Privacy Policy
Last updated: August 20, 2025
Data Controller
ChatGridAI operates as an individual service provider based in Latvia, European Union. We are subject to EU data protection laws including GDPR.
Information We Collect
Authentication Data
For Google Workspace™ users:
- Email address
- Company domain
- Google OAuth tokens (temporary)
For Microsoft Teams™ users:
- Display name
- Email address
- Azure Active Directory Object ID
- Tenant ID
- Company name
- Microsoft OAuth tokens (temporary)
Configuration Data
- OpenAI API keys (encrypted)
- Assistant ID
- Vector Store ID
- Group assignments and roles (admin, user, unassigned)
- Thread IDs for ongoing conversations
- Customer ID (internal identifier)
Technical Data
- JWT authentication tokens (temporary, 2 hours)
- CSRF tokens for security
- Session cookies (httpOnly, secure)
- IP addresses (server logs only, anonymized)
Analytics Data (Only with Your Consent)
- Google Analytics: We use Google Analytics only after you explicitly consent through our cookie banner
- Data Collected: Anonymized page views, session duration, browser type, referral sources
- IP Anonymization: Your IP address is anonymized before processing
- Purpose: To understand how visitors use our website and improve user experience
- Your Control: You can withdraw consent anytime using the "Cookie Settings" link in our footer
Trial and Subscription Data
- Trial start and end dates
- Subscription status
- Billing information (if applicable)
Legal Basis for Processing (GDPR Article 6)
- Contract Performance (Article 6.1.b): Processing your authentication data, configuration settings, and service usage to deliver the AI assistant service you've subscribed to
- Legitimate Interest (Article 6.1.f):
  - Maintaining security and preventing fraud
  - Improving our service based on usage patterns
  - Technical administration and troubleshooting
- Consent (Article 6.1.a): Google Analytics tracking and any marketing communications
- Legal Obligation (Article 6.1.c): Compliance with EU regulations and tax requirements
How We Use Your Information
- Authentication: To verify your identity and associate you with your organization
- Service Delivery: To provide AI assistant functionality through OpenAI's API
- Configuration: To maintain your group settings and preferences
- Analytics: To understand usage patterns and improve our service (only with consent)
- Support: To respond to your inquiries and provide assistance
- Legal Compliance: To meet our legal obligations under EU law
Data Retention Periods
- Account Data: Retained while your account is active, plus 30 days after account deletion
- Authentication Tokens: 2 hours maximum (automatically expired)
- Conversation Content: Not permanently stored by us; processed in real time through the OpenAI API only
- Configuration Data: Retained until account deletion plus 30 days for support purposes
- Google Analytics Data: 26 months (Google's default; you can request earlier deletion)
- Server Logs: 30 days maximum for security and troubleshooting
- Billing Records: 7 years as required by Latvian tax law
Third-Party Data Processors and International Transfers
Data Processors We Use
- OpenAI (USA):
  - Purpose: AI response generation
  - Data: Your conversation messages (processed, not stored)
  - Safeguards: Standard Contractual Clauses (SCCs) and an adequate level of protection
  - Your data may be processed in the USA under appropriate safeguards
- Google Analytics (USA):
  - Purpose: Website analytics (only with your consent)
  - Data: Anonymized usage statistics
  - Safeguards: Google's EU-US Data Privacy Framework certification
- Hetzner (Germany):
  - Purpose: Cloud hosting and data storage
  - Data: All account and configuration data
  - Location: Germany (EU) - no international transfer
International Data Transfers
When we transfer your personal data outside the EU (specifically to OpenAI and Google), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions where available
- Additional technical and organizational measures to protect your data
Cookies and Tracking Technologies
Essential Cookies (No Consent Required)
- JWT Authentication Tokens: Secure, httpOnly cookies for login sessions (2 hours)
- CSRF Tokens: Security protection against cross-site attacks
- Session Management: Temporary cookies for service functionality
Analytics Cookies (Consent Required)
- Google Analytics: _ga, _gid, _ga_* cookies for usage tracking
- Your Control: These are only set after you click "Accept" in our cookie banner
- Withdraw Consent: Click "Cookie Settings" in our footer to change your preference
- Browser Control: You can also disable these through your browser settings
Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of Access (Article 15): Request a copy of your personal data we process
- Right to Rectification (Article 16): Correct inaccurate or incomplete personal data
- Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
- Right to Data Portability (Article 20): Receive your data in a machine-readable format
- Right to Restriction (Article 18): Limit how we process your data
- Right to Object (Article 21): Object to processing based on legitimate interests
- Right to Withdraw Consent (Article 7.3): Withdraw consent for analytics or marketing
- Right to Lodge a Complaint: Contact your local data protection authority
How to Exercise Your Rights
To exercise any of these rights:
- Email us at info@chatgridai.com with "GDPR Request" in the subject
- Specify which right you want to exercise
- Provide your email address and domain for verification
- We will respond within 30 days (may be extended by 60 days for complex requests)
Data Security Measures
- Encryption: All communication secured over HTTPS/TLS 1.3
- Data Protection: API keys stored encrypted in database using AES-256
- Access Control: Restricted to authorized domains and tenants only
- Token Security: JWT tokens with short expiration (2 hours maximum)
- Infrastructure: Hosted on secure, EU-based infrastructure (Hetzner, Germany)
- Monitoring: Regular security updates and 24/7 monitoring
- Network Security: Firewall protection and intrusion detection
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware
- We will notify affected individuals without undue delay if the breach poses a high risk
- We will document all breaches and the measures taken to address them
- We maintain an incident response plan to minimize impact and prevent future breaches
Children's Privacy
Our service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us immediately.
Changes to This Privacy Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. When we make material changes:
- We will notify you by email (if you have an account)
- We will display a notice on our website
- We will update the "Last updated" date at the top of this policy
- Continued use of our service after notification constitutes acceptance of the updated policy
Contact Information
Data Controller: ChatGridAI
Location: Latvia, European Union
Email: info@chatgridai.com
GDPR Requests: Use subject line "GDPR Request" for data protection inquiries
Response Time: We respond to privacy inquiries within 1 business day and to GDPR requests within 30 days
Supervisory Authority
If you believe we have not adequately addressed your privacy concerns, you may lodge a complaint with:
Latvian Data State Inspectorate
Website: www.dvi.gov.lv
Or your local EU data protection authority
Cookie Consent Management
To change your cookie preferences at any time, use the "Cookie Settings" link in our website footer.