Privacy Policy
Last updated: April 6, 2026
1. Who We Are
MyChat ("we", "us", "our") is a SaaS platform operated from Tallinn, Estonia. We provide AI-powered chatbot services for websites. Contact: info@mychat.ee.
2. Data We Collect
2.1 Account Data (Platform Users)
When you register on our platform, we collect:
- Email address
- Display name
- Password (stored as a salted scrypt hash, never in plaintext)
2.2 Payment Data
Payments are processed by Stripe, Inc. We do not store credit card numbers. Stripe may collect payment details, billing address, and related information under its own Privacy Policy. We store only a Stripe customer identifier to link your account.
2.3 Website Visitor Data (Chatbot Users)
When a visitor interacts with a chatbot on our customer's website, we collect:
- Chat messages (text content)
- IP address (for rate limiting only, not stored long-term)
- Lead form submissions (name, email, phone — if voluntarily provided)
- Browser language preference (for chatbot localization)
2.4 Website Content (RAG Indexing)
When a platform user connects their website, we crawl publicly available pages to build a knowledge base for the chatbot. This content is publicly accessible on the web and is used solely to improve chatbot responses.
3. How We Use Data
- Providing and operating the chatbot service
- Processing payments and managing subscriptions
- Generating AI responses based on website content
- Delivering lead form submissions to our customers
- Rate limiting and abuse prevention
- Service improvement and debugging
4. Legal Basis (GDPR)
We process personal data under the following legal bases:
- Contract performance — to provide the service you signed up for (Art. 6(1)(b))
- Legitimate interest — for security, rate limiting, and service improvement (Art. 6(1)(f))
- Consent — when visitors voluntarily submit lead forms (Art. 6(1)(a))
5. Third-Party Services
We use the following third-party processors:
| Service | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA (EU SCCs) |
| xAI (Grok) | AI response generation | USA |
| OpenAI | Text embeddings for knowledge base | USA (EU SCCs) |
| Hetzner | Server hosting | EU (Finland/Germany) |
For US-based processors, data transfers are safeguarded by Standard Contractual Clauses (SCCs) or equivalent mechanisms.
6. Data Retention
- Account data — retained while your account is active; deleted within 30 days of account deletion
- Chat conversations — retained for up to 12 months, then automatically purged
- Lead submissions — retained until deleted by the platform user
- Payment records — retained as required by tax law (typically 7 years)
- IP addresses — used for rate limiting in memory only, not persisted
7. Your Rights (GDPR)
As a data subject in the EU, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restriction — limit how we process your data
- Objection — object to processing based on legitimate interest
- Withdraw consent — at any time, without affecting prior processing
To exercise any of these rights, contact us at info@mychat.ee. We will respond within 30 days.
8. Cookies
Our platform uses a single session cookie (httpOnly, secure) for authentication. We do not use tracking cookies, analytics cookies, or advertising cookies. The chatbot widget on customer websites does not set any cookies.
9. Security
We protect your data with:
- HTTPS/TLS encryption for all connections
- Passwords hashed with scrypt + random salt
- Session tokens signed with HMAC-SHA256
- Rate limiting on all public endpoints
- SSRF protection on URL processing
- Content Security Policy (CSP) headers
10. Children
Our service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to registered users. The "Last updated" date at the top indicates the latest revision.
12. Contact
For privacy-related inquiries:
Email: info@mychat.ee
Location: Tallinn, Estonia
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (www.aki.ee).