Privacy Policy

Last updated: April 18, 2026

David Langr, Business Registration No. (ICO): 04617002, with the place of business at V olsinach 1451/20, 100 00, Prague 10 - Strasnice, Czech Republic, operating as Chaterimo ("we", "us", or "our"), operates the Chaterimo platform (the "Service").

This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Service, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Czech data protection law.


1. Data Controller

The data controller for the processing of your personal data is:

David Langr
ICO: 04617002
V olsinach 1451/20, 100 00, Prague 10 - Strasnice, Czech Republic
Email: info@chaterimo.com


2. What Data We Collect

We collect the following categories of personal data:

2.1. Account Data (provided during registration)

  • Email address
  • Name and username
  • Organisation (business) details
  • Password (stored as a secure hash, never in plain text)
  • Language and locale preferences
  • Marketing consent preferences

2.2. Billing Data

  • Stripe customer ID and subscription information
  • Billing history and invoice data (managed by Stripe)
  • We do not store credit card numbers or payment card data. All payment processing is handled by Stripe in accordance with PCI DSS standards.

2.3. Service Usage Data

  • Chatbot configuration and settings
  • Knowledge base content (product catalogs, website content, uploaded documents)
  • Chat conversations between end-users and chatbots
  • Lead data collected through chat widgets (names, emails, phone numbers voluntarily provided by end-users)
  • Email content (if email integration is enabled)
  • Support ticket content (if ticketing is enabled)

2.4. Technical Data

  • IP addresses (used for security, rate limiting, and abuse detection)
  • Session identifiers
  • Browser type and device information (collected via chat widget)
  • Application logs (which may contain request metadata)

2.5. API Keys (if provided by Customer)

  • Third-party API keys for AI services (OpenAI, Anthropic, Google, Groq)
  • E-commerce platform API credentials (Shopify, Shoptet, Upgates, WooCommerce, etc.)
  • CRM integration credentials (Zoho, HubSpot, Pipedrive)
  • Email OAuth tokens (Gmail, Outlook)
  • All API keys and credentials are encrypted at rest using Fernet symmetric encryption

3. How We Use Your Data

We process personal data for the following purposes:

  • Service delivery: Providing and maintaining the Chaterimo platform, including AI-powered chatbot responses, knowledge base search, and e-commerce integrations
  • Account management: Managing your registration, authentication, and subscription
  • Payment processing: Processing subscription payments through Stripe
  • Customer support: Responding to your inquiries and providing technical assistance
  • Security: Protecting the Service from abuse, fraud, and unauthorized access through IP blocking, rate limiting, and malicious pattern detection
  • Service improvement: Analyzing aggregated, anonymized usage data to improve the platform
  • Legal compliance: Fulfilling our legal obligations under applicable law
  • Communication: Sending transactional emails (account notifications, billing receipts, service updates) and, with your consent, marketing communications

4. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 GDPR:

  • Performance of contract (Art. 6(1)(b)): Processing necessary to provide the Service you subscribed to (account data, service usage data, billing data)
  • Legitimate interests (Art. 6(1)(f)): Security measures (IP blocking, rate limiting, logging), service improvement through aggregated analytics, and fraud prevention
  • Consent (Art. 6(1)(a)): Marketing communications (you can withdraw consent at any time)
  • Legal obligation (Art. 6(1)(c)): Tax and accounting record-keeping as required by Czech law

5. Data Sharing and Third-Party Processors

We share your data with the following categories of third-party service providers, who process data on our behalf:

5.1. Infrastructure and Hosting

  • Hetzner Online GmbH (Germany) — Server hosting and infrastructure
  • DigitalOcean LLC (EU/US) — File storage and CDN for uploaded files and static assets

5.2. AI Language Model Providers

Depending on the chatbot configuration, chat messages and knowledge base excerpts are sent to one or more of the following AI providers to generate chatbot responses:

  • OpenAI (OpenAI Ireland Ltd. / OpenAI, Inc.) — GPT models
  • Anthropic, PBC — Claude models
  • Google (Google Ireland Limited / Google LLC) — Gemini models
  • Groq, Inc. — Groq models

We use API-tier access to all AI providers. Your data is not used to train the AI providers' foundational models.

5.3. Payment Processing

  • Stripe, Inc. — Payment processing, subscription management, invoicing. Stripe's privacy policy applies to payment data.

5.4. Email Integration (if enabled by Customer)

  • Google (Google Ireland Limited / Google LLC) — Gmail OAuth integration
  • Microsoft Corporation (Microsoft Ireland / USA) — Outlook/Microsoft 365 OAuth integration

5.5. Messaging Integration (if enabled by Customer)

  • Meta Platforms (Meta Platforms Ireland Limited / Meta Platforms, Inc.) — Facebook Messenger integration

5.6. CRM Integration (if enabled by Customer)

  • Zoho Corporation — CRM data sync
  • HubSpot, Inc. — CRM data sync
  • Pipedrive OU (Estonia/USA) — CRM data sync

5.7. Monitoring and Logging

  • Better Stack (Logtail) (EU) — Application logging and monitoring. Logs may contain IP addresses, error details, email processing metadata, and request data.

5.8. Other

  • Jina AI GmbH (Germany) — Web page content extraction (fallback method for knowledge base training)

We do not sell your personal data to third parties. We do not share your data with third parties for their own marketing purposes.


6. International Data Transfers

Our primary infrastructure is located in Germany (EU). However, some third-party providers are located in the United States. For transfers of personal data outside the European Economic Area (EEA), we rely on:

  • The European Commission's adequacy decision for the EU-U.S. Data Privacy Framework (where the provider is certified)
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision (EU) 2021/914)
  • Where available, we contract with the EU/EEA subsidiary of providers to minimize cross-border transfers

7. Data Retention

  • Account data: Retained for the duration of your subscription and for a reasonable period thereafter to allow for account reactivation, unless you request deletion
  • Service usage data (chat sessions, leads, knowledge base): Retained for the duration of your subscription. Upon termination, deleted from active systems within 30 days and from backups within 90 days
  • Billing data: Retained as required by Czech tax and accounting laws (typically 10 years for invoices)
  • Application logs: Retained according to the logging provider's retention schedule
  • IP addresses used for security blocking: Cached temporarily (up to 24 hours) and not stored in the database

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • TLS/HTTPS encryption for all data in transit with automatic certificate management
  • Industry-standard symmetric encryption for sensitive credentials at rest (API keys, OAuth tokens)
  • Dedicated server infrastructure in Germany (not shared hosting)
  • Isolated container architecture with internal networking
  • Multi-tenant data isolation with organization-based scoping
  • Automated security middleware: IP blocking, rate limiting, malicious pattern detection
  • Database connection pooling with transaction-level isolation
  • Password hashing for user authentication
  • Regular automated backups with redundant storage

For details, see Annex 2 of our Data Processing Agreement (DPA).


9. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations
  • Right to restriction (Art. 18): Request restriction of processing in certain circumstances
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used format. Self-service CSV exports are available for leads and chat history.
  • Right to object (Art. 21): Object to processing based on legitimate interests
  • Right to withdraw consent (Art. 7(3)): Withdraw your consent to marketing communications at any time

To exercise any of these rights, contact us at info@chaterimo.com. We will respond within 30 days as required by the GDPR.


10. Data Processing on Behalf of Customers

When our Customers use the Service to deploy chatbots on their websites, we process personal data of the Customers' end-users (chat visitors) on behalf of the Customer. In this relationship:

  • The Customer is the data controller for their end-users' data
  • Chaterimo is the data processor

This processing is governed by our Data Processing Agreement (DPA), which forms part of the Terms of Service. The Customer is responsible for providing appropriate privacy notices to their end-users.


11. Model Context Protocol (MCP) and AI Agent Connectors

Customers can connect Chaterimo to Claude and other MCP-compatible AI agents so that the agent can read (and, when explicitly authorized, update) data inside the Customer's organisation.

11.1. How the connector authenticates

Two connection methods are available:

  • Universal OAuth 2.0 endpoint (recommended, used for Anthropic's directory-listed connector): the Customer signs in with their normal Chaterimo credentials, explicitly consents to the connection on a Chaterimo-hosted authorization screen, and selects a single organisation. The issued access token is scoped to that organisation only and cannot be used to read data from any other organisation, even one owned by the same user.
  • Per-key tokenized URL (legacy): the Customer generates an API key inside Chaterimo and pastes the resulting MCP URL into the agent. The key is scoped to one organisation and can be revoked by the Customer at any time from the API keys dashboard.

11.2. Data that flows through MCP

When the Customer uses an MCP connector, the AI agent (for example Claude, running on Anthropic's infrastructure) initiates requests to Chaterimo and receives responses containing the Customer's organisation data — which may include chatbot configuration, conversation transcripts, product catalog entries, tickets, leads, and sales rules, depending on the tools the Customer invokes. Chaterimo does not send data to the agent proactively; data is only returned in response to a tool call explicitly made by the agent on the Customer's behalf. End-user personal data returned through MCP (for example email addresses in conversations or leads) is redacted using the same PII-stripping logic applied to our Developer API.

11.3. Data that Chaterimo stores about MCP sessions

For each MCP tool call Chaterimo records: the tool name, execution status (success or error), response time, timestamp, the organisation and API key or OAuth user that initiated the call, the authentication mode, the OAuth client identifier (where applicable), the source IP address, and the user-agent string. Tool arguments are stored only as structural metadata (the list of argument names, their data types, and the length of their string representation) — the raw argument values are not retained. Tool response payloads are not retained; only the response size and an error indicator are stored.

11.4. OAuth authentication artefacts

To run the OAuth flow, Chaterimo stores SHA-256 hashes (never the raw values) of short-lived authorization codes (valid for 10 minutes and invalidated on first use) and of refresh tokens (valid for up to 30 days or until the Customer revokes the connection). Access tokens are signed JSON Web Tokens bound to a specific organisation and resource URL; they are not stored server-side and expire one hour after issuance.

11.5. Role of Anthropic and other MCP clients

When the Customer connects Chaterimo to Anthropic's Claude (or another MCP client), the MCP client becomes an additional processor for the Customer's data on the Customer's behalf. Anthropic's own privacy terms and data-handling commitments govern how the client stores and uses the data once it is returned from Chaterimo. The Customer is responsible for choosing which MCP clients to connect and for accepting those clients' terms.

11.6. Limits, retention, and revocation

MCP session records (tool call metadata, as described in 11.3) are retained alongside other service-usage data as described in Section 7. Customers can revoke an MCP connection at any time by deleting the relevant API key or by revoking the OAuth client from the API keys dashboard. MCP requests are rate-limited per organisation to protect platform reliability; the applicable limits are displayed in the API keys dashboard.


12. Cookies and Tracking

The Chaterimo website uses cookies for essential functionality (session management, authentication, language preferences). We do not use third-party advertising or tracking cookies.

The Chaterimo chat widget, when embedded on a Customer's website, uses session storage to maintain chat state. The Customer is responsible for disclosing the widget's data collection in their own cookie/privacy policy.


13. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at info@chaterimo.com and we will delete it promptly.


14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email. The current version is always available on our website.


15. Contact and Complaints

For any questions or concerns about this Privacy Policy or our data processing practices, contact us at:

Email: info@chaterimo.com

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The competent authority for the Czech Republic is:

Office for Personal Data Protection (UOOU)
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
Website: www.uoou.cz

chaterimo logo

Copyright © Chaterimo

about-icon