Privacy Policy
Effective Date: [DATE]
Last Updated: [DATE]
Introduction
[COMPANY NAME] ("[COMPANY SHORT NAME]," "we," "us," or "our") is committed to protecting your privacy and the privacy of all individuals whose data is processed through our platform. This Privacy Policy ("Policy") describes how we collect, use, process, store, share, and protect Personal Data in connection with our website at [WEBSITE URL] (the "Website"), our cloud-based AI chatbot and agent platform (the "Service"), and any related mobile applications, APIs, and tools we provide.
We understand the importance of data privacy and take our obligations seriously. This Policy is designed to help you understand what information we collect, why we collect it, how we use it, and what choices you have regarding your data.
Please read this Policy carefully. By accessing or using our Website or Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with this Policy, please do not use our Website or Service.
Table of Contents
- Scope of This Policy
- Definitions
- Data Controller and Data Processor Roles
- Personal Data We Collect
- How We Use Personal Data
- Legal Basis for Processing
- Cookies and Tracking Technologies
- Sharing and Disclosure of Personal Data
- Third-Party Platform Integrations
- International Data Transfers
- Data Security
- Data Retention
- Your Data Protection Rights
- Rights for EEA, Switzerland, and UK Residents
- Rights for California Residents
- Rights for Brazilian Residents (LGPD)
- Rights for Other Jurisdictions
- AI and Automated Decision-Making
- Children's Privacy
- Third-Party Links
- Data Protection Mechanisms
- Changes to This Policy
- Contact Information
1. Scope of This Policy
This Policy applies when [COMPANY SHORT NAME] acts as a data controller — that is, when we determine the purposes and means of processing Personal Data. This includes when you:
- Visit or interact with our Website;
- Create an account and use the Service as an Administrator, Agent, or other authorized User;
- Register for or participate in our webinars, events, marketing activities, or promotional campaigns;
- Contact us with inquiries, support requests, or feedback;
- Apply for employment with us;
- Engage in commercial transactions with us.
When This Policy Does NOT Apply
This Policy does not apply to:
- End User Data Processed on Behalf of Customers: When our Customers use the Service to communicate with their End Users (e.g., through chatbots on WhatsApp, Messenger, Instagram, Telegram, or web chat), we process End User data solely on behalf of and under the instructions of our Customers. In this capacity, we act as a data processor (or sub-processor), and the Customer acts as the data controller. If you are an End User interacting with a Customer's chatbot or agent, please refer to that Customer's privacy policy for information about how your data is handled.
- Third-Party Services: Data collected by third-party services (such as WhatsApp, Meta/Facebook, Instagram, Telegram, or other platforms) is governed by those services' own privacy policies.
- Employee Data: Personal Data about our current and former employees, job candidates, and contractors is governed by separate internal privacy notices.
2. Definitions
"Account" means a registered user account on the Service.
"Admin" / "Administrator" means a User with full administrative access to the Service within their organization.
"Agent" means a User with limited access, primarily focused on handling customer interactions and escalated conversations.
"Bot" or "AI Agent" means an AI-powered conversational agent created and configured by a Customer within the Service.
"Customer" means a business or individual that has registered for and uses the Service.
"Customer Data" means all data submitted to the Service by a Customer or its Users, including Knowledge Base Content, Bot configurations, conversation data, End User information, and lead capture data.
"End User" means an individual who interacts with a Customer's Bot(s) or human agents through a supported communication platform.
"Knowledge Base Content" means documents, FAQs, and other materials uploaded or generated within the Service.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws (including the GDPR, CCPA, LGPD, and other applicable laws).
"Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, transfer, erasure, or destruction.
"Service" means [COMPANY SHORT NAME]'s cloud-based AI chatbot and agent platform, including all features, tools, APIs, and related services.
"User" means any individual authorized by a Customer to access and use the Service, including Administrators and Agents.
"Website" means [COMPANY SHORT NAME]'s website at [WEBSITE URL] and any associated subdomains, landing pages, or other web properties we operate.
3. Data Controller and Data Processor Roles
When We Act as a Data Controller
[COMPANY SHORT NAME] is the data controller for Personal Data that we collect and process for our own purposes, such as:
- Website visitor data;
- Account registration and authentication data;
- Billing and payment data;
- Marketing and communications data;
- Job applicant data;
- Support and inquiry data.
When We Act as a Data Processor
[COMPANY SHORT NAME] acts as a data processor (or sub-processor) when processing Personal Data on behalf of our Customers through the Service. This includes:
- End User messages and conversation data;
- End User profile and contact information;
- Lead capture / User profiling data collected through Bot interactions;
- Knowledge Base Content that may contain Personal Data;
- Conversation logs and interaction histories.
When we act as a data processor, the Customer is the data controller and is responsible for ensuring lawful processing of End User data, including obtaining necessary consents and providing appropriate privacy notices. If you are an End User and have questions about how your data is processed, please contact the relevant Customer directly.
4. Personal Data We Collect
4.1 Data You Provide Directly
(a) Account and Registration Data: When you create an Account or register for the Service, we collect:
- Full name
- Email address
- Password (stored in encrypted form)
- Organization name
- Phone number (if provided)
- Role (Admin or Agent)
- Job title (if provided)
(b) Billing and Payment Data: When you subscribe to a paid plan, we collect:
- Company name
- Billing address
- Payment method details (credit card number, expiration date, CVC — processed by our third-party payment processor)
- Tax identification number (VAT, GST, EIN, or equivalent, where applicable)
- Transaction history
(c) Knowledge Base and Bot Configuration Data: When you use the Service, we process:
- Documents uploaded to the Knowledge Base (PDF, DOC, DOCX, and other supported formats)
- FAQs generated from uploaded documents (pending, approved, rejected)
- Bot configuration settings (name, description, language, personality, rate limits, message size limits, welcome messages, escalation messages, off-topic responses, privacy-related messages)
- Platform connection credentials and configurations
- User profiling / lead capture form configurations
(d) Communication Data: When you contact us or communicate through the Service, we collect:
- Email correspondence
- Support tickets and chat transcripts
- Phone call recordings (if applicable and with consent)
- Feedback and survey responses
(e) Job Application Data: If you apply for a position with us, we collect:
- Resume / CV
- Cover letter
- Contact information
- Education and employment history
- References
- Any other information you voluntarily provide
4.2 Data Collected Automatically
(a) Usage Data: When you access or use the Website or Service, we automatically collect:
- IP address
- Browser type and version
- Operating system
- Device type and identifiers
- Pages viewed and features used
- Click activity and navigation paths
- Session duration and timestamps
- Referring and exit pages
- API usage and request logs
(b) Log Data: Our servers automatically record information that your browser or device sends whenever you access the Service, including:
- Server logs
- Error reports
- Access timestamps
- Request and response metadata
(c) Geolocation Data: We may collect approximate geographic location based on your IP address. We do not collect precise GPS-based location data unless you explicitly enable such functionality.
(d) Cookie Data: We collect data through cookies and similar tracking technologies as described in Section 7 below.
4.3 Data Collected from Third Parties
We may receive Personal Data about you from:
- Third-party authentication providers: When you sign in using Google, Facebook, Apple, or other single sign-on (SSO) providers, we receive your name, email address, and profile information as authorized by you.
- Business partners and resellers: Contact information, company information, and business relationship details.
- Public sources: Information from public databases, social media profiles, and other publicly available sources.
- Platform integrations: When you connect third-party Platforms (WhatsApp, Instagram, Facebook Messenger, Telegram) with the Service, we may receive data necessary to facilitate the integration.
