GDPR Compliance

Last Updated: December 5, 2024

At ChatDropAI, we are committed to protecting the privacy and personal data of our users, especially those located in the European Union (EU) and European Economic Area (EEA). This page outlines how we handle your data in accordance with the General Data Protection Regulation (GDPR).

For comprehensive information about our privacy practices, please also see our Privacy Policy.

Data Controller Information

The data controller responsible for your personal data is:

ChatDropAI

Email: ezrawork20@gmail.com

As the data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring compliance with GDPR.

What Personal Data We Collect

We collect and process the following categories of personal data:

  • Identity Data: Name, username, and account credentials
  • Contact Data: Email address and communication preferences
  • Financial Data: Payment information (processed by Stripe, not stored by us)
  • Content Data: Documents you upload, chatbot configurations, conversations, and AI-generated responses
  • Technical Data: IP address, browser type, device information, and usage logs
  • Usage Data: Information about how you interact with our services

Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

  • Contractual Necessity (Article 6(1)(b)): Processing is necessary to perform our contract with you and provide our chatbot services as outlined in our Terms of Service.
  • Consent (Article 6(1)(a)): You have given explicit consent for specific processing activities, such as receiving marketing emails. You can withdraw consent at any time.
  • Legitimate Interests (Article 6(1)(f)): Processing is necessary for our legitimate business interests, such as:
    • Improving our services and user experience
    • Detecting and preventing fraud and security threats
    • Conducting analytics to understand service usage
    • Ensuring network and information security

    We have conducted legitimate interest assessments to ensure these interests do not override your fundamental rights and freedoms.

  • Legal Obligation (Article 6(1)(c)): Processing is necessary to comply with our legal obligations, such as tax regulations and responding to lawful requests.

How Your Data is Used

Your data is used solely to power your custom chatbot and provide our services. Specifically:

  • To create and manage your account
  • To process your uploaded documents and generate chatbot responses
  • To provide customer support and respond to your inquiries
  • To process payments and send billing information
  • To improve our services and develop new features
  • To ensure security and prevent fraudulent activity
  • To send you service-related communications (with your consent for marketing)

Important: Your data is never used to train shared AI models and is not shared with other users or third parties except as described in our data sharing section below.

Data Encryption and Security

We implement robust technical and organizational measures to protect your personal data:

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS protocols (minimum TLS 1.2).
  • Encryption at Rest: Your data stored on our servers is encrypted using AES-256 symmetric encryption.
  • Access Controls: We implement strict role-based access controls. Only authorized personnel with a legitimate need can access personal data.
  • Authentication Security: Multi-factor authentication is enforced for administrative access to systems containing personal data.
  • Regular Security Audits: We conduct regular security assessments and vulnerability testing.
  • Data Minimization: We only collect and retain data necessary for our stated purposes.

Third-Party Service Providers (Data Processors)

To deliver and operate our service, we rely on trusted third-party providers who process data on our behalf as data processors under GDPR Article 28. We have entered into data processing agreements with all processors to ensure GDPR compliance:

OpenAI

Purpose: AI model processing for chatbot responses

Data Processed: Your prompts and uploaded content

Privacy Commitment: OpenAI does not use data submitted via their API to train their models. Data is processed in accordance with their API Data Usage Policies.

Anthropic (Claude)

Purpose: Alternative AI model for certain features

Data Processed: Your prompts and content for AI processing

Privacy Commitment: Anthropic does not train on data submitted via their Commercial API.

Stripe

Purpose: Payment processing and billing management

Data Processed: Payment information, billing details, transaction history

Privacy Commitment: Stripe is PCI DSS Level 1 certified. Payment card details are handled directly by Stripe and not stored on our servers.

Neon

Purpose: Serverless PostgreSQL database hosting and storage

Data Processed: Account data, uploaded documents, chatbot configurations, conversation history, and all application data

Privacy Commitment: Neon is GDPR-compliant with SOC 2, ISO 27001, and ISO 27701 certifications. All data is encrypted at rest using AES-256 and in transit using TLS. Neon acts as a subprocessor and has Data Processing Agreements in place with Standard Contractual Clauses for international transfers.

