Legal

Privacy Policy

Effective Date: January 7, 2026 | Last Updated: January 7, 2026

1. Introduction

SA Cyber LLC, a Wyoming limited liability company doing business as "Chat.co" ("Chat.co," "we," "us," or "our"), respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our AI-powered chatbot platform, or interact with our Services.

This Privacy Policy applies to information we collect through our website at chat.co, our platform and dashboard, our APIs, embeddable chat widgets, and any other services we provide (collectively, the "Services").

1.1 Scope of This Policy

This Privacy Policy applies when Chat.co acts as a data controller—that is, when we determine the purposes and means of processing your personal data. This includes when you:

  • Visit our website or marketing pages
  • Create an account and use our platform
  • Subscribe to our newsletter or marketing communications
  • Contact our support team
  • Apply for employment with us

1.2 When This Policy Does Not Apply

When our customers use Chat.co to create and deploy chatbots, we act as a data processor on their behalf. In these cases, our customers are the data controllers and their privacy policies govern how end-user data is collected and used. If you interact with a chatbot deployed by one of our customers, please refer to that organization's privacy policy for information about their data practices.

For questions about data processed through a customer's chatbot, please contact that organization directly.

1.3 Important Information

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

2. Data Controller Information

For the purposes of applicable data protection laws, the data controller is:

SA Cyber LLC d/b/a Chat.co

Email: privacy@chat.co

Website: https://chat.co

2.1 Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact our DPO at:

Email: dpo@chat.co

2.2 EU Representative

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), you may contact our EU representative for data protection matters. Contact details are available upon request at privacy@chat.co.

2.3 Brazil Representative (Encarregado)

For users located in Brazil, our Data Protection Officer also serves as our Encarregado under the Lei Geral de Proteção de Dados (LGPD). Contact: dpo@chat.co.

3. Information We Collect

We collect information in several ways: directly from you, automatically when you use our Services, and from third parties. The types of information we collect depend on how you interact with us.

3.1 Information You Provide Directly

3.1.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Password (stored in encrypted form)
  • Company or organization name
  • Job title and role
  • Phone number (optional)
  • Profile picture (optional)

3.1.2 Payment Information

When you make a purchase, our payment processor (Stripe) collects:

  • Credit or debit card number
  • Billing address
  • Transaction history

We do not store your full payment card details. Payment processing is handled entirely by Stripe, Inc. in accordance with PCI-DSS standards. Please review Stripe's Privacy Policy for information about their data practices.

3.1.3 Customer Content

When you use our platform, you may upload or create:

  • Documents for Knowledge Bases (PDFs, Word documents, Excel files, text files)
  • Chatbot configurations and customizations
  • System prompts and training data
  • Question and answer pairs
  • Custom branding and appearance settings

3.1.4 Communications

When you contact us, we collect:

  • Support request content and attachments
  • Feedback and survey responses
  • Email correspondence

3.2 Information Collected Automatically

3.2.1 Usage Data

We automatically collect information about how you use our Services:

  • Pages visited and features used
  • Time spent on pages
  • Click patterns and navigation paths
  • Search queries within the platform
  • Chatbot creation and configuration activities
  • Error logs and performance data

3.2.2 Device and Technical Information

We collect information about your device and connection:

  • IP address (used to derive approximate location at city/region level)
  • Browser type and version
  • Operating system
  • Device type (desktop, mobile, tablet)
  • Screen resolution
  • Language preferences
  • Referring URL

3.2.3 Cookies and Similar Technologies

We use cookies, pixels, and similar tracking technologies to collect information. See Section 9 (Cookies and Tracking Technologies) for detailed information about our cookie practices and your choices.

3.3 Information from Third Parties

We may receive information about you from:

  • Single sign-on providers (Google, Microsoft) if you choose to authenticate through them
  • Analytics providers (aggregated usage data)
  • Marketing partners (business contact information for B2B outreach)
  • Publicly available sources (company information, professional profiles)

3.4 Sensitive Personal Data

We do not intentionally collect sensitive personal data, including:

  • Racial or ethnic origin
  • Political opinions or religious beliefs
  • Genetic or biometric data
  • Health information
  • Sexual orientation
  • Precise geolocation data

If you upload documents containing sensitive data to your Knowledge Base, you are responsible for ensuring you have the appropriate legal basis and consent to process such data.

