Privacy Policy

Effective date: 13 June 2025
Last Updated: 13 June 2025

This Privacy Policy is effective as of the date listed above and applies to all information collected by Bots Mattermost from that date forward. By using our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

Introduction

Welcome to Bots Mattermost (“we,” “our,” or “us”). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, protect, and handle your information when you use our AI bot integration platform for Mattermost workspaces.

Bots Mattermost provides middleware services that enable seamless integration between Mattermost communication platforms and external AI tools, automation services, and intelligent applications. Our platform is designed with privacy-by-design principles, implementing comprehensive security measures to protect your data while facilitating powerful AI integrations for your team’s productivity.

This Privacy Policy applies to all users of our platform, including individual users, workspace administrators, and enterprise customers. By using Bots Mattermost, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service.

Information We Collect

Account and Authentication Information

When you create an account with Bots Mattermost, we collect essential information necessary to provide our services and maintain account security. This includes your email address, which serves as your primary account identifier and communication channel for important service updates, security notifications, and account management purposes.

For users who choose local authentication, we collect and securely store password information using industry-standard scrypt hashing with 32-byte salts, providing robust protection against unauthorized access and rainbow table attacks. Users who authenticate through Google OAuth have the option to set additional passwords for dual authentication methods, enhancing account security.

We also collect and maintain authentication session data, including secure session tokens stored in our PostgreSQL database with comprehensive security measures. All sessions implement secure cookies with CSRF protection, sameSite strict policies, 8-hour expiration periods, and httpOnly flags to prevent client-side script access and enhance security.

Workspace and Integration Data

To facilitate AI bot integrations with your Mattermost workspace, we collect specific workspace configuration information including your Mattermost server URL, workspace identification details, and integration settings that you configure through our platform. This information is essential for establishing secure connections between our middleware platform and your Mattermost environment.

We collect bot configuration data that you create and manage through our platform, including bot names, usernames, access permissions, channel restrictions, and webhook configurations. All bot access tokens and sensitive credentials are encrypted using AES-256-GCM encryption with unique salts and initialization vectors before being stored in our database, ensuring maximum security for your integration credentials.

Integration settings and preferences that you configure for your AI tools and automation platforms are collected and stored to maintain your custom configurations and ensure consistent service delivery. This includes webhook URLs, authentication methods, permission settings, and operational parameters that define how your AI integrations function within your Mattermost workspace.

Usage and Analytics Data

We collect usage analytics and operational data to monitor system performance, ensure service reliability, and improve our platform’s functionality. This includes information about how you interact with our platform, feature usage patterns, integration performance metrics, and system health indicators that help us maintain optimal service quality.

Activity logs are maintained for security and operational purposes, including user actions, system events, authentication attempts, and integration activities. These logs include IP addresses, user agent information, timestamps, and detailed action descriptions that enable us to provide security monitoring, troubleshooting support, and forensic analysis when necessary.

Performance metrics related to your AI integrations are collected to ensure optimal functionality, including response times, success rates, error frequencies, and system resource utilization. This data helps us maintain service reliability and identify opportunities for performance optimization.

Communication and Support Data

When you contact our support team or communicate with us through various channels, we collect and maintain records of these interactions to provide effective customer service and resolve technical issues. This includes support tickets, email communications, chat conversations, and any technical information you provide to help us assist you.

Feedback, feature requests, and product suggestions that you share with us are collected and analyzed to guide our product development efforts and improve our service offerings. As a new platform, we particularly value early customer input that helps shape our product roadmap and feature priorities.

How We Use Your Information

Service Provision and Platform Operations

Your information is primarily used to provide, maintain, and improve our AI bot integration services for Mattermost workspaces. We use your account information to authenticate your access, maintain your user profile, and ensure that you can securely access and manage your integrations through our platform.

Workspace and integration data is used to establish and maintain secure connections between your Mattermost environment and external AI tools. This includes processing your bot configurations, managing permissions and access controls, routing messages between systems, and ensuring that your AI integrations function reliably and securely.

We use collected data to monitor the health and performance of your integrations, providing real-time status updates, error notifications, and performance analytics through our dashboard. This enables proactive issue identification and resolution, ensuring optimal functionality of your AI-powered workflows.

