Privacy Policy (Platform)

Last updated: 10/16/2025

This privacy policy informs you about the processing of personal data when using our web and SaaS platform "Chatbyte" as well as our website. The controller within the meaning of the GDPR is:

Chatbyte GmbH
Gertigstraße 69
22303 Hamburg, Germany
Commercial Register: HRA 128461
Register Court: Amtsgericht Hamburg
VAT ID: DE452019271
Email: contact@chatbyte.ai

Data Protection Officer: A data protection officer is currently not legally required. For data protection questions, please contact: contact@chatbyte.ai

1. Overview of Data Processing

We process personal data to provide our platform, for contract fulfillment, for security, for billing, for communication, for support, and – with consent – for product analytics and marketing purposes. Legal bases are Art. 6 para. 1 lit. b GDPR (contract/contract initiation), lit. c (legal obligations), lit. f (legitimate interests) and – where necessary – lit. a (consent).

2. Categories of Personal Data

  • Master and contact data (e.g., name, company, email),
  • Contract and usage data (e.g., plan, billing data, feature usage),
  • Communication data (e.g., chat content, support requests),
  • Log data/metadata (e.g., IP address, timestamps),
  • Content/file data (e.g., knowledge base documents, uploads),
  • Integration data (e.g., IDs/tokens for third-party systems),
  • Payment data (via payment service providers),
  • Consent data (e.g., cookie/consent logs).

3. Purposes and Legal Bases

  • Contract and platform operation (Art. 6 para. 1 lit. b GDPR): Account creation, authentication, agent/knowledge base functions, integrations, support.
  • Security and abuse prevention (Art. 6 para. 1 lit. f GDPR): Logging, monitoring, access controls.
  • Billing (Art. 6 para. 1 lit. b, lit. c GDPR): Payment processing, invoices, record-keeping obligations.
  • Communication (Art. 6 para. 1 lit. b, lit. f GDPR): Email notifications, system messages.
  • Product analytics/statistics (Art. 6 para. 1 lit. a GDPR or § 25 TTDSG): only with consent (e.g., PostHog).

4. Third-Party Providers and Recipients

We use – partly as data processors – the following services or enable their integration. Processing may involve third-country transfers (Art. 44 ff. GDPR); in such cases, we implement appropriate safeguards (e.g., EU Standard Contractual Clauses) and minimize data.

  • LLM Providers (model-dependent): OpenAI, Anthropic, Google Generative AI, Azure OpenAI (operation in Azure region Sweden/EU, where technically possible). Purpose: Execution of AI functions (text generation/classification). Legal basis: Art. 6 para. 1 lit. b, possibly lit. a. Note: Content/prompts may be transmitted to the respective provider for model execution. Where possible, we disable training use.
  • Storage/Uploads: Cloudflare R2 (EU region, Frankfurt). Purpose: File/asset storage. Legal basis: Art. 6 para. 1 lit. b.
  • Cache/Queues: Upstash Redis (EU region, preferably Frankfurt/DE). Purpose: Performance/session/queueing. Legal basis: Art. 6 para. 1 lit. f.
  • Vector Store: AWS (EU/Frankfurt) for embeddings/similarity search. Purpose: Provision of vector search/functional logic. Legal basis: Art. 6 para. 1 lit. b, lit. f.
  • Analytics Backends: Tinybird (no vector storage). Purpose: Usage/cost analyses, metrics. Legal basis: Art. 6 para. 1 lit. f.
  • Product Analytics: PostHog (EU hosting/proxying). Purpose: Product analytics/events (only with consent via consent banner). Legal basis: Art. 6 para. 1 lit. a (GDPR) in conjunction with § 25 para. 1 TTDSG. Disabled without consent.
  • Email Dispatch: Resend. Purpose: Transactional and system emails. Legal basis: Art. 6 para. 1 lit. b.
  • Payment: Stripe. Purpose: Payment processing, invoicing. Legal basis: Art. 6 para. 1 lit. b, lit. c.
  • CMS (Landing): Sanity. Purpose: Management of website content. Legal basis: Art. 6 para. 1 lit. f.
  • Database: Neon PostgreSQL (Frankfurt/DE). Purpose: Persistent storage of contract, configuration, and operational data. Legal basis: Art. 6 para. 1 lit. b, lit. f.
  • Error Tracking/Monitoring (Client). Purpose: Error reports/crash reports in the web app. Legal basis: Art. 6 para. 1 lit. a (consent) in conjunction with § 25 TTDSG (if cookies/device storage are used). Server-side error logs are based on legitimate interests (Art. 6 para. 1 lit. f) with data minimization.
  • Vector Store: TurboPuffer (EU region, preferably Frankfurt/DE, if available). Purpose: Provision of vector search/functional logic. Legal basis: Art. 6 para. 1 lit. b, lit. f.
  • Background Jobs/Task Processing: Trigger.dev (Frankfurt/DE). Purpose: Processing of asynchronous tasks and background jobs (e.g., data import, vector indexing). Legal basis: Art. 6 para. 1 lit. b, lit. f.

