Privacy Policy

Effective Date: March 1, 2026 · Last Updated: March 9, 2026

This Privacy Policy ("Policy") describes how Ioxo Software ("Company," "we," "us," or "our"), operating the ChatForge platform located at chatforge.chat and related websites (collectively, the "Service"), collects, uses, discloses, and protects information from and about users of the Service ("you" or "User"). By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, you must discontinue use of the Service immediately.

1. Definitions

  • "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identifiable natural person or household.
  • "User Content" means any documents, files, text, URLs, Q&A pairs, response rules, business profile information, or other materials uploaded, submitted, or provided by you to or through the Service.
  • "Chat Data" means the messages, queries, responses, and metadata generated through conversations between your chatbot(s) and end users of the embedded widget.
  • "End User" means a visitor to your website who interacts with a ChatForge-powered chatbot widget.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Registration Data: name, email address, and hashed password when you create an account.
  • User Content: documents (PDF, DOCX), website URLs, Q&A pairs, response rules, persona configurations, and business profile information (business name, address, phone number, hours, policies) you provide to train and configure your chatbot.
  • Payment and Billing Data: billing name, billing address, and payment method details. Payment card information is processed and stored exclusively by our third-party payment processor, Stripe, Inc. We do not receive, access, or store your full credit card number, CVV, or other sensitive payment card data.
  • Communications: information you provide when contacting us for support, submitting feedback, or responding to surveys.

2.2 Information Collected Automatically

  • Chat Data: all messages, queries, and AI-generated responses exchanged between your chatbot widget and End Users, including timestamps, session identifiers, and conversation metadata.
  • Lead Data: when an End User submits a lead capture form through your widget, we collect the name, email address, phone number, and any message they provide, along with the associated conversation context.
  • Usage and Analytics Data: conversation counts, message volumes, token usage, top questions, response quality metrics, knowledge gap analysis, and other aggregated analytics.
  • Device and Log Data: IP address, browser type and version, operating system, device type, referring/exit pages, access timestamps, and pages viewed.
  • Cookies and Similar Technologies: we use essential cookies for session management and authentication. See our Cookie Policy for details.

2.3 Information from Third Parties

We may receive information from third-party services you integrate with ChatForge, such as authentication providers. We may also receive information from our payment processor regarding the status of your transactions.

3. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we process your Personal Data based on the following legal grounds:

  • Performance of a Contract: Processing necessary to provide the Service to you under our Terms of Service.
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and preventing fraud, where those interests are not overridden by your data protection rights.
  • Consent: Where you have provided explicit consent to specific Processing activities.
  • Legal Obligation: Processing necessary to comply with applicable laws and regulations.

4. How We Use Your Information

  • To create, maintain, and secure your account.
  • To provide, operate, and maintain the Service, including document processing, embedding generation, chatbot training, response generation, widget hosting, lead capture, and analytics.
  • To process your User Content through Retrieval-Augmented Generation (RAG) pipelines to generate contextually relevant chatbot responses.
  • To process payments, manage subscriptions, and enforce usage limits.
  • To display analytics, usage metrics, and insights in your dashboard.
  • To communicate with you regarding your account, Service updates, security alerts, and support inquiries.
  • To detect, investigate, and prevent security incidents, fraud, abuse, and violations of our Terms of Service.
  • To comply with applicable laws, regulations, legal processes, and governmental requests.
  • To improve, personalize, and develop new features and functionality for the Service.
  • To generate aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you, which we may use for any lawful business purpose.

5. Artificial Intelligence and Data Processing

ChatForge uses third-party artificial intelligence (AI) services, including large language model (LLM) providers, to generate chatbot responses based on your User Content. By using the Service, you acknowledge and agree to the following:

  • Data Transmission to AI Providers: Portions of your User Content and Chat Data (including document chunks and conversation context) are transmitted to third-party AI model providers for the purpose of generating responses. This transmission is necessary for the core functionality of the Service.
  • No Model Training: We contractually require that our AI providers do not use your User Content or Chat Data to train, improve, or fine-tune their foundation models. However, we cannot guarantee the internal practices of third-party providers beyond our contractual agreements.
  • AI Limitations: AI-generated responses may be inaccurate, incomplete, misleading, or inappropriate. We do not warrant the accuracy, reliability, or fitness of any AI-generated content. You are solely responsible for reviewing and monitoring responses produced by your chatbot.
  • Prompt Data: System prompts, persona configurations, and response rules you configure are included in requests sent to AI providers as necessary to generate appropriate responses.

