Privacy Policy.
BotKhmer ("we", "us") operates a SaaS platform that lets small businesses in Cambodia connect their Facebook Pages to an automated Messenger chatbot. This Privacy Policy explains what we collect from two distinct groups — business customers who sign up for the service, and end userswhose Facebook conversations with our customers' Pages flow through us.
1. Information we collect from business customers
When you create a BotKhmer account, we store:
- Your email address and a securely-hashed password (bcrypt).
- An optional display name.
- Plan and trial expiration data so we know what you can access.
- For Pages you connect via Facebook Login: your Page Access Tokens, encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256), plus Page name, Page ID, and the chatbot flows you author.
2. Information we collect from end users
When someone messages a Facebook Page operated through BotKhmer, Meta delivers webhook events to us. From those events we store, in our database:
- The user's Page-Scoped ID (PSID) — a value tied to that specific Page, issued by Meta.
- First name, last name, locale, and profile picture URL, as provided by Meta's User Profile API for that PSID.
- Message contentthe user sends to the Page, the bot's replies, and structured data (form answers, custom field values) the user enters into the chatbot.
- Conversation metadata such as timestamps, tags, and a count of interactions.
We do not receive your real Facebook account name beyond first/last name, your email, your phone (unless you explicitly type it into a form), your friends list, or any other Facebook profile data outside what Meta provides via the Messenger Profile API.
3. How we use the information
- Operate the chatbot service — match keyword and postback triggers, send replies, log conversations for the business customer's dashboard.
- Provide each business customer with a view of their own subscribers and conversations. We do not share data between business customers.
- Provide aggregated, anonymous service health metrics for our own engineering — no individual user content is included in those metrics.
- Comply with our legal obligations and with Meta's Platform Terms.
4. Who we share data with
We share data only with Meta Platforms, Inc. (Facebook) — both to receive incoming messages and to send replies back through the Send API. We do not sell or rent any data to advertisers, brokers, or third parties.
Our infrastructure runs on Vultr in Singapore, and we use Cloudflare R2 for media storage. Both are sub-processors; neither has access to readable user content (DB is on private network; media is opaque to the storage layer).
5. How long we keep it
We retain end-user data for as long as the business customer continues to operate the connected Page through BotKhmer. When a business customer cancels or deletes their account, we delete all associated subscriber and conversation data within 30 days.
Individual end users can request deletion at any time — see section 8 below.
6. Security
Page Access Tokens are encrypted at rest. Passwords are hashed with bcrypt. All traffic between you, our service, and Meta is TLS-encrypted. Database access is restricted to our application servers; there is no public DB exposure.
7. Your rights
You can request a copy of, correction to, or deletion of your data at any time by emailing hello@botkhmer.com. We respond within 30 days.
8. Data deletion
To remove your data from BotKhmer:
- If you're a Facebook user who messaged a BotKhmer-operated Page: remove BotKhmer from your Facebook account at facebook.com/settings → Business Integrations. Meta will notify us automatically and we will delete your data, then return a confirmation code you can verify at /data-deletion.
- If you're a business customer:log in, go to Account Settings, and click "Delete account". All your Pages, flows, and subscribers will be removed within 30 days.
- For any other request, email hello@botkhmer.com.
9. Cookies and tracking
BotKhmer uses a single session cookie (JWT) to keep business customers logged into the dashboard. We do not use third-party analytics, advertising pixels, or trackers on the marketing site or in the dashboard.
10. Children
BotKhmer is not directed to children under 13. Business customers must be at least 18 to sign up. We do not knowingly collect data from children; if you believe a child has interacted with a Page via our service, please contact us so we can remove the data.
11. Changes to this policy
We may update this policy as the service evolves. Material changes will be announced via email to the address on your account.
12. Contact
BotKhmer · Phnom Penh, Cambodia · hello@botkhmer.com