1. About this policy
This policy explains how Chattrick.ai processes information when the chatbot is used on a customer's website and when the customer uses the administration portal. We emphasize being specific: what data we process, why we process it, how it is shared, and when it is deleted.
The statement is written with the EU/EEA as a starting point and is intended to function alongside a Data Processing Agreement (DPA) for customers using the service in their business operations.
2. Roles and Responsibilities
In a typical customer relationship, the division of roles is as follows:
When the chatbot is used on the customer's website: The customer is generally the Data Controller. This means the customer determines the purpose of the processing (e.g., customer service, sales, booking) and how the data will be used further. Chattrick.ai will normally act as the Data Processor and process data on behalf of the customer, in line with the customer's instructions and agreements (including the DPA).
When the customer uses Chattrick.ai as a service: For purposes such as account management, access control, support, and billing, Chattrick.ai will to a greater extent process certain information as a Data Controller, because this is necessary to deliver and administer the service.
If the service is distributed via a reseller/partner, the reseller may have separate duties related to their customer relationship. For processing occurring within the platform itself, the division of roles will still normally follow the principles above.
3. Types of Information We May Process
The scope depends on the customer's configuration but will typically include:
- Chat and inquiry data: The content of the dialogue between the end-user and the chatbot, including questions, answers, and context needed to provide a relevant response.
- Lead data (voluntarily provided): When lead collection is activated, Chattrick.ai can send email notifications to addresses configured by the customer for rapid follow-up. The email will normally contain contact information provided by the end-user, as well as a transcript or summary of the relevant chat dialogue that led to the inquiry.
- Knowledge base data: In order for the chatbot to provide accurate answers, we may build and maintain a knowledge base based on:
  - Information publicly available on the customer's website (content visible to all visitors).
  - Documents the customer shares with us (e.g., PDFs and files).
  - Any other public sources the customer requests us to use, such as FINN.no for customers publishing products there.
- Technical operational and security data: We may process information such as IP addresses, timestamps, log data, error messages, and other technical data required for stable operation, troubleshooting, and security.
- Customer data in administration: For active customers, we may store contact information for the customer's contact persons (name, email, telephone) and the customer's logo for branding within the chatbot.
Demo Chatbots and Pre-configuration
As part of the sales and evaluation process, Chattrick.ai may create a temporary demo chatbot for potential customers. The purpose of such a demo is to show how the service works and how the chatbot would appear and respond on the customer's website before a decision is made to enter into an agreement.
In this context, Chattrick.ai may collect and structure information that is publicly available on the relevant organization's website and accessible to all visitors. This may include general content about products, services, opening hours, and contact information published by the business itself. Chattrick.ai does not attempt to bypass technical barriers and does not retrieve content behind logins or paywalls without a specific agreement and legal basis.
This processing is based on Chattrick.ai's legitimate interest in demonstrating the service in a relevant and expected manner. If the demo does not convert into an active customer relationship, the demo chatbot is automatically deleted, along with all associated collected information, no later than two (2) months from the time the chatbot was created.
4. Purpose of Processing
The information is processed to:
- Deliver chatbot functionality and provide relevant answers.
- Enable lead collection and follow-up (if activated by the customer).
- Build and maintain the knowledge base the chatbot answers from.
- Provide the customer with insights and history in the administration portal (e.g., conversations, topics, and leads).
- Ensure stable operation, prevent misuse, and maintain information security.
- Administer the customer relationship (account, access, support, and billing).
5. No Training on Customer Data
Chattrick.ai does not use the customer's chat content, leads, or uploaded documents to train its own models or improve general models for other customers. The customer's data is used solely to deliver the service to that specific customer.
Should this practice change in the future, it will only occur after clear prior information to customers and an update to the contractual basis. Where applicable regulations require it, such a change would also require an active and explicit choice from the customer.
7. Storage in the EU and Infrastructure
Customer data is stored and processed within the EU. Infrastructure is hosted at Hetzner in Frankfurt.
When using subcontractors (sub-processors), we require them to process data in accordance with applicable privacy requirements and our instructions. An overview of sub-processors can be made available to customers as part of the DPA or upon request.
8. Retention Period and Deletion
We store data for as long as necessary for the purposes described above and in accordance with the agreement with the customer. As a general rule:
- Lead data: Stored in the system for up to 2 years, unless the customer requests earlier deletion or legal requirements dictate otherwise.
- Knowledge base (website content and uploaded files/PDFs): Stored as long as the customer is active and deleted continuously when the collaboration ends.
- Contact person data (customer contact points): Stored as long as the customer relationship is active and deleted upon termination, unless there is a need for limited further storage for administrative or legal reasons.
- Logo/branding: Stored to display the customer's profile in the chatbot and removed upon termination.
- Technical logs may have a shorter retention period for operational and security reasons.
9. Information Security
We use appropriate technical and organizational measures to protect information against unauthorized access, alteration, loss, or misuse. This typically includes access control based on "least privilege," authentication, logging, secure communication (HTTPS), and routines for handling security incidents.
10. End-User Rights and Inquiries
When the chatbot is used on the customer's website, the customer is normally the Data Controller for the processing of personal data. However, end-users may contact Chattrick.ai directly if they have questions or requests regarding access, correction, or deletion of information processed through the chatbot.
Inquiries can be sent to support@chattrick.ai. If a customer receives such an inquiry directly, it can also be forwarded to the same address. Chattrick.ai will assist in handling the request in cooperation with the customer and in line with the applicable agreement (DPA) and regulations.
11. Security Incidents and Breaches
We have routines to detect, assess, and handle security incidents. If we become aware of a breach of personal data security affecting customer data, we notify the customer without undue delay, so that the customer can fulfill any notification obligations they may have.
12. Changes to the Policy
The policy is updated as needed—for example, in the event of changes to functionality, data sources, subcontractors, or legal requirements. Material changes will be communicated to customers in an appropriate manner.
13. Contact
Questions regarding privacy and data processing can be sent to:
Email: support@chattrick.ai
Subject: "Privacy – Chattrick.ai"