4.4 End User Data (Processed on Behalf of Customers)
When our Customers use the Service to interact with their End Users, the following categories of End User data may be processed through the Service:
- End User names and identifiers from the communication Platform
- Phone numbers (WhatsApp, Telegram)
- Social media profile information (Instagram, Facebook Messenger)
- Message content (text, images, audio, video, documents)
- Conversation metadata (timestamps, message status, escalation events)
- Lead capture data (name, country, phone number, custom fields as configured by the Customer)
- Platform-specific information (source platform, first seen date, message count)
- Warning and blocking status
- Geographic location (if available from the Platform)
- Feedback and ratings provided by End Users
Important: We process this End User data solely as a data processor on behalf of our Customers. The Customer is the data controller and is responsible for providing privacy notices to End Users and obtaining all necessary consents.
5. How We Use Personal Data
5.1 To Provide and Operate the Service
- Creating and managing your Account
- Processing subscriptions and payments
- Providing the Service's features and functionality, including Bot creation, Knowledge Base management, platform integrations, live chat, dashboard, analytics, playground, cost analysis, and team management
- Processing and delivering AI-generated responses to End User queries on behalf of Customers
- Storing and managing conversation data, Knowledge Base Content, and Bot configurations
- Generating automated FAQs from uploaded documents
- Facilitating platform integrations (WhatsApp, Instagram, Facebook Messenger, Telegram, web chat)
- Providing lead capture / User profiling functionality
- Sending service-related notifications, including system alerts, maintenance notices, and account updates
5.2 To Improve and Develop the Service
- Analyzing usage patterns, trends, and performance metrics
- Monitoring Service Data to identify bugs, errors, and areas for improvement
- Conducting internal research and development
- Generating aggregated, anonymized analytics and reports
- Optimizing AI response quality and Service performance (using aggregated, anonymized data only — we do not use Customer Data to train generalized AI models)
5.3 For Communication and Marketing
- Responding to your inquiries, support requests, and feedback
- Sending you marketing communications about our products, services, features, and events (with your consent where required by law)
- Personalizing your experience on our Website and in the Service
- Conducting surveys and collecting feedback
5.4 For Security and Fraud Prevention
- Detecting, preventing, and addressing security threats, fraud, spam, and abuse
- Monitoring for violations of our Terms of Service
- Enforcing rate limits and usage restrictions
- Investigating suspicious activity and unauthorized access
5.5 For Legal and Compliance Purposes
- Complying with applicable laws, regulations, and legal processes
- Responding to lawful requests from government authorities and law enforcement
- Establishing, exercising, or defending legal claims
- Maintaining audit trails and compliance records
5.6 For Business Operations
- Processing payments and managing billing
- Maintaining internal business records
- Performing accounting, auditing, and financial reporting
- Facilitating corporate transactions (mergers, acquisitions, reorganizations)
5.7 For Recruitment
- Evaluating job applications and conducting the recruitment process
- Communicating with applicants about their applications
- Verifying qualifications, references, and background (where applicable and permitted by law)
6. Legal Basis for Processing
Where required by applicable data protection laws (such as the GDPR), we process Personal Data based on one or more of the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service and managing your Account | Performance of a contract |
| Processing payments and billing | Performance of a contract; Legal obligation |
| Responding to support requests and inquiries | Performance of a contract; Legitimate interests |
| Sending service-related communications | Performance of a contract; Legitimate interests |
| Sending marketing communications | Consent (where required); Legitimate interests |
| Improving and developing the Service | Legitimate interests |
| Analytics and aggregated reporting | Legitimate interests |
| Ensuring security and preventing fraud | Legitimate interests; Legal obligation |
| Complying with legal obligations | Legal obligation |
| Processing job applications | Taking steps prior to entering a contract; Legitimate interests; Consent (for sensitive data) |
| Conducting corporate transactions | Legitimate interests |
| Processing End User data on behalf of Customers | Performance of a contract (with the Customer) |
Where we rely on legitimate interests, we have conducted balancing tests to ensure that our interests do not override your rights and freedoms. You may contact us for more information about these assessments.
Where we rely on consent, you may withdraw your consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.
7. Cookies and Tracking Technologies
7.1 What Are Cookies
Cookies are small text files placed on your device when you visit our Website. We use cookies and similar technologies (such as web beacons, pixels, and local storage) to collect information about your browsing activity and preferences.
7.2 Types of Cookies We Use
(a) Strictly Necessary Cookies: Essential for the operation of our Website and Service. These cookies enable core functionality such as authentication, security, and session management. You cannot opt out of these cookies.
(b) Performance and Analytics Cookies: Help us understand how visitors interact with our Website by collecting information about pages visited, time spent, errors encountered, and other usage metrics. We use this data to improve our Website and Service.
(c) Functional Cookies: Allow us to remember your preferences and settings (such as language, region, and display options) to provide a more personalized experience.
(d) Marketing and Advertising Cookies: Used to track your browsing activity across websites and deliver targeted advertisements that are relevant to your interests. These cookies may be set by us or by third-party advertising partners.
7.3 Third-Party Cookies
We may allow third-party service providers to place cookies on your device for analytics, advertising, and other purposes. These third parties include:
- Google Analytics
- [OTHER ANALYTICS PROVIDERS]
- [ADVERTISING PARTNERS]
7.4 Managing Cookies
You can control and manage cookies through your browser settings. Most browsers allow you to block or delete cookies. However, blocking certain cookies may affect the functionality of our Website and Service.
You may also manage your cookie preferences through our cookie consent banner when you first visit our Website.
7.5 Do Not Track Signals
We do not currently respond to "Do Not Track" (DNT) signals sent by web browsers, as there is no universally accepted standard for DNT compliance. However, you can manage your cookie preferences as described above.
8. Sharing and Disclosure of Personal Data
We do not sell your Personal Data to third parties. We may share or disclose Personal Data in the following circumstances:
8.1 Service Providers and Sub-Processors
We engage trusted third-party service providers to assist us in providing and operating the Service. These providers process Personal Data on our behalf and under our instructions, and are contractually bound to protect your data. Categories of service providers include:
- Cloud hosting and infrastructure providers
- Payment processors
- Email and communication service providers
- Analytics and monitoring tools
- Customer support and ticketing systems
- Security and fraud prevention services
- Content delivery networks
A current list of our sub-processors is available at [SUB-PROCESSORS URL].
8.2 Affiliates
We may share Personal Data with our corporate affiliates and subsidiaries for purposes consistent with this Policy, including for business operations, support, and Service delivery.
8.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, dissolution, or sale of all or a portion of our assets, Personal Data may be transferred to the acquiring entity as part of the transaction. We will provide notice of such transfer and any changes to applicable privacy practices.
8.4 Legal Requirements and Law Enforcement
We may disclose Personal Data if required by law, regulation, legal process, or governmental request, including:
- Responding to subpoenas, court orders, or other legal processes;
- Cooperating with law enforcement or regulatory investigations;
- Protecting the rights, property, or safety of [COMPANY SHORT NAME], our Customers, or others;
- Detecting, preventing, or addressing fraud, security issues, or technical problems.
8.5 With Your Consent
We may share your Personal Data with third parties when you have given us explicit consent to do so.
8.6 Aggregated and Anonymized Data
We may share aggregated, anonymized, or de-identified data that does not reasonably identify any individual with third parties for analytics, benchmarking, research, and other lawful purposes.
9. Third-Party Platform Integrations
9.1 Communication Platforms
The Service integrates with third-party communication Platforms, including WhatsApp (Meta), Instagram (Meta), Facebook Messenger (Meta), Telegram, and web-based chat. When Customers connect these Platforms:
- We receive and process messages and data from these Platforms on behalf of the Customer;
- Data processed through these Platforms is also subject to the privacy policies and terms of those Platforms;
- We do not control the data collection and processing practices of these third-party Platforms;
- Customers are responsible for understanding and complying with the privacy requirements of each Platform.
9.2 WhatsApp and Meta Platforms
When the Service is used with WhatsApp, Instagram, or Facebook Messenger:
- Messages sent through WhatsApp Cloud API are temporarily stored by Meta's infrastructure and automatically deleted after 30 days;
- Customer and End User data processed through Meta Platforms is subject to Meta's Platform Terms, Data Policy, and applicable addenda;
- [COMPANY SHORT NAME] does not share End User data with Meta for advertising purposes;
- Customers must comply with Meta's Commerce Policy, Business Messaging Policy, and other applicable policies.
