This Privacy Policy applies to use of the Chatbyte Platform, including self-serve registration, workspaces, dashboards, chat and voice products, knowledge sources, integrations, billing, and related support processes. It explains what personal data we process as controller for platform accounts and how we handle product-related customer data in connection with the Data Processing Agreement.
Controller: Chatbyte GmbH, Gertigstraße 69, 22303 Hamburg, Germany. Commercial Register: HRB 187972. Register Court: Amtsgericht Hamburg. VAT ID: DE452019271. Email: contact@chatbyte.ai.
Competent supervisory authority: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Ludwig-Erhard-Straße 22, 20459 Hamburg, Germany, email: mailbox@datenschutz.hamburg.de.
Document version: 1.2.
Effective date: May 17, 2026.
Related documents: Data Processing Agreement and Platform Terms.
1. Roles and Scope
For account administration, billing, security, support, product analytics, and direct communication with platform users, Chatbyte acts as controller. For customer content processed inside workspaces on behalf of a business customer, Chatbyte usually acts as processor and the customer remains the controller. Customer content includes conversations, tickets, files, knowledge sources, prompts, generated answers, call events, transcripts, summaries, embeddings, and integration data configured by the customer.
If you are an end user communicating with a company that uses Chatbyte, that company is usually responsible for its own privacy notice, legal basis, channel opt-ins, and handling your rights request. Chatbyte supports the customer under the Data Processing Agreement where required.
2. Data We Process
When you use the Platform, we may process the following categories of personal data, depending on the account, plan, enabled modules, and integrations:
- Account data: name, business email address, password hash or authentication identifier, locale, profile settings, role, permissions, invited team members, organization membership, and login status.
- Organization and billing data: company name, billing address, VAT or tax information, subscribed products, plan, seats, usage counters, invoices, payment status, and billing contact details.
- Workspace and product data: workspace configuration, agent settings, prompts, workflow rules, inbox settings, routing rules, channel configuration, API keys or integration metadata, and audit events.
- Customer content: conversation messages, email contents, attachments, knowledge base documents, website source material, voice call events, audio where enabled, transcripts, summaries, CSAT feedback, tickets, and generated answers.
- Usage, analytics, and diagnostics: page views inside the platform, feature events, device and browser information, performance data, error reports, logs, and troubleshooting data.
- Communication data: support requests, demo or lead forms, onboarding messages, feedback, contract-related correspondence, and records of operational notices.
- Security data: IP address, session identifiers, authentication events, access logs, rate-limit events, abuse signals, and security-relevant technical events.
3. Purposes and Legal Bases
We process personal data for the following purposes and legal bases:
- Account creation and contract performance: registration, authentication, workspace access, billing, product delivery, support, and contractual communication under Article 6(1)(b) GDPR.
- Platform operation: hosting, database operation, message processing, AI response generation, voice processing, workflow execution, inbox routing, and integration delivery under Article 6(1)(b) GDPR or, for customer-controlled content, as processor under the customer's instructions.
- Security and abuse prevention: authentication protection, fraud prevention, audit logging, rate limiting, incident investigation, and service integrity under Article 6(1)(f) GDPR.
- Product improvement and internal analytics: understanding platform usage, debugging, quality assurance, and improving reliability under Article 6(1)(f) GDPR, or consent where consent is required for analytics or similar technologies.
- Marketing and optional communications: newsletters, product updates, campaign measurement, and similar communications only where we have a legal basis, usually consent or legitimate interests depending on the communication and recipient relationship.
- Legal and tax compliance: invoices, accounting records, commercial retention duties, sanctions or abuse checks, and legal claims under Article 6(1)(c) or Article 6(1)(f) GDPR.
Providing account, organization, billing, and security data is generally necessary to create and operate a Platform account. Without the required data we may be unable to provide the account, selected paid features, invoices, support, or security controls. Optional integration, analytics, marketing, and workflow data is only needed if you enable the relevant feature or consent to the relevant processing.
