LangBot User Privacy Policy
Version: 1.0 | Effective Date: TBD | Last Updated: January 27, 2025
Table of Contents
- Introduction
- Definitions and Scope
- Data Controller
- Information We Collect
- How We Collect Information
- Purpose and Legal Basis for Information Use
- Information Sharing and Disclosure
- Cross-Border Data Transfers
- Data Storage and Retention
- Data Security
- Your Rights
- Cookies and Tracking Technologies
- Automated Decision-Making and Artificial Intelligence
- Protection of Minors
- Self-Hosted Instances
- Plugins and Third-Party Services
- Changes to This Privacy Policy
- Contact Us
- Region-Specific Terms
1. Introduction
Welcome to LangBot (hereinafter referred to as "we", "us", or "the Platform"). We understand the importance of your personal information and are committed to protecting your privacy. This Privacy Policy (hereinafter referred to as "this Policy") is designed to explain how we collect, use, store, share, and protect your personal information, as well as the rights available to you.
Please read and fully understand this Policy before using our services. If you do not agree with any terms of this Policy, please stop using our services. By continuing to use our services, you acknowledge that you have read, understood, and agreed to be bound by this Policy.
This Policy is formulated in accordance with the Personal Information Protection Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and other applicable laws and regulations, while also referencing the requirements of the EU General Data Protection Regulation (GDPR).
2. Definitions and Scope
2.1 Definitions
| Term | Definition |
|---|---|
| LangBot | The intelligent chatbot platform software and related services developed and operated by the LangBot Team |
| LangBot Core | The open-source bot core program that can be self-deployed |
| LangBot Space | The plugin marketplace, cloud service platform, and related online services operated by us |
| Personal Information | Various information recorded electronically or by other means that relates to identified or identifiable natural persons, excluding anonymized information |
| Sensitive Personal Information | Personal information that, once leaked or illegally used, may easily lead to infringement of the dignity of natural persons or harm to personal or property safety, including biometric data, religious beliefs, specific identities, medical health, financial accounts, location tracking, and personal information of minors under 14 years of age |
| User / You | Natural persons who use our services |
| Instance Operator | Individuals or organizations that deploy and operate self-hosted LangBot Core instances |
| Bot End User | Instant messaging platform users who interact with LangBot bots |
| Processing | Operations performed on personal information, including collection, storage, use, processing, transmission, provision, disclosure, and deletion |
2.2 Scope
This Policy applies to the following services:
| Service Type | Description | Data Controller |
|---|---|---|
| LangBot Space Platform | Plugin marketplace, cloud services (Cloud Pods), developer services | LangBot Team |
| Officially Hosted LangBot Instances | Bot services directly operated by us | LangBot Team |
| Self-Hosted LangBot Core | Open-source software deployed by users | Instance Operator (not us) |
Important Note: For self-hosted LangBot Core instances, the data controller is the instance operator, not the LangBot Team. We are only responsible for anonymous data collected through opt-in telemetry features. See Section 15 for details.
3. Data Controller
3.1 LangBot Space Platform
For LangBot Space platform services, the data controller is:
LangBot Team
Contact Email: privacy@langbot.app
3.2 Self-Hosted Instances
For LangBot Core instances self-hosted using our open-source software:
- Data Controller: Instance Operator
- Our Role: Software provider (not involved in data processing)
We do not control or bear responsibility for the data processing practices of third-party operated LangBot instances. Please consult the relevant instance operator for their privacy policy.
4. Information We Collect
4.1 LangBot Space Platform User Information
4.1.1 Account Information
| Information Type | Details | Necessity |
|---|---|---|
| Basic Account Info | Email address, username, password (encrypted) | Required |
| Profile | Nickname, avatar, language preference | Optional |
| Third-Party Login Info | GitHub username/email, Google email/name | Required when using third-party login |
4.1.2 Service Usage Data
| Information Type | Details | Collection Purpose |
|---|---|---|
| Access Logs | IP address (aggregated), access time, request endpoints | Security, service optimization |
| Plugin Usage | Download records, installation statistics | Service improvement |
| Resource Usage | Credit balance, Pod usage | Service provision |
4.1.3 Payment Information
| Information Type | Details | Notes |
|---|---|---|
| Order Information | Order number, amount, purchase content, transaction time | Stored by us |
| Payment Credentials | Third-party payment ID | Processed by payment providers; we only store transaction identifiers |
We do not store: Bank card numbers, payment passwords, complete payment credentials, or other sensitive payment information.
