Privacy Policy

Last updated:

This Privacy Policy describes how SMM Panel Bot ("we", "our") handles information when you use the service. We believe in collecting only what is necessary to run the product.

1. Information we collect

Account information

• Seller name, email, optional phone number, and a hashed password (via bcrypt — we never store passwords in plaintext).
• Chosen brand slug and store configuration.

Operational credentials (seller-provided)

• SMM provider API URLs and API keys — used solely to place orders on your behalf.
• Gmail address and app password — used solely to read payment confirmation emails over IMAP for UPI auto-verification. We do not scan emails for any other purpose.
• UPI ID and optional QR image URL.
• WhatsApp session credentials (Baileys tokens) — stored encrypted in the database and used only to send/receive bot messages.

Customer interaction data

• WhatsApp JID (phone number), display name, push name from incoming messages.
• Order data: target URL, quantity, amounts, payment status, provider order ID, delivery status.
• Wallet balances and transaction log.

Technical

• Server logs (IP, request path, timestamp) retained for up to 14 days for abuse prevention.
• Cookies: one signed session cookie per role (admin / seller) to keep you logged in. No third-party trackers.

2. How we use information

• To route customer orders to upstream SMM providers.
• To verify UPI payments by matching amounts in your Gmail inbox.
• To send order-status and top-up updates back to customers over WhatsApp.
• To compute aggregate stats displayed in your dashboard.
• To communicate product updates, if you opt in.

3. Sharing and third parties

We transmit data to third parties only when strictly needed for the service:

• Your SMM provider(s) — target link + quantity are sent to the provider API you configured.
• Gmail (Google) — we connect over IMAP with your app password to read emails containing payment notifications.
• WhatsApp (Meta) — messages go through WhatsApp's network as part of normal bot operation.
• Your configured SMTP or the PHP mailer endpoint — when sending notification emails to customers.

We do not sell personal information. We do not share customer data with advertisers.

4. Retention

• Accounts and their data are retained while the account is active.
• Orders and wallet history are retained for accounting and dispute resolution for at least 2 years.
• WhatsApp session files are deleted immediately when you log out or disconnect the bot.
• On account deletion request, personal account data is deleted within 30 days, except where retention is legally required.

5. Security

Credentials are stored in a SQLite database on the host where the service runs. Passwords are bcrypt-hashed. Session cookies are HMAC-SHA256 signed with a server secret. Inter-service communication uses TLS. You are responsible for keeping your hosting environment secure.

6. Your rights

Depending on your jurisdiction, you may have the right to access, correct, port, or delete your personal data. To exercise these rights, contact the operator of your storefront.

7. Children

The service is not directed to anyone under 18.

8. Changes

We will announce material changes to this Policy on the site and/or via your registered email.

9. Contact

For privacy questions, reply with support on the WhatsApp bot or email the operator of your storefront.