Privacy Policy for Onbuddy.ai

Last updated: May 13, 2026

This Privacy Policy describes how Onbuddy.ai (“we,” “us,” or “our”) operates under ProteusAI Limited to collect, use, disclose, and protect personal data of users (“you” or “your”) of our website, platform, applications, and integrations — including our Microsoft Teams application and Slack application (collectively, the “Services”). We are committed to safeguarding your privacy in accordance with the General Data Protection Regulation (GDPR), Nigeria Data Protection Act (NDPA), and other applicable data protection laws and international best practices.

This Policy applies to the OnBuddy app available in the Microsoft Teams Store and AppSource. Your use of the OnBuddy Microsoft Teams app is also subject to your organization’s Microsoft 365 agreement and Microsoft’s own privacy practices for the Microsoft Teams platform.

Data Controller

ProteusAI Limited

Email: hello@onbuddy.ai

We are the Data Controller for all personal data processed under this Policy.

Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on Personal Data (e.g., collection, storage, use, disclosure).

Data Subject: An identified or identifiable individual whose Personal Data is processed.

Special Category Data: Sensitive personal data (e.g., health, biometric) requiring heightened protection.

Customer: The organization (e.g., your employer) that subscribes to the OnBuddy Services and authorizes you to use them.

Customer Data: Personal Data and other content that a Customer or its authorized users submit to or generate within the Services (including bot messages, uploaded documents, and configuration data). With respect to Customer Data, we act as a Data Processor on behalf of the Customer.

Subprocessor: A third party engaged by us to process Customer Data on our behalf under a written data processing agreement.

Microsoft Teams Service Data: Data that we receive from Microsoft Teams or the Microsoft Bot Framework when you use the OnBuddy bot, as described in the “Microsoft Teams Integration” section below.

Categories of Data Collected

We collect the following categories of Personal Data, from the sources indicated:

  • Identity Data (e.g., name, job title, company): collected from sign-ups and CRM imports
  • Professional Data (e.g., employer, job role, department): collected during onboarding processes
  • Account Data (e.g., usernames and authentication credentials; passwords are always stored as a salted one-way hash, never in plaintext): collected during account registration
  • Usage Data (e.g., IP address, browser type, pages visited): collected through analytics tools
  • Communications Data (e.g., support tickets, emails): collected through direct correspondence with our support team
  • Payment & Business Data (e.g., billing and transaction details): collected via our billing partner and our payment processor

Note: We do not collect Special Category Data unless explicitly requested and with your consent.

Microsoft Teams Integration

When your organization installs and uses the OnBuddy app in Microsoft Teams, we receive and process the following data from Microsoft Teams in order to operate the bot:

Tenant Information: Your Microsoft 365 tenant identifier (tenant ID), which uniquely identifies your organization in Microsoft Entra ID (formerly Azure Active Directory). This is collected when an administrator connects Microsoft Teams to OnBuddy using Microsoft sign-in.

OAuth Tokens: Microsoft-issued access tokens and refresh tokens granted by the connecting administrator. These are encrypted at rest using industry-standard encryption and are used only to maintain the connection between your tenant and the OnBuddy Services.

User Identity Data: Your Microsoft Entra ID object ID (AAD object ID), display name, and work email address, obtained through the Microsoft Bot Framework when you interact with the bot. We use this data solely to match your Teams identity to your OnBuddy member account.

Conversation References: Conversation, channel, and service URL identifiers issued by the Microsoft Bot Framework. These are stored so that OnBuddy can deliver proactive notifications (e.g., task reminders) to you within Teams.

Message Content: The text of messages you send directly to the OnBuddy bot in personal chat, team channels, or group chats. We process this content to generate AI responses (see “AI Processing of Content” below).

What we do NOT collect from Teams: OnBuddy does not read or store messages sent in channels or chats unless the bot is explicitly addressed (mentioned) or messaged directly. We do not access your Teams files, calendar, presence information, or any other Microsoft 365 data outside of bot interactions and the explicit OAuth scopes (openid, profile, email, offline_access).

When you uninstall the OnBuddy app from Teams: We automatically delete the conversation references associated with your Teams account, which stops future proactive notifications. Administrators can fully disconnect the Teams integration from the OnBuddy settings page, which deletes the stored OAuth tokens and tenant connection.

AI Processing of Content

OnBuddy is an AI-powered onboarding assistant. Messages you send to the bot, along with knowledge sources your organization has provided (such as uploaded documents and approved web links), are processed by large language model (LLM) providers to generate responses.

LLM providers we use: OpenAI (via our ProteusAI processing layer). These providers act as our data processors under written data processing agreements that prohibit the use of your content to train their general-purpose models.

No model training on your data: Your message content and your organization’s knowledge base are not used to train, retrain, or fine-tune any general-purpose AI model.

