This Privacy Policy explains how CM Bot ("CM Bot", "we", "us", or "our") collects, uses, and shares information when you use the CM Bot platform at cm-bot.io (the "Service"). By using the Service, you agree to the practices described here.
1. Who we are
CM Bot is a software service that helps operators ("you" or "operator") run AI-assisted growth marketing -- including content generation, cold outreach, social posting, and paid advertising on third-party platforms such as Meta. CM Bot is currently operated as CM Bot, an unincorporated operating name. The data controller for the operator account information described in this policy is CM Bot.
You can reach us at [email protected] for any privacy-related question, request, or complaint.
2. Scope and the two roles you may have
This policy describes two distinct relationships:
- Operator account. When you sign in to CM Bot to use the platform, we collect information about you as an operator. For this data, CM Bot is the data controller and this policy governs how we handle it.
- Operator audience. When you use CM Bot to manage your own marketing -- e.g., emailing prospects, deploying paid ads, hosting a blog with our subscriber and analytics features -- you (the operator) are the data controller for that audience data. We act as a data processor on your behalf. You are responsible for having a lawful basis for collecting and using your audience's information and for complying with the laws that apply to you (see Section 13).
3. Information we collect
3.1 Information you provide to us as an operator
- Account identity. When you sign in with Google OAuth, we receive your name, email address, Google account ID, and profile picture URL.
- Business and workspace information. Information you enter to configure a "connected app" -- business name, description, domain, industry, target audience, value proposition, physical address, notification email, notification phone number, webhook URL, brand and theme configuration.
- Connected platform credentials. Access tokens, refresh tokens, and account identifiers you provide to authorize CM Bot to act on third-party platforms (e.g., your Meta Ads access token, Meta Page ID, Meta Ad Account ID). These tokens are stored encrypted at rest using Rails ActiveRecord encryption.
- Customer avatars (ideal customer profiles). Free-text descriptions, pain points, goals, demographic targeting (age range, gender, geography, locales), and channel preferences you create to describe the audiences you want to reach.
- Marketing content. Posts, ad scripts, hook text, email templates, lead magnets, brand voice configurations, author personas, and any other content you create, upload, or generate inside CM Bot.
- HeyGen render configuration. Avatar and voice selections used to generate UGC video ads.
- Audience records you import or enter directly. If you upload prospects or subscribers manually, the contact information in those records.
3.2 Information we collect automatically
- Authentication and session cookies. A Rails session cookie identifying your signed-in operator account, plus a CSRF token for form protection.
- First-party analytics cookie. A cookie named _cm_vid set for one year on visitor sessions across CM Bot and operator-owned sites that use our analytics. Used to correlate visits and page views to a single visitor without using third-party fingerprinting.
- Visit and page-view records. IP address, full user-agent string, parsed device type, browser and operating system, referrer, first-touch UTM parameters, landing path, exit path, session duration, and page view count for each session (30-minute timeout).
- Behavioral analytics events. Anonymous events such as CTA clicks, form starts, form abandons, scroll milestones, time on page, and scroll depth. We store the field names involved in a form interaction but not the field values you type (except: when you submit a lead-capture form, we store the email domain only -- not the full email -- in event metadata).
- Tracking link click events. When someone clicks a CM-tracked link (used in operator emails, social posts, and ads), we record the click's IP address, truncated user-agent (up to 1000 characters), referrer, and UTM parameters.
- Email open events. When a CM-sent email is opened, a 1x1 tracking pixel records the IP, user agent, and referrer (no email content, no recipient identification beyond what the operator already has).
- Session recordings on the operator dashboard. The CM Bot operator dashboard (not public marketing pages) embeds Crazy Egg, which may record mouse movements, clicks, scroll behavior, and form interactions to help us debug and improve the product. Sensitive form fields are masked by Crazy Egg's default rules.
3.3 Information we collect from third parties
- Google. Profile information returned during OAuth sign-in (name, email, account ID, image URL).
