1. Overview
Chatsloop is an AI-powered chatbot platform that allows businesses ("Customers") to create, customise, and embed AI assistants on their websites. In operating this service we process data belonging to two categories of person:
- ▸Customers — individuals or organisations who sign up, create chatbots, and manage the platform through our dashboard.
- ▸End-users / Visitors — people who interact with a chatbot widget embedded on a Customer's website.
This policy covers both groups. Where obligations or rights differ between them, we say so explicitly.
2. Data We Collect
2.1 — Account & profile data (Customers)
- ▸Email address and password (hashed — we never store plaintext passwords)
- ▸First name, last name, company name, website URL, phone number (optional)
- ▸Billing information (card details are stored exclusively by Stripe — we never see raw card numbers)
- ▸Subscription plan and usage metrics
2.2 — Website content you provide
- ▸URLs you submit for crawling — we fetch, parse, and index the textual content of those pages
- ▸Documents you upload (PDF, DOCX) — we extract text and store embeddings derived from it
- ▸Custom instructions and system prompts you write for your chatbot
2.3 — Visitor chat data (End-users)
- ▸Messages sent to a chatbot widget (conversation content)
- ▸An anonymous visitor ID generated in the browser (no login required, no cookie tracking)
- ▸Name and email address if a visitor voluntarily submits a lead-capture form within the widget
- ▸Approximate session timestamps
2.4 — Automatically collected technical data
- ▸IP address and user-agent (used for abuse prevention; not linked to individual profiles)
- ▸API request logs (retained for up to 30 days for debugging and security monitoring)
- ▸Performance and error telemetry (no personally identifiable information)
3. AI & Content Processing
Important — how AI works in Chatsloop
Chatsloop uses OpenAI's API to generate responses. This means that when a visitor sends a message to your chatbot, relevant excerpts from your knowledge base and the visitor's question are sent to OpenAI's servers for processing.
3.1 — What is sent to OpenAI
- ▸The visitor's question (natural-language text)
- ▸Relevant excerpts ("chunks") from your website content or uploaded documents, retrieved via semantic search
- ▸Your chatbot's system prompt / custom instructions
- ▸Recent conversation history (up to 10 prior turns) for context continuity
3.2 — What is NOT sent to OpenAI
- ▸Visitor IP addresses or device identifiers
- ▸Customer billing or payment information
- ▸Passwords or authentication tokens
- ▸Your entire website — only the most relevant excerpts are retrieved per query
3.3 — OpenAI data use
We use OpenAI's API under their standard API terms. OpenAI does not use API inputs to train their models by default. Refer to OpenAI's API data usage policy for full details.
3.4 — Embeddings & vector storage
We convert your website content into vector embeddings (numerical representations) using OpenAI's embedding models. These embeddings are stored in our database and used solely to match visitor questions to relevant content. The raw text of your content is stored alongside them to construct AI prompts.
3.5 — No automated decision-making with legal effect
Chatsloop's AI is used exclusively to answer questions about a Customer's website content. We do not use AI to make automated decisions that produce legal effects or significantly affect individuals (e.g. credit decisions, employment screening).
4. How We Use Your Data
Legal basis: Contract performance
- ▸Creating and managing your account
- ▸Operating chatbots you create and serving responses to visitors
- ▸Processing subscription payments via Stripe
- ▸Sending transactional emails (account confirmation, invoices, plan changes)
Legal basis: Legitimate interests
- ▸Security monitoring and fraud prevention
- ▸Improving service reliability and performance
- ▸Aggregated, anonymised analytics on platform usage
- ▸Debugging errors and customer support
Legal basis: Legal obligation
- ▸Retaining financial records as required by applicable tax and accounting law
- ▸Responding to lawful requests from courts or regulators
Legal basis: Consent
- ▸Marketing emails about new features or plans (opt-in only; unsubscribe at any time)
5. Third-Party Services
We share data with the following trusted service providers only to the extent necessary to operate Chatsloop. We do not sell your personal data to any third party.
All providers are GDPR-compliant and bound by appropriate data processing agreements where required.
7. Data Sharing & Disclosure
We do not sell, rent, or trade your personal data. We may disclose data in the following limited circumstances:
- ▸Service providers — as listed in Section 5, strictly for service operation.
- ▸Legal requirements — if required by law, court order, or to protect rights, property, or safety.
- ▸Business transfers — in the event of a merger, acquisition, or asset sale, data may transfer to the successor entity. We will notify you via email and/or a prominent notice before data becomes subject to a different privacy policy.
- ▸With your consent — any other sharing will only occur with your explicit permission.
8. Security
We implement industry-standard technical and organisational measures to protect your data:
- ▸All data in transit is encrypted via TLS 1.2+
- ▸Data at rest is encrypted (AES-256) by Supabase/AWS
- ▸Row-level security policies in our database ensure each Customer can only access their own data
- ▸Authentication via Supabase Auth — passwords are bcrypt-hashed and never stored in plaintext
- ▸API routes are protected with authentication checks on every request
- ▸Payment data is handled exclusively by Stripe (PCI DSS Level 1 compliant)
- ▸Access to production systems is restricted to authorised personnel only
Despite these measures, no system is completely secure. If you discover a security vulnerability, please disclose it responsibly to security@chatsloop.com.
9. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion + 30 days grace period |
| Website content & embeddings | Until you delete the source or delete the chatbot |
| Chat conversations & messages | Retained while account is active; deleted 90 days after account closure |
| Lead capture data | Until deleted by the Customer or account closure + 30 days |
| Billing records | 7 years (legal / accounting obligation) |
| API request logs | 30 days rolling |
| Backups | Up to 30 days (then permanently purged) |
You can request deletion of your account and all associated data at any time by emailing privacy@chatsloop.com. We will process your request within 30 days.
10. Your Rights
10.1 — GDPR rights (EEA / UK residents)
If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation:
- ▸Access — request a copy of the personal data we hold about you.
- ▸Rectification — ask us to correct inaccurate or incomplete data.
- ▸Erasure — request deletion of your personal data (subject to legal retention obligations).
- ▸Restriction — ask us to restrict processing of your data in certain circumstances.
- ▸Portability — receive your data in a structured, machine-readable format.
- ▸Objection — object to processing based on legitimate interests.
- ▸Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior processing.
10.2 — CCPA rights (California residents)
If you are a California resident, the California Consumer Privacy Act gives you rights to know, delete, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at privacy@chatsloop.com.
10.3 — How to exercise your rights
Email privacy@chatsloop.com with the subject line "Privacy Request". We will respond within 30 days. We may ask you to verify your identity before fulfilling the request.
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EU).
11. Children's Privacy
Chatsloop is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@chatsloop.com and we will delete it promptly.
Customers are responsible for ensuring that chatbots they deploy on their own websites are appropriate for their audience, and for complying with applicable laws if their site is directed at children.
12. Changes to this Policy
We may update this privacy policy from time to time. When we make material changes, we will:
- ▸Update the "Last updated" date at the top of this page
- ▸Send an email notification to registered Customers at least 14 days before the changes take effect
- ▸Where required by law, ask for your consent before the changes apply
Your continued use of Chatsloop after changes take effect constitutes acceptance of the updated policy. We encourage you to review this page periodically.
13. Contact Us
If you have any questions, concerns, or requests regarding this privacy policy or our data practices, please contact us: