← Back to Bobby

Privacy Policy

Last updated: 24 March 2026

1. Data Controller

The data controller for your personal data is Digital Platforms Ltd, a company registered in England and Wales (company number 17087275), with its registered office at 3rd Floor, 86-90 Paul Street, London, England, EC2A 4NE.

Email: [email protected]

2. What We Collect

We collect and process the following personal data:

Information you provide

  • Account information: email address, display name, and profile preferences
  • Personalisation data: country, currency, sizes, style preferences, household information, and other preferences you choose to share
  • Conversation data: messages you send through the chat interface, mobile apps, or Telegram bot
  • Wishlist data: products and experiences you save, and price alert preferences
  • Feedback: ratings, comments, and feedback you submit

Information collected automatically

  • Usage data: search queries, click-through events, pages visited, and interaction patterns
  • Device data: IP address, browser type and version, operating system, screen resolution, and (for mobile apps) device model, OS version, and unique device identifiers
  • Push notification tokens: if you enable push notifications in our iOS or Android apps, we collect your device token (APNs token on iOS, FCM registration token on Android) solely for delivering notifications to your device
  • Mobile app data: app version, crash logs, and performance diagnostics collected by our mobile apps to maintain and improve the service
  • Telegram data: if you use our Telegram bot, your Telegram user ID, first name, last name, username, and language preference

Information from third parties

  • Google Sign-In: if you sign in with Google, we receive your name and email address from your Google profile

Publicly available product data

Bobby indexes publicly available product information from online retailers, including product titles, descriptions, prices, images, availability, and other catalogue data that retailers make publicly accessible on their websites. This data does not include any personal data of the retailer's customers. We collect this information using automated crawlers that respect robots.txt directives.

3. Legal Basis for Processing

We process your personal data on the following legal bases under the UK GDPR:

  • Contract: to provide the Service you have requested (account features, personalised search, wishlists, conversation history)
  • Legitimate interest: to improve the Service, prevent fraud, ensure security, and to index publicly available product data from online retailers for the purpose of providing a product search service
  • Consent: for marketing communications and optional analytics (you may withdraw consent at any time)

4. How We Use Your Data

  • To provide personalised product and experience search results
  • To maintain your conversation history and provide contextual AI responses
  • To send price drop alerts for wishlisted items
  • To improve search quality, relevance, and AI response accuracy
  • To communicate service updates and account notifications
  • To detect and prevent abuse, fraud, and security threats
  • To generate anonymised, aggregated analytics about Service usage

5. Third-Party Services and Data Sharing

We share data with the following categories of third-party service providers:

  • AI providers (OpenAI, OpenRouter): search queries and conversation text are sent to AI providers for embedding generation and chat responses. No personally identifiable information is included in AI requests.
  • Affiliate networks (Awin, Impact, Viator): click-through events are tracked by affiliate networks for commission attribution. These networks may set their own cookies when you visit a retailer's website.
  • Email provider (Resend): your email address is shared with our email provider to send transactional emails such as verification links and price alerts.
  • Google Sign-In: if you use Google Sign-In, authentication is handled by Google. We receive only your name and email.
  • Apple Push Notification service (APNs): if you use our iOS app with push notifications enabled, your device token is sent to Apple to deliver notifications. Apple's privacy policy applies to their processing of this data.
  • Firebase Cloud Messaging (FCM): if you use our Android app with push notifications enabled, your device registration token is sent to Google Firebase to deliver notifications. Google's privacy policy applies to their processing of this data.
  • App stores (Apple App Store, Google Play): when you download our apps, Apple or Google may share limited data with us such as download analytics and crash reports, subject to their respective privacy policies.
  • Infrastructure providers (OVH): our servers are hosted by OVH in Europe. All data at rest is stored on EU-based infrastructure.

We do not sell your personal data to third parties. We do not share your personal data with advertisers or data brokers.

When you click through to a retailer or experience provider, their own privacy policy applies to your interaction with their website.