- AI-assisted research. When you run a cold-outreach agent, we send a description of your ideal customer to OpenAI's web-search-enabled models. The results we receive back may include names, email addresses, phone numbers, social profile URLs, and other publicly available business contact information for the individuals our research identifies. We store those records in your operator workspace as "prospects."
- Meta Ads insights. When you deploy paid ads, we periodically pull aggregated performance data from Meta's Marketing API (impressions, reach, clicks, spend, CTR, CPC). This is aggregated platform data, not individual viewer information.
4. How we use information
- Operate the Service. Generate AI content, deploy ads on your behalf, send outreach, render videos, host your blog, run your analytics dashboard, and process insights.
- Account communications. Send you transactional notifications (renders complete, deploys succeed or fail, ad budgets reached, etc.).
- Product improvement and security. Investigate bugs, prevent abuse, monitor reliability, and develop new features.
- Legal and safety. Comply with applicable law, respond to lawful requests, enforce our Terms, and protect our and others' rights.
- Our own marketing. Aggregate, anonymized usage information may inform our product marketing. We do not sell your personal information.
5. Legal bases for processing (EEA, UK, and similar jurisdictions)
If you're in a jurisdiction that requires us to identify a legal basis under GDPR or similar law, we rely on the following:
- Contract (Article 6(1)(b)): to provide the Service you've signed up for.
- Legitimate interests (Article 6(1)(f)): to secure the Service, prevent abuse, improve the product, and run analytics on our own marketing pages.
- Consent (Article 6(1)(a)): where we ask for it, including your acceptance of this policy at sign-up.
- Legal obligation (Article 6(1)(c)): to comply with law.
6. How we share information
We share information in these circumstances:
- With service providers and subprocessors who help us run the Service (listed below).
- At your direction. When you instruct CM Bot to publish content, send an email, or deploy an ad, we transmit that content to the destination platform you've selected (e.g., Meta, your blog webhook, an email recipient).
- For legal reasons. If required by law, subpoena, or to protect rights, safety, or property.
- In a business transfer. If CM Bot is acquired, merged, or its assets are sold, your information may transfer to the acquirer subject to this policy.
- With your consent for any other purpose.
We do not sell your personal information, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act.
7. Service providers and subprocessors
The Service uses these third parties to function. Each acts as our data processor under contract.
| Provider | Purpose | Data categories |
|---|---|---|
| Google | Operator sign-in via OAuth | Name, email, account ID, profile image URL |
| OpenAI | AI content generation, AI-assisted prospect research, ad strategy, image generation | Avatar descriptors, brand and content briefs, prospect identifiers during outreach drafting, marketing copy |
| Anthropic | Long-form content writing, editing, persona passes, Meta interest keyword extraction | Content briefs, drafts, avatar descriptions, brand metadata |
| Perplexity | Topical research stage for blog posts | Topic and angle text, optional location |
| HeyGen | AI UGC video generation for paid ads | Selected avatar ID, voice ID, spoken-text script, ad title |
| Meta Platforms (Facebook) | Paid ad campaign deployment, performance insights, interest search | Video URLs, ad copy, targeting specs (demographics + interests), tracking redirect URLs, your Meta access token, Ad Account ID, Page ID |
| Amazon Web Services (Simple Email Service) | Outbound email delivery (operator outreach, lead-magnet delivery, account notifications) | Recipient email, subject, message body, tracking pixel |
| Twilio | SMS notifications when you opt in | Your notification phone number and message body |
| Crazy Egg | Session recording and heatmaps on the CM Bot operator dashboard for product debugging and improvement | Mouse movement, click positions, scroll behavior, and (masked) form interactions on authenticated dashboard pages |
If you operate blogs or landing pages served through CM Bot, those public pages may also load the Meta Pixel, LinkedIn Insight Tag, and X (Twitter) Pixel when those features are configured by you or by us. Those vendors process visitor data under their own privacy policies.