Security and Fraud Prevention

Your information is used to implement and maintain comprehensive security measures that protect your account and data. This includes monitoring for suspicious activities, detecting potential security threats, preventing unauthorized access attempts, and maintaining audit trails for security analysis and compliance purposes.

Authentication data is used to verify your identity and ensure that only authorized users can access your workspace integrations and sensitive configuration data. Our multi-layered authentication system uses this information to provide secure access while maintaining user convenience and operational efficiency.

Activity logs and usage patterns are analyzed to identify potential security incidents, unusual access patterns, or system anomalies that might indicate security threats or technical issues requiring immediate attention.

Platform Improvement and Development

Usage analytics and performance data are used to understand how our platform is being utilized, identify areas for improvement, and guide our product development efforts. This analysis helps us optimize system performance, enhance user experience, and develop new features that address real user needs and use cases.

Customer feedback and support interactions provide valuable insights into user challenges, feature requests, and improvement opportunities. As a new platform, this information is particularly crucial for shaping our product roadmap and ensuring that we build features that deliver maximum value to our users.

Error logs and system performance data are analyzed to identify and resolve technical issues, optimize system reliability, and prevent future problems that could impact service quality or user experience.

Communication and Customer Support

We use your contact information to provide important service communications, including security notifications, system updates, maintenance announcements, and account-related information that affects your use of our platform.

Support and communication data is used to provide effective customer service, resolve technical issues, answer questions about our platform, and ensure that you can successfully implement and maintain your AI integrations.

As a new platform, we may use your contact information to share product updates, new feature announcements, and opportunities to provide feedback that helps us improve our service offerings.

Data Sharing and Disclosure

No Data Sharing Policy

Bots Mattermost maintains a strict no data sharing policy. We do not sell, rent, lease, or otherwise share your personal information, workspace data, integration configurations, or any other information collected through our platform with third parties for commercial purposes.

Your data remains under your control and is used exclusively to provide our integration services to you. We do not monetize your data through advertising, marketing partnerships, or data brokerage arrangements. Our business model is based solely on subscription fees for our integration platform services.

We do not share aggregated or anonymized data with third parties, ensuring that your usage patterns, integration configurations, and operational data remain completely private and confidential.

Limited Service Provider Access

We may share limited information with essential service providers who assist us in operating our platform, but only to the extent necessary for them to provide their services to us. These service providers are contractually bound to maintain the confidentiality and security of your information and are prohibited from using your data for any purpose other than providing services to us.

Current service providers include our hosting infrastructure provider, payment processing service (Stripe), and essential operational tools required for platform maintenance and security. All service providers are carefully vetted for security practices and data protection compliance.

Any service provider access to your data is governed by strict contractual agreements that include data protection requirements, security standards, and limitations on data use that align with our privacy commitments.

Legal and Regulatory Compliance

We may disclose your information if required by law, legal process, or government request, but only to the extent necessary to comply with such requirements. In such cases, we will make reasonable efforts to notify you of the disclosure unless prohibited by law or court order.

We may also disclose information if we believe in good faith that such disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to government requests that meet legal standards for disclosure.

Any legal disclosure will be limited to the specific information requested and will not include broader access to your account or integration data unless specifically required by the legal process.

Business Transfers

In the unlikely event of a merger, acquisition, or sale of all or a portion of our business, your information may be transferred as part of that transaction. However, any such transfer would be subject to the same privacy protections outlined in this policy, and you would be notified of any changes to data handling practices.

Data Security and Protection

Comprehensive Security Architecture

Bots Mattermost implements enterprise-grade security measures designed to protect your data at every level of our platform. Our security architecture follows industry best practices and addresses all OWASP Top 10 vulnerabilities through multiple layers of protection and continuous monitoring.

All sensitive data, including access tokens and integration credentials, is encrypted using AES-256-GCM encryption with unique salts and initialization vectors before being stored in our database. This encryption includes authentication tags for integrity verification and automatic encryption/decryption processes that ensure your sensitive information remains protected even in the event of unauthorized database access.

Our authentication system implements multi-layered security with both local password-based and Google OAuth authentication options. All sessions use secure cookies with CSRF protection, sameSite strict policies, 8-hour expiration periods, and httpOnly flags to prevent client-side script access and session hijacking attempts.