4.1.4 Developer Information
| Information Type | Details | Applicable To |
|---|---|---|
| Plugin Submission Info | Author name, plugin description, contact information | Plugin developers |
| API Keys | API Key (encrypted) | API users |
4.2 Telemetry Data (from Self-Hosted Instances)
When telemetry is enabled on self-hosted instances (enabled by default, can be disabled), we collect the following anonymous statistical data:
| Data Item | Description | Contains Personal Information |
|---|---|---|
| Instance ID | Randomly generated unique identifier | No |
| Software Version | LangBot version number | No |
| Adapter Type | Platform used (e.g., QQ, Telegram) | No |
| Model Usage | LLM model name | No |
| Processing Time | Request response time | No |
| Plugin List | Names of installed plugins | No |
| Error Information | Sanitized error types | No |
Telemetry data does not include:
- User message content
- User nicknames or IDs
- Real IP addresses
- Any personally identifiable information
Disabling Telemetry: You can set space.disable_telemetry: true in the configuration file to completely disable telemetry data transmission.
4.3 Bot End User Information (Official Hosted Instances Only)
For bot instances officially operated by us, the following information may be collected:
| Information Type | Details | Storage Method |
|---|---|---|
| Platform Identifier | Platform-assigned user ID, group ID | Database |
| Display Information | Nickname (during session) | Memory (not persisted) |
| Message Content | Conversation text, images, etc. | Configurable |
| Session Data | Conversation history, context | Memory / Database |
| Usage Statistics | Message count, invocation count | Database |
5. How We Collect Information
5.1 Information You Directly Provide
- Information filled in when registering an account
- Information provided when completing your profile
- Information authorized when logging in with a third-party account
- Information filled in when submitting plugins
- Information provided when contacting support or submitting feedback
5.2 Automatically Collected Information
- Access logs and usage data
- Device and browser information (via cookies)
- Telemetry data (can be disabled)
5.3 Information from Third-Party Sources
- Public information provided by OAuth login providers (GitHub, Google)
- Transaction status information returned by payment providers
6. Purpose and Legal Basis for Information Use
6.1 Purposes of Use
| Purpose | Description | Information Types Involved |
|---|---|---|
| Service Provision | Account management, plugin distribution, Cloud Pods operation | Account info, usage data |
| Identity Verification | Login authentication, permission management | Account info, session data |
| Payment Processing | Order creation, credit management | Payment info |
| Security Protection | Fraud prevention, abuse detection, security auditing | Access logs, IP addresses |
| Service Improvement | Performance optimization, feature development | Telemetry data, usage statistics |
| Troubleshooting | Technical support, error diagnosis | Log data, error information |
| Notifications | Service announcements, security alerts | Contact information |
6.2 Legal Basis
Under Article 13 of the Personal Information Protection Law, we process your personal information based on the following legal bases:
| Legal Basis | Applicable Scenarios | Regulatory Reference |
|---|---|---|
| Your Consent | Marketing communications, optional features | PIPL Art. 13(1) |
| Contract Performance | Providing services you request | PIPL Art. 13(2) |
| Legal Obligations | Tax records, security compliance | PIPL Art. 13(3) |
| Legitimate Interests | Security protection, service improvement | PIPL Art. 13(6) |
7. Information Sharing and Disclosure
7.1 We Do Not Proactively Share Your Personal Information
Except in the following circumstances, we will not share your personal information with third parties:
7.2 Sharing with Your Consent
With your explicit consent, we may share your information with third parties.
7.3 Service Providers
We may engage the following types of service providers to process your information:
| Service Type | Provider | Shared Data | Purpose |
|---|---|---|---|
| OAuth Authentication | GitHub, Google | Email, username | Account login |
| Payment Processing | Alipay, WeChat Pay, Stripe, PayPal | Order amount, order number | Payment completion |
| Cloud Infrastructure | [Cloud provider] | Encrypted user data | Service hosting |
| Content Delivery | [CDN provider] | Static resource requests | Access acceleration |
We require all service providers to comply with strict data protection obligations.
7.4 Legally Required Disclosure
We may disclose your information in the following circumstances:
- To comply with laws, regulations, court orders, or mandatory government requirements
- To protect the rights, property, or safety of us, our users, or the public
- To detect, prevent, or address fraud, security, or technical issues
7.5 Business Transfers
In the event of a merger, acquisition, or asset sale, your personal information may be transferred as a transaction asset. We will notify you before the transfer and ensure the recipient continues to comply with this Policy.
