Privacy Policy
This English translation is provided for convenience. In case of any discrepancy, the Spanish version prevails.
Last updated: 2026-06-24.
This Privacy Policy describes how ChatMe OÜ (hereinafter "ChatME", "we" or "our") processes the personal data you entrust to us when you use our AI chatbot platform at app.chatme.es or when you interact with a chatbot that one of our customers has embedded on their website.
1. Identity of the data controller
| Legal name | ChatMe OÜ |
| Commercial register | 17391989 (Estonia) |
| Tax ID / VAT | EE102933761 |
| Registered office | Järvevana tee 9, Tallinn, 11314, Estonia |
| Email for privacy matters | privacy@chatme.es |
| Supervisory authority | AKI (Andmekaitse Inspektsioon, Estonia) as lead authority; AEPD for residents of Spain |
2. Are you a customer or a visitor?
This policy covers two distinct relationships:
A. If you have a ChatME account (you are a "customer" or "owner") ChatMe OÜ is the data controller for your account data (email, name, billing details, etc.).
B. If you have chatted with a chatbot created by one of our customers (you are a "visitor") Our customer is the data controller for your conversation data. ChatME acts as a data processor on their behalf, under the documented instructions in our Data Processing Agreement (DPA) with the customer.
If you have interacted with a chatbot and want to exercise your rights (access, erasure, portability), you should first contact the customer whose chatbot you used. If you receive no response or do not know who they are, write to us at privacy@chatme.es and we will help you locate them.
3. What data we process and why
3.1 Customers (holders of accounts at app.chatme.es)
| Data | Purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Identification, login, transactional communications | Performance of a contract | Account lifetime + 30 days | |
| Password (hashed) | Authentication | Performance of a contract | Account lifetime + 30 days |
| Full name | Personalization + customer support | Performance of a contract | Account lifetime + 30 days |
| Business name | Context in the dashboard + emails | Performance of a contract | Account lifetime + 30 days |
| Preferred language | Dashboard personalization | Performance of a contract | Account lifetime |
| Plan + subscription status | Billing + service management | Performance of a contract | Account lifetime + 30 days |
| Stripe customer / subscription (ID) | Payment processing | Performance of a contract | Account lifetime |
| Billing details (address, tax ID) | Tax obligations | Legal obligation | 10 years (tax legislation) |
| Browser IP address (access logs) | Security + abuse prevention | Legitimate interest | 30 days |
3.2 Visitors (end users of the widget)
We process the following data on behalf of our customer (the chatbot's owner), not as a controller:
| Data | Purpose | Retention (default, configurable by the customer) |
|---|---|---|
| Conversation messages | Generating responses using AI | 90 days |
| Form data (name, email, phone, etc.) | Enabling the customer to contact you | 365 days |
| Session ID (random) | Conversation continuity | 90 days (together with the conversation) |
| Device type, referrer | Basic analytics for the customer | 90 days |
| Clicks on links within the chat | Engagement metrics | 180 days |
| IP address (access logs) | Security + abuse prevention | 30 days |
The chatbot may operate on the Customer's website (widget), on their direct-link page, or on the messaging channels the Customer connects (Instagram and WhatsApp). On those channels, messages additionally pass through Meta's API (see sub-processors, section 5); all other processing is identical.
ChatME never uses this data to train AI models, nor does it share it with third parties beyond the sub-processors listed in section 5.
3.3 Google data you connect (Google Calendar)
If you are a customer and connect your Google Calendar account to your chatbot (an optional appointment-booking feature), we process the following Google data under your explicit authorization and solely so that your chatbot can manage your appointments. You connect and disconnect the calendar yourself from your dashboard.
| Google data / scope | Purpose | How we use it |
|---|---|---|
Availability (busy/free slots) of your primary calendar — calendar.freebusy scope |
Checking whether the requested time is free before booking, to avoid double bookings | We only read busy/free ranges; never the titles, descriptions, attendees or content of your events |
Creating events in your primary calendar — calendar.events scope |
Creating the appointment event when a visitor confirms a date and time in the chat | We only create new appointment events; we do not read, modify or delete your existing events |
- Google access tokens are stored encrypted (AES-256-GCM) and are used exclusively on the server for the two operations above.
