Legal

Privacy Policy

Last updated: 25 June 2026

Chatsloop ("we", "us", or "our") is committed to protecting your privacy. This policy explains what data we collect, why we collect it, how we use it, and what rights you have over it.

1. Overview

Chatsloop is an AI-powered chatbot platform that allows businesses ("Customers") to create, customise, and embed AI assistants on their websites. In operating this service we process data belonging to two categories of person:

  • Customers — individuals or organisations who sign up, create chatbots, and manage the platform through our dashboard.
  • End-users / Visitors — people who interact with a chatbot widget embedded on a Customer's website.

This policy covers both groups. Where obligations or rights differ between them, we say so explicitly.

2. Data We Collect

2.1 — Account & profile data (Customers)

  • Email address and password (hashed — we never store plaintext passwords)
  • First name, last name, company name, website URL, phone number (optional)
  • Billing information (card details are stored exclusively by Stripe — we never see raw card numbers)
  • Subscription plan and usage metrics

2.2 — Website content you provide

  • URLs you submit for crawling — we fetch, parse, and index the textual content of those pages
  • Documents you upload (PDF, DOCX) — we extract text and store embeddings derived from it
  • Custom instructions and system prompts you write for your chatbot

2.3 — Visitor chat data (End-users)

  • Messages sent to a chatbot widget (conversation content)
  • An anonymous visitor ID generated in the browser (no login required, no cookie tracking)
  • Name and email address if a visitor voluntarily submits a lead-capture form within the widget
  • Approximate session timestamps

2.4 — Automatically collected technical data

  • IP address and user-agent (used for abuse prevention; not linked to individual profiles)
  • API request logs (retained for up to 30 days for debugging and security monitoring)
  • Performance and error telemetry (no personally identifiable information)

3. AI & Content Processing

Important — how AI works in Chatsloop

Chatsloop uses OpenAI's API to generate responses. This means that when a visitor sends a message to your chatbot, relevant excerpts from your knowledge base and the visitor's question are sent to OpenAI's servers for processing.

3.1 — What is sent to OpenAI

  • The visitor's question (natural-language text)
  • Relevant excerpts ("chunks") from your website content or uploaded documents, retrieved via semantic search
  • Your chatbot's system prompt / custom instructions
  • Recent conversation history (up to 10 prior turns) for context continuity

3.2 — What is NOT sent to OpenAI

  • Visitor IP addresses or device identifiers
  • Customer billing or payment information
  • Passwords or authentication tokens
  • Your entire website — only the most relevant excerpts are retrieved per query

3.3 — OpenAI data use

We use OpenAI's API under their standard API terms. OpenAI does not use API inputs to train their models by default. Refer to OpenAI's API data usage policy for full details.

3.4 — Embeddings & vector storage

We convert your website content into vector embeddings (numerical representations) using OpenAI's embedding models. These embeddings are stored in our database and used solely to match visitor questions to relevant content. The raw text of your content is stored alongside them to construct AI prompts.

3.5 — No automated decision-making with legal effect

Chatsloop's AI is used exclusively to answer questions about a Customer's website content. We do not use AI to make automated decisions that produce legal effects or significantly affect individuals (e.g. credit decisions, employment screening).

4. How We Use Your Data

Legal basis: Contract performance

  • Creating and managing your account
  • Operating chatbots you create and serving responses to visitors
  • Processing subscription payments via Stripe
  • Sending transactional emails (account confirmation, invoices, plan changes)

Legal basis: Legitimate interests

  • Security monitoring and fraud prevention
  • Improving service reliability and performance
  • Aggregated, anonymised analytics on platform usage
  • Debugging errors and customer support

Legal basis: Legal obligation

  • Retaining financial records as required by applicable tax and accounting law
  • Responding to lawful requests from courts or regulators

Legal basis: Consent

  • Marketing emails about new features or plans (opt-in only; unsubscribe at any time)

5. Third-Party Services

We share data with the following trusted service providers only to the extent necessary to operate Chatsloop. We do not sell your personal data to any third party.

OpenAIAI language model and embedding API. Receives question text and relevant knowledge-base excerpts per chat request.Privacy policy →
SupabaseDatabase, authentication, and file storage. All data at rest is encrypted. Hosted on AWS (EU region by default).Privacy policy →
StripePayment processing and subscription management. Card details go directly to Stripe — we never handle raw card numbers.Privacy policy →
ResendTransactional email delivery (account confirmations, invoices, notifications).Privacy policy →
VercelApplication hosting and edge network. Processes HTTP requests including IP addresses (ephemeral — not stored by us).Privacy policy →

All providers are GDPR-compliant and bound by appropriate data processing agreements where required.

6. Cookies

We use the minimum number of cookies necessary to operate the service.

CookieTypePurposeDuration
sb-auth-tokenEssentialSupabase authentication session token. Required to keep you logged in to the dashboard.Session / 7 days
chatsloop-visitorFunctionalAnonymous visitor ID stored in the embedded widget. Maintains conversation continuity without identifying the visitor.30 days
stripe-*EssentialStripe's fraud-prevention and session cookies. Set only on checkout pages.Session

We do not use advertising, tracking, or analytics cookies. You can clear cookies at any time via your browser settings. Deleting the auth cookie will sign you out of the dashboard.

7. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. We may disclose data in the following limited circumstances:

  • Service providers — as listed in Section 5, strictly for service operation.
  • Legal requirements — if required by law, court order, or to protect rights, property, or safety.
  • Business transfers — in the event of a merger, acquisition, or asset sale, data may transfer to the successor entity. We will notify you via email and/or a prominent notice before data becomes subject to a different privacy policy.
  • With your consent — any other sharing will only occur with your explicit permission.

8. Security

We implement industry-standard technical and organisational measures to protect your data:

  • All data in transit is encrypted via TLS 1.2+
  • Data at rest is encrypted (AES-256) by Supabase/AWS
  • Row-level security policies in our database ensure each Customer can only access their own data
  • Authentication via Supabase Auth — passwords are bcrypt-hashed and never stored in plaintext
  • API routes are protected with authentication checks on every request
  • Payment data is handled exclusively by Stripe (PCI DSS Level 1 compliant)
  • Access to production systems is restricted to authorised personnel only

Despite these measures, no system is completely secure. If you discover a security vulnerability, please disclose it responsibly to security@chatsloop.com.

9. Data Retention

Data typeRetention period
Account dataUntil account deletion + 30 days grace period
Website content & embeddingsUntil you delete the source or delete the chatbot
Chat conversations & messagesRetained while account is active; deleted 90 days after account closure
Lead capture dataUntil deleted by the Customer or account closure + 30 days
Billing records7 years (legal / accounting obligation)
API request logs30 days rolling
BackupsUp to 30 days (then permanently purged)

You can request deletion of your account and all associated data at any time by emailing privacy@chatsloop.com. We will process your request within 30 days.

10. Your Rights

10.1 — GDPR rights (EEA / UK residents)

If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — request deletion of your personal data (subject to legal retention obligations).
  • Restriction — ask us to restrict processing of your data in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior processing.

10.2 — CCPA rights (California residents)

If you are a California resident, the California Consumer Privacy Act gives you rights to know, delete, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at privacy@chatsloop.com.

10.3 — How to exercise your rights

Email privacy@chatsloop.com with the subject line "Privacy Request". We will respond within 30 days. We may ask you to verify your identity before fulfilling the request.

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EU).

11. Children's Privacy

Chatsloop is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@chatsloop.com and we will delete it promptly.

Customers are responsible for ensuring that chatbots they deploy on their own websites are appropriate for their audience, and for complying with applicable laws if their site is directed at children.

12. Changes to this Policy

We may update this privacy policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send an email notification to registered Customers at least 14 days before the changes take effect
  • Where required by law, ask for your consent before the changes apply

Your continued use of Chatsloop after changes take effect constitutes acceptance of the updated policy. We encourage you to review this page periodically.

13. Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:

Chatsloop

Email: privacy@chatsloop.com

General enquiries: info@chatsloop.com

Website: chatsloop.com