4. EU Hosting and Recipients
Chatbyte is designed to support GDPR-compliant business use and hosts relevant product data in the European Union. Relevant product data includes customer content, conversations, files, knowledge sources, embeddings, voice artifacts, workspace configuration, and product logs processed for the Chatbyte Platform. Our standard production setup uses EU regions for this product-related processing.
We use selected service providers that process data on our behalf where this is necessary for hosting, infrastructure, email delivery, analytics, support, AI processing, voice processing, security, or payment processing. For product-related customer data processed on behalf of customers, the current standard subprocessors include Vercel, PlanetScale, Cloudflare R2, Microsoft Azure OpenAI, Turbopuffer, AWS SES/S3, Trigger.dev, ElevenLabs, and Twilio where the relevant module is enabled. Details, purposes, and processing locations are documented in the Data Processing Agreement.
For controller-side operations, we may also use providers for authentication, payment and invoicing, product analytics, error monitoring, customer communication, and abuse prevention. Some payment, messaging, marketplace, or integration providers may act as independent controllers for their own processing under their own notices.
5. International Transfers
Relevant product data processed by the Chatbyte Platform stays in the EU. Customer content, conversations, files, embeddings, voice artifacts, and workspace configuration are processed in the EU for standard product processing.
Where separate controller-side business operations involve non-product data, such as payment-provider records, marketplace records, or legally required communication with a third-party provider, we ensure that any international transfer has a lawful basis and appropriate safeguards. These safeguards may include adequacy decisions, the EU-U.S. Data Privacy Framework, standard contractual clauses, transfer impact assessments, and supplementary measures where required.
6. Cookies, Tracking, and Consent
The public website and the Platform may use necessary technologies for login, security, routing, load balancing, language selection, and abuse prevention. Optional analytics or marketing technologies are used only where the required consent exists or where the relevant access or storage is legally exempt.
For platform analytics, Chatbyte may process product usage data by default where a suitable GDPR legal basis exists, while persistent analytics storage and session recording are limited until consent or a legally applicable TDDDG/ePrivacy exemption applies. You can change or withdraw cookie and tracking consent through the consent interface where available.
7. AI Processing
Where customers enable AI features, Chatbyte processes customer content to generate answers, summaries, classifications, embeddings, and other configured outputs. Product-related AI processing is performed in EU regions. Customer content is not used by Chatbyte to train general foundation models.
Customers remain responsible for configuring AI agents, reviewing outputs where appropriate, defining escalation rules, and ensuring that connected channels and workflows match their own legal basis and notices.
8. Retention and Deletion
We store personal data only for as long as necessary for the purposes described above. Account and contract-related data are generally retained for the duration of the customer relationship and afterwards as required by applicable retention laws. Billing and accounting records may be retained according to commercial and tax retention duties.
Customer content is retained according to the customer's configuration, product plan, deletion requests, and applicable legal obligations. Technical security and event data are rotated or deleted when they are no longer needed for operations, abuse detection, or troubleshooting. Backups and logs may persist for limited technical retention periods before automatic deletion.
9. Your Rights
Subject to the applicable legal requirements, you have rights of access, rectification, erasure, restriction, portability, and objection in relation to certain processing activities. You may also object to processing based on legitimate interests for reasons arising from your particular situation.
If processing is based on consent, you may withdraw that consent at any time for the future. You also have the right to lodge a complaint with a competent data protection authority.
Where Chatbyte acts as processor for a customer, we may need to forward or coordinate your request with that customer. We do not use Platform account data for decisions based solely on automated processing that produce legal effects or similarly significant effects within the meaning of Article 22 GDPR.
10. Security and Contact
We implement appropriate technical and organizational measures to protect personal data against loss, misuse, and unauthorized access. These measures include access controls, role-based permissions, encrypted transport, logging, backup controls, least-privilege access, and operational security processes. If you have questions about this Privacy Policy or want to exercise your rights, contact us at contact@chatbyte.ai.