Privacy Policy
Last updated: 11 April 2026
This Privacy Policy explains how ChatCraft ("we", "us", or "our") collects, uses, stores, and shares personal data when you use our websites, dashboards, APIs, widgets, and related services (the "Service"). It is intended to align with the UK GDPR and EU GDPR where those laws apply. For questions or to exercise your rights, contact feedback@chatcraft.app.
1. Who is responsible for your data?
The data controller for personal data processed through the Service is the operator of ChatCraft as identified in product communications and contracts. Where you deploy bots to your own end users, you may also act as a controller for your end-user data; this Policy describes our role as the platform provider.
2. Data we collect
- Account data: email address, name or username where provided by your authentication provider, identifiers from Clerk, plan and subscription metadata, and billing-related identifiers from Stripe.
- Bot configuration: bot names, prompts, personality settings, uploaded avatars, knowledge-base files and derived text chunks, integration settings (for example Discord server identifiers where you connect a bot), and analytics events tied to your account.
- Conversation data: messages sent to your bots (including end-user messages where you embed or deploy a bot), model responses, timestamps, and technical metadata needed to operate and debug conversations.
- Technical data: IP address, device and browser type, approximate location derived from IP, cookies and similar technologies, logs, and security signals.
3. How we use personal data
We process personal data to provide, secure, and improve the Service; authenticate users; manage subscriptions and payments; provide customer support; detect abuse and fraud; comply with law; and communicate service-related notices. Our legal bases under GDPR typically include performance of a contract, legitimate interests (for example security, product analytics, and service improvement, balanced against your rights), and consent where required (for example certain non-essential cookies or marketing, where applicable).
4. AI processing and automated outputs
When you or your end users interact with a bot, we send relevant content to AI providers to generate responses. Outputs are automated and may be incorrect. You should not rely on outputs as professional, legal, medical, or financial advice without human review.
5. Third parties and subprocessors
We use carefully selected service providers. Depending on your use of the Service, personal data may be processed by:
- Anthropic — AI inference (Claude) where enabled for your workspace or bots.
- OpenAI — embeddings and related model services where used for knowledge search or other features.
- Stripe — payments, subscriptions, invoices, and tax where applicable.
- Clerk — authentication, session management, and account security.
- Supabase — database, storage (for example avatars or uploaded files), and related infrastructure where configured.
- Discord — when you connect a bot to Discord, message content and identifiers needed to operate the integration are exchanged with Discord according to their policies.
These providers process data under their own terms and may be located outside your country. Where required, we use appropriate safeguards such as Standard Contractual Clauses.
6. Retention
We retain personal data for as long as your account is active and as needed to provide the Service. Conversation and log data may be retained for a limited period for security, debugging, and analytics, then deleted or anonymised unless a longer period is required by law or legitimate business needs (for example billing records). Knowledge-base documents are retained until you delete them or delete the associated bot or account, subject to backup cycles.
7. Your rights (GDPR)
Where GDPR applies, you may have the right to access, rectify, and erase your personal data, to restrict processing, to object to certain processing, to data portability, and to withdraw consent at any time (without affecting prior lawful processing). You may lodge a complaint with a supervisory authority. To exercise your rights, email feedback@chatcraft.app. We may need to verify your identity before responding.
8. Cookies and similar technologies
We use cookies and similar technologies for essential functions (for example authentication and security), preferences, and analytics where enabled. You can control many cookies through your browser settings. Some Clerk, Stripe, or analytics cookies may be set by those providers when their features load.
9. Children
The Service is not directed to children under 16 (or the minimum age required in your jurisdiction). Do not provide personal data of children unless you have lawful authority and appropriate consent.
10. Security
We implement technical and organisational measures designed to protect personal data. No method of transmission or storage is completely secure; we encourage strong passwords and safe handling of API keys and integration secrets.
11. International transfers
We may process data in the United Kingdom, the European Economic Area, the United States, and other countries where our providers operate. Where data is transferred internationally, we implement appropriate safeguards consistent with applicable law.
12. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the "Last updated" date. Material changes may be communicated by email or in-product notice where appropriate.
See also our Terms of Service.