Privacy Policy
How ChatForge collects, uses, and protects your data.
Last updated: 18 May 2026
1. Who We Are
ChatForge ("we", "us", "our") operates the website chatforge.live and provides an AI chatbot builder platform. We are the data controller for all personal data processed under this policy.
Company: ChatForge
Website: chatforge.live
Contact: connect@chatforge.live
2. What Data We Collect
We collect the following categories of personal data:
2.1 Account & Registration Data
- Name, email address, and password
- Billing information (handled via Stripe — see Section 6)
- Company name and job title (optional)
2.2 Chatbot Configuration Data
- AI agent persona, system prompt, and quick-reply configurations
- Knowledge documents you upload (processed for AI responses)
- Channel credentials you provide (e.g., Telegram bot token, WhatsApp number) — stored encrypted at rest
2.3 Conversation Data
- Messages exchanged between end users and your AI agents
- Message metadata (timestamps, channel, sender identifier)
- AI response logs (the AI's replies to users)
2.4 Lead Capture Data
- Names, email addresses, and other information collected via chatbot lead forms
- Use case descriptions and conversation summaries from lead interactions
2.5 Landing Page & Analytics Data
- Session metadata (browser type, referring URL, pages visited)
- Landing page chatbot interactions and lead capture form submissions
- Cookies as described in Section 8
2.6 API Integration Data
- Credentials for third-party APIs you connect (stored encrypted)
- API call logs (endpoint URL, timestamp, response status)
3. How We Use Your Data
We use your data to:
- Provide and maintain the ChatForge service
- Route messages between users and your AI agents
- Generate AI responses using OpenAI (processed via Polsia proxy)
- Store and display conversation history
- Enable lead capture and CRM integrations
- Process payments via Stripe
- Send transactional emails (account notifications, password resets)
- Detect and prevent abuse or fraud
- Comply with legal obligations
AI agents process conversations in real time to generate responses. Conversations are stored so you can review chat history and improve agent performance.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and service provision | Contract performance (Article 6(1)(b)) |
| Payment processing | Contract performance (Article 6(1)(b)) |
| Sending account and service emails | Legitimate interests (Article 6(1)(f)) — operational communications |
| Marketing emails (with consent) | Consent (Article 6(1)(a)) |
| Fraud prevention and security | Legitimate interests (Article 6(1)(f)) |
| Legal compliance obligations | Legal obligation (Article 6(1)(c)) |
5. Data Retention
We retain personal data for as long as necessary to provide the service and fulfil the purposes described in this policy. Specific retention periods:
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Conversation logs | 12 months from conversation date (configurable by user) |
| Lead capture data | Until deleted by user or account deletion |
| API credentials (encrypted) | Until credentials removed by user |
| Billing records | 7 years (tax compliance requirement) |
| Landing page leads | Until deleted or account closure |
You can request deletion of your data at any time — see Section 10.
6. Third-Party Services
6.1 Twilio (WhatsApp & Voice)
We use Twilio for WhatsApp message delivery and voice calls. Twilio acts as a data processor. Their privacy policy applies to data they hold: twilio.com/legal/privacy.
6.2 Stripe (Payments)
Payments are processed by Stripe. We do not store your card details — Stripe handles this entirely. Their privacy policy: stripe.com/privacy.
6.3 OpenAI (AI Responses)
AI responses are generated using OpenAI models via the Polsia proxy. OpenAI processes conversation data under their data processing terms. Their privacy policy: openai.com/privacy.
6.4 Telegram
Bot tokens and messages are subject to Telegram's privacy policy: telegram.org/privacy.
6.5 Discord, Slack, Email
Credentials for Discord bots, Slack apps, and email channels (via Nodemailer/IMAP) are stored encrypted. Each platform's privacy policy governs their data handling.
6.6 Brevo (Transactional Email)
We use Brevo (formerly Sendinblue) to send transactional and marketing emails. Their privacy policy: brevo.com/legal/privacy.
7. Data Security
We implement the following technical and organisational security measures:
- AES-256-GCM encryption at rest — all stored credentials and sensitive data
- TLS 1.2+ for all data in transit
- Access controls — least-privilege principle for internal systems
- API call audit logs — immutable records of outbound API calls
- Rate limiting — per-endpoint caps to prevent abuse
- SSRF protection — outbound API calls restricted to allowlisted external destinations
No method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to industry-standard practices.
8. Cookies
We use minimal cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| session_id | Authentication session | Session |
| csrf_token | CSRF protection | Session |
Our landing page may use analytics cookies (e.g., Google Analytics or similar) to understand how visitors use our site. You can opt out of analytics cookies by adjusting your browser settings.
We do not use advertising or tracking cookies.
9. International Data Transfers
Data may be transferred to and processed in countries outside your country of residence, including the United States. When we transfer data outside the EEA or UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or equivalent legal mechanisms.
Twilio, OpenAI, and Stripe each maintain their own compliance certifications (ISO 27001, SOC 2, etc.) for data processed outside the EEA.
10. Your Rights Under GDPR / UK GDPR
If you are in the EEA or UK, you have the following rights:
- Access — Request a copy of your personal data (Article 15)
- Rectification — Correct inaccurate data (Article 16)
- Erasure — Request deletion of your data ("right to be forgotten") (Article 17)
- Restriction — Request we restrict processing in certain circumstances (Article 18)
- Portability — Receive your data in a machine-readable format (Article 20)
- Objection — Object to processing based on legitimate interests (Article 21)
- Withdraw consent — Withdraw consent at any time where processing is based on consent
To exercise any of these rights, email connect@chatforge.live. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK or your national DPA in the EEA).
11. Children's Data
ChatForge is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at connect@chatforge.live and we will delete that data.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our website before the change takes effect. We encourage you to review this policy periodically.
The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Contact Us
For any questions about this Privacy Policy, data subject requests, or privacy concerns:
Email: connect@chatforge.live
Website: chatforge.live
For UK users specifically: our data protection practices comply with the UK GDPR. Contact the ICO at ico.org.uk if you have concerns.