Privacy Policy
Last updated: April 7, 2026 · Effective: April 7, 2026
This Privacy Policy explains how Extreme Digital Studio LLP ("Company," "we," "us," or "our") collects, uses, stores, discloses, and protects information about you when you access or use the Chatzo platform at chatzo.nestify.cloud ("Service"). By using the Service, you agree to the collection and use of information as described in this Policy. If you do not agree, please discontinue use of the Service.
1. Data Controller
The data controller responsible for your personal data is Extreme Digital Studio LLP, 22, 14th Street NW, Atlanta, Georgia, USA 30309. For all privacy-related enquiries, requests, or complaints, you may contact us at info@nestify.cloud. We aim to respond to all privacy requests within 30 days of receipt. This Policy applies to all users of the Service, including administrators, paying clients, and any person whose data is processed as a result of using our Service.
2. Information We Collect
2.1 Information You Provide Directly
When you register, use the Service, or contact support, we collect: full name and email address; hashed password or authentication tokens (if using Google Sign-In, we receive a Google-issued token and your profile email); billing and payment information (processed and tokenized by Stripe — we do not store full card numbers or bank account details); business name, address, or other profile information you voluntarily provide; content, documents, files, and any other materials you upload as your Knowledge Base ("User Content"); chatbot configuration settings, instructions, and customizations; and support communications including emails or messages you send to us.
2.2 Information Collected Automatically
When you use the Service, we automatically collect: device and browser information (type, version, operating system); IP address and approximate geographic location derived from IP; session identifiers and login timestamps; pages visited, features used, and navigation patterns within the Service; token consumption and storage usage metrics; chatbot interaction logs (the questions your end-users send to your Chatbots and the AI-generated responses); error logs and technical diagnostics; and referrer URLs indicating how you arrived at the Service.
2.3 Information from Third Parties
If you use Google Sign-In, we receive your name and email address from Google. If you integrate Telegram or WhatsApp messaging, we receive message content and user identifiers from those platforms as necessary to provide the integration. We receive billing and fraud-prevention signals from Stripe.
3. Knowledge Base Content and User-Uploaded Data
The Service is designed to let you upload proprietary documents, text, and other materials to build AI Chatbots. This User Content is among the most sensitive data we handle and is subject to the following practices: (a) User Content is stored on Company-managed servers and within Qdrant, a vector database service, in the form of vector embeddings derived from your documents. (b) User Content is transmitted to OpenAI's API solely for the purpose of generating AI responses and embeddings to power your Chatbots; it is not transmitted to any other third party for independent purposes. (c) Per OpenAI's API usage policies, data submitted via the API is not used to train OpenAI's foundational models; however, the Company cannot make absolute warranties about OpenAI's internal practices beyond what OpenAI publicly discloses. (d) If your User Content contains personal data of third parties (for example, customer records, staff information, or client details), you are the data controller for such third-party personal data, and you are solely responsible for having a lawful basis for processing, for providing appropriate notices, and for complying with all applicable data protection laws. (e) We do not read, analyze, sell, or use your User Content for any purpose other than providing the Service to you. (f) Upon account termination or document deletion, User Content is removed from active storage within 30 days; vector embeddings in Qdrant are deleted when you delete documents or close your account. Backup copies may persist for up to 90 days following deletion for disaster recovery purposes, after which they are permanently destroyed.
4. How We Use Your Information
We use the information we collect for the following purposes: (a) Service provision: to create and manage your account, process your subscription, provide access to Service features, host your Chatbots, and process your Knowledge Base for AI response generation. (b) Billing and payments: to process subscription payments, manage billing disputes, send invoices and payment receipts, and prevent fraud. (c) Communications: to send transactional emails including account confirmations, password resets, billing notifications, renewal reminders, and service alerts. We do not send unsolicited marketing emails; if we add a newsletter, you will be given an explicit opt-in. (d) Service improvement: to analyze aggregate usage patterns, diagnose technical issues, improve AI response quality (using aggregated and anonymized insights, not your specific User Content), and develop new features. (e) Security and compliance: to detect and prevent fraud, unauthorized access, and abuse; to comply with applicable legal obligations; and to enforce our Terms of Service. (f) Legal obligations: to respond to lawful requests from courts, law enforcement, and government authorities, including subpoenas, court orders, and regulatory inquiries. We will notify you of such requests where legally permitted.
5. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions with similar requirements, our legal bases for processing personal data are as follows: (a) Contract performance: processing necessary to provide the Service you have contracted for, including account management, subscription billing, and Knowledge Base processing. (b) Legitimate interests: security monitoring, fraud prevention, service improvement using aggregated analytics, and enforcing our Terms — where our interests are not overridden by your rights. (c) Legal obligation: processing necessary to comply with applicable law, including financial record-keeping and responding to lawful governmental requests. (d) Consent: for any processing not covered by the above (for example, optional marketing communications), where we will seek your explicit consent and you may withdraw it at any time.
6. Third-Party Service Providers
We share your information with third-party service providers ("Processors") only to the extent necessary to operate the Service. These Processors are contractually bound to handle your data only on our instructions and in accordance with applicable data protection laws. Our current Processors include:
OpenAI, L.L.C. (San Francisco, CA, USA) — AI language model processing and TTS audio generation; your User Content and chat messages are transmitted to OpenAI's API for AI response and embedding generation.
Stripe, Inc. (San Francisco, CA, USA) — payment processing and billing management; Stripe handles payment card data and is PCI-DSS Level 1 certified.
Qdrant — vector database service for storing Knowledge Base embeddings.
Google LLC — Google OAuth authentication (if you use Google Sign-In).
Telegram Messenger / Meta Platforms (WhatsApp) — optional messaging integrations when you connect these channels to your Chatbot; message content necessary for the integration is processed by these platforms under their own privacy policies.
Email delivery providers — for transactional email delivery.
We do not sell, rent, or trade your personal data to any third party for that party's independent commercial purposes. If we use additional Processors in the future that materially affect your data, we will update this Policy and notify affected users.
7. Chatbot End-User Data
When you deploy a Chatbot powered by Chatzo on your website or through a messaging platform, visitors or users who interact with that Chatbot ("End-Users") submit messages to the Chatbot. These conversation messages are stored in our database associated with your account for the purpose of providing conversation history, improving Chatbot performance for your configuration, and for your administrative review. You, as the Chatbot owner and operator, are the data controller for your End-Users' personal data, and the Company acts as your data processor in relation to such data. You are responsible for: (a) providing adequate privacy notices to your End-Users about how their messages are processed; (b) ensuring you have a lawful basis for collecting and processing End-User conversation data; (c) responding to any data subject access, deletion, or other requests from your End-Users as required by applicable law. You may request deletion of specific conversation records by contacting info@nestify.cloud. Conversation data is retained for 12 months from the date of the conversation, after which it is automatically deleted unless you request earlier deletion or longer retention is required by law.
8. Data Retention
We retain your personal data for as long as your account is active and for a period thereafter as described below:
Account information (name, email, settings) is retained for the duration of your account and for up to 12 months following account closure, after which it is deleted or anonymized.
Billing records and transaction data are retained for 7 years as required by US federal and Georgia state financial record-keeping requirements.
User Content (uploaded documents and their vector embeddings) is deleted within 30 days of your request or account closure; backup copies are destroyed within 90 days.
Conversation logs are retained for 12 months from the date of the conversation.
Technical logs and security audit trails are retained for 90 days.
Data retained for legal compliance will be kept for as long as legally required.
If you request deletion of your account, we will action your request within 30 days, subject to any legal hold requirements.
