The short version. ChatBoss is operated by ProductShake, LLC. We collect the minimum data we need to run the Service: account info for our customers; conversation messages and basic metadata (IP, user agent, page URL, country) for visitors who chat with our customers' bots; and standard logs for security. We use a small set of vetted sub-processors for things like LLM inference, payments, and email. We do not sell your data, we do not use it to train AI models, and we do not run advertising or tracking cookies. If you're in the EEA, UK, or California, you have additional rights β described below.
1. Who this policy covers
This Privacy Policy applies to three groups of people:
- Account holders β people and organizations who sign up for ChatBoss to operate one or more AI chatbots.
- Chatbot end-users (visitors) β people who chat with a ChatBoss-powered bot embedded on our customers' websites.
- Marketing-site visitors β people who browse trychatboss.com without an account.
2. Our role under data-protection law
- For account holders and marketing-site visitors, ProductShake, LLC is the data controller (or, under California law, the business) β we decide why and how the data is processed.
- For chatbot end-users, the situation is different. The customer who operates the chatbot is the data controller for the conversations and any visitor data that flows through their bot. ProductShake acts as the data processor (or, under California law, a service provider) on the customer's instructions. A Data Processing Addendum (DPA) is available on request β email [email protected].
3. Controller details
ChatBoss is operated by ProductShake, LLC, a limited liability company organized under the laws of the State of Delaware, United States. For any privacy-related question or to exercise the rights described below, contact [email protected].
4. What data we collect
4.1 From account holders
- Profile: name, email address, avatar URL (when supplied by your sign-in provider), timezone, notification preferences.
- Authentication: Google or Apple OAuth identifier (so we can recognize you on return), session cookie, password hash if you set one.
- Optional integrations: Slack webhook URL if you configure Slack notifications.
- Billing: a customer ID and subscription status with our payment processor. Card data is collected and stored by the payment processor β we never see or store full card numbers.
- Support correspondence: emails and messages you send us, plus our replies.
4.2 From chatbot end-users (visitors)
When a visitor opens a ChatBoss widget on a customer's site, we process β on the customer's behalf β the following:
- Conversation content: the messages the visitor sends and the bot's replies.
- Optional contact details: name, email, or phone number that the visitor voluntarily provides (e.g. when escalating to a human).
- Technical metadata: IP address, user agent, the page URL where the widget loaded, country derived via GeoIP lookup.
- Session presence: short-lived heartbeat data (stored in Redis) used to show the customer when a visitor is actively on the site.
We do not place advertising or analytics cookies through the widget, and we don't fingerprint visitors across customer sites.
4.3 Customer Content
The customer uploads their knowledge base β documents, website URLs, and Q&A pairs. To the extent that material contains personal data (e.g. an "About the team" page), we process it strictly on the customer's instructions and only to power their bot.
4.4 Logs and telemetry
- Application logs: request paths, response codes, timing, error messages β used for debugging and security monitoring.
- Error reports: sent to our error-monitoring provider for diagnosis. We configure it to scrub personal data from error reports where possible.
- Rate-limit counters and security events: kept briefly to detect abuse.
5. Why we process this data, and the legal basis
Under EU/UK GDPR Article 6, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing the Service to account holders (delivering the dashboard, training bots, generating answers, sending operator notifications). | Performance of a contract (Art. 6(1)(b)) |
| Processing visitor data on behalf of customers. | The customer's chosen basis (typically their legitimate interest or contract with the visitor) β we act as processor. |
| Billing, tax, and invoicing. | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
| Security, fraud prevention, abuse detection, error monitoring, and product reliability. | Legitimate interest (Art. 6(1)(f)) β keeping the Service safe and working. |
| Sending non-promotional service emails (e.g. billing receipts, security alerts). | Contract / legal obligation |
| Sending occasional product-update emails to existing customers. | Legitimate interest, with an opt-out in every email. |
| Optional features you enable (e.g. Slack notifications). | Consent (Art. 6(1)(a)) |
We do not process special-category personal data (Art. 9 GDPR β health, biometrics, etc.) for our own purposes, and customers must not route such data through the Service without an appropriate lawful basis and safeguards.
6. AI processing and model training
We send each user question, plus retrieved snippets from the customer's knowledge base, to a hosted large-language-model provider (see Service providers) so it can compose a reply. We have configured these providers to operate in modes that do not retain prompts beyond the immediate request and do not use prompts or completions to train their models, where the provider offers that option. We do not train any first-party AI/ML models on Customer Content or visitor conversations.
Embeddings (numerical representations of text used for retrieval) are generated either by a model we host ourselves, or β when configured β by a vetted external provider under the same no-retention / no-training terms.
7. Who we share data with
We do not sell personal information. We share it only with:
- Our service providers, described below, under contract.
- A successor entity in the event of a merger, acquisition, or sale of substantially all assets β with notice and an opportunity to delete your account before the transfer.
- Authorities, when required by valid legal process, subject to challenging overbroad requests where we believe the law requires it.
- Your own organization (for account holders) β admins on your account can see usage and the conversation logs the bot has produced for your project.
8. Service providers
To run ChatBoss we rely on a small number of vetted third-party service providers. By category, these include:
- Hosting infrastructure β servers, database, and cache that store your account data and your knowledge-base content.
- A payment processor β for subscription billing. Card data is collected and stored by the processor; we never see or store full card numbers.
- Large-language-model providers β generate the replies the bot returns to your visitors, and (in some configurations) the embeddings used for retrieval.
- Authentication providers β used when an account holder signs in with a supported third-party identity provider.