Additional optional integrations (e.g., Shopify, HubSpot, Zendesk, Intercom, Mailchimp, Klaviyo) are only activated if enabled by you, under your responsibility. We only process data necessary for integration and act – where applicable – as a data processor.

5. WhatsApp Business and RCS Integration

WhatsApp Business: If you connect WhatsApp Business, we process Meta/WhatsApp user data, chat content, metadata, and IDs to provide the channel. WhatsApp/Meta act as independent controllers; their privacy policies apply additionally.

RCS (Rich Communication Services): If you connect RCS for Business, we process user data, chat content, metadata, phone numbers, and IDs to provide the messaging channel. RCS providers (e.g., Google, mobile carriers) act as independent controllers.

Legal Basis: Art. 6 para. 1 lit. b (contract with you) and – where end users are concerned – Art. 6 para. 1 lit. a (end user consent) or lit. f (legitimate interests, e.g., support communication), depending on your setup.

Your Responsibilities:

  • Obtaining valid consents from end users (including opt-out),
  • Lawful use of templates/categories and sending windows,
  • Provision of legally required information (e.g., imprint, privacy policy),
  • Fulfillment of access/deletion/objection rights,
  • Compliance with respective provider guidelines (WhatsApp Business Terms, RCS Guidelines).

6. Cookies, Local Storage, and Consent (TTDSG)

We use technically necessary cookies/storage (Art. 6 para. 1 lit. f). For non-essential technologies (e.g., PostHog tracking), we obtain your consent (opt-in). You can revoke consents at any time with future effect and change settings in the consent banner.

7. Storage Duration

We store personal data only as long as necessary for the respective purposes or as required by legal retention obligations. Configuration/log/usage data are regularly automatically deleted or anonymized, unless legitimate interests/legal obligations prevent this.

8. Data Minimization, Encryption, Security

We follow the principle of data minimization, use encryption in transit and – where possible – at rest, role-based access controls, logging, and regular security measures.

9. Origin of Personal Data

The personal data we process comes from the following sources:

  • Directly from you: Data you provide during registration, use of the platform, or in contact with us.
  • Automatically during use: Technical data such as IP addresses, browser information, usage data through cookies and similar technologies.
  • From third-party providers: When integrating third-party services (e.g., CRM, e-commerce), data may be transmitted from these systems if you have configured it.
  • Public sources: Where legally permissible, we may use publicly available information (e.g., commercial registers, company websites) for verification.

10. Data Subject Rights

You have the following rights under the GDPR:

Right of Access (Art. 15 GDPR): You may request information about the personal data we process about you, including information about processing purposes, categories of data, recipients, and storage duration.

Right to Rectification (Art. 16 GDPR): You have the right to have incorrect personal data corrected. You may have incomplete data completed.

