Privacy Policy
Last updated: 6 May 2026
This Privacy Policy explains how KVA di Andreas Zanin (P.IVA 01199720077) ("we", "us", "our") collects, uses, and protects personal data through the Simple Chat service at getsimplechat.com ("Service").
We are the Data Controller for personal data collected from Customers (account holders) and a Data Processor for personal data of Visitors (people interacting with chatbots on Customer websites). The relationship between Customer and visitors is governed by the Customer's own privacy policy.
1. Data we collect from Customers
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Account | Email, name, hashed password or OAuth identifier | Provide the Service, account security | Contract (Art. 6.1.b GDPR) |
| Billing | Country, fiscal type, address, VAT/fiscal code, payment processor customer ID | Process payments, issue invoices | Legal obligation (Art. 6.1.c) |
| Bot configuration | System prompts, knowledge base content, design settings | Operate your chatbots | Contract |
| Usage data | API call logs, credit transactions, login history | Operate & secure the Service, billing | Contract / Legitimate interest (Art. 6.1.f) |
| Security data | Hashed IP, hashed user agent, audit log entries | Fraud prevention, abuse detection | Legitimate interest |
| Communications | Support emails, contact form submissions | Respond to inquiries | Contract / Legitimate interest |
2. Data we process from Visitors (on behalf of Customers)
When a visitor interacts with a chatbot — whether embedded on a Customer site or accessed through a Customer-activated public Share Link at https://getsimplechat.com/chat/{token} — we process:
- conversation messages (text, optional images);
- visitor IP address (hashed with a salted SHA-256 — we never store the raw IP);
- visitor country (from IP geolocation, before hashing);
- browser language and user agent;
- page URL where the chat started;
- lead-capture form data (name, email, phone, optional fields), if used.
This processing is necessary to deliver the bot service requested by the Customer. We act as Processor; the Customer (the website operator) is the Controller.
Source of data (Art. 14 GDPR): Visitor data is collected directly from the visitor through their interaction with the chatbot. In limited cases, the Customer may upload lead-capture or chat-history data via our API or import tools — in such cases the source of the data is the Customer, who has independently obtained the data from the data subject and is responsible for the lawfulness of that collection.
3. Cookies and similar technologies
See our Cookie Policy for details. In short:
- The Simple Chat dashboard uses a strictly necessary session cookie (`simplechat_session`).
- Marketing pages may load analytics and conversion-measurement scripts only after explicit consent.
- The embedded chat widget does not set any cookies of its own. When the bot's owner enables the "visitor memory" feature, the widget stores a random session identifier in the browser's `localStorage` (key `simplechat_session_<botId>`) so the conversation can be resumed on return visits. The visitor can clear it at any time through their browser's site-data controls. Third-party challenges loaded inside the widget (such as the anti-spam CAPTCHA) may set their own cookies — see the Cookie Policy.
4. Where we host your data
The Service is hosted in the European Union. To deliver the platform we engage sub-processors for the following categories of service:
- AI inference — generating chatbot responses (USA, with Standard Contractual Clauses; the provider does not train models on your data when accessed via API).
- Authentication — identity verification and account login (USA, with Standard Contractual Clauses).
- Payment processing — subscription billing, tax, refunds (EU/USA).
- Transactional email — account, billing, security notifications (USA).
- CDN & CAPTCHA — DDoS protection and anti-bot (USA, with Standard Contractual Clauses).
- Error tracking — production-only crash reports (USA, with Standard Contractual Clauses).
- Application hosting — primary servers and database (EU).
- Electronic invoicing — Italian fiscal invoices (EU).
The current named list of sub-processors is available on request to [email protected]. We notify Customers of material changes at least 30 days in advance.
5. Retention
| Data | Retention |
|---|---|
| Customer account data | Until account deletion + 30 days |
| Invoicing data (invoices, payment receipts) | 7 years (Italian fiscal requirement, DPR 633/72) |
| Subscription events (Stripe webhook history) | 2 years (dispute / chargeback window) |
| Visitor conversations | Until the Customer deletes them from the dashboard, or until the Customer's account is closed (+30 days). The Customer can also clear individual conversations or the full history at any time. |
| Lead data | Until the Customer deletes them or the account closes (+30 days) |
| AI call logs (per-message technical log) | 90 days |
| Email send log | 1 year |
| Audit log (administrative actions) | 1 year |
| Admin impersonation sessions | 2 years |
| Hashed IPs | Same as the parent record (we never store raw IP) |
6. Your rights (GDPR)
If you are in the EU/EEA you have the right to:
- Access your data (export from dashboard or by emailing us);
- Rectify inaccurate data (edit profile or contact us);
- Erasure ("right to be forgotten") — delete your account from the dashboard;
- Portability — download all your data as a ZIP from the dashboard;
- Object to processing based on legitimate interest;
- Restrict processing in certain situations;
- Withdraw consent for marketing emails any time (link in every email);
- Lodge a complaint with the Italian Garante per la protezione dei dati personali (www.garanteprivacy.it) or your local Data Protection Authority.
Visitors can exercise their rights through the Customer (the website operator). They can also write to [email protected] and we will forward the request to the relevant Customer.
7. Automated decision-making (Art. 22 GDPR)
The Service uses third-party large language models to generate chatbot replies. These responses are produced automatically based on inputs provided by the Customer (system prompt, knowledge base) and the visitor's messages. They are informational and do not produce legal effects on the data subject, nor decisions that significantly affect the data subject in a similar way. The chatbot does not perform credit scoring, profiling for hiring, eligibility assessment, or any equivalent automated decision under the meaning of Art. 22(1) GDPR. Customers who deploy chatbots in regulated contexts (medical, legal, financial advice) are responsible for adding appropriate disclaimers and human-review escalation paths, as required by Section 7 of our Terms.
8. Security
Passwords are managed entirely by our authentication provider (Firebase Auth). Plaintext passwords never reach our infrastructure; the provider applies industry-standard hashing internally. For our own infrastructure we follow industry best practices: TLS in transit, encryption at rest where supported by the underlying database, prepared statements for all queries, hashed IPs (salted SHA-256, never the raw value), API keys stored as one-way hashes, rate limiting and CAPTCHA on authentication endpoints, and an audit log of every administrative action. We patch known vulnerabilities within 7 days of disclosure.
9. Children
The Service is not intended for children under 16. If we learn we have collected data from a child under 16 without parental consent, we will delete it.
10. Data Protection Officer
We have not appointed a Data Protection Officer (DPO) under Art. 37 GDPR. Our core activity is providing chatbot infrastructure to Customers; the per-Customer scale of visitor conversations is generally below the thresholds that the European Data Protection Board considers "large scale" for systematic monitoring (EDPB Guidelines 4/2017), and we do not deliberately collect special categories of data within the meaning of Art. 9 GDPR. We will reassess this position if our processing scale changes materially. For all data-protection matters, please write to [email protected]; we will respond within the timelines set by Art. 12.3 GDPR (one month, extendable by two further months for complex requests).
11. Changes to this policy
We will notify Customers of material changes by email at least 30 days in advance.
12. Contact
Privacy questions: [email protected]
Security issues: [email protected]
Postal contact via the company registry record at REA AL-266378.
KVA di Andreas Zanin · P.IVA 01199720077 · Italy