Privacy Policy
OyeChats Privacy Policy, how we collect, use, store, share, and protect your data.
Introduction
OyeChats ("OyeChats," "we," "us," or "our") operates the OyeChats platform, including our website at oyechats.com, the customer dashboard at app.oyechats.com, our REST and WebSocket APIs, and the embeddable chat widget our customers deploy on their own websites (collectively, the "Service").
This Privacy Policy describes how we collect, use, store, share, and protect personal information when you interact with the Service, whether you are a customer who has signed up for an OyeChats account, an end user ("Visitor") chatting with a bot on a customer's website, or simply browsing oyechats.com. By using the Service, you agree to the practices described here.
Our Role: Controller vs. Processor
Privacy law distinguishes between data "controllers" (who decide why and how data is processed) and "processors" (who handle data on a controller's instructions). Our role differs depending on whose data is involved:
- Customer data: Where you have signed up for an OyeChats account, we act as the controller of the data we collect from you to operate, bill for, and improve the Service.
- Visitor data: Where a Visitor interacts with a bot on a customer's website, our customer is the controller of that conversation data and we act as a processor on their behalf, governed by the Data Processing Addendum incorporated into our Terms of Service.
If you are a Visitor with questions about how a specific customer uses your data, please contact that customer directly. We will assist with verified requests forwarded by the controller.
Information We Collect
We collect the following categories of information:
- Account data: Name, work email address, organization name, hashed password, account role, and optionally a website URL when you register or invite team members.
- Bot configuration: Bot name, system prompt, appearance settings, business hours, and the knowledge base content (documents you upload or URLs you ask us to crawl).
- Conversation data: Chat messages between Visitors and the bot or live operators, timestamps, lead-capture form submissions (name, email, phone, company), and qualification signals derived from the conversation.
- Visitor metadata: Truncated IP address, browser and device type, approximate geographic location (country/region), page URL the widget loaded on, referrer, and UTM campaign parameters.
- Operator data: For customers using live chat, the names, emails, roles, and activity logs of human operators assigned to handle visitor conversations.
- Usage and diagnostic data: Feature usage counters, API request volumes, error stack traces, performance metrics, and audit logs of administrative actions.
- Billing data: Plan tier, billing cycle, invoice history, and the last four digits and brand of the payment instrument. Full card numbers and bank account details are processed and stored by our payment providers (Stripe and Razorpay) and never reach our servers.
- Communications: Contents of emails or support tickets you send us.
How We Use Your Information
We use the information described above for the following purposes:
- Provide, maintain, and operate the Service, including running the retrieval-augmented generation pipeline that answers Visitor questions from your knowledge base.
- Authenticate users, enforce plan limits, and prevent abuse.
- Generate lead-qualification signals (for example, BANT or MEDDIC scoring) and surface those signals to the customer who owns the conversation.
- Send transactional emails such as account verification, password resets, billing notifications, and webhook failure alerts.
- Process payments, issue invoices, and meet tax and accounting obligations.
- Monitor platform health, debug errors, and investigate security incidents.
- Improve the Service through aggregated, anonymized analytics. We do not use Customer or Visitor conversation content to train large language models, ours or any third party's.
- Comply with applicable law and respond to lawful requests from public authorities.
Legal Bases for Processing (EEA / UK)
If you are in the European Economic Area or United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:
- Performance of a contract: to deliver the Service you have signed up for.
- Legitimate interests: to secure the Service, prevent abuse, debug errors, and conduct aggregated analytics, balanced against your rights and freedoms.
- Consent: where required (for example, non-essential cookies on our marketing site). You may withdraw consent at any time.
- Legal obligation: to retain billing records, respond to lawful authority requests, and meet tax requirements.
Sub-processors and Data Sharing
We do not sell your personal information. We share data only with the sub-processors and partners we engage to deliver the Service, each under written agreements that require equivalent protections. Categories of sub-processors include cloud infrastructure and hosting, AI model providers, transactional email delivery, payment processors, and observability tooling.
The current, itemized list, including each provider's name, purpose, and location, is maintained on our Subprocessors List page.
