Privacy Policy

Last Updated: February 22, 2026

This Privacy Policy describes how MoltBot Ninja ("we," "our," or "us") collects, uses, and protects your personal information when you use our service at moltbot.ninja. MoltBot Ninja is operated by Jonathan Shachar, a sole proprietorship based in Ontario, Canada.

This Policy is designed to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) and Ontario's applicable privacy legislation. For the purposes of PIPEDA, the Privacy Officer responsible for our compliance is Jonathan Shachar, reachable at info@moltbot.ninja.

1. Information We Collect

1.1 Google User Data (OAuth Authentication)

When you authenticate using Google Sign-In, we request access to your basic profile information using the minimum scopes necessary for authentication (profile, email, openid). We collect the following Google user data:

  • Google Account ID: A unique identifier assigned by Google to your account (used as your primary account identifier in our system)
  • Email address: Your primary Google account email address
  • Display name: Your full name as it appears on your Google account
  • Profile photo URL: A link to your Google profile picture (if publicly available)

1.2 Optional Google Service Integrations

Beyond authentication, you may choose to connect additional Google services to your AI assistant through the MoltBot Ninja dashboard. These integrations are entirely optional, user-initiated, and require your explicit consent via a separate Google OAuth flow. When you connect a service, we access only the data necessary to fulfil the actions you request your AI assistant to perform on your behalf.

  • Google Calendar (calendar) — Read and write access to your calendar events. Used by your assistant to list, search, create, update, and delete events on your behalf.
  • Gmail (gmail.readonly, gmail.compose) — Read access to your email messages and threads, and the ability to compose and send emails. Used by your assistant to read, search, and respond to emails on your behalf.
  • Google Contacts (contacts.readonly) — Read-only access to your contacts. Used by your assistant to look up contact details when helping you draft messages or identify people in conversation.
  • Google Analytics (analytics.readonly) — Read-only access to your Google Analytics data. Used by your assistant to answer questions about your website traffic and performance.

Google API scopes requested:

  • Calendar events — https://www.googleapis.com/auth/calendar
  • Gmail read access — https://www.googleapis.com/auth/gmail.readonly
  • Gmail compose & send — https://www.googleapis.com/auth/gmail.compose
  • Contacts (read-only) — https://www.googleapis.com/auth/contacts.readonly
  • Analytics reporting (read-only) — https://www.googleapis.com/auth/analytics.readonly

We access this data only to fulfil explicit user requests and do not retain it beyond the immediate task. Service integration tokens are encrypted at rest (AES-256-GCM) and stored in Firebase. You can disconnect any service at any time from the dashboard. Users can also revoke MoltBot Ninja's access to their Google account at any time through their Google Account Permissions page.

1.3 Usage Information

We collect information about how you use our service, including:

  • Deployment configurations (server settings, bot names)
  • AI assistant settings and personalities
  • Service usage patterns (login times, feature usage)
  • Technical logs for service maintenance and debugging
  • Device and browser information (user agent, IP address, operating system)

1.4 Third-Party API Keys

You provide your own API keys for third-party services (Anthropic, OpenAI, Telegram, etc.) which are encrypted and stored securely in Firebase. We do not have the ability to use your API keys outside of your explicitly configured AI assistant deployments. API keys are only decrypted server-side when your deployed bot needs to make API calls on your behalf.

2. How We Use Your Information

2.1 How We Use Google User Data

We use the Google user data collected during OAuth authentication exclusively for the following purposes:

  • Google Account ID: Used as your unique account identifier in our database to associate your deployments, settings, and subscription with your account
  • Email address: Used to send you critical service notifications (deployment status, security alerts), billing receipts, password-free authentication links, and optional service announcements (you can unsubscribe from non-transactional emails)
  • Display name: Displayed in your dashboard header and used to personalize your experience
  • Profile photo: Displayed as your avatar in the dashboard interface

Limited Use Compliance: We strictly limit our use of Google user data to providing and improving user-facing features of MoltBot Ninja. We do not use Google user data for:

  • Serving advertisements of any kind
  • Personalized, targeted, or interest-based advertising
  • Selling or transferring to data brokers, information resellers, or advertising platforms
  • Determining credit-worthiness or lending purposes
  • Training AI models or creating user profiles for third-party use
  • Any purpose unrelated to providing the MoltBot Ninja service

2.2 How We Use Other Information

We use non-Google data (usage logs, deployment configs, IP addresses) to:

  • Provide and maintain the MoltBot Ninja service
  • Deploy and manage your dedicated AI assistant instances on AWS
  • Process payments via Stripe and manage subscriptions
  • Improve our service, fix bugs, and develop new features
  • Ensure security, prevent fraud, and investigate abuse
  • Comply with legal obligations

Lawful Basis (PIPEDA): We collect and use your personal information with your knowledge and consent, which you provide when you create an account and agree to our Terms of Service. For certain processing activities (security, fraud prevention, legal compliance), we rely on legitimate business purposes as permitted under PIPEDA Principle 4.3.

3. Data Storage and Security

Your data is stored using industry-standard security practices:

  • Encrypted storage using Firebase/Google Cloud Platform
  • API keys are encrypted at rest
  • Isolated deployment environments per user
  • Regular security updates and monitoring

4. Data Sharing and Third-Party Disclosures

4.1 No Sale of Personal Data

We do not sell your personal information, including Google user data, to any third party. We do not provide your data to advertising networks, data brokers, or information resellers. We do not share, sell, rent, or otherwise distribute Google user data to third parties without your explicit consent.

4.2 Sharing with Service Providers (Sub-Processors)

To provide the MoltBot Ninja service, we share limited data with trusted third-party service providers (sub-processors) who process data on our behalf. These providers are contractually obligated to protect your information and may only use it for the specific purposes we authorize:

  • Google Cloud Platform / Firebase (USA) — Authentication, account data storage, database hosting, Cloud Functions
    What we share: Google user data (ID, email, name, photo), deployment configs, encrypted API keys, usage logs
  • Amazon Web Services (AWS) Lightsail (USA/Global) — Dedicated server instances for your AI assistant
    What we share: Server configuration metadata, your encrypted API keys (deployed to your server), SSH keys
  • Stripe (USA) — Payment processing and subscription billing
    What we share: Email address, billing name. Note: Stripe handles payment card details directly; we never see or store your card information.

Each sub-processor is selected with reasonable diligence and is contractually required to comply with data protection standards as required by PIPEDA. We periodically review our sub-processors to ensure continued compliance.

4.3 Transfers of Google User Data

We only transfer Google user data to third parties in the following limited circumstances, in compliance with the Google API Services User Data Policy:

  • Service Provision: To provide or improve user-facing features (e.g., storing your profile in Firebase to display it in your dashboard)
  • Security Purposes: To investigate abuse, bugs, or security incidents
  • Legal Compliance: When required by applicable law, court order, or government request
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, only after obtaining your explicit prior consent and providing you notice

We do not allow humans (employees, contractors, or third parties) to read your Google user data except: (1) with your explicit consent for specific support requests, (2) when necessary for security investigations, or (3) to comply with legal obligations.

4.4 Other Sharing Scenarios

Beyond the sub-processors listed above, we may share non-Google information in these scenarios:

  • With Your Consent: When you explicitly authorize us to share specific data with a third party
  • Aggregated/Anonymized Data: We may share aggregated, anonymized usage statistics (e.g., "500 users deployed bots this month") that cannot identify you individually

5. Your Rights

You have the right to:

  • Access your personal data held by us (PIPEDA Principle 4.9)
  • Correct inaccurate or incomplete data
  • Request deletion of your data
  • Export your data in a portable format
  • Withdraw consent for non-essential processing
  • Opt out of marketing communications
  • Cancel your subscription at any time
  • File a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated

To exercise any of these rights, contact our Privacy Officer at info@moltbot.ninja. We will respond to access requests within 30 days as required by PIPEDA.