- An email-delivery provider β for transactional emails such as sign-in confirmations, billing receipts, and escalation notifications.
- An error-monitoring provider β for reliability and diagnostic logs, configured to scrub personal data where possible.
- An optional notifications provider β used only when an account holder explicitly enables outgoing webhook notifications.
Each provider is bound by a written agreement and processes personal data only on our instructions and only for the purposes described in this policy. None of them are used for advertising, profiling, or building cross-site profiles of your visitors.
If you need the names of specific providers, the country in which each is established, and the safeguards in place for international data transfers (e.g. for a vendor-review process or a Data Processing Addendum), email [email protected] and we'll share the current list. We may add or replace providers from time to time; we'll update this section on material changes that affect personal data.
9. International data transfers
ChatBoss is operated globally. When personal data of EU/UK residents is transferred to a country outside the European Economic Area or the United Kingdom that is not the subject of an adequacy decision (such as the United States), we rely on:
- The European Commission's Standard Contractual Clauses (Module 2 or 3 as applicable), with the UK Addendum where UK GDPR applies; and/or
- The EUβUS Data Privacy Framework and its UK Extension, where the relevant sub-processor is certified.
Where we believe additional safeguards are warranted given the destination country's legal regime, we apply them β for example, encryption in transit and at rest, and processor commitments to challenge overbroad government requests. Copies of the SCCs we have in place are available on request.
10. How long we keep data
| Data | Retention |
|---|---|
| Account profile and authentication data | For the life of your account, plus up to 30 days after deletion to complete clean-up. Backups are overwritten on a rolling cycle. |
| Customer Content (knowledge sources, prompts) | For the life of your project. Customers can delete content at any time from the dashboard. |
| Conversation logs (visitor messages and bot replies) | For the life of the project, unless the customer deletes them sooner. |
| Application and security logs | Up to 90 days, then aggregated or deleted. |
| Billing records (invoices, tax records) | Up to 7 years where required by tax law. |
| Support correspondence | Up to 3 years after last contact. |
11. Cookies and similar technologies
We use only strictly necessary cookies and local-storage entries β the kind you can't meaningfully opt out of without breaking the Service:
chatbase_sessionβ your authentication session, set after sign-in.- A CSRF protection token β prevents cross-site request forgery on form submissions.
- A theme preference (light/dark) stored in your browser's
localStorage.
We do not run advertising cookies, third-party analytics, social media pixels, or cross-site tracking on trychatboss.com or in the embedded widget. Because we do not use non-essential cookies, we do not display a cookie banner.
12. Security
We use industry-standard measures to protect personal data:
- TLS encryption for all traffic between your browser and our servers, and between our servers and our sub-processors.
- Encryption at rest for sensitive fields in our database (such as integration credentials).
- Tenant scoping in PostgreSQL so one customer cannot read another customer's data.
- Least-privilege access for our team, with administrative actions logged.
- A vendor review process before adding new sub-processors.
No system can guarantee perfect security. If we become aware of a personal-data breach affecting your data, we will notify you without undue delay and within the timeframes required by law (72 hours where GDPR applies).
13. Your rights β EEA, UK, and Switzerland
If GDPR or UK GDPR applies to you, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten"), subject to limited exceptions (e.g. legal retention obligations).
- Restrict processing in certain circumstances.
- Object to processing based on legitimate interest, including profiling, and to direct marketing.
- Data portability β receive a copy of your data in a structured, commonly used, machine-readable format.
- Withdraw consent at any time, where we rely on consent β without affecting the lawfulness of processing before withdrawal.
- Lodge a complaint with your local supervisory authority. A list of EU authorities is available at edpb.europa.eu; the UK authority is the ICO. We'd appreciate the chance to address your concern first by emailing [email protected].
Visitor end-users: most rights requests about your conversations on a third-party site should be directed to the operator of that site (the data controller). If you don't know who that is, contact us and we'll route the request.
14. Your rights β California (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what categories of personal information we collect, the sources, the business purposes, and the categories of third parties we share it with.
- Access the specific pieces of personal information we hold about you.
- Delete personal information we hold about you, subject to legal exceptions.
- Correct inaccurate personal information.
- Limit the use of "sensitive personal information" β though we do not use sensitive personal information for purposes beyond providing the Service.
- Opt out of "sale" or "sharing" of personal information β we do not sell or share personal information within the meaning of the CCPA, including for cross-context behavioural advertising.
- Non-discrimination β we will not deny service, charge a different price, or provide a different level of quality because you exercised a privacy right.
To exercise these rights, email [email protected] from the address associated with your account, or include enough information for us to verify your identity. You can authorize an agent to act on your behalf in writing. We aim to respond within 45 days.
15. Your rights β other US states
If you are a resident of a US state with a comprehensive privacy law (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as they take effect), you have rights similar to those in California. The same contact route β [email protected] β handles those requests. You may also have a right to appeal a denied request; we'll explain the appeal process in our response.
16. Children's privacy
The Service is not directed at children. We do not knowingly collect personal data from children under 16 (EEA/UK) or under 13 (US). If you believe a child has provided us personal data, contact [email protected] and we'll delete it.
17. Automated decisions
We do not use your personal data to make decisions about you that produce legal or similarly significant effects without human involvement. AI-generated chatbot replies are content, not decisions about a person.
18. Changes to this policy
We may update this Privacy Policy from time to time. For material changes, we'll notify you by email and update the "Last updated" date at the top. If you don't accept a change, you may close your account before it takes effect.
19. Contact us
For privacy questions, requests under any of the rights above, or to request our DPA template, email [email protected].