8. Cross-Border Data Transfers
8.1 Data Storage Locations
| Service | Primary Storage Location |
|---|---|
| LangBot Space | [Data center location] |
| Telemetry Data | [Data center location] |
8.2 Cross-Border Transfer Scenarios
When we need to transfer your personal information abroad, we will:
- Conduct Security Assessments: Perform data export security assessments as required by national cyberspace authorities
- Sign Standard Contracts: Enter into standard contracts formulated by national cyberspace authorities with overseas recipients
- Obtain Your Separate Consent: Clearly inform you and obtain your separate consent before the transfer
8.3 Information Disclosure
When transferring data abroad, we will inform you of:
- The name and contact information of the overseas recipient
- The purpose and method of processing
- The types of personal information involved
- The methods and procedures for exercising your rights with the overseas recipient
9. Data Storage and Retention
9.1 Storage Methods
| Data Type | Storage Method | Security Measures |
|---|---|---|
| Account Information | PostgreSQL Database | Encrypted storage, access control |
| Session Data | Redis Cache | Auto-expiration, memory isolation |
| Payment Records | PostgreSQL Database | Encrypted storage, audit logs |
| Telemetry Data | PostgreSQL Database | Anonymization |
| Plugin Files | S3 Object Storage | Encrypted transmission, access control |
9.2 Retention Periods
| Data Type | Retention Period | Notes |
|---|---|---|
| Account Information | Duration of account + 30 days | Retained for 30 days after deletion for recovery |
| Payment Records | 7 years | Tax regulation compliance |
| Access Logs | 90 days | Security audit requirements |
| Telemetry Data | 12 months | Statistical analysis |
| Session Data | Cleared after session ends | Maximum 24 hours |
| Conversation History | Configured by instance operator | Self-hosted scenarios |
9.3 Data Deletion
When the retention period expires or you request deletion, we will, except where retention is required by law:
- Delete or anonymize your personal information
- Notify third parties who have received the information to delete it
10. Data Security
10.1 Security Measures
We take the following measures to protect your personal information:
| Category | Measures |
|---|---|
| Technical Measures | HTTPS transmission encryption, database encryption, Argon2id password hashing, encrypted API key storage |
| Access Control | Role-based permission management, principle of least privilege, multi-factor authentication (admin panel) |
| Network Security | Firewalls, DDoS protection, intrusion detection |
| Audit Logs | Sensitive operation logging, anomaly monitoring |
| Personnel Management | Confidentiality agreements, security training, access approval |
10.2 Security Incident Response
In the event of a personal information security incident, we will:
- Respond Immediately: Activate emergency plans to prevent further damage
- Assess Impact: Determine the scope of affected data and users
- Notify Regulators: Report to relevant regulatory authorities as required by law
- Notify Users: Inform affected users via email, in-app notifications, or other means
- Remediate: Take measures to mitigate damage and prevent recurrence
11. Your Rights
Under the Personal Information Protection Law and related legislation, you have the following rights:
11.1 Right to Know and Right to Decide
You have the right to know how we process your personal information and the right to decide whether to consent to specific processing activities.
11.2 Right of Access and Right to Copy
You have the right to access and copy your personal information. You can exercise this right by:
- Logging into your account to view your profile
- Contacting us to obtain a copy of your data
11.3 Right to Rectification and Supplementation
When you discover that your personal information is inaccurate or incomplete, you have the right to request correction or supplementation:
- Modify directly in account settings
- Contact us for assistance
11.4 Right to Deletion
You have the right to request deletion of your personal information in the following circumstances:
- The processing purpose has been achieved or is no longer necessary
- You withdraw consent and there is no other legal basis
- We process information in violation of laws, regulations, or our agreement with you
- Other circumstances specified by laws and regulations
Limitations on Deletion Requests:
- Information required to be retained by laws and regulations (e.g., payment records)
- Information related to public interest
- Information necessary for contract performance
11.5 Right to Withdraw Consent
For personal information processed based on your consent, you have the right to withdraw consent at any time:
- Disable telemetry: Set space.disable_telemetry: true
- Unsubscribe from marketing: Click the "unsubscribe" link in emails
- Delete account: Apply in account settings
Withdrawal of consent does not affect the lawfulness of processing carried out based on consent prior to withdrawal.
11.6 Right to Data Portability
You have the right to obtain your personal information in a structured, commonly used format and to request that we transfer it to a third party you designate (where technically feasible).
11.7 Right to Refuse Automated Decision-Making
For decisions made entirely through automated decision-making that significantly affect your rights and interests, you have the right to request an explanation and the right to refuse decisions made solely through automated means.