6. Data Retention and Deletion

6.1 How Long We Keep Your Data

We retain your personal information only for as long as necessary to provide the service or as required by law:

  • Active accounts: We retain your Google user data (ID, email, name, photo) and account data for as long as your account remains active
  • Deleted accounts: When you delete your account, we permanently delete your Google user data and account information within 30 days, except where retention is required for legal compliance, fraud prevention, or dispute resolution
  • Deployment data: When you delete a deployment or cancel your subscription, the associated AWS server and all data on it are immediately and permanently destroyed
  • Logs and analytics: Technical logs are retained for up to 90 days for security and debugging purposes, then automatically deleted
  • Billing records: Financial transaction records are retained for 7 years to comply with tax and accounting regulations

6.2 Your Right to Request Deletion

You may request deletion of your data at any time by contacting info@moltbot.ninja or by cancelling your account in the dashboard. We will process deletion requests within 30 days. Note that deletion is permanent and cannot be undone — you will lose access to all deployments and configurations.

7. Data Breach Notification

In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will:

  • Notify you as soon as feasible, and in any event within 72 hours of becoming aware of the breach, via the email address associated with your account
  • Report the breach to the Office of the Privacy Commissioner of Canada as required under PIPEDA's breach notification provisions (Division 1.1)
  • Provide you with details of the breach, including the nature of the information involved, the steps we have taken to reduce the risk of harm, and recommended actions you can take to protect yourself
  • Maintain records of all breaches of security safeguards, whether or not reported, for a minimum of 24 months as required by law

"Significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property, as defined in PIPEDA.

8. Cookies and Tracking

We use essential cookies for authentication and session management. We do not use third-party advertising cookies or tracking pixels.

9. Third-Party Services

Our service integrates with:

  • Google OAuth: For authentication
  • Firebase/Google Cloud: For data storage and hosting
  • AWS LightSail: For your dedicated AI assistant instances

These services have their own privacy policies which govern their use of your data.

10. Children's Privacy

Our service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at info@moltbot.ninja.

11. International Data Transfers

Your data may be processed in the United States or other countries where our service providers operate (see Section 4 for the specific sub-processors and their locations). By using the Service, you consent to the transfer of your personal information to jurisdictions outside of Canada. We ensure that appropriate contractual and technical safeguards are in place for international transfers in accordance with PIPEDA requirements.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the service. Your continued use after changes constitutes acceptance.

13. Google API Services User Data Policy Compliance

MoltBot Ninja's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

What Google Data We Access

We access two categories of Google data, described in full in Section 1.1 and 1.2:

  • Authentication (always): profile, email, openid — your basic account identity used to sign in to MoltBot Ninja.
  • Optional service integrations (user-initiated only): calendar, gmail.readonly, gmail.compose, contacts.readonly, analytics.readonly — accessed only when you explicitly connect a service through the dashboard. We do not access Google Drive, Photos, YouTube, or any other Google services.

Limited Use Commitment

We strictly comply with Google's Limited Use requirements. Specifically:

  • We limit our use of Google user data to providing or improving user-facing features that are prominent in MoltBot Ninja's user interface (authentication, profile display, email notifications)
  • We do not transfer Google user data to third parties except: (a) to provide user-facing features with your consent (e.g., storing your profile in Firebase), (b) for security purposes, (c) to comply with applicable laws, or (d) as part of a merger/acquisition after obtaining your explicit prior consent
  • We do not allow humans to read your Google user data unless: (a) you give affirmative consent for specific support requests, (b) it's necessary for security investigations, (c) it's required by law, or (d) the data is aggregated and anonymized
  • We do not use Google user data for serving advertisements, including personalized, targeted, retargeted, or interest-based ads
  • We do not transfer or sell Google user data to advertising platforms, data brokers, or information resellers
  • We do not use Google user data to determine credit-worthiness or for lending purposes

Your Google Account Controls

Users can revoke Google account access at any time through their Google Account settings (myaccount.google.com/permissions). Revoking access will prevent you from signing in to MoltBot Ninja, and you will need to delete your account separately if you wish to remove your data from our systems. You can also disconnect individual Google services at any time from the MoltBot Ninja dashboard without deleting your account.

14. Contact Us

For privacy-related questions or to exercise your rights, contact us at: info@moltbot.ninja

Back to Home