3.5 Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you are under 18, please do not use our Services or provide any personal information. If we learn that we have collected personal information from a child under 18 without verification of parental consent, we will delete that information promptly. If you believe we have collected information from a child under 18, please contact us at privacy@chat.co.

4. How We Use Your Information

We use the information we collect for the purposes described below. For users in the European Economic Area (EEA), United Kingdom (UK), or Brazil, we have identified the legal basis for each processing activity.

4.1 To Provide and Maintain Our Services

  • Create and manage your account
  • Process your transactions and send related information
  • Provide customer support and respond to inquiries
  • Enable you to create, configure, and deploy chatbots
  • Process and index documents for Knowledge Bases
  • Generate AI-powered chatbot responses

Legal Basis (GDPR/LGPD): Performance of a contract with you.

4.2 To Improve and Develop Our Services

  • Analyze usage patterns to improve features and user experience
  • Conduct research and development
  • Test new features and functionality
  • Generate aggregated, anonymized analytics and benchmarks

Legal Basis (GDPR/LGPD): Legitimate interests in improving our Services.

4.3 To Communicate With You

  • Send service-related notices (updates, security alerts, support messages)
  • Send marketing communications (with your consent where required)
  • Respond to your comments, questions, and requests
  • Provide information about new features, products, or services

Legal Basis (GDPR/LGPD): Contract performance (service notices); Consent (marketing); Legitimate interests (customer relationship management).

4.4 To Ensure Security and Prevent Fraud

  • Monitor for suspicious activity and potential security threats
  • Prevent fraud, abuse, and violations of our Terms of Service
  • Protect the rights, property, and safety of Chat.co and our users
  • Investigate and respond to security incidents

Legal Basis (GDPR/LGPD): Legitimate interests in security and fraud prevention; Legal obligations.

4.5 To Comply With Legal Obligations

  • Comply with applicable laws, regulations, and legal processes
  • Respond to lawful requests from public authorities
  • Establish, exercise, or defend legal claims
  • Maintain records as required by law (tax, accounting)

Legal Basis (GDPR/LGPD): Legal obligation; Legitimate interests in legal compliance.

4.6 With Your Consent

We may process your information for other purposes with your explicit consent. You may withdraw consent at any time, but this will not affect the lawfulness of processing before withdrawal.

5. AI Features and Data Processing

Our Services utilize artificial intelligence and machine learning technologies to provide chatbot functionality. This section explains how your data is processed in connection with AI features.

5.1 How AI Features Work

When you use Chat.co to create chatbots:

  • Documents you upload are processed to extract text and create vector embeddings
  • These embeddings are stored in our secure databases to enable semantic search
  • When end-users interact with your chatbot, their queries are processed by AI models to generate responses
  • Responses are generated based on your Knowledge Base content and chatbot configuration

5.2 Third-Party AI Providers

We use third-party AI services to power certain features. These providers process data to generate AI responses but operate under our commercial agreements with specific data protection terms:

5.2.1 AWS Bedrock

  • Provider: Amazon Web Services, Inc.
  • Purpose: AI model hosting and inference
  • Data Retention: Zero data retention for inference by default
  • Training: Your data is NOT used to train AWS foundation models

5.2.2 OpenAI

  • Provider: OpenAI, Inc.
  • Purpose: Large language model processing
  • Training: Under our API/Business Terms, OpenAI does NOT use API inputs or outputs to train their models
  • Data Retention: Subject to OpenAI's data retention policies for API usage

5.2.3 Anthropic

  • Provider: Anthropic PBC
  • Purpose: Large language model processing
  • Training: Under our Commercial Terms, Anthropic does NOT use API data to train their models
  • Data Retention: Subject to Anthropic's data retention policies for API usage

5.3 Our AI Training Practices

We do NOT use your Customer Content (documents, chat logs, or AI outputs) to train our own AI models or foundation models generally available to other customers.