We may add or change sub-processors from time to time. Material changes affecting how Customer data is handled will be communicated via email or in-product notice with at least 30 days' advance notice where reasonably possible. We may also disclose information when required by law, to protect the rights, property, or safety of OyeChats, our customers, or others, or in connection with a corporate transaction such as a merger or acquisition, in which case we will notify affected customers.
International Data Transfers
OyeChats is operated from India and uses sub-processors located in India, the United States, the European Union, and other jurisdictions. Where personal data is transferred out of the EEA, UK, or India, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent mechanisms permitted under the Digital Personal Data Protection Act, 2023. A copy of the relevant transfer mechanism is available on request.
Data Retention
We retain personal information only as long as needed for the purposes described in this policy:
- Account data: Retained for the life of the account and deleted (or anonymized) within 30 days of account closure, except where longer retention is required by law.
- Conversation history: Retained according to your plan, 7 days on Free, 30 days on Starter, 90 days on Standard, and unlimited on Enterprise, unless a shorter custom retention period is configured in your dashboard settings.
- Knowledge base content: Retained until you delete it or close your account.
- Diagnostic and error logs: Retained for up to 90 days.
- Audit logs of administrative actions: Retained for up to 12 months.
- Billing records and invoices: Retained for the period required under applicable tax and accounting law, typically 7 years.
- Backups: Encrypted database backups are retained for up to 30 days before automatic rotation.
You may request earlier deletion of Visitor or account data by writing to support@oyechats.com. Requests will be honored within 30 days unless a legal hold applies.
Security
We apply technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (TLS 1.3 for all API and widget traffic), encryption at rest for primary databases and object storage, role-based access controls on production systems, audit logging of administrative actions, and dedicated environments for production and non-production workloads. Production access is restricted to a small number of authorized personnel under multi-factor authentication.
No system can be guaranteed perfectly secure. If you discover a vulnerability, please report it to support@oyechats.com under our responsible disclosure policy.
Data Breach Notification
If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify our customers without undue delay and, where required, the relevant supervisory authority within 72 hours of becoming aware. Customers are responsible for notifying their own Visitors and any applicable regulators in respect of Visitor data, with our reasonable assistance.
Your Rights
Depending on where you live, you have rights over your personal information. We honor verified requests regardless of residency wherever practical.
If you are in the EEA, UK, or Switzerland (GDPR / UK GDPR): the rights to access, rectification, erasure, restriction of processing, data portability, and objection; the right not to be subject to solely automated decision-making with significant effects; and the right to lodge a complaint with your local supervisory authority.
If you are a California resident (CCPA / CPRA): the rights to know what we collect, to delete personal information, to correct inaccurate information, to opt out of any sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising), and to limit the use of sensitive personal information.
If you are in India (DPDP Act, 2023): the rights to obtain a summary of personal data processed, to correction and erasure, to nominate another individual to exercise your rights in case of incapacity, and to grievance redressal.
To exercise any of these rights, write to support@oyechats.com from the email associated with your account, or use the self-service deletion controls in your dashboard.
Children's Privacy
OyeChats is intended for use by businesses and is not directed to children. We do not knowingly collect personal information from children under the age of 16 (or under 18 where required by local law, including India under the DPDP Act). If you believe a child has provided us personal information, please contact us and we will delete it.
Automated Decision-Making
OyeChats generates qualification signals (such as BANT or MEDDIC scoring) and conversation summaries using large language models. These outputs are decision-support information for the customer who owns the conversation; they do not by themselves produce legal or similarly significant effects on a Visitor. Customers remain responsible for any subsequent decisions they take based on these signals.
Third-Party Links
Our website and the chat widget may contain links to third-party sites or content provided by our customers. We are not responsible for the privacy practices of those third parties. You should review their privacy policies independently.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. The "Last updated" date at the top of this page indicates when it was last revised. Material changes will be communicated via email to account administrators or via in-product notice at least 30 days in advance where reasonably possible.
Contact Us
For privacy questions, requests, or complaints, please contact:
- Privacy: support@oyechats.com
- Security: support@oyechats.com
- General: support@oyechats.com
If you are in the EEA or UK and we do not resolve your concern, you may lodge a complaint with your local data protection authority. If you are in India, you may approach the Data Protection Board of India after first writing to our grievance address above.