9.3 Telegram
When the Service is used with Telegram, data processing is subject to Telegram's Privacy Policy and Terms of Service. [COMPANY SHORT NAME] processes Telegram data solely on behalf of the Customer.
9.4 Single Sign-On (SSO)
If you log in to the Service using a third-party authentication provider (such as Google, Facebook, or Apple), we receive and process the profile information you authorize the provider to share with us. The authentication provider's privacy policy governs their collection and use of your data.
10. International Data Transfers
10.1 Where We Process Data
[COMPANY SHORT NAME] operates globally and may process Personal Data in countries other than the country where it was originally collected. Our servers and service providers are located in [LIST PRIMARY DATA CENTER LOCATIONS, e.g., United States, European Union, Singapore, etc.].
10.2 Safeguards for International Transfers
When transferring Personal Data internationally, we implement appropriate safeguards to ensure an adequate level of protection, including:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for transfers of Personal Data from the EEA, Switzerland, and the UK to countries that do not provide an adequate level of data protection;
- Data Privacy Framework (DPF): [If applicable] We comply with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework;
- Contractual protections: We require all service providers and sub-processors to maintain appropriate data protection measures through binding contractual obligations;
- Additional safeguards: We implement supplementary technical and organizational measures where necessary, including encryption, access controls, and data minimization.
10.3 Data Localization
Where required by applicable law or Customer contract, we offer data residency options. Please contact us for information about available data hosting locations.
11. Data Security
11.1 Security Measures
We implement and maintain robust technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, loss, or destruction. These measures include:
- Encryption: All data is encrypted at rest and in transit using industry-standard encryption protocols (AES-256 for data at rest; TLS 1.2+ for data in transit).
- Access Controls: Role-based access controls ensure that only authorized personnel can access Personal Data. We follow the principle of least privilege.
- Authentication: Multi-factor authentication is supported and recommended for all accounts.
- Infrastructure Security: Our infrastructure is hosted on reputable cloud service providers with SOC 2, ISO 27001, and other relevant security certifications.
- Network Security: Firewalls, intrusion detection and prevention systems, and network segmentation are used to protect our infrastructure.
- Regular Assessments: We conduct regular security assessments, vulnerability scans, and penetration tests.
- Incident Response: We maintain an incident response plan to promptly detect, investigate, contain, and remediate security incidents.
- Employee Training: All employees and contractors with access to Personal Data receive regular data protection and security training.
- Vendor Management: We assess the security practices of our service providers and require them to maintain appropriate safeguards.
11.2 Data Breach Notification
In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will:
- Notify affected Customers without undue delay (and within the timeframes required by applicable law);
- Provide details about the nature of the breach, the data affected, and the measures taken or proposed to address the breach;
- Cooperate with Customers and data protection authorities as required;
- Take all reasonable steps to contain and remediate the breach.
11.3 Customer's Security Responsibilities
Customers are responsible for maintaining the security of their Account credentials, managing User access, properly configuring security settings, and implementing appropriate security measures for their own systems and data.
12. Data Retention
12.1 General Retention Principles
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The specific retention period depends on the nature of the data, the purpose of processing, and any legal or contractual obligations.
12.2 Specific Retention Periods
| Data Category | Retention Period |
|---|---|
| Account and registration data | Duration of the Account plus [X] years after Account closure |
| Billing and payment data | Duration of the business relationship plus [X] years (or as required by tax and accounting laws) |
| Customer Data (including Knowledge Base Content, conversation data, Bot configurations) | Duration of the Subscription Period. Retained for 30 days after termination to allow for data export. Deleted thereafter unless required by law. |
| End User data (processed on behalf of Customers) | As determined by the Customer. Deleted upon Customer instruction or within 30 days of Account termination. |
| Website usage and analytics data | [X] months |
| Cookie data | Varies by cookie type (see Section 7) |
| Marketing communications data | Until you opt out, plus [X] years on suppression list |
| Support and inquiry data | [X] years after resolution |
| Job application data | [X] months after the recruitment process ends (or longer with your consent for future opportunities) |
| Security and audit logs | [X] years |
12.3 Deletion and Anonymization
When Personal Data is no longer needed for the purposes described in this Policy and there is no legal requirement to retain it, we will securely delete or anonymize it. Anonymized data may be retained indefinitely for analytics, research, and statistical purposes.