11.8 How to Exercise Your Rights
You can exercise the above rights through the following methods:
| Method | Description |
|---|---|
| Account Settings | View, modify, and delete certain information |
| Contact Email | privacy@langbot.app |
| Online Form | TBD |
We will respond within 15 business days of receiving your request. For complex requests, we may need to extend to 30 business days, and we will notify you in advance.
12. Cookies and Tracking Technologies
12.1 Cookies We Use
| Cookie Type | Purpose | Necessity |
|---|---|---|
| Essential Cookies | Session management, security authentication | Required (no consent needed) |
| Functional Cookies | Remember preferences, language selection | Optional |
| Analytics Cookies | Traffic statistics, performance monitoring | Optional |
12.2 Cookie Management
You can manage cookies through your browser settings:
- View and delete stored cookies
- Block specific or all cookies
- Set cookie expiration times
Note: Disabling essential cookies may cause some features to not function properly.
12.3 Similar Technologies
In addition to cookies, we may use:
- Local Storage (localStorage): Store user preferences
- Session Storage (sessionStorage): Temporary session data
13. Automated Decision-Making and Artificial Intelligence
13.1 AI Model Usage
LangBot integrates multiple large language models (LLMs) to provide intelligent conversational services.
13.2 Data Usage Statement
We do not use your data to train AI models.
| Scenario | Data Used for Training | Notes |
|---|---|---|
| LangBot Space Users | No | Your account and usage data are not used for model training |
| Self-Hosted Instances | Not applicable | Data is controlled by the instance operator |
| Third-Party LLM Calls | Depends on LLM provider | Please refer to the respective provider's privacy policy |
13.3 Automated Decision-Making
We may use automated processing for:
- Content Moderation: Detecting prohibited content
- Security Detection: Identifying abnormal behavior
- Service Recommendations: Feature recommendations based on usage
You have the right to:
- Understand the logic of automated decision-making
- Request human review of decisions that significantly affect you
- Refuse fully automated decision-making
14. Protection of Minors
14.1 Age Requirement
LangBot Space platform services are intended for users aged 14 and above. We do not intentionally collect personal information from minors under 14 years of age.
14.2 Guardian Responsibility
If you are the guardian of a minor and discover that your ward has used our services without your consent, please contact us immediately and we will take steps to delete the relevant information.
14.3 Minors Under 14
Under the Personal Information Protection Law, all personal information of minors under 14 is classified as sensitive personal information. If such information needs to be processed:
- Explicit consent from parents or guardians must be obtained
- Dedicated processing rules must be established
- Strict protective measures must be adopted
15. Self-Hosted Instances
15.1 Responsibility Allocation
For instances deployed using LangBot Core open-source software:
| Role | Responsible Party | Responsibilities |
|---|---|---|
| Data Controller | Instance Operator | Establish privacy policy, handle user requests, ensure compliance |
| Software Provider | LangBot Team | Provide secure software, fix vulnerabilities |
15.2 What We Do Not Control
For self-hosted instances, we do not control and are not responsible for:
- User data collected by the instance operator
- Storage and processing of message content
- Privacy practices of the instance operator
- Data processing by third-party LLM providers
15.3 Obligations of Instance Operators
If you deploy a LangBot Core instance, you should:
- Establish and publish your own privacy policy
- Comply with applicable data protection laws
- Be responsible for bot end user data
- Respond to user rights requests
15.4 Telemetry Data
Self-hosted instances have telemetry enabled by default, sending anonymous statistical data to LangBot Space. You can:
- Review the data being sent (see Section 4.2)
- Disable at any time: Set space.disable_telemetry: true
16. Plugins and Third-Party Services
16.1 Plugin Marketplace
The LangBot Space plugin marketplace offers plugins published by third-party developers.
Important:
- Plugins are developed and maintained by third-party developers
- Each plugin may have its own privacy policy
- Please review the privacy terms before installing plugins
- We are not responsible for data processing by third-party plugins
16.2 Plugin Developer Responsibilities
Plugin developers must:
- Provide a privacy policy (if collecting any user data)
- Comply with our developer agreement
- Accurately disclose data collection practices
- Respond to user privacy requests
16.3 Third-Party LLM Services
LangBot supports connecting to various third-party LLM services (such as OpenAI, Anthropic, DeepSeek, etc.).
Note:
- Content sent to LLMs is processed by the respective providers
- Please refer to each LLM provider's privacy policy
- We do not control third-party LLM data processing
16.4 Instant Messaging Platforms
LangBot supports connecting to various IM platforms (QQ, WeChat, Telegram, Discord, etc.).
