Privacy Policy
Effective date: March 31, 2026
1. Introduction
This Privacy Policy describes how AESCULAP Praha s.r.o. ("ChatbotIQ", "we", "us") collects, uses, shares, and protects your personal data when you use the ChatbotIQ platform available at chatbotiq.eu and app.chatbotiq.eu (the "Service").
We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Data Controller
AESCULAP Praha s.r.o.
Vodičkova 791/41, Nové Město (Praha 1), 110 00 Praha, Czech Republic
IČO: 47535202 · VAT: CZ47535202
Email: [email protected]
2. Data We Collect
a) Account Data
When you create an account, we collect your email address and, if you use Google OAuth, your name and profile information provided by Google. We also store your account preferences, workspace settings, and team membership.
b) Billing Data
Payment processing is handled by Stripe. We do not store your credit card numbers or full payment details. We retain only your subscription plan, billing status, and transaction history necessary for account management and tax compliance.
c) Usage Data
We automatically collect technical information when you use the Service, including your IP address, browser type, operating system, pages visited, features used, and timestamps. This data helps us maintain, secure, and improve the Service.
d) Chat Data
When end users interact with chatbots created through the Service, we process the questions asked and the AI-generated responses. This data is associated with the workspace that owns the chatbot and is used to deliver the Service and provide analytics to bot owners.
e) Crawled Content
When you add knowledge sources, we crawl and index the web content at the URLs you specify. This content is processed to generate embeddings and provide retrieval-augmented responses. We store the crawled text, generated embeddings, and associated metadata.
3. Legal Bases for Processing
Under Article 6 of the GDPR, we process your personal data on the following legal bases:
- Contract performance — Processing necessary to provide the Service, manage your account, process payments, and deliver chatbot functionality as agreed in our Terms of Service.
- Legitimate interest — Processing necessary for analytics, service improvement, security monitoring, fraud prevention, and debugging. We balance our interests against your rights and only process data where our interests do not override yours.
- Consent — Where required, we obtain your consent for marketing communications and optional analytics cookies. You may withdraw consent at any time.
- Legal obligation — Processing necessary to comply with applicable laws, including tax and financial record-keeping requirements.
4. How We Use Your Data
We use the data we collect to:
- Operate, maintain, and provide the Service, including crawling, indexing, and generating AI responses
- Process payments and manage your subscription
- Authenticate your identity and secure your account
- Provide customer support and respond to your inquiries
- Analyze usage patterns to improve the Service and develop new features
- Send transactional communications (e.g., account verification, billing notifications)
- Send marketing communications where you have opted in (you can unsubscribe at any time)
- Detect, prevent, and address fraud, abuse, and security issues
- Comply with legal obligations and enforce our Terms of Service
Internal access: Our support team may access conversation data when investigating issues, providing technical support, or ensuring service integrity. All such access is performed by authorized personnel only and is subject to internal access controls.
We do not use your personal data or User Content to train general-purpose AI models. Your data is processed solely to provide the Service to you.
5. Third-Party Processors
We share your data with the following categories of third-party service providers ("processors") who process data on our behalf. All processors are bound by data processing agreements ensuring appropriate safeguards. For detailed information including data retention and training opt-out status, see our Sub-processors page.
| Provider | Purpose | Location |
|---|---|---|
| Hetzner | Infrastructure hosting (servers, databases) | EU (Germany) |
| Stripe | Payment processing | US / EU |
| OpenAI | Embedding generation | US |
| OpenAI, Anthropic, Google | LLM inference (chat responses) | US |
| Mistral | LLM inference (chat responses) | EU (France) |
| Pinecone | Vector database (embedding storage and retrieval) | EU |
| Google | OAuth authentication | US |
6. International Data Transfers
Our primary infrastructure is hosted by Hetzner in the European Union (Germany). However, some of our third-party processors are located outside the European Economic Area (EEA), primarily in the United States.
Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law. Our general retention periods are:
- Account data — Retained for the duration of your account plus 30 days after account deletion to allow for reactivation or data export.
- Billing records — Retained as required by applicable tax and financial regulations (typically up to 10 years under Czech tax law).
- Chat data — Retained for the duration of the associated bot's existence, then deleted within 90 days of bot deletion or account termination.
- Crawled content & embeddings — Deleted within 30 days of source removal or account termination.
- Usage data — Retained in aggregated or anonymized form for analytics purposes. Raw logs are retained for up to 90 days for security and debugging.
8. Your Rights Under GDPR
If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data:
- Access (Art. 15) — You have the right to request a copy of the personal data we hold about you.
- Rectification (Art. 16) — You have the right to request correction of inaccurate or incomplete personal data.
- Erasure (Art. 17) — You have the right to request deletion of your personal data, subject to applicable legal retention requirements.
- Restriction (Art. 18) — You have the right to request that we restrict processing of your personal data in certain circumstances.
- Portability (Art. 20) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Objection (Art. 21) — You have the right to object to the processing of your personal data based on legitimate interests.
- Withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days as required by the GDPR.
You also have the right to lodge a complaint with a supervisory authority. For users in the Czech Republic, the relevant authority is the Office for Personal Data Protection (ÚOOÚ). Users in other EU member states may contact their local data protection authority.
9. Cookies and Tracking
We use cookies and similar technologies to operate the Service:
- Essential cookies — Required for authentication, session management, and core functionality. These cannot be disabled as the Service would not function without them.
- Analytics cookies — Optional cookies that help us understand how you use the Service. These are only placed with your consent.
We do not use third-party advertising or tracking cookies. You can manage your cookie preferences through your browser settings.
10. Children's Data
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete it promptly. If you believe that a child under 16 has provided us with personal data, please contact us at [email protected].
11. Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you at least 30 days before the changes take effect by email or through a prominent notice within the Service. The effective date at the top of this page will be updated accordingly. We encourage you to review this Privacy Policy periodically.
13. Contact
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
AESCULAP Praha s.r.o.
Vodičkova 791/41, Nové Město (Praha 1), 110 00 Praha, Czech Republic
IČO: 47535202 · VAT: CZ47535202
Email: [email protected]
Supervisory authority: Office for Personal Data Protection (ÚOOÚ), Prague, Czech Republic — www.uoou.cz. Users in other EU member states may contact their local data protection authority.