Human review: We do not routinely review the content of bot conversations. Authorized OnBuddy personnel may access content only to investigate a specific support request you submit, to debug a reported incident, or where required by law.

Purposes & Legal Bases for Processing

We process your Personal Data for the following purposes, and under the corresponding legal bases (GDPR Article reference):

  • Account management and authentication: contractual necessity (Art. 6(1)(b))
  • Providing customer support and help: legitimate interests (Art. 6(1)(f))
  • Service improvement and analytics: legitimate interests (Art. 6(1)(f))
  • Marketing communications, sent only when you have opted in: consent (Art. 6(1)(a))
  • Compliance with legal obligations: legal obligation (Art. 6(1)(c))

Cookies & Tracking Technologies

On our website and web application we use cookies, local storage, web beacons, and similar technologies (collectively, “Cookies”). The OnBuddy Microsoft Teams bot itself does not set browser cookies; it operates inside the Microsoft Teams client.

We use the following categories of Cookies:

  • Strictly Necessary: Required to deliver the Services, including authentication, session management, and security (e.g., CSRF protection). These cannot be disabled.
  • Functional: Remember your preferences and settings (e.g., language, UI state).
  • Analytics: Help us understand how users interact with the Services (e.g., Google Analytics, Mixpanel). These are only set with your consent where required by law.
  • Marketing: Only set with your explicit consent. We currently do not use third-party advertising cookies.

For users in the European Economic Area, the United Kingdom, and other jurisdictions that require prior consent, non-essential Cookies are only loaded after you accept them via our cookie banner. You can change your choices at any time through the cookie preferences link in our website footer, or by clearing cookies in your browser settings.

We honor recognized opt-out signals where applicable, including Global Privacy Control (GPC).

Data Sharing & Subprocessors

We may disclose your Personal Data to the following categories of recipients, each bound by written data protection obligations:

Microsoft Corporation (Bot Framework / Azure Bot Service): Transmits messages between Microsoft Teams users and the OnBuddy bot. Microsoft processes this data under its own privacy commitments for Microsoft 365 and Azure services.

OpenAI, L.L.C.: Provides the large language models that generate OnBuddy’s AI responses. Content sent for processing is not used to train OpenAI’s general-purpose models.

Slack Technologies, LLC: Where your organization has enabled the OnBuddy Slack integration, Slack processes bot messages on our behalf.

Cloud hosting and infrastructure providers: For hosting, database storage, logging, monitoring, and analytics.

Email delivery providers: For transactional emails (e.g., account notifications, invitations).

Payment processors: For subscription billing and invoicing.

Professional advisors: Legal, accounting, and audit experts when bound by confidentiality obligations.

Law enforcement and regulators: Where required by valid legal process or to protect rights, property, or safety.

An up-to-date list of our subprocessors is available on request by emailing hello@onbuddy.ai.

We do not sell your personal data under any circumstances. We do not share Microsoft Teams data with advertisers or use it for advertising or marketing purposes.

International Data Transfers

ProteusAI Limited is established in the Federal Republic of Nigeria. To operate the Services, your Personal Data may be transferred to, stored, and processed in countries outside your country of residence, including Nigeria, the United States (for example, by our AI provider OpenAI, our hosting and infrastructure providers, and the Microsoft Bot Framework / Azure Bot Service operated by Microsoft Corporation), and other jurisdictions where our subprocessors operate.

Where Personal Data of individuals located in the European Economic Area (EEA), the United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision, we rely on appropriate safeguards, including:

  • The Standard Contractual Clauses (SCCs) adopted by the European Commission in Decision 2021/914, and the UK International Data Transfer Addendum where applicable
  • Supplementary technical, contractual, and organizational measures, including encryption in transit and at rest
  • Transfer impact assessments, where required

You may request a copy of the safeguards we rely on for international transfers by contacting us at hello@onbuddy.ai.

Data Retention

We retain Personal Data only for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Typical retention periods are:

  • Account & profile data: For the duration of your organization’s subscription, plus up to 90 days after account closure.
  • Bot message history (Microsoft Teams): Retained for the lifetime of your member account, or until your administrator deletes it. AI processing logs are typically purged within 30 days.
  • Microsoft Teams OAuth tokens and conversation references: Deleted immediately when an administrator disconnects the integration, or when you uninstall the OnBuddy app from Teams.
  • Support and operational logs: Up to 12 months.
  • Billing and tax records: Up to 7 years, where required by applicable law.

After the applicable retention period, we securely delete or anonymize the data. You may request earlier deletion at any time (see “Your Rights” below).