We may use the following data to improve our Services:

  • Aggregated, anonymized usage statistics
  • Technical performance metrics
  • Error logs and debugging information (with personal data removed)

5.4 AI Output Limitations

AI-generated content may contain inaccuracies, errors, or inappropriate content ("hallucinations"). We recommend:

  • Human review of AI outputs before relying on them for important decisions
  • Not using AI features for medical, legal, financial, or other professional advice
  • Verifying factual claims generated by AI

5.5 Opting Out of AI Processing

If you do not want your data processed by AI features, you may:

  • Not upload documents to Knowledge Bases
  • Disable AI-powered features in your chatbot configuration
  • Delete your Knowledge Base data at any time
  • Contact us to discuss alternative configurations

6. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

6.1 Service Providers (Sub-Processors)

We share information with third-party vendors who perform services on our behalf. These providers are contractually obligated to use your data only as directed by us and to maintain appropriate security measures.

6.2 Business Transfers

If Chat.co is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information.

6.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). We may also disclose information when we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation
  • Protect and defend our rights or property
  • Prevent or investigate possible wrongdoing
  • Protect the personal safety of users or the public
  • Protect against legal liability

6.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

6.5 Aggregated or De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you. This data may be used for industry analysis, benchmarking, and other business purposes.

7. International Data Transfers

Chat.co is based in the United States. If you access our Services from outside the United States, your information will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate.

7.1 Transfers from the European Economic Area (EEA) and UK

For transfers of personal data from the EEA and UK to the United States, we rely on the following transfer mechanisms:

7.1.1 EU-U.S. Data Privacy Framework

We are committed to complying with the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce. We are in the process of self-certifying our compliance through the Data Privacy Framework program.

7.1.2 Standard Contractual Clauses

Where required, we use the European Commission's Standard Contractual Clauses (SCCs) approved in June 2021 (Module 2: Controller to Processor) to provide adequate safeguards for international data transfers. These clauses are incorporated into our Data Processing Agreement.

7.2 Transfers from Brazil

For transfers of personal data from Brazil to the United States, we implement the Standard Contractual Clauses approved by the Brazilian National Data Protection Authority (ANPD) in accordance with LGPD requirements.

7.3 Transfer Impact Assessments

We conduct Transfer Impact Assessments to evaluate the level of protection in destination countries and implement supplementary measures where necessary. These assessments consider local laws, government access requests, and available legal remedies.

7.4 Your Rights Regarding International Transfers

You may request a copy of the safeguards we have put in place for international data transfers by contacting privacy@chat.co.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

8.1 Retention Periods

Data Type: Retention Period

  • Account Information: Duration of account + 30 days after deletion
  • Customer Content (Knowledge Bases): Duration of account + 30 days after deletion
  • Chat Logs: Per plan settings (or until deleted by user)
  • Payment Records: 7 years (tax/accounting requirements)
  • Security Logs: 1 year
  • Marketing Preferences: Until withdrawn + 30 days

8.2 Criteria for Retention

When determining retention periods, we consider:

  • The amount, nature, and sensitivity of the data
  • The potential risk of harm from unauthorized use or disclosure
  • The purposes for which we process the data
  • Whether we can achieve those purposes through other means
  • Applicable legal, regulatory, tax, accounting, or other requirements

8.3 Data Deletion

When retention periods expire or you request deletion, we will securely delete or anonymize your personal data, unless we are required to retain it for legal compliance. Deletion from backup systems may take up to 90 days.

9. Cookies and Tracking Technologies

We use cookies, pixels, and similar technologies to collect information about your browsing activities and to distinguish you from other users.

9.1 What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work more efficiently and to provide information to website owners.

9.2 Types of Cookies We Use

9.2.1 Strictly Necessary Cookies

These cookies are essential for the website to function and cannot be disabled. They include:

  • Authentication cookies (to keep you logged in)
  • Security cookies (to prevent fraud and protect the site)
  • Session cookies (to remember your preferences during a session)

9.2.2 Performance and Analytics Cookies

These cookies help us understand how visitors interact with our website:

  • Google Analytics: Collects anonymized data about page views, session duration, and user behavior
  • Internal analytics: Tracks feature usage and performance metrics

9.2.3 Functional Cookies

These cookies enable enhanced functionality and personalization:

  • Language and region preferences
  • Customized layouts and settings
  • Previously viewed content

9.2.4 Marketing Cookies

These cookies track your activity to deliver relevant advertising:

  • Advertising cookies from third-party networks
  • Social media cookies for sharing features
  • Retargeting cookies for personalized ads

9.3 Third-Party Cookies

Some cookies are placed by third-party services that appear on our pages, including Google Analytics, Stripe (payment processing), and social media platforms.

