Privacy Policy
1. Controller
Carmine Paolino
Brunnenstr. 169
10119 Berlin
Germany
Email: support@chatwithwork.com
2. What data we process
- Account data: email address, password (hashed), account settings.
- Waitlist data: email address (via getwaitlist.com).
- Google Drive connection: OAuth tokens (encrypted using Active Record Encryption), file metadata, and file contents needed to answer chats.
- Service data: chat messages and history, credits/plan usage, support tickets, and documents processed for chat (docs, sheets, slides, PDFs, audio, images; including OCR or transcription outputs).
- Payment data (when billing is enabled): billing details and payment method tokens handled by Stripe.
- Technical data: IP address, user agent, request and error logs, uptime monitoring data.
3. Purposes and legal bases
- Provide the service, including Drive search/read and chat responses (contract Art. 6(1)(b) GDPR).
- Security, operations, and self-hosted analytics/support (legitimate interests Art. 6(1)(f)).
- Waitlist communications (consent Art. 6(1)(a)).
- Billing and compliance when applicable (legal obligation Art. 6(1)(c)).
4. Cookies and tracking
We use essential session/auth cookies only. No tracking or marketing cookies are set. Plausible is self-hosted and cookieless.
5. Processors and hosting
- Google Vertex AI (Gemini) in europe-west1 for LLM responses, OCR, and transcription of chat content and relevant documents.
- Hetzner (Germany for the app; Finland for analytics/support infrastructure).
- Stripe (future billing; may apply 3DS and Radar fraud checks by default).
- getwaitlist.com for waitlist signups (email only).
- Self-hosted Plausible, Chatwoot, Uptime Kuma, Seq, Grafana on EU infrastructure for analytics/support/monitoring; no third-party access.
- Backups stored on a self-hosted service in Germany.
6. Data sharing and model use
We share data only with the processors above. Chat content and necessary document snippets may be sent to Google Vertex AI to generate responses. We do not use your data to train models. Support may review chats flagged by users or requiring attention.
7. Retention
- Account and chats: kept until you delete them.
- Google Drive derived documents: retained for 30 days from last access.
- Logs: retained for 30 days.
- OAuth tokens: deleted when the account is deleted.
- Waitlist email: kept until you unsubscribe or ask us to delete it.
- Backups: follow our retention schedule; deleted data may remain until backups expire.
8. Your rights
You have the rights of access, rectification, erasure, restriction, objection, and data portability, and the right to withdraw consent. Contact hello@chatwithwork.com to exercise them.
9. Security
We use HTTPS, encryption at rest, access controls, audit logging, least privilege, and encrypted storage for OAuth tokens.
10. International data transfers
Google Vertex AI in europe-west1 and Stripe may involve transfers outside the EU/EEA; we rely on appropriate safeguards such as standard contractual clauses. Other processing occurs on EU infrastructure.
11. Children
The service is not intended for children under 16. Please do not sign up if you are under 16.
12. Changes
We may update this policy and will post the updated version here with a new effective date.
13. Contact
Email: support@chatwithwork.com