Access Control and Authorization

We maintain a comprehensive role-based access control system with three distinct authorization levels: regular users, workspace administrators, and super administrators. Super administrator access is restricted exclusively to authorized personnel, and all protected routes require authentication middleware to ensure that only authorized users can access sensitive functionality.

Workspace isolation ensures that users can only access data and configurations belonging to their own workspace, preventing unauthorized access to other customers’ information or integration settings. Every API operation verifies resource ownership against the authenticated user’s workspace before allowing access to any data or functionality.

Parameter validation and ownership verification are implemented at every API endpoint, ensuring that bot IDs, workspace identifiers, and all other resource references are properly validated and belong to the requesting user before any operations are performed.

Input Validation and Attack Prevention

All API endpoints implement comprehensive input validation using Zod validation schemas with strict type checking, length limits, and regex patterns. This validation prevents injection attacks, data corruption, and system exploitation through malformed or malicious input data.

Our sanitization systems automatically remove XSS characters, JavaScript protocols, and event handlers from all user inputs, preventing cross-site scripting attacks and ensuring that user-provided content cannot compromise system security or other users’ data.

SQL injection prevention is achieved through exclusive use of Drizzle ORM with parameterized queries, eliminating the possibility of SQL injection vulnerabilities throughout our database operations.

Network and Infrastructure Security

All external communications, including webhook URLs and API connections, require HTTPS encryption to ensure that data in transit is protected from interception or manipulation. Our production deployment uses secure proxy configurations with proper trust proxy settings for accurate IP detection behind load balancers.

Comprehensive security headers are implemented through Helmet.js, providing Content Security Policy directives, X-Frame-Options, X-Content-Type-Options, and other security headers that prevent XSS attacks, clickjacking, and content type confusion attacks.

Rate limiting is implemented at multiple levels, including general API limits of 100 requests per 15 minutes and stricter authentication limits of 5 attempts per 15 minutes. This prevents brute force attacks, denial of service attempts, and automated abuse of our platform.

File Upload and Content Security

Our file upload system implements strict validation that restricts uploads to image formats only (JPEG, PNG, GIF, WebP) with 5MB size limits enforced at multiple validation points. MIME type verification prevents file type spoofing attacks that could potentially compromise system security.

Secure filename generation using timestamps and random strings prevents path traversal attacks and ensures that uploaded files cannot overwrite system files or access unauthorized directories. Automatic cleanup of failed uploads prevents disk space attacks and maintains system performance.

Monitoring and Incident Response

Comprehensive activity logging maintains detailed audit trails of all user actions, security events, and system operations. These logs include IP addresses, user agents, timestamps, and detailed action descriptions that enable effective security monitoring and forensic analysis.

Real-time bot connection monitoring with health checks every 30 seconds ensures immediate detection of service disruptions or security incidents. Automatic reconnection with exponential backoff prevents service degradation while maintaining security protocols.

Our security monitoring systems provide continuous surveillance for suspicious activities, unusual access patterns, and potential security threats, enabling rapid response to any security incidents that might affect your data or service availability.

Data Retention and Deletion

Retention Periods and Policies

We retain your personal information and account data for as long as your account remains active and you continue to use our services. This retention is necessary to provide ongoing service, maintain your integration configurations, and ensure that your AI bots continue to function as configured.

Activity logs and security monitoring data are retained for a period of 12 months to enable effective security analysis, incident investigation, and compliance with security best practices. After this period, detailed logs are automatically purged, though summary security metrics may be retained for longer periods in anonymized form.

Integration configuration data, including bot settings and webhook configurations, is retained for the duration of your account plus an additional 30 days after account closure to allow for potential account reactivation or data recovery needs.

Account Deletion and Data Removal

When you choose to delete your account, we will remove your personal information and account data within 30 days of your deletion request. This includes your profile information, authentication credentials, integration configurations, and all associated workspace data.

Some information may be retained for longer periods if required for legal compliance, fraud prevention, or security purposes, but such retention will be limited to the minimum necessary information and duration required by applicable laws or regulations.

Backup systems may retain copies of your data for up to 90 days after deletion to ensure system reliability and disaster recovery capabilities, but these backups are securely stored and will be permanently purged according to our data retention schedule.

