ClientBuddy← back home
✦ Last updated · 6 May 2026

Privacy Policy

This Privacy Policy explains how AUTOPERATE.AI(KvK 97483672, BTW NL005273716B87, the “Controller”, “we”, “us”) processes personal data when you use ClientBuddy via clientbuddy.ai.

We follow the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and the Dutch Telecommunications Act. If you have a question, email privacy@clientbuddy.ai.

1. Data we collect

Account data

  • Name, email address, company name, website (you provide these at checkout)
  • Authentication identifiers (hashed credentials or OAuth subject IDs)
  • IP address and basic browser metadata for security and abuse prevention

Billing data

  • IBAN and SEPA mandate reference — collected and stored by Mollie B.V. (Keizersgracht 313, 1016 EE Amsterdam), our payment processor. We do not store your IBAN ourselves.
  • Mollie customer ID, payment IDs, subscription IDs, and invoice history (so we can show you charges).
  • VAT identification number, where applicable.

Service data

  • Knowledge base content (URLs, documents, FAQs) you upload to be answered by the agent.
  • Conversations between your end-customers and the agent, including message text, timestamps, and language detection results.
  • Aggregate usage metrics (number of conversations, escalations, response times).

2. Why we process this data

  • To deliver the service — answering your customers, escalating to your inbox, hosting the widget. Legal basis: contract performance, art. 6(1)(b) GDPR.
  • To bill you — issuing the SEPA Direct Debit mandate via Mollie and collecting €49 each month. Legal basis: contract performance, art. 6(1)(b) GDPR.
  • To meet legal obligations — keeping invoices for 7 years per Dutch tax law. Legal basis: legal obligation, art. 6(1)(c) GDPR.
  • To secure the platform — rate-limiting, anti-fraud, incident response. Legal basis: legitimate interest, art. 6(1)(f) GDPR.
  • To send transactional email — receipts, mandate confirmations, service notices. Legal basis: contract performance, art. 6(1)(b) GDPR.

We do not sell your data, and we do not train AI models on your conversations or knowledge base.

3. Sub-processors

We use a small number of vetted EU-first sub-processors:

  • Mollie B.V. (Netherlands) — payment processing, SEPA mandate management, invoicing.
  • Vercel Inc. (USA, Frankfurt edge) — web hosting and edge delivery; bound by EU SCCs and DPF.
  • Supabase Inc. (EU region: eu-west-1, Ireland) — database, authentication, vector search.
  • Convex (Get Convex Inc.) (EU region: eu-west-1) — realtime application backend.
  • OpenAI Ireland Ltd. (Ireland) — large language model inference, with Zero Data Retention enabled where available.
  • Resend / Postmark — transactional email delivery.

A current sub-processor list is maintained in our Data Processing Addendum. We notify you in the product before introducing any new sub-processor.

4. Where data lives

ClientBuddy is hosted in the EU — primarily Frankfurt (Germany) and Dublin (Ireland). When data must transit a non-EU sub-processor (e.g. OpenAI inference), we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the EU-US Data Privacy Framework.

5. How long we keep data

  • Account & billing data — for the life of your subscription, plus 7 years to satisfy Dutch tax retention.
  • Conversation logs — 12 months by default; you can shorten this in your dashboard or delete on request.
  • Knowledge base content — until you delete it or close your account.
  • Server access logs — 30 days.

6. Your rights

Under the GDPR you can:

  • Request a copy of the personal data we hold about you (art. 15)
  • Correct inaccurate data (art. 16)
  • Erase your data when no longer needed (art. 17)
  • Restrict or object to processing (art. 18 / 21)
  • Export your data in a portable format (art. 20)
  • Lodge a complaint with the Dutch DPA (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl)

To exercise any of these rights, email privacy@clientbuddy.ai. We respond within 30 days.

7. Cookies

We use a single first-party session cookie required to keep you signed in (legal basis: strictly necessary, no consent required under art. 11.7a Dutch Telecom Act). We do not use third-party advertising trackers or analytics cookies.

8. Children

ClientBuddy is a B2B product not directed at children. We do not knowingly process personal data of users under 16.

9. Changes

If we materially change this policy, we will email you and post a notice at the top of this page at least 30 days before the change takes effect.

Contact: AUTOPERATE.AI (Eindhoven, Netherlands) · KvK 97483672 · BTW NL005273716B87 · privacy@clientbuddy.ai