All of these providers are GDPR-compliant and operate under data processing agreements that ensure:

  • They only process data on our documented instructions
  • They implement appropriate security measures
  • They assist us with data subject rights requests
  • They delete or return data when our agreement ends

International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where some of our service providers operate.

When we transfer personal data outside the EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses for transfers to countries without adequacy decisions.
  • Adequacy Decisions: Where available, we rely on EU Commission adequacy decisions recognizing certain countries as providing adequate data protection.
  • Additional Safeguards: We implement supplementary measures as required by the Schrems II decision, including encryption, access controls, and contractual commitments from data processors.

You can request copies of the safeguards we have in place by contacting us at ezrawork20@gmail.com.

Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

1. Right of Access (Article 15)

You have the right to request confirmation of whether we process your personal data and, if so, to access that data and information about how it is processed.

2. Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data we hold about you.

3. Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or if you withdraw consent.

4. Right to Restriction of Processing (Article 18)

You have the right to request that we restrict processing of your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.

5. Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

6. Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we demonstrate compelling legitimate grounds.

7. Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects. We do not engage in such automated decision-making.

8. Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. This will not affect the lawfulness of processing based on consent before withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at ezrawork20@gmail.com with "GDPR Rights Request" in the subject line.

We will respond to your request without undue delay and within one month of receipt. This period may be extended by two months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request.

Data Retention and Deletion

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy and our Privacy Policy, unless a longer retention period is required or permitted by law.

Retention Periods

  • Active Account Data: Retained while your account is active and you continue using our services.
  • Billing Records: Retained for 7 years to comply with tax and accounting regulations.
  • Support Communications: Retained for 3 years for quality assurance and legal purposes.
  • Security Logs: Retained for 1 year for security and fraud prevention purposes.

Account Deletion Process

When you delete your account or request data deletion:

  1. You can delete your chatbots and documents at any time through your dashboard.
  2. If you delete your account, all personal data will be deleted within 30 days.
  3. Deleted data may persist in backup systems for up to 90 days before permanent removal.
  4. Some data may be retained longer if required by law (e.g., financial records for tax purposes) or to protect our legal interests (e.g., in case of ongoing disputes).

Automated Decision-Making and Profiling

We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significantly affects you, as defined under GDPR Article 22.

Our AI services are used solely to generate chatbot responses based on your uploaded content and user queries. These AI-generated responses do not make automated decisions about you as an individual.

Cookies and Tracking

We use cookies and similar technologies for authentication, security, and to improve user experience. Our use of cookies complies with the ePrivacy Directive (Cookie Law).

  • Strictly Necessary Cookies: Required for authentication and security. These do not require consent under GDPR.
  • Functional Cookies: Remember your preferences and settings. We obtain consent before setting these cookies.
  • Analytics Cookies: Help us understand service usage (if used). We obtain consent before setting these cookies.

You can manage your cookie preferences through our cookie consent banner (for EU visitors) or through your browser settings. For more information, see our Cookie Policy.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33).
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (as required by GDPR Article 34).
  • Document all data breaches, including facts, effects, and remedial actions taken.

Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local data protection authority (supervisory authority).

You can find your local data protection authority in the EDPB Member List.

However, we encourage you to contact us first at ezrawork20@gmail.com so we can try to resolve your concerns directly.

Updates to This Policy

We may update this GDPR compliance page from time to time. We will notify you of any material changes by:

  • Updating the "Last Updated" date at the top of this page
  • Sending you an email notification (if you have provided your email address)
  • Displaying a prominent notice on our website

Contact Us

For any GDPR-related questions, requests, or concerns, please contact us:

Email: ezrawork20@gmail.com

Subject Line: GDPR Inquiry

We will respond to your request within 30 days of receipt, in accordance with GDPR requirements.

Related Documents