Data Portability and Export

Upon request, we can provide you with a copy of your personal information and account data in a structured, commonly used, and machine-readable format. This includes your profile information, integration configurations, and activity history associated with your account.

Data export requests are processed within 30 days of receipt and verification of your identity. The exported data will be provided through secure download links or encrypted email delivery, depending on the size and sensitivity of the requested information.

You have the right to request correction of any inaccurate personal information we maintain about you, and we will make reasonable efforts to correct such information within 30 days of receiving a verified correction request.

Your Privacy Rights

Access and Control Rights

You have the right to access, review, and update your personal information at any time through your account dashboard. This includes your profile information, integration configurations, workspace settings, and privacy preferences that control how your data is used within our platform.

You can modify or delete your integration configurations, bot settings, and workspace connections at any time through our user interface. Changes to your configurations take effect immediately and are reflected across all your active integrations.

Account deletion can be initiated at any time through your account settings or by contacting our support team. Upon account deletion, your access to the platform will be immediately terminated, and your data will be removed according to our data retention policies.

Communication Preferences

You have control over the types of communications you receive from us, including service notifications, security alerts, product updates, and marketing communications. These preferences can be managed through your account settings or by following unsubscribe links in our communications.

Essential service communications, including security notifications and critical system updates, cannot be disabled as they are necessary for account security and service operation. However, you can control the delivery method and frequency of non-essential communications.

Data Correction and Accuracy

You have the right to request correction of any inaccurate or incomplete personal information we maintain about you. We will investigate and respond to correction requests within 30 days and make necessary updates to ensure the accuracy of your information.

If you believe that any information we maintain about you is inaccurate or outdated, you can update most information directly through your account dashboard or contact our support team for assistance with corrections that cannot be made through the user interface.

Complaint and Dispute Resolution

If you have concerns about our privacy practices or believe that your privacy rights have been violated, you can contact us directly through our support channels. We are committed to investigating and resolving privacy concerns promptly and fairly.

For users in jurisdictions with specific privacy regulations, you may also have the right to file complaints with relevant data protection authorities. We will cooperate fully with any regulatory investigations and work to resolve any identified privacy issues.

International Data Transfers and Compliance

Data Processing Locations

Bots Mattermost processes and stores data primarily within secure data centers located in the United States. Our hosting infrastructure and database systems are maintained by reputable service providers who implement enterprise-grade security measures and comply with industry standards for data protection.

When you use our services from outside the United States, your information may be transferred to and processed in the United States. We ensure that any international data transfers comply with applicable privacy laws and regulations through appropriate safeguards and contractual protections.

Our service providers are contractually required to implement appropriate technical and organizational measures to protect your data and comply with applicable privacy regulations, regardless of the geographic location of data processing.

Regulatory Compliance

We are committed to complying with applicable privacy laws and regulations, including the General Data Protection Regulation (GDPR) for users in the European Union and the California Consumer Privacy Act (CCPA) for California residents.

For GDPR compliance, we serve as a data controller for account and authentication information and as a data processor for workspace and integration data that you control. We implement appropriate technical and organizational measures to ensure GDPR compliance and protect the rights of EU data subjects.

California residents have specific rights under the CCPA, including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information and provide mechanisms for California residents to exercise their privacy rights.

Cross-Border Data Protection

We implement appropriate safeguards for international data transfers, including contractual protections, security measures, and compliance frameworks that ensure your data receives adequate protection regardless of where it is processed.

Our data processing agreements with service providers include specific provisions for international data transfers, data protection requirements, and compliance with applicable privacy regulations in all relevant jurisdictions.

We monitor changes in international privacy laws and regulations to ensure ongoing compliance and may update our data handling practices as necessary to maintain compliance with evolving legal requirements.

Cookies and Tracking Technologies

Essential Cookies and Session Management

Bots Mattermost uses essential cookies that are necessary for the proper functioning of our platform and cannot be disabled without significantly impacting your ability to use our services. These cookies include authentication session cookies that maintain your login state and security tokens that protect against cross-site request forgery attacks.

Our session cookies are configured with secure settings including httpOnly flags to prevent client-side script access, sameSite strict policies to prevent cross-site request inclusion, and 8-hour expiration periods to limit exposure in case of session compromise.

