name, email address, password (stored only in hashed form, via our authentication provider), and your organisation, workspace and role details.
  • Billing data — your plan, billing contact, and transaction history. Card payments are processed directly by Stripe; we do not see or store full card numbers.
  • Service data — the watchlists you configure (the brands, domains, and queries you ask us to monitor), your scan results, settings, and any content you submit to the Service.
  • Usage & technical data — IP address, device and browser type, pages and features used, timestamps, and server log data.
  • Cookie data — identifiers set by us and our analytics provider, as described in section 5.
  • Communications — messages you send us through the contact form, by email, or in support conversations.

SECT.04 How & why we use it.

We use personal data for the purposes below, relying on the lawful bases set out for each under the UK GDPR:

  • To provide and operate the Service — including running scans and generating reports. Lawful basis: performance of our contract with you.
  • To take payment and manage subscriptions. Lawful basis: performance of our contract, and our legal obligations (e.g. tax and accounting).
  • To secure, monitor, debug and improve the Service. Lawful basis: our legitimate interests in running a safe, reliable product.
  • To respond to enquiries and provide support. Lawful basis: our legitimate interests and performance of our contract.
  • To send service messages such as billing, security and important account notices. Lawful basis: performance of our contract and our legitimate interests.
  • To send marketing about BotScope where you have not opted out. Lawful basis: consent or our legitimate interests; you can unsubscribe at any time.
  • To comply with the law and enforce our terms. Lawful basis: our legal obligations and legitimate interests.

SECT.05 Cookies & analytics.

We use a small number of cookies and similar technologies. Strictly necessary cookies keep you logged in, maintain your session, and protect our forms from abuse (via Cloudflare Turnstile). These are always on because the Service cannot work without them.

We also use Google Analytics 4, loaded through Google Tag Manager, to understand how the site and app are used. The _ga cookie is scoped across our botscope.ai subdomains so we can understand the journey from the marketing site into the app. We ask for your consent to non-essential cookies through our consent banner, and you can change or withdraw your choice at any time using that banner.

SECT.06 Sharing & sub-processors.

We do not sell your personal data. We share it only with service providers who process it on our behalf under contract ("sub-processors"), and where we are required to by law. Our current sub-processors include:

  • Supabase — database hosting and authentication.
  • Amazon Web Services (AWS) — cloud hosting and file storage.
  • Vercel — hosting for the application front end.
  • Cloudflare — content delivery, DNS, and bot protection (Turnstile), and hosting for the marketing site.
  • Stripe — payment processing and subscription billing.
  • Resend — delivery of transactional and service emails, and our product-update and marketing emails (including managing your subscription preferences and unsubscribes).
  • Google — website analytics (Google Analytics / Tag Manager) and AI model access.
  • AI model providers — including OpenAI, Anthropic, Google, Perplexity, and Microsoft, used to run visibility scans (see section 7).
  • Web data providers — Bright Data, used to observe public AI interfaces.

We may update this list as the Service evolves; a current list is available on request. We may also disclose personal data to comply with a legal obligation, to enforce our terms, to protect our rights or the safety of others, or in connection with a merger, acquisition or sale of assets (in which case we will tell you).

SECT.07 Scans & third-party AI.

To measure AI visibility, the Service submits the queries you configure to third-party AI models, and may observe their public interfaces through web data providers. Those queries are generally about brands and domains rather than individuals, and they are processed by the relevant AI providers under their own terms and privacy policies.

Because we cannot control how AI providers handle data submitted to them, you should not include personal data in your watchlist queries unless you are content for it to be processed by those providers.

SECT.08 International transfers.

We host our core infrastructure in the European Economic Area (currently AWS in Ireland). Some of our sub-processors are based in the United States or other countries. Where we transfer personal data outside the UK, we rely on UK "adequacy" regulations where they apply, or on appropriate safeguards such as the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses). You can ask us for more detail about the safeguards we use.

SECT.09 How long we keep it.

We keep your account and Service data for as long as your account is active and for a reasonable period afterwards — to handle queries, enforce our terms, and meet our legal and accounting obligations (financial records are typically kept for up to seven years). After your account is closed, we make your data available for export for a reasonable period (normally 30 days), after which we delete or anonymise it in the ordinary course, except where we must retain it by law. Analytics data is retained according to our analytics provider's settings.

SECT.10 Your rights.

Under the UK GDPR you have the right to access your personal data; to have it corrected or erased; to restrict or object to its processing; to data portability; and to withdraw consent where we rely on it (including objecting to direct marketing at any time). Exercising these rights will not affect the lawfulness of processing carried out before you did so.

To exercise any of these rights, email [email protected]. We will respond within one month. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk — though we would appreciate the chance to resolve your concern first.

SECT.11 Security.

We take the security of your data seriously and describe our approach in more detail on our security page. In short, we encrypt data in transit, isolate each customer's data, and limit internal access to those who need it. If you believe you have found a security issue, please contact [email protected].

SECT.12 Children.

The Service is intended for business use and is not directed at children. It is not for anyone under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

SECT.13 Changes.

We may update this policy from time to time. When we make a material change, we will update the effective date above and, where appropriate, notify you by email or through the Service. We encourage you to review this page periodically.

SECT.14 Contact & complaints.

This policy is issued by KOJI STUDIO LTD, registered office Flat 24, Ferrymans Court, Queen Street, Bristol BS2 0JB. For data protection enquiries or to exercise your rights, email [email protected]; for security matters, email [email protected].

The supervisory authority for data protection in the UK is the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — ico.org.uk.

YOUR DATA

questions about privacy?

Every email is read by a human, usually within a working day. Ask us anything about how we handle your data.

CONTACT US →