9.4 Managing Your Cookie Preferences

9.4.1 Cookie Consent Banner

When you first visit our website, you will see a cookie consent banner that allows you to accept or reject non-essential cookies. You can change your preferences at any time by clicking the cookie settings link in our website footer.

9.4.2 Browser Settings

Most web browsers allow you to manage cookies through their settings. You can typically:

  • View cookies stored on your device
  • Delete all or specific cookies
  • Block all cookies or only third-party cookies
  • Set preferences for specific websites

9.4.3 Do Not Track

Some browsers offer a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals, but we do honor the Global Privacy Control (GPC) signal as required by California law.

9.5 Consequences of Disabling Cookies

If you disable or reject cookies, some features of our website may not function properly. Strictly necessary cookies cannot be disabled as they are required for the website to operate.

9.6 Embedded Chat Widgets

When our customers embed Chat.co widgets on their websites:

  • The widget uses session cookies for functionality (conversation continuity)
  • Analytics cookies are only loaded if consent is provided
  • Our customers are responsible for obtaining cookie consent on their websites
  • We provide documentation to help customers implement consent-controlled widget loading

10. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal data. This section describes those rights and how to exercise them.

10.1 Rights Available to All Users

Regardless of your location, you can:

  • Access your account settings and update your information
  • Download your data through the platform's export features
  • Delete your account and associated data
  • Opt out of marketing communications by clicking "unsubscribe" in any email
  • Manage your cookie preferences

10.2 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

10.2.1 Right to Know

You have the right to request that we disclose:

  • The categories of personal information we have collected about you
  • The categories of sources from which we collected personal information
  • Our business or commercial purpose for collecting personal information
  • The categories of third parties with whom we share personal information
  • The specific pieces of personal information we have collected about you

10.2.2 Right to Delete

You have the right to request deletion of personal information we have collected, subject to certain exceptions (legal obligations, security, completing transactions, etc.).

10.2.3 Right to Correct

You have the right to request correction of inaccurate personal information.

10.2.4 Right to Opt-Out of Sale/Sharing

We do not sell your personal information. However, some of our use of third-party cookies for analytics and advertising may constitute "sharing" under CPRA. You can opt out by:

  • Clicking "Do Not Sell or Share My Personal Information" on our website
  • Using the Global Privacy Control (GPC) browser setting
  • Adjusting cookie preferences in our consent banner

10.2.5 Right to Limit Use of Sensitive Personal Information

We do not collect sensitive personal information as defined by CPRA.

10.2.6 Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

10.2.7 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. We may require verification of your identity and the agent's authority.

10.2.8 Response Timing

We will acknowledge your request within 10 business days and provide a substantive response within 45 days (which may be extended by an additional 45 days with notice).

10.3 Rights for EEA, UK, and Swiss Residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) or equivalent legislation:

  • Right of Access: Obtain confirmation of whether we process your data and receive a copy
  • Right to Rectification: Have inaccurate personal data corrected
  • Right to Erasure: Have your personal data deleted in certain circumstances
  • Right to Restriction: Restrict processing in certain circumstances
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw consent at any time where we rely on consent
  • Right Not to Be Subject to Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal effects

10.3.1 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in the EU member state of your residence, place of work, or where the alleged infringement occurred.

10.3.2 Response Timing

We will respond to your request within 30 days, which may be extended by up to two additional months for complex requests.

10.4 Rights for Brazilian Residents (LGPD)

If you are located in Brazil, you have the following rights under the Lei Geral de Proteção de Dados (LGPD):

  • Confirmation of Processing: Confirm whether we process your data
  • Access: Access your personal data
  • Correction: Correct incomplete, inaccurate, or outdated data
  • Anonymization, Blocking, or Deletion: For unnecessary or excessive data
  • Portability: Transfer data to another service provider
  • Deletion: Delete data processed with your consent
  • Information about Sharing: Know which entities received your data
  • Information about Consent: Be informed about the consequences of denying consent
  • Withdrawal of Consent: Revoke consent at any time
  • Right to Petition: Submit a complaint to the ANPD (National Data Protection Authority)