Authentication cookies are essential for maintaining your login state across multiple page visits and ensuring that you can access your account and manage your integrations without repeatedly entering your credentials.

Analytics and Performance Cookies

We use analytics cookies to collect information about how you use our platform, which features are most valuable, and how we can improve the user experience. This information is used solely for internal analysis and platform improvement purposes.

Performance monitoring cookies help us identify technical issues, optimize system performance, and ensure that our platform operates reliably for all users. These cookies collect technical information about your browser, device capabilities, and interaction patterns that help us maintain service quality.

All analytics and performance data is collected and analyzed in aggregate form and cannot be used to identify individual users or their specific activities beyond what is necessary for platform operation and improvement.

Cookie Management and Control

You can control cookie settings through your browser preferences, though disabling essential cookies may impact your ability to use certain features of our platform. Most browsers allow you to view, manage, and delete cookies through their settings menus.

We do not use third-party advertising cookies or tracking technologies for marketing purposes. Our cookie usage is limited to essential platform functionality, security, and internal analytics that help us improve our services.

If you have questions about our cookie usage or need assistance with cookie management, our support team can provide guidance on how to configure your browser settings to meet your privacy preferences while maintaining platform functionality.

Children’s Privacy

Age Restrictions and Compliance

Bots Mattermost is not intended for use by children under the age of 13, and we do not knowingly collect personal information from children under 13 years of age. Our platform is designed for business and professional use by adults who are managing AI integrations for their organizations.

If we become aware that we have collected personal information from a child under 13, we will take immediate steps to delete such information from our systems and terminate any associated account. Parents or guardians who believe that their child has provided personal information to us should contact us immediately.

Our terms of service require users to be at least 18 years of age or the age of majority in their jurisdiction, whichever is higher, to create an account and use our services. This age restriction ensures that our users have the legal capacity to enter into binding agreements and manage business integrations.

Educational and Organizational Use

In cases where our platform might be used in educational or organizational settings where minors could potentially have access, we require that such use be managed by adult administrators who are responsible for ensuring appropriate supervision and compliance with applicable privacy laws.

Any organization using our platform in an environment where minors might have access must ensure that appropriate safeguards are in place and that all data collection and processing complies with applicable laws regarding children’s privacy, including COPPA in the United States and similar regulations in other jurisdictions.

Updates to This Privacy Policy

Policy Modification Process

We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or regulatory environment. When we make material changes to this policy, we will notify you through email, platform notifications, or other appropriate communication methods.

Non-material changes, such as clarifications, formatting improvements, or minor updates that do not affect your rights or our data handling practices, may be made without specific notification, though the updated policy will always be available on our platform with the revision date clearly indicated.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information and any changes to our privacy practices that might affect you.

Notification and Consent

For material changes that significantly affect how we collect, use, or protect your information, we will provide at least 30 days' advance notice and may require your explicit consent to continue using our services under the updated policy.

If you do not agree to material changes in our Privacy Policy, you may choose to discontinue using our services and delete your account. Continued use of our platform after the effective date of policy changes constitutes acceptance of the updated terms.

We will maintain previous versions of our Privacy Policy for reference and will clearly indicate the effective date of any changes to help you understand what modifications have been made and when they take effect.

Contact Information and Support

Privacy Questions and Concerns

If you have questions about this Privacy Policy, our data handling practices, or your privacy rights, please contact us through the following channels:

Email: support@think3.co
Mailing Address: 84/80 McIntyre St, Hendra 4011 QLD Australia

Our privacy team is committed to responding to your inquiries promptly and thoroughly. We typically respond to privacy-related questions within 48 hours during business days and will work with you to address any concerns or clarifications you may need.

Data Subject Requests

For requests related to accessing, correcting, or deleting your personal information, please use our dedicated data subject request process through your account dashboard or by contacting our support team with specific details about your request.

We will verify your identity before processing any data subject requests to ensure that personal information is only disclosed to authorized individuals. This verification process may require additional information or documentation to confirm your identity and authority to make the request.

Security Incident Reporting

If you believe you have discovered a security vulnerability or have concerns about the security of your data on our platform, please contact us immediately through our security contact channels. We take security reports seriously and will investigate all legitimate concerns promptly.

For urgent security matters, please use our priority contact methods to ensure rapid response and appropriate action to protect your data and our platform’s security.