9. Data Security
We implement a range of technical and organizational security measures designed to protect your personal data against unauthorized access, accidental loss, destruction, or alteration. These measures include: encrypted data transmission using TLS (HTTPS) for all data in transit; password hashing using industry-standard algorithms (bcrypt); access controls limiting employee access to production data on a need-to-know basis; security headers including Content Security Policy, HSTS, and X-Frame-Options on all Service responses; regular security reviews and dependency updates; Stripe's PCI-DSS compliant environment for payment data (we never store raw card data); and application-level rate limiting and abuse detection. HOWEVER, NO SECURITY MEASURE IS 100% INFALLIBLE. We cannot guarantee absolute security of your data transmitted over the internet or stored in our systems. In the event of a data security incident that affects your personal data, we will notify you as required by applicable law, including within 72 hours for incidents covered by GDPR where technically feasible. If you believe your account has been compromised, contact us immediately at info@nestify.cloud.
10. Cookies and Tracking Technologies
The Service uses cookies and similar technologies for the following purposes: (a) Strictly necessary cookies: session cookies required for authentication and maintaining your logged-in state. These cannot be disabled without preventing the Service from functioning. (b) Functional cookies: cookies that remember your preferences, settings, and configurations. (c) Analytics: we may collect aggregate, anonymized usage analytics to understand how the Service is used and to improve it; where we use third-party analytics tools, they are configured to anonymize IP addresses where possible. We do not use third-party advertising or behavioral tracking cookies. You may control cookie settings through your browser preferences; however, disabling strictly necessary cookies will prevent you from using the Service. By using the Service, you consent to the use of cookies as described in this Policy.
11. International Data Transfers
The Company is based in the United States of America. If you access the Service from outside the USA, your personal data will be transferred to, processed in, and stored in the United States, which may have different data protection standards than your country of residence. For transfers from the EEA or UK, we rely on applicable transfer mechanisms including Standard Contractual Clauses with our Processors where required. By using the Service, you consent to the transfer of your personal data to the USA and acknowledge the associated risks. User Content is processed by OpenAI, which operates in the USA; by uploading User Content, you acknowledge and consent to this cross-border processing.
12. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data: (a) Access: the right to request a copy of the personal data we hold about you. (b) Rectification: the right to have inaccurate personal data corrected. (c) Erasure: the right to request deletion of your personal data, subject to our legal retention obligations. (d) Restriction: the right to request that we restrict processing of your data in certain circumstances. (e) Portability: the right to receive your personal data in a structured, machine-readable format. (f) Objection: the right to object to processing based on legitimate interests. (g) Withdrawal of consent: the right to withdraw any consent previously given, without affecting the lawfulness of prior processing. To exercise any of these rights, contact us at info@nestify.cloud. We will respond within 30 days. We may need to verify your identity before processing your request. Some rights may be limited where processing is necessary for legal compliance or legitimate interests. If you are unsatisfied with our response, you may have the right to lodge a complaint with your local data protection authority.
13. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA provides you with specific rights regarding your personal information. You have the right to: (a) know what categories of personal information we collect, use, disclose, and sell (we do not sell personal information); (b) request deletion of your personal information, subject to certain exceptions; (c) opt out of the sale or sharing of your personal information (we do not sell or share your personal information for cross-context behavioral advertising); (d) non-discrimination for exercising your rights; and (e) correct inaccurate personal information. To exercise California privacy rights, contact us at info@nestify.cloud. We do not sell personal information to third parties and have not sold personal information in the preceding 12 months. We do not use or disclose sensitive personal information for purposes other than providing the Service.
14. Children's Privacy
The Service is intended for business use by adults and is not directed to individuals under the age of 18. We do not knowingly collect personal information from persons under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have collected information from a child under 18, please contact us at info@nestify.cloud.
15. Links to Third-Party Websites
The Service may contain links to third-party websites or services. This Privacy Policy does not apply to those external sites. We are not responsible for the privacy practices or content of any third-party website. We encourage you to review the privacy policies of any third-party sites you visit.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy on this page with a revised "Last updated" date, and where required by law or where changes materially affect your rights, by sending an email notification to your registered email address. We encourage you to review this Policy periodically. Your continued use of the Service following the effective date of any revised Policy constitutes your acceptance of the changes.
17. Contact and Data Requests
For all privacy-related matters, data subject requests, or questions about this Policy:
Extreme Digital Studio LLP · 22, 14th Street NW, Atlanta, Georgia, USA 30309 · info@nestify.cloud