GDPR Compliance
Chateta is committed to protecting your data in accordance with the General Data Protection Regulation (GDPR). Here is how we ensure compliance and safeguard your rights.
Last updated: March 2026
Our Commitment to GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations processing personal data of individuals in the European Economic Area (EEA). At Chateta, we are fully committed to GDPR compliance across our entire platform, including our chat widget, team inbox, AI auto-reply, knowledge base, and WooCommerce integration.
Whether you are a business using Chateta to support your customers, or an end-user interacting with the Chateta widget, we ensure that your personal data is processed lawfully, fairly, and transparently.
Key Definitions
Understanding the following terms is essential to this policy:
- Data Controller: The entity that determines the purposes and means of processing personal data. When you use Chateta to manage customer conversations, you (the account holder) are the data controller for your customers' data.
- Data Processor: The entity that processes personal data on behalf of the controller. Chateta acts as a data processor when handling your customers' conversation data.
- Data Subject: The individual whose personal data is being processed. This includes your customers who interact with the Chateta widget, as well as your team members.
- Personal Data: Any information relating to an identified or identifiable natural person, such as names, email addresses, IP addresses, and conversation content.
- Processing: Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, or erasure.
Lawful Basis for Processing
Under GDPR, all processing of personal data must have a lawful basis. Chateta relies on the following legal bases depending on the context:
- Contractual necessity (Article 6(1)(b)): Processing your account information and usage data is necessary to provide the Chateta service as outlined in our Terms of Service.
- Legitimate interests (Article 6(1)(f)): We process certain data for our legitimate business interests, such as improving our platform, preventing fraud, and ensuring security. We balance these interests against your rights and freedoms.
- Consent (Article 6(1)(a)): Where required, we obtain your explicit consent before processing data, such as for marketing communications or optional analytics. You may withdraw consent at any time.
- Legal obligation (Article 6(1)(c)): We process data where necessary to comply with applicable laws and regulations, such as tax and accounting requirements.
Your Rights Under GDPR
If you are located in the EEA, you have the following rights regarding your personal data. We are committed to honoring these rights promptly and transparently:
Right to Access (Article 15)
You have the right to request a copy of the personal data we hold about you, along with information about how it is being processed. We will provide this information in a commonly used, machine-readable format within 30 days of your request.
Right to Rectification (Article 16)
You have the right to request correction of any inaccurate or incomplete personal data we hold about you. You can update much of your information directly through your Chateta account settings, or contact us for assistance.
Right to Erasure (Article 17)
Under this right, also known as the "right to be forgotten," you may request the deletion of your personal data when it is no longer necessary for the purpose for which it was collected, when you withdraw consent, or when the data has been unlawfully processed. Certain exceptions apply where we are legally required to retain data.
Right to Restrict Processing (Article 18)
You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data, or when you have objected to processing and we are verifying whether our legitimate grounds override yours.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. Chateta provides data export functionality in your account settings to facilitate this right.
Right to Object (Article 21)
You have the right to object to the processing of your personal data for direct marketing purposes at any time. You may also object to processing based on legitimate interests, and we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right Not to Be Subject to Automated Decisions (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. While Chateta uses AI to auto-reply to customer queries, these automated responses are designed to assist -- not replace -- human decision-making, and you can always request human review of any automated interaction.
Data Processing
What We Process
In the course of providing our services, Chateta processes the following categories of personal data:
- Account data: Names, email addresses, company names, and billing information of account holders and team members.
- Conversation data: Messages exchanged between your team and your customers through the Chateta widget, including any personal information shared within those conversations.
- Technical data: IP addresses, browser information, device identifiers, and usage logs.
- Knowledge base data: Articles and content you create in your knowledge base, which may reference customer scenarios.
- Integration data: Order information and customer details exchanged through the WooCommerce integration.
How We Process
All personal data is processed in accordance with the principles set out in Article 5 of the GDPR: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. We only collect data that is necessary for the stated purposes and retain it only as long as required.
Where We Process
Chateta's primary data processing infrastructure is hosted on cloud servers. Where data is transferred outside the EEA, we ensure adequate protections are in place through Standard Contractual Clauses (SCCs) or other approved transfer mechanisms as required by GDPR.
Sub-processors
We use a limited number of sub-processors to help provide our services. Each sub-processor is carefully vetted and contractually bound to comply with data protection obligations. Our current sub-processors include:
- Cloud infrastructure provider: Hosting and storage of application data.
- Payment processor: Processing of subscription payments and billing.
- Email delivery service: Sending transactional and notification emails.
- AI/ML provider: Powering AI auto-reply capabilities with conversation data processed per our data processing agreement.
- Analytics service: Anonymized and aggregated usage analytics to improve the platform.
We will notify customers of any changes to our sub-processors with at least 30 days' advance notice, giving you the opportunity to object if you have concerns about a new sub-processor.
International Data Transfers
When personal data is transferred outside the European Economic Area, we ensure compliance with Chapter V of the GDPR by implementing appropriate safeguards:
- Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses with all sub-processors located outside the EEA.
- Adequacy decisions: Where available, we rely on adequacy decisions issued by the European Commission for transfers to countries with an adequate level of data protection.
- Supplementary measures: Where required, we implement additional technical and organizational measures to ensure data protection standards are maintained.
Data Protection Officer
Chateta has designated a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and compliance with GDPR. The DPO ensures that all data processing activities are conducted in accordance with applicable regulations and serves as the primary point of contact for data protection inquiries.
You can contact our Data Protection Officer at [email protected].
Data Processing Agreement (DPA)
As required by GDPR Article 28, Chateta offers a Data Processing Agreement (DPA) to all customers. The DPA sets out the terms under which we process personal data on your behalf, including:
- The subject matter, duration, nature, and purpose of the processing.
- The types of personal data processed and categories of data subjects.
- Our obligations and your rights as the data controller.
- Security measures we implement to protect personal data.
- Terms for sub-processor engagement and international data transfers.
- Procedures for data subject requests, data breach notification, and audit rights.
To request a copy of our DPA or to execute a DPA with Chateta, please contact us at [email protected].
Data Breach Notification
In the event of a personal data breach, Chateta will comply with the notification requirements set out in Articles 33 and 34 of the GDPR:
- Notification to customers: We will notify affected customers (data controllers) without undue delay and no later than 72 hours after becoming aware of the breach, providing details of the breach, the likely consequences, and the measures taken to address it.
- Supervisory authority notification: Where required, we will assist you in notifying the relevant supervisory authority within the 72-hour timeframe.
- Data subject notification: If the breach is likely to result in a high risk to the rights and freedoms of data subjects, we will assist you in notifying affected individuals as required.
- Documentation: We maintain records of all data breaches, including the facts, effects, and remedial actions taken, regardless of whether they meet the reporting threshold.
Contact Us
If you have any questions about our GDPR compliance, want to exercise your data protection rights, or need to request a Data Processing Agreement, please contact us:
- Data Protection Officer: [email protected]
- General support: [email protected]
- Website: chateta.com
We aim to respond to all data protection inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.