Privacy Policy

Last updated: 15 January 2025

1. Data Controller

The data controller responsible for the processing of your personal data is:

SupBot (operating entity placeholder)
[Address placeholder]
European Union
Email: privacy@thesupbot.com

For all data protection enquiries, including requests to exercise your rights, please contact our Data Protection Officer (DPO) at privacy@thesupbot.com.

2. What Data We Collect

2.1 Chat conversations

When a visitor interacts with a SupBot-powered widget, we collect the messages exchanged during that chat session, together with a pseudonymous session identifier, timestamp, and the bot configuration (tenant) involved. No name or email address is collected from chat visitors unless the visitor provides it voluntarily.

2.2 Account data

When you register for a SupBot account we collect your name, email address, and (in hashed form) your password. If you subscribe to a paid plan we also collect billing information, which is processed by our payment processor.

2.3 Usage data

We collect technical usage data such as page views, feature interactions, browser type, operating system, and approximate geographic region. This data is used exclusively for product improvement and is not linked to your personal identity without your consent.

2.4 Cookies

We use the following categories of cookies:

  • Strictly necessary — Required for the service to function (e.g. session authentication). Cannot be disabled.
  • Functional — Remember your preferences such as language and dashboard layout.
  • Analytics — Help us understand how the product is used so we can improve it. Only activated with your consent.
  • Marketing — Used to show relevant advertising. Only activated with your explicit consent.

3. Legal Basis for Processing

Under Art. 6(1) GDPR, we process personal data on the following legal bases:

  • Art. 6(1)(b) — Contract: Processing necessary to provide the service you have signed up for (account management, delivering chat responses).
  • Art. 6(1)(c) — Legal obligation: Processing required to comply with applicable laws (e.g. tax records, fraud prevention).
  • Art. 6(1)(f) — Legitimate interests: Processing for our legitimate interest in improving the product and preventing abuse, where those interests are not overridden by your rights.
  • Art. 6(1)(a) — Consent: Processing of optional analytics and marketing cookies, where we ask for your explicit consent before activation.

4. Third-Party Processors

We use the following third-party sub-processors to deliver the service. Each is engaged under a Data Processing Agreement (DPA) and is bound to process data only on our instructions.

4.1 Anthropic (Claude AI)

Natural-language processing for chat responses is powered by Anthropic’s Claude API. Conversation messages are transmitted to Anthropic servers for inference. Anthropic does not use API data to train its models. Data transfer is covered by Standard Contractual Clauses (SCCs) as Anthropic is a US-based company.

4.2 Vercel

Our web application is hosted on Vercel’s infrastructure. Vercel processes request logs and edge-cache data. Vercel is certified under the EU-US Data Privacy Framework.

4.3 all-inkl.de

Email delivery (transactional emails such as account verification and password reset) is handled by all-inkl.de, a German hosting provider. All data remains within the EU.

5. Data Retention

  • Chat conversations: Retained for 90 days from the date of the conversation, then permanently deleted.
  • Account data: Retained for the lifetime of your account. Permanently deleted within 30 days of an account deletion request.
  • Billing records: Retained for 7 years as required by applicable tax and accounting law.
  • Analytics data: Aggregated and anonymised after 13 months.

6. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights. To exercise any of them, contact us at privacy@thesupbot.com.

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
  • Right to data portability (Art. 20): Receive your data in a machine-readable format and transfer it to another controller.
  • Right to object (Art. 21): Object to processing based on our legitimate interests or for direct marketing purposes.
  • Right to restriction of processing (Art. 18): Ask us to restrict processing in certain circumstances.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement (Art. 77). In Germany, the supervisory authority competent for private companies is the data protection authority of the federal state (Land) in which the company is established; the federal Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) does not supervise private companies.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include encryption in transit (TLS 1.2 or later) and encryption at rest, access controls, and regular security reviews.

8. International Data Transfers

Some of our sub-processors (notably Anthropic) are located outside the European Economic Area. Where this is the case, we ensure an adequate level of protection through Standard Contractual Clauses (SCCs) approved by the European Commission, or by relying on an adequacy decision.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify registered users by email and update the “last updated” date at the top of this page. We encourage you to review this policy periodically.

10. Contact

For any questions about this Privacy Policy or to exercise your rights, please contact:

Data Protection Officer
SupBot
Email: privacy@thesupbot.com