12.4 Customer-Requested Deletion
Customers may request deletion of their Account and associated data by contacting us at [CONTACT EMAIL]. Upon receiving a verified deletion request, we will delete the data within thirty (30) days, except where retention is required by law.
13. Your Data Protection Rights
Depending on your location and applicable law, you may have the following rights regarding your Personal Data:
13.1 Right of Access
You have the right to request confirmation of whether we process your Personal Data and, if so, to receive a copy of that data along with information about how it is processed.
13.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete Personal Data.
13.3 Right to Erasure (Right to Be Forgotten)
You have the right to request deletion of your Personal Data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
13.4 Right to Restrict Processing
You have the right to request that we restrict the processing of your Personal Data in certain circumstances, such as when you contest the accuracy of the data.
13.5 Right to Data Portability
You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where technically feasible.
13.6 Right to Object
You have the right to object to the processing of your Personal Data in certain circumstances, including processing for direct marketing purposes or processing based on our legitimate interests.
13.7 Right Not to Be Subject to Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you, except where permitted by applicable law.
13.8 Right to Withdraw Consent
Where we process your Personal Data based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
13.9 Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority in your jurisdiction.
13.10 Exercising Your Rights
To exercise any of these rights, please contact us using the information provided in Section 23. We will respond to your request within the timeframes required by applicable law (typically within 30 days). We may need to verify your identity before processing your request.
13.11 End User Rights
If you are an End User interacting with a Customer's Bot or Agent through the Service, and you wish to exercise any data protection rights, please contact the Customer directly. The Customer, as the data controller, is responsible for responding to your requests. We will assist our Customers in fulfilling such requests as required.
14. Rights for EEA, Switzerland, and UK Residents
If you are located in the European Economic Area (EEA), Switzerland, or the United Kingdom (UK), the following supplemental terms apply:
14.1 Legal Basis
We process your Personal Data based on the legal bases described in Section 6. For processing based on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights.
14.2 Data Controller
[COMPANY SHORT NAME]'s entity responsible for the processing of your Personal Data is: [ENTITY NAME AND ADDRESS].
14.3 Data Protection Officer
We have appointed a Data Protection Officer (DPO) who can be contacted at:
Email: [DPO EMAIL]
Postal Address: [DPO ADDRESS]
14.4 International Transfers
Personal Data transferred outside the EEA, Switzerland, or the UK is protected by appropriate safeguards, including Standard Contractual Clauses approved by the European Commission and/or the UK Information Commissioner's Office. For more information, see Section 10.
14.5 Supervisory Authority
You have the right to lodge a complaint with the data protection authority in your country of residence:
- EU: A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en
- UK: The Information Commissioner's Office (ICO) — https://ico.org.uk
- Switzerland: The Federal Data Protection and Information Commissioner (FDPIC) — https://www.edoeb.admin.ch
14.6 EU/UK Representative
[If applicable] We have appointed [REPRESENTATIVE NAME] as our representative in the [EU/UK] in accordance with Article 27 of the GDPR / UK GDPR:
Name: [REPRESENTATIVE NAME]
Address: [REPRESENTATIVE ADDRESS]
Email: [REPRESENTATIVE EMAIL]
15. Rights for California Residents
If you are a California resident, the following supplemental terms apply pursuant to the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"):
15.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email address, IP address, account name | Yes |
| Customer Records | Billing information, payment details | Yes |
| Commercial Information | Subscription history, transaction records | Yes |
| Internet/Network Activity | Browsing history, search history, usage data | Yes |
| Geolocation Data | Approximate location based on IP address | Yes |
| Professional Information | Job title, employer name | Yes |
| Inferences | Preferences, characteristics based on usage patterns | Yes |
| Sensitive Personal Information | Account login credentials | Yes |
15.2 Sale and Sharing of Personal Information
We do not sell your personal information in exchange for monetary consideration. However, certain data sharing activities involving advertising and analytics cookies may constitute a "sale" or "sharing" under California law. You have the right to opt out of such "sale" or "sharing."
