Privacy Policy
At Verbox, we are committed to protecting your personal data and being transparent about how we collect, use, and safeguard your information. This policy describes our practices in detail.
Introduction and Scope
Verbox Technologies LLC («Verbox», «we», «us», or «our») is a limited liability company incorporated and registered in Dubai, United Arab Emirates. We operate an AI-powered chatbot platform and are committed to safeguarding the personal data of our users, visitors, customers, and any individuals whose data is processed through our systems.
This Privacy Policy applies to all personal data processed by Verbox in connection with the operation of our website at verbox.com, our SaaS platform, our APIs, our mobile applications, and all related services (collectively, the «Platform»). It also governs personal data processed on behalf of our customers when they deploy Verbox chatbots to their end users.
We process personal data in compliance with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data («UAE PDPL»), the EU General Data Protection Regulation 2016/679 («GDPR») where applicable to data subjects in the European Economic Area, the UK General Data Protection Regulation, and all other applicable data protection and privacy laws across the jurisdictions in which we operate.
This policy does not apply to third-party websites, products, or services even if they link to or from our Platform. We encourage you to review the privacy policies of any third parties before providing them with your personal data.
By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, you should discontinue use of the Platform and contact us to request deletion of your data.
Information We Collect
Account and Registration Data: When you create an account, we collect your full name, business email address, job title, company name, country of residence, and account password (stored as a salted cryptographic hash). For organizational accounts, we additionally collect billing contact information, registered business address, and VAT or tax identification numbers where applicable.
Usage and Interaction Data: We record your interactions with the Platform including pages visited, features accessed, chatbots created and configured, training documents uploaded, API calls made, conversation logs (where you are the account operator), message volumes, session durations, and feature engagement metrics. This data is used for service delivery, billing, and product improvement.
Technical and Device Data: Our servers automatically receive and log your IP address, browser type and version, operating system, device type and identifiers, screen resolution, referring URLs, access timestamps, and HTTP request headers. We use this information for security monitoring, platform optimization, and fraud prevention.
Payment and Billing Data: Payment transactions are handled by our third-party payment processor. We receive and store only tokenized payment identifiers, the last four digits of your card, card brand, billing address, and transaction history records. We do not store full card numbers, CVV codes, or raw banking details on our servers.
Communications Data: If you contact us via email, our support portal, live chat, or social media, we retain the content of those communications, metadata such as timestamps and sender information, and any attachments you provide. This includes support tickets, feature requests, and sales correspondence.
Knowledge Base and Training Content: Documents, URLs, text files, FAQs, and any other content you upload to train your chatbots. You retain ownership of this content. We process it solely to generate embeddings and provide the AI retrieval service.
End-User Conversation Data: When your end users interact with chatbots deployed via our Platform, we collect and process the conversation transcripts, session identifiers, and any metadata configured by you as the account operator. Processing of this data is governed by our Data Processing Agreement.
Survey and Research Data: If you voluntarily participate in user research, surveys, or beta programs, we collect your responses, feedback, and any supplementary information you provide in that context.
Lawful Basis for Processing
Performance of Contract (GDPR Art. 6(1)(b) / UAE PDPL): The majority of our processing is necessary to deliver the services you have contracted for, including account management, chatbot hosting, API services, billing, and technical support. Without this processing, we cannot provide the Platform.
Legitimate Interests (GDPR Art. 6(1)(f) / UAE PDPL): We process certain data on the basis of legitimate interests, including fraud prevention, network and information security, product analytics, internal research and development, and corporate governance. We conduct a legitimate interests assessment to ensure our interests do not override your fundamental rights.
Legal Obligation (GDPR Art. 6(1)(c) / UAE PDPL): We process personal data where required to comply with applicable laws including financial record-keeping obligations under UAE Commercial Companies Law, AML/CFT regulations, and responses to lawful requests from competent authorities.
Consent (GDPR Art. 6(1)(a) / UAE PDPL): Where we process personal data for marketing communications, non-essential cookies, or voluntary research participation, we rely on your explicit consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Vital Interests (GDPR Art. 6(1)(d)): In exceptional circumstances, we may process personal data where necessary to protect the vital interests of a person, such as in an emergency situation affecting the safety of an individual.