Note:
- Platform messages are subject to each platform's privacy policy
- Platform-assigned user identifiers are managed by the platforms
- We only process publicly available information provided by the platforms
17. Changes to This Privacy Policy
17.1 Change Notification
We may update this Policy from time to time. When we do, we will:
- Update the "Last Updated" date at the top of this Policy
- For material changes, notify you 7 days in advance via email or in-app notification
17.2 Material Changes
The following circumstances constitute material changes:
- Significant changes to the types of information collected
- Significant changes to the purposes of information use
- Significant changes to the scope of third-party sharing
- Significant changes to your rights
17.3 Continued Use
After changes take effect, your continued use of our services constitutes acceptance of the updated Policy. If you disagree with the changes, please stop using our services and contact us to delete your account.
18. Contact Us
If you have any questions, comments, or requests regarding this Policy, please contact us through the following channels:
| Contact Method | Details |
|---|---|
| Privacy Email | privacy@langbot.app |
| General Inquiries | contact@langbot.app |
| Official Website | https://langbot.app |
| GitHub | https://github.com/langbot-app/LangBot |
Response Time:
- General inquiries: Within 3 business days
- Rights requests: Within 15 business days
19. Region-Specific Terms
19.1 Users in Mainland China
If you are a user in mainland China, the following terms specifically apply:
- Applicable Law: This Policy is governed by the Personal Information Protection Law, Cybersecurity Law, and Data Security Law of the People's Republic of China
- Dispute Resolution: Disputes arising from this Policy shall be under the jurisdiction of the competent people's court in our location
- Cross-Border Transfer: Before transferring personal information abroad, we will obtain your separate consent and complete security assessments as required by law
19.2 Users in the European Economic Area (EEA), United Kingdom, and Switzerland
If you are located in the EEA, UK, or Switzerland, the following GDPR-related terms apply:
| Right | Description | GDPR Article |
|---|---|---|
| Right of Access | Obtain a copy of personal data | Art. 15 |
| Right to Rectification | Correct inaccurate data | Art. 16 |
| Right to Erasure (Right to Be Forgotten) | Request data deletion | Art. 17 |
| Right to Restriction of Processing | Restrict data processing | Art. 18 |
| Right to Data Portability | Obtain data in machine-readable format | Art. 20 |
| Right to Object | Object to specific processing | Art. 21 |
| Right to Lodge a Complaint | Complain to a data protection authority | Art. 77 |
Data Protection Officer (DPO) Contact: dpo@langbot.app (if applicable)
19.3 Users in California, USA
If you are a California resident, under the California Consumer Privacy Act (CCPA/CPRA), you have the following additional rights:
- Right to Know: Understand the categories and purposes of personal information we collect
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information
- Right to Non-Discrimination: Exercise of privacy rights will not result in discriminatory treatment
We do not "sell" your personal information (as defined by CCPA).
Appendices
Appendix A: Data Processing Activities
| Processing Activity | Data Type | Legal Basis | Retention Period |
|---|---|---|---|
| Account Registration | Email, password | Contract performance | Account duration |
| OAuth Login | Third-party authorization info | Consent | Account duration |
| Payment Processing | Order information | Contract performance, legal obligations | 7 years |
| Telemetry Collection | Anonymous statistics | Legitimate interests | 12 months |
| Security Auditing | Access logs | Legitimate interests | 90 days |
| Plugin Distribution | Developer information | Contract performance | Plugin duration |
Appendix B: Third-Party Service Providers
| Category | Provider | Purpose | Privacy Policy Link |
|---|---|---|---|
| OAuth | GitHub | Third-party login | https://docs.github.com/en/site-policy/privacy-policies |
| OAuth | Google | Third-party login | https://policies.google.com/privacy |
| Payment | Alipay | Payment processing | https://render.alipay.com/p/f/fd-iwntfhkl/index.html |
| Payment | WeChat Pay | Payment processing | https://pay.weixin.qq.com/index.php/public/wechatpay_legal |
| Payment | Stripe | Payment processing | https://stripe.com/privacy |
| Payment | PayPal | Payment processing | https://www.paypal.com/webapps/mpp/ua/privacy-full |
Appendix C: Glossary
| Term | Definition |
|---|---|
| PIPL | Personal Information Protection Law of the People's Republic of China |
| GDPR | EU General Data Protection Regulation |
| CCPA/CPRA | California Consumer Privacy Act and its amendments |
| DPO | Data Protection Officer |
| LLM | Large Language Model |
| OAuth | Open Authorization Protocol |
| S3 | Object Storage Service |
The LangBot Team reserves the right of final interpretation of this Privacy Policy.
Document Version: 1.0 | Generated: January 27, 2025