- You can disconnect Google Calendar at any time from your dashboard (
app.chatme.es/dashboard/citas); when you do, we delete the stored tokens. - We do not sell this data, do not use it for advertising, and do not use it to train AI models.
Limited Use (Google API Services User Data Policy). ChatME's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
4. Browser storage (cookies and similar technologies)
When you interact with a chatbot, we store the following in your browser's sessionStorage (these are not cookies and are not sent to the server):
cbp_session_<id>— a random identifier to keep the conversation alivecbp_history_<id>— the history of the ongoing conversation (deleted when you close the tab)cbp_csat_<id>— a flag to avoid asking you for a rating twicecbp_storage_consent_<id>— remembers that you accepted the widget's storage notice
We do not use tracking, analytics or advertising cookies. We do not share information with social networks, Google Analytics, or similar services.
The full details of cookies and browser storage (public website, dashboard and widget) are set out in our Cookie Policy.
5. Who else processes your data (sub-processors)
The full, up-to-date list is available at: /legal/en/subprocessors.
Summary:
- Supabase (Ireland, EU) — database, authentication
- Anthropic (USA, SCCs) — AI model inference
- OpenAI (USA, SCCs) — embeddings for knowledge-base search
- Resend (USA, SCCs) — email delivery
- Stripe (Ireland, EU) — billing and subscriptions
- Vercel (EU for execution, USA for logs, SCCs) — hosting
- Google (USA, SCCs) — Google Calendar, only if the customer connects it for bookings (under their authorization; see §3.3)
- Meta Platforms (USA, SCCs) — Instagram and WhatsApp messaging, only if the customer connects those channels
- Plausible Analytics (Germany, EU) — cookieless web analytics for our public website chatme.es; it collects no personal data and uses no persistent identifiers (see Cookie Policy §3.1)
- Google Analytics 4 / Google Ads (USA, SCCs) — analytics and advertising measurement for the public website chatme.es; they are only activated with your consent via the cookie banner (see Cookie Policy §3.1)
- Rewardful (USA, SCCs) — tracking and attribution for our affiliate program on chatme.es; it sets a first-party cookie containing a random referral identifier (no personal data) to credit sign-ups that arrive through an affiliate (see Cookie Policy §3.1)
All transfers outside the EEA are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
6. Your rights
You have the right to:
- Access your data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase ("right to be forgotten") your data (Art. 17)
- Restrict processing (Art. 18)
- Portability: receive your data in a structured format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Not be subject to automated decisions with legal effects (Art. 22) — ChatME does not currently make automated decisions with legal effects concerning you
How to exercise them:
- If you are a customer: most of them from your dashboard at app.chatme.es → Privacy and data. For complete erasure, write to privacy@chatme.es.
- If you are a visitor: first contact the customer whose chatbot you used. If they do not respond within 30 days or you cannot locate them, write to us at privacy@chatme.es and we will help you.
- Response time: 1 month from receipt, extendable to 3 months in complex cases.
You have the right to lodge a complaint with the supervisory authority (AKI in Estonia, AEPD in Spain) if you believe the processing infringes the GDPR.
7. Security
- TLS 1.2+ encryption in transit; AES-256 at rest in Supabase.
- Per-user isolation through Row-Level Security (RLS) at the database level.
- No human access to conversation content by the ChatME team by default (access only for incident resolution, logged).
- Documented incident-response procedure with notification to the authorities within 72 hours (Art. 33).
8. Automated decision-making and profiling
ChatME uses AI models to generate responses in the chat. These responses do not constitute "automated decisions with legal or similarly significant effects" under GDPR Art. 22 — they are informational conversations. The chatbot's customer may use the form data to make their own decisions (handling a booking, answering an inquiry), under their own responsibility.
In accordance with the EU AI Act (Regulation (EU) 2024/1689), we always inform you that you are talking to an AI system: an "AI" badge appears in the widget next to the chatbot's name.
9. Changes to this policy
We publish changes at this same URL. If the changes are material (they affect your rights or introduce new sub-processors with access to your data), we will notify you:
- If you are a customer: by email to your account address, at least 30 days in advance.
- If you are a visitor: the customer whose chatbot you use will receive the notice and is responsible for passing it on to you under their own policy.
10. Contact
For any matter relating to this policy or the processing of your data:
ChatMe OÜ · Järvevana tee 9, Tallinn, 11314, Estonia