Bot review guidelines
APPLIES TO: SDK v4
We welcome you and thank you for investing your talents and time in building bot, botlets, web apps, add-ins, or skills ("app integrations") for Microsoft channels. The following are the minimum requirements your app integration must meet before it may be published to a Microsoft channel such as Microsoft Teams. Each channel may have specific requirements in addition to the requirements detailed below. If applicable, you'll find channel- specific terms on each channel's configuration page, and you may be required to sign-up for a channel's service before you can publish a bot to that channel.
App Integration Policies
1. Value, Representation, Security and Usability
Your app integration and its associated metadata must:
- have distinct and informative metadata and must provide a valuable and quality user experience;
- accurately and clearly reflect the source, functionality, and features of your app integration and describe any important limitations;
- not use a name or icon similar to that of other apps, and may not claim to be from a company, government body, or other entity if you do not have permission to make that representation;
- not jeopardize or compromise user security, or the security or functionality of the Microsoft channel;
- not attempt to change or extend the described functionality in violation of these policies or the applicable Microsoft channel terms;
- not include or enable malware;
- be testable;
- continue to run and remain responsive to user input;
- include a working link to your Terms of Service;
- operate as described in its description, profile, terms of use and privacy policy;
- operate in accordance with the terms applicable to the Microsoft Bot Framework (or other terms applicable to its development) and the Microsoft Channel Terms (or other applicable terms for the channel upon which your app integration is published);
- inform users if your app integration includes human interaction, such as customer service or support with a live person;
- be localized for all languages that it supports. The text of your app integration's description must be localized in each language that you declare.
2.Privacy
- If your app integration handles users' personal information (personal information includes all information or data that identifies or could be used to identify a person, or that is associated with such information or data. Examples of personal information include: name and address, phone number, biometric identifiers, location, contacts, photos, audio & video recordings, documents, SMS, email, or other text communication, screenshots, and in some cases, combined browsing history), you must provide a prominent link from your app integration to an applicable privacy policy, and such privacy policy must comply with all applicable laws, regulations and policy requirements. This policy should cover what data you're collecting or transmitting, what you will be doing with that data, and (if applicable) who you'll be sharing it with. If you don't have a privacy statement, here are some third-party resources* that might be of some assistance:
Future of Privacy Forum – Application Privacy Policy Generator
Iubenda – Privacy Policy Generator
You agree to assume all risk and liability arising from your use of these third-party resources and that Microsoft is not responsible for any issues arising out of your use of them.
- Your app integration must not collect, store or transmit personal information unrelated to its primary purpose, without first obtaining express user consent. You must obtain all consents from users to process personal information where required by law.
- You may not publish an app integration that is directed at children under the age of 13 (as defined in the Children's Online Privacy Protection Act), without express permission from Microsoft.
3. Financial Transactions
- For payment enabled app integrations:
- Your app integration may not transmit financial instrument details through the user interface;
- Subject to any channel or third-party platform restrictions, your app integration may: (a) support payments through the Microsoft Seller Center subject to the terms of the Microsoft Seller Center Agreement; or (b) transmit links to other secure payment services;
- If your app integration enables the foregoing payment mechanisms, you must disclose this in your app integrations terms of use and privacy policy (and any profile page or website for the app integration) before the end user agrees to use your app integration;
- You must clearly indicate that an app integration is payment-enabled in the its profile and provide end users with the merchant's customer service details; and
- You may not publish app integrations on any Microsoft channel that include links or otherwise direct users to payment services for the purchase of digital goods without express permission from Microsoft.
4. Content
- All content in your app integration and associated metadata must be either originally created by the publisher, appropriately licensed from the third-party rights holder, used as permitted by the rights holder, or used as otherwise permitted by law.
- You will not publish an app integration or content in your app integration that:
- is illegal;
- exploits, harms, or threatens to harm children;
- includes advertising, spam, unwanted or unsolicited or bulk communications, posts or messages;
- could be considered inappropriate or offensive material (involving, for example, nudity, bestiality, profanity, pornography or sexually explicit, graphic or gratuitous violence, tobacco products, criminal, dangerous or irresponsible activity, drugs, human rights violations, the creation or illegal use of weapons against a person or animal in the real world, irresponsible use of alcohol products);
- is false or misleading (e.g., asking for money under false pretenses, impersonating someone else);
- is harmful to you, the Microsoft Channel or others or creates a safety risk (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating discrimination, hatred, or violence based on considerations of race, ethnicity, national origin, language, gender, age, disability, religion, sexual orientation, status as a veteran, or membership in any other social group);
- infringes upon the rights of others (e.g., unauthorized sharing of copyrighted music or other copyrighted material;
- is defamatory, libelous, slanderous, or threatening;
- violates the privacy of others;
- processes information that (a) relates to a patient's condition, treatment or payment for treatment; (b) identifies individuals as or communicates with patients, health plan members or beneficiaries; or (c) is otherwise 'protected health information' under the Health Insurance Portability and Accountability Act, as amended ("HIPAA") or perform any activity governed by HIPAA if you're a 'covered entity' or 'business associate' as defined under HIPAA;
- is offensive in any country/region to which your app is targeted. Content may be considered offensive in certain countries/regions because of local laws or cultural norms;
- helps others to break these rules.
- You must notify Microsoft in advance by sending an email to the specific channel you have published to if you make any material changes to your app integration. Changes made to your bot's registration may require your bot to be re-reviewed to ensure that it continues to meet the requirements stated here. Microsoft has the right, in its sole discretion, to intermittently review app integrations on any channel and remove without notice.