CHATIVOX Privacy Policy
Effective: 2026-04-19 — Version: 1.0.0
CHATIVOX provides an AI customer-support platform composed of two surfaces: an operator dashboard used by our business customers ("tenants") and an embeddable chat widget that tenants place on their own websites so their end-visitors can start a conversation.
This policy explains what personal data we handle, why, and how you can exercise your rights. It is written in plain language; where a legal term is unavoidable we explain it the first time it appears.
Who is responsible for your data
The controller for this policy is:
CHATIVOX, Nevo 12 St, Kochav Yair, Israel, privacy@chativox.com
CHATIVOX's role depends on whose data is in question.
- If you are a tenant user — an operator who signs in to the CHATIVOX dashboard — CHATIVOX is the controller of your account data. We decide what we collect and why.
- If you are an end-visitor — a person chatting with a tenant through the widget — the tenant is the controller of your conversation data. CHATIVOX acts as a processor on the tenant's behalf under a written Data Processing Agreement. If you want to exercise rights over that data, your primary point of contact is the tenant operating the website where you used the chat. We support tenants in fulfilling your rights and will act directly when we can identify you.
Data we collect
From tenant users (CHATIVOX is controller)
- Account: email address, display name, profile avatar.
- Authentication: salted password hash, OAuth access/refresh/ID tokens (when social sign-in is used).
- Session: IP address and user-agent string attached to each session, hashed for audit purposes.
- Consent: the version of this policy and the Terms of Service you accepted, the time you accepted, and a hash of the IP/user-agent used to accept.
From end-visitors (the tenant is controller; CHATIVOX processes)
- Contact identifier (optional): email address or display name if you provide one in chat.
- Conversation content: messages you send to the tenant and responses you receive.
- AI reasoning: internal notes our AI produces while drafting a reply.
- Session: IP address, user-agent string, a random visitor session ID stored in your browser's local storage so you can later request access to or erasure of your data.
- Consent: the policy version you accepted before the chat started, time of acceptance, hashed IP/user-agent.
Operational data
- Security events: snippets of input that matched our prompt-injection or PII-leak detectors.
- Email integration: subjects and metadata of messages sent between the tenant and their customers via CHATIVOX-managed mailboxes.
- Knowledge base: documents the tenant uploads to train the AI. These may incidentally contain personal data about third parties; the tenant is responsible for the lawful basis of that content.
Purposes and legal bases
| Purpose | Data used | GDPR legal basis (Art. 6) |
|---|---|---|
| Provide the dashboard service to a tenant user | Account, authentication, session | Contract (6(1)(b)) |
| Deliver the chat service to an end-visitor on behalf of a tenant | Contact identifier, conversation content, session | Processor — lawful basis is the tenant's responsibility |
| Detect prompt-injection or PII leakage | Conversation snippets | Legitimate interests (6(1)(f)) — securing the service |
| Bill our tenants | Tenant contact + Paddle customer ID | Contract (6(1)(b)) |
| Record policy acceptance | Consent data | Compliance with a legal obligation (6(1)(c)) + Art. 7 provability |
| Send transactional email (password resets, notifications) | Email address, message body | Contract (6(1)(b)) |
| Improve the service | Aggregated, de-identified usage metrics | Legitimate interests (6(1)(f)) |
We do not rely on consent (Art. 6(1)(a)) for any core processing other than the initial collection of widget-visitor data — consent there is recorded through the widget's consent panel and can be withdrawn at any time.
Retention
- Tenant-user accounts: kept while the account is active; deleted on request or after a grace period following account closure.
- End-visitor conversations: default 90 days from the last message, configurable per tenant.
- Security events: 365 days.
- Retention audit logs: 730 days.
- Consent records: kept for as long as the underlying account exists and are cascade-deleted when the subject is erased.
The retention worker runs daily and enforces these limits automatically.
Your rights
Under the GDPR, UK GDPR, and CCPA/CPRA you have the right to:
- Access the personal data we hold about you (Art. 15).
- Correct inaccurate data (Art. 16).
- Erase your data — "right to be forgotten" (Art. 17).
- Restrict processing in specific circumstances (Art. 18).
- Receive a portable copy in a machine-readable format (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent at any time, without affecting processing that already occurred (Art. 7(3)).