How We Use Your Data
Service Delivery: To provision, configure, maintain, and host your chatbots and knowledge bases; to process API requests; to generate analytics reports; to manage your subscription and billing; and to provide all features included in your plan.
Platform Improvement and Research: To analyze aggregated and anonymized usage patterns for product development, to train and improve our internal machine learning models for features such as intent classification and response quality scoring, and to conduct internal benchmarking. We anonymize data before using it for model improvement and never use your proprietary training content to train models for other customers.
Security and Fraud Prevention: To detect, investigate, and prevent unauthorized access, abuse, fraudulent transactions, and other malicious activities; to enforce our Acceptable Use Policy; and to protect the rights, property, and safety of Verbox, our customers, and their end users.
Customer Communications: To send transactional emails such as account verification, password resets, invoices, and service notifications; to notify you of material changes to the Platform or our policies; and, where you have consented, to send product updates, newsletters, and promotional offers.
Legal and Compliance: To comply with applicable laws and regulations, including anti-money laundering obligations, tax reporting requirements, and data retention mandates; to respond to valid legal process from competent authorities; and to establish, exercise, or defend legal claims.
Support and Onboarding: To diagnose and resolve technical issues, to provide platform training and documentation, and to facilitate onboarding for enterprise customers through our success management program.
Personalization: To adapt the Platform interface to your preferences, to surface relevant feature recommendations based on your usage, and to provide contextually appropriate help content.
Data Storage & Security
Infrastructure and Hosting: All production data is hosted on enterprise-grade cloud infrastructure located in the UAE and the European Union. Our hosting providers maintain SOC 2 Type II certification, ISO 27001 accreditation, and comply with applicable data residency regulations. Enterprise customers may request dedicated data residency within specific regions.
Encryption Standards: Personal data is encrypted in transit using TLS 1.3 with strong cipher suites (ECDHE-RSA-AES256-GCM-SHA384 or equivalent). Data at rest is encrypted using AES-256-GCM. Database encryption keys are managed through a dedicated hardware security module (HSM) with automatic annual rotation and audited access logs.
Access Control Architecture: Access to production systems and personal data is restricted on a strict need-to-know basis. We implement role-based access control (RBAC), mandatory multi-factor authentication for all administrative access, privileged access workstations for sensitive operations, and automatic session expiration. All internal access to customer data is logged and auditable.
Security Monitoring: We operate a 24/7 security operations center (SOC) function that monitors our infrastructure for anomalies, intrusion attempts, and data exfiltration signals. Automated alerting systems are integrated with our incident response workflows. We maintain a Security Information and Event Management (SIEM) system that aggregates logs from all platform components.
Third-Party Security Assessments: We commission independent penetration tests at least annually, covering both external attack surfaces and internal network segmentation. Findings are remediated according to a risk-prioritized schedule. We also conduct quarterly automated vulnerability scans and continuous dependency monitoring.
Business Continuity: Production databases are replicated in real time to a geographically separate standby region. Encrypted backups are taken daily and retained for 30 days, with a tested recovery time objective (RTO) of less than 4 hours. Disaster recovery procedures are documented and tested semi-annually.
Employee Security: All Verbox employees and contractors with access to personal data undergo background checks prior to engagement, complete mandatory privacy and security awareness training at induction and annually thereafter, and are bound by contractual confidentiality obligations that survive the end of their engagement.
Third-Party Services and Sub-processors
We engage a limited number of carefully selected third-party service providers («sub-processors») to assist in the delivery of our services. Each sub-processor is vetted for security posture, data protection compliance, and contractual commitment to our data handling standards.
AI and Language Model Providers: We use enterprise-tier AI model APIs for natural language understanding and response generation. Your chatbot training data and end-user conversations are transmitted to these providers exclusively under strict data processing agreements that prohibit training on your data, require data deletion on our instruction, and mandate equivalent security standards.
Cloud Infrastructure Providers: Our cloud hosting vendors provide compute, storage, networking, and managed database services. All data processed by these vendors remains within contractually specified geographic boundaries and is governed by data processing agreements incorporating Standard Contractual Clauses where applicable.
