Privacy Policy

1. Introduction

Welcome to Chatloom ("we," "our," or "us"). This Privacy Policy explains how WORKSJO LTD (registered in England and Wales, ICO Registration: ZB810612) collects, uses, discloses, and safeguards your information when you use our AI-powered chatbot platform and services. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.

2. Information We Collect

2.1 Information You Provide

• Account information (name, email address)
• Billing information (processed securely through Stripe)
• Chatbot configuration data
• Training data and conversation history
• Customer support communications

2.2 Automatically Collected Information

• Usage data and analytics
• Device information and IP address
• Cookies and similar tracking technologies
• Log files and error reports

3. How We Use Your Information

• To provide and maintain our services
• To process your transactions and subscriptions
• To improve and optimize our platform
• To send you updates, security alerts, and support messages
• To detect, prevent, and address technical issues
• To comply with legal obligations

Legal Bases for Processing (GDPR)

Where the EU or UK GDPR applies, we rely on the following legal bases under Article 6 to process your personal data:

• Performance of a contract — to provide the service you sign up for: managing your account and agents, and processing conversations on your behalf.
• Legitimate interests — to secure, maintain, debug and improve the service, prevent abuse, and communicate with you about your account, balanced against your rights and freedoms.
• Consent — for optional analytics and marketing cookies and where consent is otherwise required; you can withdraw it at any time.
• Legal obligation — to comply with applicable laws, tax and accounting duties, and lawful requests from authorities.

4. AI and Data Processing

Chatloom uses artificial intelligence (AI) powered by Anthropic's Claude to provide chatbot services. When you use our platform:

• Your training data is processed to improve chatbot responses
• Conversation data may be analyzed to enhance service quality
• We implement encryption and security measures to protect your data
• AI model providers may process data according to their terms

We do not use your data, or your end-users’ conversations, to train our own AI models. Conversation inputs are sent to our AI providers (OpenAI, Anthropic, Google) only to generate responses, through their business APIs whose standard terms do not use API inputs to train their models. For conversation data you process through Chatloom you are the data controller and Chatloom acts as your processor; a Data Processing Agreement (DPA) is available on request.

5. Data Sharing and Disclosure

We may share your information with:

• Service Providers: Anthropic, OpenAI and Google (AI inference), Cohere and Voyage (search/embedding, where applicable), Supabase (database and storage), Vercel (hosting and analytics), Clerk (authentication), Stripe (payments), Resend (transactional email), Sentry (error monitoring), Upstash (Redis cache). A current list with locations and DPA links is published at /sub-processors.
• Legal Requirements: When required by law or to protect our rights
• Business Transfers: In connection with a merger, acquisition, or sale of assets

We do NOT sell your personal information to third parties.

6. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption in transit and at rest
• Regular security audits and updates
• Access controls and authentication
• Secure data centers and infrastructure

7. Data Retention

We retain your information for as long as your account is active or as needed to provide services. Conversation data is retained for 30 days by default but can be configured in your settings.

8. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights:

• Access your personal data
• Correct inaccurate data
• Request deletion of your data
• Export your data
• Opt-out of marketing communications
• Withdraw consent

You also have the right to lodge a complaint with a data protection supervisory authority. In the UK this is the Information Commissioner’s Office (ICO); in the EU, your local supervisory authority.

9. Cookies

We use cookies and similar technologies for authentication, preferences, and analytics. You can control cookies through your browser settings.

10. Automated Decision-Making

Our AI chatbot uses automated processing to generate responses based on your inputs. These responses do not produce legal or similarly significant effects on you. The AI does not make decisions about your access to services, pricing, or eligibility. You have the right to request human review of any AI-generated response by contacting us at support@chatloom.app.

11. International Data Transfers

Your data may be transferred and processed in countries outside your jurisdiction, including the United States. We use Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO) and the European Commission to ensure appropriate safeguards are in place for international data transfers. Our sub-processors include Anthropic, OpenAI and Google (AI processing), Cohere and Voyage (search/embedding, where applicable), Stripe (payments), Vercel (hosting and analytics), Clerk (authentication), Supabase (database and storage), Upstash (Redis cache), Resend (transactional email), and Sentry (error monitoring). The complete and current list, including processing purpose and location, is published at /sub-processors and updated whenever we add or change a sub-processor.

12. Children's Privacy

Our services are not intended for children below the age of digital consent in their country (between 13 and 16 depending on jurisdiction; 13 in the UK and US, 16 in Germany and several other EU member states). We do not knowingly collect data from children below the applicable age, and we will delete such data on becoming aware of it.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). You have the right to: know what personal information we collect and how it is used; request deletion of your personal information; opt-out of the sale or sharing of personal information (we do not sell personal information and we honour Do Not Sell or Share opt-outs); non-discrimination for exercising your privacy rights. To exercise your California privacy rights, contact us at support@chatloom.app. We will respond to verifiable consumer requests within 45 days, with one extension of up to 45 additional days where reasonably necessary, as permitted under CCPA section 1798.130(a)(2).

14. Brazilian Data Protection (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Protecao de Dados (LGPD). These include the right to: confirmation of processing; access to your data; correction of incomplete or inaccurate data; anonymization, blocking, or deletion of unnecessary data; data portability; information about third parties with whom data is shared; and the ability to revoke consent. To exercise your LGPD rights, contact our Data Protection Officer at support@chatloom.app.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through our platform.

16. Contact Us