Right to Erasure (Art. 17 GDPR): You may request the deletion of your personal data if one of the legal grounds applies (e.g., data no longer necessary, withdrawal of consent, unlawful processing).

Right to Restriction of Processing (Art. 18 GDPR): In certain cases, you may request restriction of the processing of your data, e.g., if you contest the accuracy of the data or the processing is unlawful.

Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format and to transmit this data to another controller.

Right to Object (Art. 21 GDPR): You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you based on Art. 6 para. 1 lit. f GDPR. In case of objection to direct marketing, we will immediately cease processing.

Right to Withdraw Consent (Art. 7 para. 3 GDPR): Consents may be withdrawn at any time with future effect. The lawfulness of processing carried out until withdrawal remains unaffected.

Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement. The supervisory authority responsible for us is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Straße 22
20459 Hamburg
Phone: 040 / 428 54 – 4040
Email: mailbox@datenschutz.hamburg.de

Exercise of Your Rights: To exercise your rights, please contact: contact@chatbyte.ai. We will respond to your request without undue delay, but at the latest within one month.

11. Provision of Data and Consequences of Non-Provision

The provision of certain personal data is required for contract conclusion and use of our platform:

Contractually Required Data: For registration and use of the platform, we require at least name, email address, and company data. Without this information, we cannot enter into a contract with you and you cannot use the platform.

Legally Required Data: For invoicing and tax purposes, certain data are legally required (e.g., billing address, possibly VAT ID).

Voluntary Data: All other data are voluntary. Non-provision of voluntary data has no disadvantages but may limit the functionality or convenience of the platform.

12. Automated Decision-Making and Profiling

We do not employ automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

Limited Automation: We use automated processes exclusively for:

  • Spam and fraud prevention (e.g., for suspicious registration patterns)
  • System security and access protection
  • Technical optimization of the platform

These automated checks do not lead to legally binding decisions. In case of anomalies, manual review by our staff always follows.

AI Models: The AI agents you configure process data on your instruction. You are responsible for the configuration and use of AI functions as well as for resulting decisions.

13. Data Processing Agreement (Art. 28 GDPR)

Where we provide services as a data processor for you, we will conclude a DPA upon request. We engage sub-processors (e.g., the providers mentioned above) in compliance with legal requirements.

14. Third-Country Transfers (Art. 44 ff. GDPR)

For transfers to third countries, we ensure appropriate safeguards (e.g., EU Standard Contractual Clauses) and assess the level of protection. We limit data content to the necessary minimum and prefer EU locations where possible.

15. Processing of End User Content by AI Models

To provide AI functions, user inputs, conversations, and contexts are transmitted to the LLM providers you have selected. Where possible, we disable training purposes. The specific processing modalities depend on the respective provider and your configuration.

16. PostHog Product Analytics

With consent, we collect pseudonymous usage events with PostHog (e.g., feature clicks, flows). IP addresses are shortened or not permanently stored; we use EU hosting/proxying where possible. Purpose: Product improvement, error analysis. Legal basis: Art. 6 para. 1 lit. a GDPR in conjunction with § 25 TTDSG. Revocation possible at any time in the consent banner.

17. Logs and Server Logs

To ensure stability/security, we maintain server logs (e.g., IP address, timestamps, request IDs) based on Art. 6 para. 1 lit. f GDPR for a short, purpose-bound duration.

18. Mandatory Information for Electronic Communication

For channel integrations (e.g., WhatsApp Business, RCS, email), you are required to provide legally mandated information to end users (e.g., imprint, sender identification, unsubscribe options). We provide functions/placeholders for this but are not responsible for their content design.

19. Changes to this Privacy Policy

We will adapt this policy as needed, e.g., for functional changes or legal developments. The current version is always available on our website. We will inform you of significant changes by email or through a clear notice at your next login.

Contact for data protection inquiries: contact@chatbyte.ai