Payment Processors: We use a PCI DSS Level 1 certified payment processor for all billing transactions. This provider processes payment card data directly and returns only tokenized references to us. Their processing is governed by their own privacy policy and our data processing agreement.
Email and Communications Providers: We use enterprise transactional email services to deliver platform notifications and support communications. These providers process email addresses and message content under strict data minimization and retention controls.
Analytics and Monitoring: We use infrastructure monitoring and product analytics tools that process aggregated, pseudonymized usage data to support platform reliability and product improvement. These tools are configured to minimize personal data collection and are prohibited from using our data for their own commercial purposes.
We do not sell, rent, lease, or otherwise disclose your personal data to third parties for their own marketing or commercial purposes. We maintain an up-to-date list of all sub-processors that is available to customers under our Data Processing Agreement upon request.
International Data Transfers
As a company headquartered in Dubai, UAE, we may transfer personal data internationally in the course of providing our services. All such transfers are conducted in compliance with applicable data protection laws, including the UAE PDPL international transfer provisions and GDPR Chapter V.
Transfers to and from the European Economic Area: For transfers of EEA personal data to countries not recognised by the European Commission as providing adequate protection, we rely on the European Commission's Standard Contractual Clauses (Module 2 for controller-to-processor transfers and Module 3 for processor-to-sub-processor transfers). We supplement these with technical measures including end-to-end encryption and pseudonymization where appropriate.
Adequacy and Supplementary Measures: We continuously monitor regulatory developments concerning international data transfers, including guidance from the European Data Protection Board (EDPB). Where required, we implement supplementary technical, contractual, and organizational measures to ensure that transferred personal data receives a level of protection essentially equivalent to that guaranteed within the EEA.
UAE Cross-Border Transfers: For transfers of personal data subject to the UAE PDPL to jurisdictions outside the UAE, we ensure that the receiving country provides an adequate level of data protection as recognised by the UAE data protection authority, or that we have implemented appropriate contractual safeguards.
Data Localization Options: Enterprise customers with strict data localization requirements may request that their data be stored and processed exclusively within the UAE or the European Union. Please contact our enterprise sales team to discuss data residency arrangements.
Your Privacy Rights
Right to be Informed: You have the right to receive clear, transparent, and easily accessible information about how we process your personal data. This Privacy Policy is the primary mechanism through which we fulfil this obligation.
Right of Access (GDPR Art. 15 / UAE PDPL Art. 11): You may request a copy of the personal data we hold about you, along with information about the purposes of processing, categories of data, recipients, retention periods, and your other rights. We will respond within 30 days of a verified request.
Right to Rectification (GDPR Art. 16 / UAE PDPL Art. 12): If any personal data we hold about you is inaccurate or incomplete, you may request that we correct or supplement it. Many corrections can be made directly through your account settings.
Right to Erasure / Right to be Forgotten (GDPR Art. 17 / UAE PDPL Art. 13): You may request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (where consent was the lawful basis), where you object and we have no overriding legitimate interest, or where processing is unlawful. We will comply within 30 days unless a legal retention obligation applies.
Right to Restriction of Processing (GDPR Art. 18): You may request that we restrict the processing of your data in certain circumstances, such as while you contest the accuracy of the data or while an objection is pending.
Right to Data Portability (GDPR Art. 20 / UAE PDPL Art. 14): Where processing is based on consent or contract and carried out by automated means, you may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and have it transmitted directly to another controller where technically feasible.
Right to Object (GDPR Art. 21): You have the right to object at any time to processing of your personal data for direct marketing purposes (which we will always honor without requiring justification) and for processing based on legitimate interests (which we will honor unless we can demonstrate compelling legitimate grounds that override your interests).
Rights Under UAE PDPL: In accordance with the UAE Federal Decree-Law No. 45 of 2021, UAE residents are entitled to request disclosure of the personal data we hold, request correction of inaccurate data, object to processing, withdraw consent at any time, and request deletion of data in the circumstances set out in the law.
