Legal
Privacy Policy
Last updated: June 17, 2026
1. Overview
Chaaty ("Chaaty", "we", "us", or "our") provides an AI-powered chatbot widget that businesses ("Customers", "you") can embed on their websites. This Privacy Policy explains what data we collect, how we use it, and the rights you have over it — both as a Customer who builds a chatbot with Chaaty, and as a visitor who chats with a Chaaty-powered widget on someone else's website.
By creating a Chaaty account, embedding a Chaaty widget, or interacting with a chatbot built on Chaaty, you agree to the practices described in this policy. If you do not agree, please do not use the service.
2. Account data we collect
When you create a Chaaty account, we collect and store:
- Identity information: your name and email address, used for login and account communication.
- Authentication data: your account is secured via Supabase Auth; we never see or store your raw password — it is hashed by our authentication provider.
- Chatbot configuration: the chatbots you create, including their name, personality, tone of voice, greeting message, theme, colors, placement settings, and any custom instructions you write.
- Knowledge base content: any documents, URLs, FAQs, or text you upload to train your chatbot. This content is processed and stored as searchable embeddings used to answer your visitors' questions.
- Usage data: message counts, widget view counts, and chatbot performance metrics tied to your account, used to enforce plan limits and show you analytics.
3. Your website visitors' data
When someone visits your website and interacts with your Chaaty widget, we process the following on your behalf as the chatbot owner:
- Conversation content: the messages exchanged between the visitor and your chatbot, stored so you can review conversation history in your dashboard.
- Lead information: if you enable lead capture, the name and email address a visitor voluntarily provides during the conversation.
- Session identifiers: an anonymous session ID used to keep a conversation continuous across messages — this is not linked to any other identity unless the visitor shares contact details directly in the chat.
- Booking details: if your chatbot offers appointment scheduling, the visitor's name, email, and selected time slot are stored to complete the booking.
You are the data controller for your visitors' conversation data.Chaaty acts as a data processor on your behalf. If you collect personal data from your website visitors through your chatbot, you are responsible for having a lawful basis to do so and for informing your visitors accordingly — for example, in your own website's privacy policy.
4. AI & message processing
Chaaty uses Anthropic's Claude models to generate chatbot responses. When a visitor sends a message, the relevant conversation context, your chatbot's configuration, and any matching knowledge base content are sent to Anthropic's API to generate a reply.
Anthropic processes this data solely to return a response and, per their API terms, does not use API content to train their underlying models. You can read Anthropic's own privacy practices at anthropic.com/legal/privacy.
If you upload files to train your chatbot, their content is processed, chunked, and converted into vector embeddings stored in our database (via pgvector on Supabase) so your chatbot can retrieve relevant information when answering visitor questions.
5. Billing & payment data
Paid subscriptions are processed by Stripe. Chaaty does not store your credit card number, CVC, or full billing details on our own servers — Stripe handles and stores this information securely under their own PCI-compliant infrastructure.
We store a Stripe customer ID, subscription ID, and your selected plan so we can manage your subscription status, enforce plan limits, and provide billing support. You can view Stripe's privacy policy at stripe.com/privacy.
6. Third-party service providers
We rely on the following sub-processors to operate Chaaty:
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication, and file storage |
| Anthropic | AI chatbot response generation |
| Stripe | Payment processing and subscription billing |
| Resend | Transactional email delivery (e.g. account, billing notices) |
| Google Calendar / Microsoft Outlook / Calendly | Optional calendar integrations for appointment booking, only if you connect them |
| Vercel / AWS / Cloudflare / GCP | Application hosting and infrastructure |
Each provider only receives the minimum data necessary to perform its function and is bound by its own data protection obligations.
7. Cookies & tracking
Chaaty's own website and dashboard use essential cookies to keep you logged in and remember your session. We do not use third-party advertising cookies or sell visitor data to advertisers.
The embeddable chat widget stores a lightweight, anonymous session identifier in the visitor's browser (via local storage) so a conversation can continue across page reloads. This identifier is not used for cross-site tracking or advertising purposes.
8. Data retention
- Account data is retained for as long as your account is active.
- Conversation history and leads are retained for as long as the associated chatbot exists, so you can review past interactions.
- If you delete a chatbot, its conversations, leads, and knowledge base content are permanently deleted within 30 days.
- If you delete your account, all associated data is permanently deleted within 30 days, except where we are legally required to retain billing records.
9. Your rights (GDPR & equivalent laws)
If you are located in the EU, UK, or another jurisdiction with similar data protection laws, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your data ("right to be forgotten").
- Export your data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent at any time, where processing is based on consent.
You can exercise most of these rights directly from your account Settings page, or by contacting us at the email below. Website visitors who wish to exercise these rights regarding data collected by a chatbot should contact the website owner (the Chaaty Customer) directly, as they control that data.
10. Security
We use industry-standard measures to protect your data, including encrypted connections (TLS) for all data in transit, encryption at rest provided by our database provider, row-level security policies that restrict access to your own data, and access controls limiting internal access to production systems.
No method of transmission or storage is 100% secure. If we become aware of a data breach affecting your account, we will notify you in accordance with applicable law.
11. Children's privacy
Chaaty is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify active account holders by email or via a notice in the dashboard before the changes take effect. Continued use of Chaaty after changes take effect constitutes acceptance of the updated policy.
13. Contact us
If you have questions about this Privacy Policy or how your data is handled, reach out and we'll get back to you.
Questions about your data or this policy?
Email privacy@chaaty.io →