Privacy Policy
This Privacy Policy explains how AUTOPERATE.AI(KvK 97483672, BTW NL005273716B87, the “Controller”, “we”, “us”) processes personal data when you use ClientBuddy via clientbuddy.ai.
We follow the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and the Dutch Telecommunications Act. If you have a question, email info@clientbuddy.ai.
1. Data we collect
Account data
- Email address and website URL (you provide these at signup; your workspace name is derived from your domain)
- Authentication identifiers (passwords stored hashed; one-time login tokens stored hashed)
- IP address and basic browser metadata for security and abuse prevention
Billing data
- IBAN and SEPA direct debit mandate reference (your authorization for the standard European bank payment), collected and stored by Mollie B.V. (Keizersgracht 313, 1016 EE Amsterdam), our payment processor. We do not store your IBAN ourselves.
- Mollie customer ID, payment IDs, subscription IDs, and invoice history (so we can show you charges).
- VAT identification number, where applicable.
Service data
- Knowledge base content: pages we crawl from your website to train the assistant, plus any documents, FAQs, or text you add yourself.
- Conversations between your website visitors and the assistant, including message text and timestamps.
- Visitor email addresses captured when a conversation is handed over to you (lead capture), together with the lead status and value you record in your dashboard.
- Aggregate usage metrics (number of conversations, handovers to your team, response times).
2. Why we process this data
- To deliver the service: answering your customers, handing conversations to your inbox, hosting the chat window. Legal basis: contract performance, art. 6(1)(b) GDPR.
- To bill you: issuing the SEPA Direct Debit mandate via Mollie and collecting your monthly fee. Legal basis: contract performance, art. 6(1)(b) GDPR.
- To meet legal obligations: keeping invoices for 7 years per Dutch tax law. Legal basis: legal obligation, art. 6(1)(c) GDPR.
- To secure the platform: rate-limiting, anti-fraud, incident response. Legal basis: legitimate interest, art. 6(1)(f) GDPR.
- To send service & billing notifications: payment receipts and SEPA mandate confirmations are delivered by our payment processor (Mollie); other service notices appear in-product and, if you connect it, via Telegram. The only emails we send ourselves are password-reset links and trial-expiry notices, delivered via Resend. Legal basis: contract performance, art. 6(1)(b) GDPR.
We do not sell your data, and we do not train AI models on your conversations or knowledge base.
3. Sub-processors
We use a small number of vetted EU-first sub-processors:
- Mollie B.V. (Netherlands): payment processing, SEPA mandate management, invoicing.
- Vercel Inc. (USA, Frankfurt edge): web hosting and edge delivery; bound by EU SCCs and DPF.
- Convex (Get Convex Inc.) (EU region: eu-west-1): realtime application backend, database, authentication, vector search.
- OpenAI(OpenAI Ireland Ltd. / OpenAI, L.L.C., USA): large language model inference and embeddings. Chat messages and relevant knowledge base excerpts are sent to OpenAI to generate answers, and may be processed in the United States (safeguarded by EU SCCs and the EU-US Data Privacy Framework). Per OpenAI's API terms, this data is not used to train their models.
- Resend (Resend, Inc.)(USA; EU sending region): transactional email only: password-reset links and trial-expiry notices. Receives the recipient's email address; bound by EU SCCs. We do not use email for marketing or lead notifications.
- Telegram (Telegram Messenger Inc.) (global): used only when you choose to connect it for owner and lead notifications. When enabled, it carries your notification content (e.g. new-lead alerts and service notices) to your Telegram chat. Customer-optional; not used unless you opt in.
A current sub-processor list is maintained in our Data Processing Addendum. We notify you in the product before introducing any new sub-processor.
4. Where data lives
Your application data (accounts, knowledge base, conversations, leads) is stored in the EU: our database runs in Convex's eu-west-1 region. Not everything can stay inside the EU, though: to generate answers, chat messages and knowledge base excerpts are sent to OpenAI and may be processed in the United States. For any transfer to a non-EU sub-processor we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the EU-US Data Privacy Framework.
5. How long we keep data
- Account data: for the life of your account, until you delete it.
- Invoices and billing records: 7 years to satisfy Dutch tax retention. These are kept even after you delete your account, on an anonymized organization record.
- Conversations, captured leads, and knowledge base content: until you delete them or delete your account.
- Your website's registered domain name: retained after account deletion to enforce our one-free-trial-per-domain rule (abuse prevention, legitimate interest).
- Operational server logs: kept briefly by us and our hosting providers for security and debugging.
6. Your rights
Under the GDPR you can:
- Request a copy of the personal data we hold about you (art. 15)
- Correct inaccurate data (art. 16)
- Erase your data when no longer needed (art. 17)
- Restrict or object to processing (art. 18 / 21)
- Export your data in a portable format (art. 20)
- Lodge a complaint with the Dutch DPA (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl)
You can exercise the most important rights yourself, directly in the product: Settings → General → Privacy & data offers a one-click JSON export of your workspace and full account deletion. Deletion removes your conversations, documents, and assistants; invoices and billing records are retained for tax law on an anonymized record, and your website domain is retained to prevent repeat free trials (see section 5).
For anything else, email info@clientbuddy.ai. We respond within 30 days.
7. Cookies & local storage
On clientbuddy.ai we use first-party cookies that are strictly necessary to keep you signed in and to remember which workspace you last used (legal basis: strictly necessary, no consent required under art. 11.7a Dutch Telecom Act). We do not use third-party advertising trackers or analytics cookies.
The embeddable chat widget sets no cookieson your website. It stores three small values in the visitor's browser: a random session identifier in localStorage so a conversation stays continuous across page loads, a flag in localStorage once the visitor has left their email so we don't ask again, and a once-per-visit flag in sessionStorage so the chat window auto-opens at most once. None of these identify the visitor or track them across sites.
8. Children
ClientBuddy is a B2B product not directed at children. We do not knowingly process personal data of users under 16.
9. Changes
If we materially change this policy, we will notify you in the product and post a notice at the top of this page at least 30 days before the change takes effect.