Automated Decision-Making: We do not make decisions solely by automated means that produce legal or similarly significant effects about you without human review. If we introduce such processing in future, we will provide specific notice and implement the protections required under applicable law.
To exercise any of the above rights, please submit a request to privacy@verbox.com with sufficient information to verify your identity. We will not charge a fee for reasonable requests unless they are manifestly unfounded or excessive.
Data Retention
General Retention Principle: We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. We have implemented a formal data retention schedule that is reviewed and updated annually.
Active Account Data: Account profile data, subscription details, and configuration settings are retained for the duration of your active subscription. Upon account closure, this data is retained for 30 calendar days during which you may request a full export. After 30 days, account data is permanently deleted unless a legal hold applies.
Conversation and Interaction Logs: Chatbot conversation logs are retained according to your configured retention settings. The default retention period is 12 months, with options to set shorter periods down to 7 days or longer periods up to 36 months on higher-tier plans. You can delete specific conversations or all conversation history at any time from your dashboard.
Training and Knowledge Base Content: Documents, URLs, and other knowledge base materials you upload are retained for the duration of your subscription and are permanently deleted within 30 days of account closure or upon your specific deletion request.
Billing and Financial Records: Invoices, payment records, and financial transaction data are retained for 7 years from the date of the transaction to comply with UAE commercial and tax law requirements. This retention obligation persists after account closure.
Security and Audit Logs: System access logs, security event records, and administrative audit trails are retained for a minimum of 24 months to support security investigations and regulatory compliance obligations. These logs are stored in an immutable, write-once format.
Support and Communications Records: Customer support tickets, email correspondence, and call recordings are retained for 3 years after the close of the interaction, to enable continuity of support and resolution of any follow-up disputes.
Anonymized and Aggregated Data: Statistical and aggregated data from which individual identities cannot reasonably be reconstructed is not subject to this retention schedule and may be retained indefinitely for product analytics and benchmarking purposes.
Children's Privacy
The Verbox platform is intended for use by businesses and professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children under 18.
If we become aware that we have inadvertently collected personal data from a person under 18 without verifiable parental or guardian consent, we will take immediate steps to delete that data from our systems.
If you are a parent or guardian and believe that your child under 18 has provided us with personal data, please contact us immediately at privacy@verbox.com and we will investigate and take appropriate remedial action within 7 business days.
Customers who deploy Verbox chatbots in contexts where end users may include individuals under 18 are responsible for implementing appropriate age verification mechanisms and obtaining all required parental consents in accordance with applicable law.
Changes to This Policy
We review and update this Privacy Policy at least annually and whenever material changes to our processing activities make an update necessary. Material changes include the introduction of new categories of personal data, new purposes of processing, new sub-processors in sensitive categories, or changes to your rights.
When we make material changes, we will notify you by email to the address associated with your account at least 30 days before the changes take effect, and will publish a prominent notice on our website. For non-material clarifications, we will update the «Last updated» date without further notice.
Your continued use of the Platform after the effective date of a revised Privacy Policy constitutes your acknowledgment of and agreement to the updated terms. If you do not agree with the revised policy, you must stop using the Platform and may request deletion of your data.
We maintain an archive of previous versions of this Privacy Policy, which are available upon request from privacy@verbox.com.
Contact and Data Protection Officer
Verbox Technologies LLC is the data controller for personal data collected directly from you through our website and platform. For data processed on behalf of our customers (their end-user data), Verbox acts as the data processor and the customer is the data controller.
Data Protection Officer: We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with applicable laws. You may contact our DPO directly for any privacy-related matter.
Email: privacy@verbox.com
Postal Address: Verbox Technologies LLC, Dubai, United Arab Emirates.
You may submit a formal data subject access request, a complaint, or any other privacy inquiry through the Privacy section of your account settings or directly to privacy@verbox.com. We acknowledge all requests within 5 business days and aim to resolve them within 30 calendar days, or within any shorter period required by applicable law.
Supervisory Authority: If you are located in the European Economic Area and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. For UAE residents, complaints may be submitted to the UAE data protection authority once the relevant regulatory infrastructure is established under the UAE PDPL.