Privacy Policy

At CHATLAB Sp. z o.o., protecting the privacy of our visitors is one of our top priorities. This Privacy Policy outlines the types of information we collect, how it is recorded, and how we use it. If you have any questions or require further information about our Privacy Policy, please feel free to contact us.

Consent

By using our website or products, you acknowledge that you have read and understood our Privacy Policy and consent to its terms.

Information We Collect

1. Personal Information You Provide:
   • The specific personal information we ask you to provide and the reasons for requesting it will be explained at the point of collection.
2. Information You Provide When Contacting Us:
   • If you contact us directly, we may collect additional details, such as:
     • Your name, email address, and phone number.
     • The contents of your message and any attachments you send.
     • Any other information you choose to share.
3. Usage Data:
   • Information related to your interactions with our website and services, such as:
     • Prompts, selected context, and your usage patterns.
     • Note: We do not collect information from other web pages you have opened.
4. Technical Information:
   • Details such as your IP address, browser type, and device information.
5. Registration Information:
   • When you register for an account, we may request contact details including:
     • Name, company name, address, email address, and telephone number.

How We Use Your Information

We use the information we collect for a variety of purposes, including:

1. Website Operations and Maintenance:
   • To provide, operate, and maintain our website.
2. Enhancement and Personalization:
   • To improve, personalize, and expand our website.
3. Usage Analysis:
   • To understand and analyze how you interact with our website.
4. Development of Products and Services:
   • To develop new products, services, features, and functionality.
5. Communication:
   • To communicate with you directly or through our partners for purposes such as:
     • Customer service.
     • Updates and information related to the website.
     • Marketing and promotional activities.
6. Legal and Safety Obligations:
   • To disclose personal information if required by law or to protect the rights and safety of CHATLAB Sp. z o.o. and its users.
7. Email Notifications:
   • To send you emails.
8. Fraud Prevention:
   • To identify and prevent fraudulent activity.

Important: We do not sell or share your personal information as defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Log Files

CHATLAB Sp. z o.o. adheres to standard practices for using log files. These files record visitor activity when they access websites, a common practice among hosting companies as part of their analytics services.

The information collected by log files may include:

• Internet protocol (IP) addresses.
• Browser type.
• Internet Service Provider (ISP).
• Date and time stamps.
• Referring/exit pages.
• Number of clicks.

This data is not linked to any personally identifiable information. The purposes of collecting this information include:

• Analyzing trends.
• Administering the website.
• Tracking user movement on the site.
• Gathering demographic information.

Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy, typically:

• Account data: Until account deletion
• Chat conversation logs: 90 days from creation (customer-configurable)
• System and technical logs: 180 days
• Backup data: 90 days after deletion from production systems
• Legal records: As required by law

AI Processing and Data Usage

When you use our AI-powered chatbot services:

• No AI Model Training: We have opted out of providing customer data for AI model training with all AI service providers (OpenAI, Google Gemini). Your personal data, conversations, and prompts are never used for training, fine-tuning, or improving AI models.
• API Processing: Data sent to AI providers is processed solely through API calls for generating responses and is typically retained by AI providers for up to 30 days (provider-dependent) for abuse monitoring and security purposes only, then automatically deleted.
• Processing Logs: Technical logs may be retained by AI providers for security, system recovery, and compliance purposes for limited periods. Such logs may contain limited personal data (e.g., timestamps, request identifiers) necessary for system operations.

Prohibited Data

Please do not submit the following data types through our Services:

• Government-issued identification numbers
• Payment card information
• Health records
• Passwords or authentication credentials
• Biometric or genetic data
• Precise geolocation data
• Trade-union membership
• Special categories of personal data as defined under GDPR Article 9
• Data relating to criminal convictions and offences (GDPR Article 10)

We may delete, block, or anonymize any such data to comply with applicable data protection laws.

CCPA Privacy Rights (Do Not Sell My Personal Information)

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California consumers are entitled to the following rights:

1. Disclosure of Collected Data:
   • Consumers can request that a business disclose the categories and specific pieces of personal data it has collected about them.
2. Deletion of Personal Data:
   • Consumers can request that a business delete any personal data it has collected about them.
3. Right to Know About Sharing:
   • Consumers have the right to know whether their personal information is being sold or shared.

We do not sell or share your personal information as defined under the CCPA/CPRA. We do not disclose personal information to third parties for their direct marketing purposes.

If you wish to exercise any of these rights, please contact us. We are committed to responding to your request within one month of receiving it.

GDPR Data Protection Rights

We want to ensure you are fully informed about your data protection rights. Under the General Data Protection Regulation (GDPR), every user is entitled to the following:

1. Right to Access:
   • You have the right to request copies of your personal data. We will provide this free of charge, except where your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee.
2. Right to Rectification:
   • You can request that we correct any information you believe is inaccurate.
   • You may also request that we complete any information you believe is incomplete.
3. Right to Erasure:
   • You have the right to request that we erase your personal data, subject to certain conditions. We strive to complete deletion requests within 14 days, while maintaining the statutory one-month response period.
4. Right to Restrict Processing:
   • You can request that we restrict the processing of your personal data, subject to certain conditions.
5. Right to Object to Processing:
   • You have the right to object to our processing of your personal data, subject to certain conditions.
6. Right to Data Portability:
   • You may request that we transfer the personal data we have collected to another organization or directly to you, subject to certain conditions.

If you wish to exercise any of these rights, please contact us. We are committed to responding to your request within one month of receiving it.

Please find Data Processing Addendum here.

International Data Transfers

Your personal data may be transferred and processed in countries outside the European Economic Area (EEA), United Kingdom, and Switzerland, primarily in the United States where certain service providers are located. We primarily process personal data within the EEA; certain processing may occur outside the EEA where necessary to utilize third-party AI services and infrastructure providers.

We ensure appropriate safeguards through:

• EU-US Data Privacy Framework (DPF) - where applicable for certified processors
• Standard Contractual Clauses (SCCs) - Commission Decision 2021/914/EU
• UK International Data Transfer Addendum - for UK data transfers
• Data Processing Agreements with all providers
• Technical and organizational security measures

Main processors outside EEA:

• Amazon Web Services - cloud infrastructure (USA/EU configurable)
• OpenAI - AI language processing (USA)
• Google (Gemini / Vertex AI) - AI services (USA/EU configurable)
• Pinecone - vector database (USA/EU configurable)
• Cloudflare - security and CDN (USA with global network)
• Stripe - payment processing (USA/EU entities available)

For a complete list of our sub-processors, their locations, and transfer mechanisms, please visit: https://www.chatlab.com/subprocessors/

You have the right to receive a copy of the safeguards used for these transfers. Contact us at contact@chatlab.com for details.

Children's Information

Protecting children while they use the internet is a top priority for us. We encourage parents and guardians to actively observe, participate in, monitor, and guide their children’s online activities.

CHATLAB Sp. z o.o. does not knowingly collect any Personally Identifiable Information (PII) from children under the age of 13.

If you believe that your child has provided such information on our website or through our products, we urge you to contact us immediately. We will make every effort to promptly remove this information from our records.

Questions, Concerns, or Complaints

If you have any questions, concerns, complaints, or wish to exercise your rights, please contact us at:

• CHATLAB Sp. z o.o.
• ul. Zamknięta 10/1.5
• 30-554 Kraków, Poland
• Email: contact@chatlab.com