15.3 Your California Privacy Rights
- Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected, the sources of that information, the purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing: You have the right to opt out of the sale or sharing of your personal information.
- Right to Limit Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
15.4 Exercising Your California Rights
To exercise your rights, please contact us using the information in Section 23 or submit a request through [PRIVACY REQUEST FORM URL]. We will verify your identity before processing your request. You may designate an authorized agent to make requests on your behalf.
15.5 Response Timing
We will respond to opt-out requests within 15 business days and to other requests within 45 days (extendable to 90 days with notice).
15.6 Financial Incentives
If we offer any financial incentives (such as discounts or promotions) in exchange for personal information, we will provide the material terms of the offer at the time of participation. You may withdraw from any financial incentive at any time.
16. Rights for Brazilian Residents (LGPD)
If you are located in Brazil, the following supplemental terms apply pursuant to the Lei Geral de Proteção de Dados ("LGPD"):
16.1 Your Rights Under LGPD
- Confirmation and Access: You have the right to confirm the existence of processing and to access your Personal Data.
- Correction: You have the right to request correction of incomplete, inaccurate, or outdated data.
- Anonymization, Blocking, or Deletion: You have the right to request anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data.
- Data Portability: You have the right to portability of your data to another service or product provider.
- Deletion: You have the right to request deletion of Personal Data processed with your consent.
- Information on Sharing: You have the right to be informed about the public and private entities with which your data is shared.
- Information on Consent: You have the right to be informed about the possibility and consequences of not providing consent.
- Withdrawal of Consent: You have the right to withdraw your consent at any time.
- Complaint: You have the right to file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) — https://www.gov.br/anpd/pt-br.
16.2 Exercising Your LGPD Rights
To exercise your rights under LGPD, please contact us using the information in Section 23.
17. Rights for Other Jurisdictions
17.1 Australia
Personal Data collected from Australian residents is processed in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles. You may file a complaint with the Office of the Australian Information Commissioner (OAIC) — https://www.oaic.gov.au.
17.2 Canada
Personal Data collected from Canadian residents is processed in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation.
17.3 Singapore
Personal Data collected from Singapore residents is processed in accordance with the Personal Data Protection Act 2012 (PDPA).
17.4 Hong Kong
Personal Data collected from Hong Kong residents is processed in accordance with the Personal Data (Privacy) Ordinance (PDPO).
17.5 Japan
Personal Data collected from Japanese residents is processed in accordance with the Act on the Protection of Personal Information (APPI).
17.6 Other U.S. States (Colorado, Connecticut, Virginia, Utah, and Others)
Residents of states with comprehensive privacy laws (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and others as enacted) have rights similar to those described for California residents in Section 15, including rights to access, correct, delete, and opt out of certain processing activities. To exercise your rights, contact us using the information in Section 23. You may appeal a denial of your request by contacting us as described in the notice of denial.
18. AI and Automated Decision-Making
18.1 How We Use AI
The Service uses artificial intelligence technologies, including large language models and retrieval-augmented generation (RAG), to:
- Generate automated responses to End User queries based on the Customer's Knowledge Base Content;
- Automatically generate suggested FAQs from uploaded documents;
- Analyze conversation data to provide dashboard metrics and analytics;
- Provide cost analysis and usage insights.
18.2 No Generalized AI Training
We do not use Customer Data or End User data to train, develop, or improve generalized AI or machine learning models. Our AI processes use RAG and similar techniques to generate contextual responses based solely on the Customer's own Knowledge Base Content. Your data is not used to improve models for other customers.
18.3 Automated Decision-Making
The Service does not make automated decisions that produce legal effects or similarly significant effects on individuals without human oversight. AI-generated responses are informational in nature and subject to the Customer's review and configuration. Customers can configure escalation rules to ensure human intervention when needed.
18.4 Accuracy and Limitations
AI-generated content may contain inaccuracies. The Customer is responsible for reviewing and monitoring AI responses for accuracy. [COMPANY SHORT NAME] does not guarantee the accuracy, completeness, or appropriateness of AI-generated content.
19. Children's Privacy
Our Website and Service are not directed to children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect Personal Data from children. If we learn that we have inadvertently collected Personal Data from a child, we will take steps to delete such data promptly.
If you are a parent or guardian and believe that your child has provided Personal Data to us, please contact us using the information in Section 23 so that we can take appropriate action.
Note for Customers: If you use the Service to communicate with End Users, you are responsible for ensuring that your Bots and Agents do not knowingly collect data from children in violation of applicable laws (such as COPPA in the United States).
20. Third-Party Links
Our Website and Service may contain links to third-party websites, services, or applications that are not owned or controlled by [COMPANY SHORT NAME]. We are not responsible for the privacy practices, content, or security of third-party sites. We encourage you to read the privacy policies of any third-party sites you visit.
The inclusion of a link does not imply endorsement, authorization, or affiliation with the linked website.
21. Data Protection Mechanisms
We implement comprehensive data protection mechanisms to safeguard your information:
- Encryption: All data is encrypted using industry-standard algorithms both at rest (AES-256) and in transit (TLS 1.2+).
- Access Controls: Role-based access controls and the principle of least privilege ensure only authorized personnel access sensitive data.
- Rate Limiting: We implement rate limiting on our APIs and Bots to protect against abuse and maintain service availability.
- Domain Controls: For web-embeddable chat widgets, Customers can configure domain allowlists to restrict where their Bots can be embedded.
- Infrastructure Security: Our services run on enterprise-grade cloud infrastructure with SOC 2, ISO 27001, and other relevant compliance certifications.
- No AI Training on Customer Data: We do not use Customer Data to train generalized AI models.
- Data Processing Agreements: We maintain data processing agreements with all sub-processors and service providers.
- Regular Audits: We conduct regular security audits and compliance assessments.
- Incident Response: We maintain a documented incident response plan with defined escalation procedures.
22. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable laws, or for other operational, legal, or regulatory reasons.
- Material Changes: For material changes, we will provide notice through prominent posting on our Website, email notification to registered Users, or in-product notifications, at least thirty (30) days before the changes take effect.
- Non-Material Changes: Minor or clarifying changes may be made without prior notice.
Your continued use of the Website or Service after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree with the updated Policy, you should discontinue your use of the Website and Service.
We encourage you to review this Policy periodically for the latest information about our privacy practices.
23. Contact Information
If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, or if you wish to exercise any of your data protection rights, please contact us:
General Privacy Inquiries
[COMPANY NAME]
[COMPANY ADDRESS LINE 1]
[COMPANY ADDRESS LINE 2]
[CITY, STATE/PROVINCE, POSTAL CODE]
[COUNTRY]
Email: [PRIVACY CONTACT EMAIL]
Website: [COMPANY WEBSITE URL]
Data Protection Officer
Name: [DPO NAME]
Email: [DPO EMAIL]
Postal Address: [DPO ADDRESS]
EU/UK Representative (if applicable)
Name: [EU/UK REPRESENTATIVE NAME]
Address: [EU/UK REPRESENTATIVE ADDRESS]
Email: [EU/UK REPRESENTATIVE EMAIL]
Privacy Rights Requests
To submit a data subject access request or exercise any of your data protection rights, please:
- Email us at: [PRIVACY RIGHTS EMAIL]
- Submit a request at: [PRIVACY REQUEST FORM URL]
We aim to respond to all requests within thirty (30) days or within the timeframes required by applicable law. We may need to verify your identity before processing your request.
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | [DATE] | Initial version |
This Privacy Policy was last updated on [DATE].