- Avoid solely automated decisions that have legal or similarly significant effects (Art. 22). CHATIVOX does not make such decisions.
- Lodge a complaint with your supervisory authority.
How to exercise your rights
- Tenant users: sign in, open Settings → Privacy, and use the self-service export and erasure controls. You can also email privacy@chativox.com.
- End-visitors: the tenant operating the website is your primary contact. You can also go to /privacy/request on the CHATIVOX dashboard domain and verify your identity either via email magic-link or by pasting the visitor session ID shown in the widget's "Your data" menu. This identification step exists because the widget does not require you to log in — per GDPR Art. 11, if you never provided an identifier and no longer have your session ID, we may not be able to locate your data without additional information.
We respond within 30 days. If we need more time (up to 60 days total) we will tell you within the first 30 days.
Subprocessors
CHATIVOX uses a small number of third-party services to run the product. See SUBPROCESSORS.md for the current list including purpose, region, and DPA link. When we add or replace a subprocessor we bump the MINOR version of this policy and notify affected tenants.
International transfers
CHATIVOX is an Israeli company. The European Commission recognises Israel as providing an adequate level of protection under GDPR Art. 45, so transfers of EU/UK personal data to us as controller do not require additional safeguards.
Our infrastructure is hosted outside Israel:
- Railway (United States) hosts the dashboard and API servers where personal data is stored.
- Cloudflare (global edge network, operator headquartered in the United States) delivers the chat widget.
- Anthropic, OpenAI, and Google (United States) process conversation content when generating AI responses.
- Resend (United States) delivers transactional email.
- Paddle (United Kingdom / United States) processes tenant subscription payments.
For every transfer of EU/UK personal data to these subprocessors we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum. We implement supplementary technical measures — AES-256-GCM encryption at rest, TLS in transit, and pseudonymization before sending content to large language model subprocessors — to ensure a level of protection essentially equivalent to that in the EU/UK.
Security measures
- AES-256-GCM envelope encryption for personal data at rest; per-row data encryption keys wrapped by a master key held in a managed secret store.
- TLS 1.2+ for all data in transit.
- Role-based access control for tenant users; platform administrators' reads are written to an immutable access log.
- Password storage follows modern hashing standards as maintained by our authentication library.
- Rate limiting and CSRF protection on state-changing endpoints.
- Automated anomaly detection on authentication and administrative access.
- Independent audit log for every erasure request, including external-provider status.
Breach notification
If we detect a personal data breach that creates a risk to your rights and freedoms we notify our supervisory authority within 72 hours of becoming aware (Art. 33). If the breach creates a high risk we also notify affected data subjects without undue delay (Art. 34). Our internal runbook defines the decision tree, notification templates, and evidence preservation steps.
Children
CHATIVOX is not directed at children under 16 and we do not knowingly collect personal data from them. Tenants are responsible for ensuring that their own products and their own collection of end-visitor data comply with child-privacy laws such as COPPA, and for obtaining parental consent where required.
California rights (CCPA / CPRA)
California residents have additional rights including the right to know the categories and specific pieces of personal information we have collected, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information, and the right to limit the use of sensitive personal information. CHATIVOX does not sell personal information and does not share personal information for cross-context behavioral advertising. To exercise California rights, use the same /privacy/request page or email privacy@chativox.com.
Changes to this policy
This policy is versioned with semantic versioning (semver):
- MAJOR — a change to subject rights or the categories of data processed. Tenants and end-visitors will be prompted to accept the new version before continuing to use the service.
- MINOR — addition or replacement of a subprocessor. Tenants are notified at least 30 days in advance when practicable.
- PATCH — clarifications and typographical corrections with no substantive change.
The version and effective date are shown in the YAML frontmatter at the top of this file. The full revision history is available in git.
Contact
- Email: privacy@chativox.com
- Postal: CHATIVOX, Nevo 12 St, Kochav Yair, Israel
- EU representative / UK representative: [to be appointed where Art. 27 GDPR / Art. 27 UK GDPR applies]
If we cannot resolve your concern you have the right to lodge a complaint with your local supervisory authority. Israeli residents may contact the Israeli Privacy Protection Authority.