8. Cookies and tracking technologies
CM Bot uses a small set of first-party cookies that are necessary or strongly tied to the Service:
- Rails session cookie -- keeps you signed in. Cleared on sign-out.
- _cm_vid first-party analytics cookie -- random UUID that lets us correlate page views into sessions and visitors. Expires after one year. Not linked to your account name or email unless you submit a lead-capture form.
- CSRF token -- a standard Rails security cookie.
On the operator dashboard we additionally load Crazy Egg, which sets its own cookies for session recording. On operator-owned public pages we may load the Meta Pixel, LinkedIn Insight Tag, and X Pixel when those features are enabled; those vendors set their own cookies.
You can disable cookies through your browser settings. Disabling cookies will sign you out and break parts of the Service that depend on session state.
9. International data transfers
CM Bot is operated from the United States and our service providers are predominantly located in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries where our providers operate. We rely on standard contractual safeguards or the appropriate Article 46 GDPR transfer mechanisms when applicable.
10. Data retention
We retain information for as long as your operator account is active and for a reasonable period afterward to comply with our legal obligations, resolve disputes, and enforce our agreements.
- Operator account data persists until you ask us to delete it.
- Content, prospects, and audience records remain in your workspace until you (the operator) delete them or delete the workspace.
- Analytics events and tracking-link click data are not automatically purged. Operators can request bulk deletion at any time by emailing [email protected].
- Encrypted backups may contain copies of data for a rolling window after deletion.
11. Your privacy rights
Depending on where you live, you may have some or all of the following rights. To exercise them, email [email protected] from the address on your operator account.
For all users
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your personal information (subject to our right to retain data we need for legal, security, or contractual reasons).
- Export your personal information in a portable format.
If you live in the European Economic Area or the United Kingdom
You additionally have the right to restrict or object to certain processing, withdraw consent at any time, and lodge a complaint with your local data protection authority.
If you live in California, Virginia, Colorado, Connecticut, or another US state with a comprehensive privacy law
You additionally have the right to know what categories of personal information we collect, the right to opt out of "sale" or "sharing" for cross-context behavioral advertising (we do neither), and the right to non-discrimination for exercising your rights.
12. Children's privacy
The Service is not directed to children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact [email protected] and we will delete it.
13. Operator responsibilities for audience data
When you use CM Bot to reach your own audience, you are the data controller for that audience's information and CM Bot acts as your processor. You are responsible for:
- Having a lawful basis (consent, legitimate interest, contract, or another applicable basis) for collecting and using the personal information of every prospect, subscriber, lead, and ad recipient you target through the Service.
- Providing your audience with a privacy notice that meets the legal requirements where they live.
- Honoring opt-out, unsubscribe, deletion, and access requests from your audience promptly.
- Complying with applicable anti-spam and marketing laws including the US CAN-SPAM Act, Canada's CASL, the EU ePrivacy Directive and GDPR, and any state-level laws that apply (California, Virginia, etc.).
- Not using the Service for harassment, illegal targeting, or unlawful collection of contact information.
We provide tools to help -- automatic unsubscribe links in outreach emails, an unsubscribe token system, opt-out tracking, and per-prospect consent state -- but the legal compliance obligation rests with you. We may suspend or terminate accounts that violate this section.
14. Security
We protect your information with industry-standard practices including TLS encryption in transit, Rails ActiveRecord encryption at rest for credentials and other sensitive fields, and role-scoped access to production systems. No security program is perfect; we cannot guarantee absolute security, but we take this responsibility seriously and will notify you of any incident that affects your data as required by law.
15. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we bump the version date at the top of this page. Material changes will trigger an in-app re-acceptance prompt the next time you sign in, so you always know what you've agreed to. We will additionally notify you by email at the address on your account for changes that meaningfully reduce your rights.
16. Contact us
For privacy questions, requests under any of the rights listed above, or to ask about a Data Processing Addendum, email [email protected]. We aim to respond within 30 days.
Questions about this document? Email [email protected].