Privacy Policy

1. Who We Are

ChatClaw is operated by Globasoft Ltd (“we”, “us”, “our”). We are the data controller for the personal data we collect about our Customers (businesses that use ChatClaw). For personal data of End Users (website visitors who interact with chatbots), our Customers are the data controllers and we act as a data processor.

2. Data We Collect

Customer Data (you, the business)

• Account information: name, email address, company name
• Authentication data: hashed passwords, OAuth provider identifiers
• Billing data: payment details processed securely by Stripe (we do not store card numbers)
• Usage data: login history, feature usage, API call counts
• Knowledge base content: documents and text you upload to train your bots

End User Data (your website visitors)

• Conversation content: messages exchanged between visitors and your chatbot
• Session identifiers: anonymous visitor IDs (no names or emails collected by default)
• Technical data: browser type, page URL where the widget is embedded

3. How We Use Data

• To provide, maintain, and improve the Service
• To process payments and manage subscriptions
• To send transactional emails (account verification, password reset)
• To generate AI chatbot responses using your knowledge base
• To provide analytics and usage reports in your dashboard
• To detect and prevent fraud, abuse, and security threats

We do not:

• Sell your data or your end users’ data to third parties
• Use conversation data to train AI models
• Share data with advertisers

4. Legal Basis (UK GDPR)

• Contract: Processing necessary to provide the Service you signed up for
• Legitimate interest: Security monitoring, fraud prevention, service improvement
• Consent: Where required (e.g., marketing communications)
• Legal obligation: Tax records, regulatory compliance

5. Data Sharing

We share data only with:

• AI providers (currently Anthropic) — to generate chatbot responses. Conversation context is sent per-request and not retained by the provider for training.
• Stripe — for payment processing
• Railway — our hosting infrastructure provider (EU-based servers)
• Resend — for transactional email delivery

All sub-processors are bound by data processing agreements.

6. Data Retention

• Account data: Retained while your account is active, deleted 30 days after account closure
• Conversation data: Retained for 90 days by default (configurable per bot)
• Knowledge base: Retained while your account is active, deleted on account closure
• Billing records: Retained for 7 years (UK tax requirements)
• Server logs: Retained for 30 days

7. Your Rights (UK GDPR)

You have the right to:

• Access — Request a copy of your personal data
• Rectification — Correct inaccurate data
• Erasure — Request deletion of your data (“right to be forgotten”)
• Portability — Receive your data in a machine-readable format
• Restriction — Limit how we process your data
• Objection — Object to processing based on legitimate interest

To exercise any right, email privacy@chatc.dev. We will respond within 30 days.

8. Security

• All data encrypted in transit (TLS 1.3)
• Database encrypted at rest
• Passwords hashed with bcrypt (cost factor 12)
• API keys hashed — only prefix stored for identification
• CSRF protection on all state-changing endpoints
• Rate limiting on authentication endpoints

9. Cookies

We use strictly necessary cookies for authentication (session tokens). We do not use advertising or tracking cookies. The chat widget uses a session identifier stored in the visitor’s browser to maintain conversation continuity.

10. International Transfers

Our servers are hosted in the EU (Railway, europe-west4). Where data is transferred outside the UK/EU (e.g., to AI providers in the US), we ensure appropriate safeguards are in place, including Standard Contractual Clauses.

11. Contact

Data Controller: Globasoft Ltd
Email: privacy@chatc.dev

If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.