Privacy policy
This document is a sensible starting point covering Stripe's activation requirements and standard SaaS terms. Have a qualified attorney review and customize it before relying on it for production legal protection.
This Privacy Policy describes how Peanut Butter Bot ("we", "us") collects, uses, and protects information when you use our Service. We take privacy seriously — the data we hold is your customers' conversation history, and we treat it accordingly.
1. Information we collect
We collect three categories of information:
- Account information — your email, name, password (stored as a bcrypt hash), and the business details you provide during onboarding (company name, seller name, local phone number).
- Integration credentials — your Close.com API key and a per-account Anthropic API key generated by us. These are encrypted at rest using AES-256-GCM with a master key held in our hosting environment, never in our database.
- Customer Data — conversation history (SMS messages between you and your leads), lead metadata (names, phone numbers, status), bot activity logs, and disposition states. This data is mirrored from your Close.com account and stored in your tenant's isolated database file on our hosting provider (Railway).
2. How we use your information
We use the information solely to:
- Provide the Service (authenticate you, send messages on your behalf, mirror conversation history).
- Process payments (via Stripe).
- Communicate with you about your account, security incidents, or material Service changes.
- Improve the Service (in aggregated, de-identified form only).
- Comply with legal obligations.
We do not sell your information. We do not use Customer Data to train AI models. The bot's generation calls to Anthropic are made under your isolated Anthropic workspace; Anthropic's policy on training is documented separately.
3. Subprocessors
We use the following third-party providers ("subprocessors") to deliver the Service. Each is bound by its own privacy and security commitments:
- Anthropic — generative AI for message composition. Per-tenant workspace isolation. Spend capped per your plan.
- Close.com — your CRM. We authenticate via your API key. We do not see Close data outside of what your API key authorizes.
- Stripe — payment processing. We never store full payment card data. Stripe is PCI-DSS Level 1.
- Railway — application hosting + database. Located in the United States.
- Resend (or equivalent transactional email provider) — sending account emails and password-reset links.
4. How we protect your information
- Passwords are hashed with bcrypt (cost factor 12).
- Integration API keys are encrypted at rest with AES-256-GCM. The master encryption key is stored in environment variables, never in the database.
- Each tenant's Customer Data lives in a physically separate database file. There is no cross-tenant query path.
- Sessions are cookie-based with httpOnly + SameSite=Lax + Secure attributes. Session tokens are stored as SHA-256 digests; raw tokens are never persisted server-side.
- All connections are TLS-encrypted (HTTPS).
- We log every state-changing action for forensic auditing.
5. Data retention + deletion
We retain Customer Data for the duration of your subscription. If you cancel, your data is preserved in read-only form for 30 days, then permanently deleted.
You may request immediate deletion of your account and all associated data by emailing privacy@peanutbutterbot.com. We will complete the deletion within 30 days. Audit log entries (which may reference user IDs) are retained for 7 years for compliance purposes; they do not contain Customer Data content.
6. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Request deletion (subject to legal retention requirements).
- Receive a portable copy of your data.
- Lodge a complaint with a data protection authority.
To exercise these rights, email privacy@peanutbutterbot.com. We will respond within 30 days.
7. Communications with leads
The Service sends SMS messages to leads in your Close.com account on your behalf. We act as a processor of these communications; you (the customer) are the controller responsible for the lawful basis of communication (TCPA consent, business-purpose exemption, etc.). See our Terms of Service for your obligations.
8. Children's privacy
The Service is not intended for individuals under 18. We do not knowingly collect personal information from minors.
9. International transfers
Our infrastructure is hosted in the United States. If you are located outside the US, your information will be transferred to and processed in the US. We use standard contractual clauses (SCCs) or equivalent safeguards where required by your jurisdiction.
10. Security incidents
In the event of a security incident affecting your data, we will notify you within 72 hours of becoming aware of the breach, consistent with applicable data protection law.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email at least 14 days before taking effect.
12. Contact
Privacy questions or requests: privacy@peanutbutterbot.com