6. Cookies and Local Storage

We use the following client-side storage:

  • Authentication cookie: a secure, HTTP-only JWT session token. Essential for maintaining your login session.
  • Local storage: conversation history, UI preferences, and theme settings. This data stays on your device and is not transmitted to our servers unless you have an account.

We do not use third-party advertising cookies. Affiliate networks may set cookies when you click through to a retailer's website.

Mobile app storage

  • Device token: your push notification token is stored securely on our servers and associated with your account to deliver push notifications. You can revoke this at any time by disabling notifications in your device settings or within the app.
  • Local app storage: our mobile apps store authentication tokens, conversation history, preferences, and cached data locally on your device.

7. Mobile Applications

Bobby is available as a mobile application on iOS (Apple App Store) and Android (Google Play). In addition to the data described above, the following applies specifically to our mobile apps:

  • Push notifications: with your consent, we send push notifications for price alerts, wishlist updates, and service messages. You can manage notification preferences in your device settings or within the app at any time.
  • Device permissions: the app may request access to device features such as camera (for visual search, if available) or location (for local results). These permissions are optional and can be revoked in your device settings.
  • Offline data: some data (e.g. recent conversations, cached search results) is stored locally on your device to enable offline access. This data is cleared when you log out or uninstall the app.
  • App analytics: we may collect anonymised app performance data (crash reports, load times, feature usage) to improve the app experience. No personally identifiable information is included in these analytics.

Your use of the mobile app is also subject to the terms of the platform provider (Apple or Google) from which you downloaded the app.

8. International Data Transfers

Your data is primarily stored on servers located in Europe (OVH, France). Some processing involves transfers to the United States:

  • OpenAI: search queries are sent to OpenAI's API for embedding generation (US-based)
  • OpenRouter: conversation text is sent for AI chat responses
  • Resend: email delivery (US-based)
  • Apple (APNs): push notification delivery for iOS app users
  • Google Firebase (FCM): push notification delivery for Android app users

Where data is transferred outside the UK/EEA, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and the providers' data processing agreements.

9. Data Retention

  • Account data: retained while your account is active, and for up to 30 days after account deletion
  • Conversation history: retained for up to 12 months from the date of the conversation
  • Search history: retained for up to 12 months
  • Click logs: retained for up to 24 months for affiliate commission reconciliation
  • Push notification tokens: retained while your account is active and notifications are enabled; deleted within 30 days of disabling notifications or deleting your account
  • Wishlists and preferences: retained while your account is active

Anonymised, aggregated data may be retained indefinitely for analytics and service improvement purposes.

10. Your Rights

Under the UK GDPR, you have the following rights:

  • Right of access: request a copy of the personal data we hold about you
  • Right to rectification: request correction of inaccurate personal data
  • Right to erasure: request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing: request that we limit how we use your data
  • Right to data portability: request your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interest
  • Right to withdraw consent: withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.

11. Retailer and Merchant Data

Bobby indexes publicly available product catalogue data from online retailers to power its search engine. This includes product titles, descriptions, prices, images, availability, brand names, and other product attributes that retailers make publicly accessible.

  • What we index: publicly available product catalogue data only. We do not collect or store any personal data belonging to a retailer's customers.
  • How we collect it: our automated crawlers access publicly available product data feeds and pages. We respect robots.txt directives and standard exclusion protocols.
  • How we use it: indexed product data is used solely to provide product search results to Bobby users. All product links direct users to the retailer's website, driving traffic and potential sales to the original store.
  • Opt-out: if you are a retailer and wish to have your products removed from Bobby's index, please contact us at [email protected] and we will remove your listings within 7 business days. You may also block our crawler by adding appropriate directives to your robots.txt file.

12. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us and we will promptly delete it.

13. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • Hashed and salted passwords (bcrypt)
  • Secure, HTTP-only authentication cookies
  • API key authentication with SHA-256 hashing
  • Database access restricted to application services only
  • Regular security updates and dependency patching

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised.

15. Contact

For privacy enquiries or to exercise your data rights, contact us at:

Digital Platforms Ltd
3rd Floor, 86-90 Paul Street
London, EC2A 4NE
Email: [email protected]