10.5 How to Exercise Your Rights

To exercise any of your privacy rights, please contact us:

10.6 Identity Verification

To protect your privacy, we may need to verify your identity before fulfilling your request. We may ask you to provide information that matches our records or verify your request through your account email address.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

11.1 Security Measures

11.1.1 Infrastructure Security

  • Hosting on AWS with SOC 2 Type II and ISO 27001 certifications
  • Virtual Private Cloud (VPC) isolation
  • Distributed denial-of-service (DDoS) protection
  • Web Application Firewall (WAF)

11.1.2 Data Encryption

  • TLS 1.3 encryption for data in transit
  • AES-256 encryption for data at rest
  • AWS Key Management Service (KMS) for encryption key management
  • Encrypted database connections

11.1.3 Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication for administrative access
  • Principle of least privilege
  • Regular access reviews
  • Comprehensive audit logging

11.1.4 Monitoring and Response

  • 24/7 security monitoring
  • Automated threat detection
  • Incident response procedures
  • Regular vulnerability assessments
  • Annual third-party penetration testing

11.2 Employee Security

  • Background checks for employees with data access
  • Security awareness training
  • Confidentiality agreements
  • Secure development practices

11.3 Your Responsibilities

While we take security seriously, you also play a role in protecting your data:

  • Use strong, unique passwords for your account
  • Enable two-factor authentication when available
  • Keep your login credentials confidential
  • Log out of shared devices
  • Report any suspected security incidents promptly

11.4 Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify relevant supervisory authorities within 72 hours as required by GDPR
  • Notify affected individuals without undue delay when there is high risk
  • Notify the Brazilian ANPD within 3 working days as required by LGPD
  • Comply with applicable state breach notification laws in the United States

Our notification will describe the nature of the breach, the data involved, the likely consequences, and the measures taken or proposed to address the breach.

12. California-Specific Notices

This section provides additional disclosures required under California law.

12.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email, IP address)
  • Commercial information (transaction history, subscription details)
  • Internet activity (usage data, browsing history on our site)
  • Professional information (job title, company name)
  • Inferences drawn from the above

12.2 Sources of Personal Information

  • Directly from you (account registration, support requests)
  • Automatically from your devices (cookies, usage data)
  • From third parties (single sign-on providers, analytics partners)

12.3 Business Purposes for Collection

  • Providing and maintaining our Services
  • Processing transactions
  • Customer support
  • Security and fraud prevention
  • Analytics and service improvement
  • Marketing (with consent)
  • Legal compliance

12.4 Disclosure of Personal Information

We may disclose personal information to the following categories of third parties:

  • Service providers (hosting, payment processing, analytics)
  • Business partners (with your consent)
  • Legal authorities (when required by law)

12.5 Sale and Sharing of Personal Information

We do not sell your personal information.

We may "share" (as defined by CPRA) personal information with advertising partners through cookies. You can opt out using the methods described in Section 10.2.4.

12.6 Financial Incentives

We do not offer financial incentives for the collection, sale, or deletion of personal information.

12.7 Shine the Light

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

13.1 Notification of Changes

When we make material changes to this Privacy Policy, we will:

  • Update the "Last Updated" date at the top of this policy
  • Post the revised policy on our website
  • Send email notification to registered users for significant changes
  • Provide prominent notice on our platform when you log in

13.2 Your Continued Use

Your continued use of our Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised policy, you should stop using our Services and contact us to delete your account.

13.3 Previous Versions

Previous versions of this Privacy Policy are available upon request. Contact privacy@chat.co to request archived versions.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

General Privacy Inquiries

SA Cyber LLC d/b/a Chat.co

Email: privacy@chat.co

Website: https://www.chat.co/contact-us

Data Protection Officer

Email: dpo@chat.co

Privacy Rights Requests

Email: privacy@chat.co

Complaints

If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with:

  • Your local data protection authority (for EU/EEA residents)
  • The Information Commissioner's Office (for UK residents)
  • The ANPD - Autoridade Nacional de Proteção de Dados (for Brazilian residents)
  • The California Attorney General (for California residents)

We encourage you to contact us first so we can try to resolve your concerns directly.

© 2026 SA Cyber LLC d/b/a Chat.co. All rights reserved.
