The following document outlines the privacy features of ChatBotKit. Learn about ChatBotKit’s encryption, anonymity and entity handling.

ChatBotKit has built-in privacy features to ensure the safety of your data and end-user conversations. Our privacy features are designed to protect your data and conversations from unauthorized access and use as well as preserve the anonymity of end-users. This is a default control which cannot be overridden.

As a general rule, we advise pre- and post-processing your data where possible to ensure it is in line with your privacy policy, even when ChatBotKit is handling all privacy-related issues automatically for you.


Messages that arrive in the system are automatically scanned for PII (personally identifiable information) such as name, address, phone number, email, etc. If PII is discovered, the message is transformed using several anonymisation techniques, such as hashing and tokenisation, to ensure it cannot be used to identify the user. The output of this operation is several "entities" which logically represent the PII data encapsulated in the message.

Each entity is made of several components: the type, beginning position, end position, original text and entity replacement information. To provide a smooth user experience, you may need to handle detected entities and keep track of their use. If you use the built-in integrations (Widget, Slack, etc.), this operation is automatically handled for you.

Handling Entities

Let's see how entities are generated in ChatBotKit. Consider the following payload submitted to the conversation/${conversationId}/send API endpoint:

{ "text": "My name is John." }

The message contains PII data: the name "John". As a result, the name will be anonymised. The API endpoint will return the following response:

{
  "id": <message id>,
  "entities": [
    {
      "type": "name",
      "begin": 11,
      "end": 15,
      "text": "John",
      "replacement": { "begin": 11, "end": 22, "text": "i03n7d1g9fo" }
    }
  ]
}

The entities array contains information about detected entities and how these entities were anonymised. As you can see, the name "John" was anonymised using a generated token (i03n7d1g9fo) and the original text was replaced with this token.

Internally, the system will store the message "My name is i03n7d1g9fo." instead of "My name is John.". The anonymised text is also what is sent to the underlying model, not the original.

The user interface must handle the entities and display the original text instead of the token. This is a simple search-and-replace operation. In other words, to keep the user experience smooth and natural, the UI should display the original message ("My name is John.") instead of the tokenised version ("My name is i03n7d1g9fo.").

The conversation/${conversationId}/send endpoint may also receive entity information to skip transforming already anonymised entities. For example, consider the following call to the conversation/${conversationId}/send API endpoint:

{ "text": "My name is i03n7d1g9fo.", "entities": [ { "begin": 11, "end": 22 } ] }

Using this payload, we instruct the endpoint to skip processing entities between positions 11 and 22, which is where the anonymised token can be found. As a result of this action, the endpoint will return the following response:

{ "id": <message id>, "entities": [] }

Notice that the entities array in the response is empty. This is because the system was instructed not to process the entity between positions 11 and 22.
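
The display-side search-and-replace and the skip-range payload described above, as an added example that is not ChatBotKit's own code. The helper names are hypothetical, and it assumes tokens can be matched by plain string search and that `end` offsets are exclusive, as in the sample response.

```javascript
// Added example; helper names are hypothetical, not ChatBotKit SDK calls.
// token -> original text. Holds PII, so it lives in memory only.
const tokenToOriginal = new Map();

// Record the entities returned by a send call.
function rememberEntities(entities) {
  for (const e of entities || []) {
    if (e.replacement && e.replacement.text) {
      tokenToOriginal.set(e.replacement.text, e.text);
    }
  }
}

// Locate every known token in `text` as { begin, end, token }, sorted by
// position, with an exclusive end as in the page's sample offsets.
function findTokens(text) {
  const hits = [];
  for (const token of tokenToOriginal.keys()) {
    let at = text.indexOf(token);
    while (at !== -1) {
      hits.push({ begin: at, end: at + token.length, token });
      at = text.indexOf(token, at + token.length);
    }
  }
  return hits.sort((a, b) => a.begin - b.begin);
}

// Display path: swap tokens back to the original text for the user.
function toDisplayText(text) {
  let out = '';
  let pos = 0;
  for (const h of findTokens(text)) {
    if (h.begin < pos) continue; // ignore a hit overlapping the previous one
    out += text.slice(pos, h.begin) + tokenToOriginal.get(h.token);
    pos = h.end;
  }
  return out + text.slice(pos);
}

// Send path: mark tokens already in the text so they are not re-processed.
function toSendPayload(text) {
  const entities = findTokens(text).map(({ begin, end }) => ({ begin, end }));
  return { text, entities };
}

// Constructed sample: the entity from the response shown above.
rememberEntities([{ type: 'name', begin: 11, end: 15, text: 'John',
  replacement: { begin: 11, end: 22, text: 'i03n7d1g9fo' } }]);
console.log(toDisplayText('My name is i03n7d1g9fo.'));
```

Matching by token rather than by stored offsets also restores tokens that reappear at other positions, for example when a later message repeats the tokenised name.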


ChatBotKit's privacy features are designed to protect your data and conversations from unauthorized access and use while preserving the anonymity of end-users. Entities are generated automatically whenever PII is discovered in a message. To provide a smooth user experience, the UI should handle detected entities and replace the anonymised tokens with the original text.