Effective date: February 1, 2026
1. What data we collect
When using the Bitrix24 Hub service (hereinafter — the Service), the following data is processed:
| Category | Data | Source |
| --- | --- | --- |
| User profile | Name, surname, email, phone, avatar | Bitrix24 REST API (user.get) |
| Identification | Bitrix24 user ID, portal domain, Hub address | Automatically on connection |
| Messages | Message text, Bitrix24 message IDs | Chat webhook events |
| Files | File name and size (content is transient) | Chat webhook events |
| Access tokens | OAuth tokens for the app and bots | Bitrix24 REST API |
2. How we use data
- Message routing — profile data is used to identify the sender and recipient. Message text is transmitted between portals via representative bots.
- File transfers — files are downloaded from one portal and transferred to another. File content is stored in a temporary directory only during transfer and is deleted immediately after delivery.
- Profile synchronization — name and avatar are updated on representative bots so that the other party sees current information.
We do not use user data for advertising, analytics, profiling, or sharing with third parties.
3. Data storage
- Database — information about portals, users, connections, and message logs is stored in MySQL on a secure server.
- Message text — logs store the text of the last message for deduplication. The full message history is not stored in the Service — it remains in Bitrix24 chats.
- Files — file content is not stored. Files are transferred in transit: downloaded to a temporary directory, uploaded to the target portal, and immediately deleted.
- Tokens — OAuth tokens are stored in the database in plain text (required by the REST API for refresh). Administrator passwords are stored as bcrypt hashes.
4. Security
- Channel encryption — all connections between clients, the server, and Bitrix24 are protected by HTTPS (TLS 1.2+). The SSL certificate is issued by Let's Encrypt.
- Request authentication — every incoming event from Bitrix24 is verified by application_token. Requests without a valid token are rejected.
- Token protection — OAuth token refresh uses a mutex to prevent race conditions. Tokens are not logged and not included in API responses (redacted to [REDACTED]).
- Data isolation — each portal can only access its own data. Messages are routed strictly between connected users.
- Rate limiting — the API is protected by rate limiting (200 requests per minute per IP).
5. User rights
- Disconnection — a user can disconnect from Hub using the disconnect command. This removes the following from the database: Hub address, name, surname, email, phone, avatar. The account transitions to "inactive" status.
- App removal — when the app is removed from a portal, the data of the portal, associated users, and connections is preserved in the database for possible reinstallation. For complete data deletion, please contact support.
- Data request — you can request information about stored data by contacting support@bitrix24hub.com.
6. Third-party data sharing
We do not share personal data with third parties, except in the following cases:
- Transmitting messages and files between Bitrix24 portals — at the direct request of the user (sending a message).
- Compliance with applicable law.
7. Cookies and tracking
The core service (chatbot) does not use cookies and does not track user activity. The admin panel uses an httpOnly cookie for administrator authentication.
8. Policy changes
We reserve the right to update this Policy. The current version is available at bitrix24hub.com/privacy.html.
9. Contact
For privacy and security inquiries: support@bitrix24hub.com