Security Measures

We implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher, and encryption of sensitive data at rest (including OAuth tokens stored using AES-256)
  • Alignment with recognized industry security frameworks (e.g., the principles of SOC 2, ISO/IEC 27001, and the OWASP Top 10). Any current certifications held by us or our infrastructure providers are available on request
  • Role-based access controls, least-privilege provisioning, and multi-factor authentication for production systems
  • Centralized logging, monitoring, and alerting; periodic vulnerability scanning; and security review of code changes
  • Secure software development practices, dependency monitoring, and an internal incident-response process
  • Personnel training on data protection and confidentiality obligations

Data Breach Notification. In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware (in accordance with GDPR Article 33). Where the breach is likely to result in a high risk to affected individuals, we will also notify them without undue delay (GDPR Article 34). For Customer Data we process on a Customer’s behalf, we will notify the Customer in accordance with our data processing agreement.

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

Your Rights (GDPR Chapter 3)

Under the GDPR, you have the following rights:

Access: Request a copy of your Personal Data (Art. 15).

Rectification: Correct inaccurate or incomplete data (Art. 16).

Erasure: Request deletion of your data where lawful (Art. 17).

Restriction: Limit processing in certain circumstances (Art. 18).

Portability: Receive your data in a structured, machine-readable format (Art. 20).

Objection: Oppose processing based on legitimate interests or marketing (Art. 21).

Withdraw consent: At any time for consent-based processing (Art. 7).

Lodge a complaint: You have the right to lodge a complaint with a supervisory authority, such as your local Data Protection Authority in the EEA/UK, or the Nigeria Data Protection Commission.

To exercise any of these rights, please contact us at hello@onbuddy.ai. We will respond within one month as required by the GDPR.

California Privacy Rights (CCPA / CPRA)

This section applies to California residents whose Personal Data is governed by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”). It supplements the disclosures elsewhere in this Policy.

Categories of Personal Information collected: Identifiers (name, email, account ID), professional or employment information, internet or other electronic network activity (usage data), commercial information (billing), and inferences drawn from the foregoing. See “Categories of Data Collected” and “Microsoft Teams Integration” above for details.

Sources and purposes: Described in “Categories of Data Collected” and “Purposes & Legal Bases for Processing” above.

Sale or Sharing of Personal Information: We do not “sell” Personal Information, and we do not “share” it for cross-context behavioral advertising, as those terms are defined under the CCPA. We have not done so in the preceding 12 months.

Sensitive Personal Information: We do not use or disclose Sensitive Personal Information for purposes that would trigger the CCPA right to limit such use.

Your CCPA rights:

  • Right to Know the categories and specific pieces of Personal Information we have collected about you
  • Right to Delete Personal Information we have collected from you
  • Right to Correct inaccurate Personal Information
  • Right to Opt Out of any sale or sharing of Personal Information (not applicable here, as we do not engage in either)
  • Right to Limit Use of Sensitive Personal Information
  • Right to Non-Discrimination for exercising any CCPA right

To exercise any of these rights, please email hello@onbuddy.ai. We will verify your request using reasonable methods (such as confirming control of the account email). You may use an authorized agent to submit a request on your behalf, subject to verification. We honor Global Privacy Control (GPC) signals as opt-outs of sale or sharing where applicable.

B2B context. If you access the Services in the course of your employment with a Customer, your employer is generally the controller of your Personal Data. Please direct certain requests (such as access or deletion of work-related records) to your employer in the first instance.

Automated Decision-Making & Profiling

OnBuddy uses AI to generate answers to your questions and to surface relevant onboarding content. We do not use automated decision-making or profiling that produces legal effects concerning you, or that similarly significantly affects you, within the meaning of Article 22 of the GDPR. AI-generated responses are informational only and are not a substitute for human judgment.

Children’s Privacy

The Services are intended for business and workplace use by adults. They are not directed to children. We do not knowingly collect personal data from individuals under the age of 16 (or the equivalent minimum age in the relevant jurisdiction, such as 13 under the U.S. Children’s Online Privacy Protection Act). If you believe that a child has provided us with personal data, please contact us at hello@onbuddy.ai and we will promptly delete the data.

Changes to This Policy

We may update this Policy for legal, technical, or operational reasons. When we do, we will:

  • Post the revised Policy on our website
  • Update the “Last updated” date above
  • Provide notice where required by law or contract

Contact Us

For privacy questions, requests, or to exercise any of the rights described in this Policy, please contact our Data Protection Officer:

Data Protection Officer
ProteusAI Limited
[Registered office address, Federal Republic of Nigeria]
Email: hello@onbuddy.ai

EU/UK Representative. Where required by Article 27 of the GDPR or the UK GDPR, our representative for individuals located in the EEA or the UK can be contacted at the same email address above. If we appoint a dedicated representative, their details will be published here.

Additional Resources:

Terms of Service

Thank you for trusting OnBuddy.ai with your data. We remain committed to protecting your privacy and complying with GDPR, NDPA, and industry best practices.