Privacy Policy
Last updated: 2026-05-22
This policy explains how Astroworld Chat handles personal data. It covers the business customers who use the dashboard and the website visitors who chat with a customer's bot.
Controller and processor
For visitor conversations, the business customer is the data controller and Astroworld is the data processor. We process that data only on the customer's instructions. A Data Processing Agreement is available at /dpa.
Data we collect
- Account data: name, email, company name, and billing identifiers from Stripe.
- Bot configuration and knowledge base: the content a business uploads for its bot.
- Visitor conversations: the messages a visitor sends and the bot's replies, plus a random visitor identifier stored in the visitor's browser.
- Technical data: standard server logs needed to run and secure the service.
How we use data
We use data to provide the chat service: answering visitor questions from the business knowledge base, showing analytics to the business, processing subscriptions, and sending service email. We do not sell personal data and we do not use visitor conversations to train our own models.
Sub-processors
We use these third parties to run the service:
| Provider | Purpose | Location |
|---|---|---|
| Anthropic | AI model that generates chatbot answers | United States |
| Hetzner Online GmbH | Primary application and database hosting | Germany (EU) |
| Strato AG | Secondary hosting and backups | Germany (EU) |
| Stripe | Subscription billing and payment processing | United States / EU |
| Resend | Transactional email delivery | United States / EU |
Where data is hosted
All application and database data is hosted in the European Union (Germany), on Hetzner and Strato infrastructure. Some sub-processors (Anthropic, Stripe, Resend) may process limited data outside the EU under appropriate safeguards.
Data retention
Account and bot configuration data is kept while the account is active. Visitor conversations are retained for a configurable period and then deleted. When a business deletes its account, all associated data is removed.
Security
All traffic is encrypted in transit with TLS (HTTPS, 256-bit encryption). Access to production systems is restricted and key-based. Payments are handled by Stripe, which is PCI DSS compliant; we never receive or store card numbers.
Your rights
Businesses can exercise GDPR rights directly from the dashboard:
- Access and portability: export all your data as JSON from the dashboard.
- Erasure: delete your account and all associated data from the dashboard.
- Rectification, restriction, objection: contact us and we will act on your request.
Visitors who want their conversation data removed should contact the business they chatted with (the data controller); we will assist that business with the request.
Cookies and widget storage
The chat widget stores a random visitor identifier in the visitor's browser so a conversation can continue across visits and returning visitors can be recognized. The widget can be configured to disable visitor tracking until a business has collected the consent it requires. The dashboard uses a single session cookie to keep you logged in.
Contact
Questions about privacy or data requests: [email protected].