6. Data Sharing and Disclosure

We do not sell, rent, or lease your Personal Data to third parties. We may share your information in the following circumstances:

  • Service Providers and Sub-processors: We share data with trusted third-party service providers who assist us in operating the Service, including: Google LLC / Firebase (cloud hosting, database, authentication, and storage), Stripe, Inc. (payment processing), and AI model providers (response generation). These providers are contractually bound to process your data only as directed by us and in accordance with this Policy.
  • Legal Requirements: We may disclose your information if required to do so by law, regulation, subpoena, court order, or other governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to a government request.
  • Business Transfers: In connection with, or during negotiations of, any merger, acquisition, sale of assets, financing, bankruptcy, dissolution, or similar transaction, your information may be transferred or disclosed to the acquiring entity. We will notify you via email and/or prominent notice on the Service before your Personal Data is transferred and becomes subject to a different privacy policy.
  • With Your Consent: We may share your information for purposes not described in this Policy with your explicit consent.
  • Aggregated or De-identified Data: We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for any lawful purpose.

7. Your Role as Data Controller

When you use ChatForge to collect information from End Users through the chatbot widget (including Chat Data and Lead Data), you act as the data controller (or "business" under CCPA) with respect to that End User data. We act as a data processor (or "service provider") processing that data on your behalf.

As the data controller, you are responsible for:

  • Providing appropriate privacy notices to your End Users informing them that their interactions with the chatbot are recorded and processed.
  • Obtaining any necessary consents from End Users as required by applicable law.
  • Responding to End User requests regarding their Personal Data (access, deletion, portability, etc.).
  • Ensuring that your use of End User data complies with all applicable privacy laws and regulations.

We will assist you in fulfilling your obligations to the extent reasonably practicable and as required by applicable law.

8. Data Security

We implement and maintain reasonable and appropriate technical and organizational security measures designed to protect the confidentiality, integrity, and availability of your data, including:

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of data at rest using AES-256 or equivalent industry-standard encryption.
  • Secure authentication mechanisms including hashed and salted passwords.
  • Access controls limiting data access to authorized personnel on a need-to-know basis.
  • Regular monitoring and logging of system access and activity.

Despite our efforts, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data. You acknowledge and accept the inherent risks of transmitting data electronically.

9. Data Retention

  • Active Accounts: We retain your Personal Data, User Content, and Chat Data for as long as your account remains active and as needed to provide the Service.
  • Account Deletion: Upon account deletion, we will delete or anonymize your Personal Data, User Content, and Chat Data within thirty (30) days. Certain data may persist in encrypted backups for up to ninety (90) days before being permanently purged.
  • Legal Obligations: We may retain certain data for longer periods as required by applicable law, regulation, or legal proceedings, or as necessary to enforce our Terms of Service or resolve disputes.
  • Aggregated Data: Aggregated, de-identified data that cannot reasonably be used to identify you may be retained indefinitely for analytics and service improvement purposes.

10. Your Privacy Rights

10.1 Rights Under GDPR (EEA/UK/Switzerland)

If you are in the EEA, UK, or Switzerland, you have the following rights:

  • Right of Access: Request a copy of the Personal Data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete Personal Data.
  • Right to Erasure: Request deletion of your Personal Data, subject to legal retention requirements.
  • Right to Restrict Processing: Request that we limit the Processing of your Personal Data in certain circumstances.
  • Right to Data Portability: Request your Personal Data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to Processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where Processing is based on consent, withdraw that consent at any time without affecting the lawfulness of Processing performed prior to withdrawal.
  • Right to Lodge a Complaint: File a complaint with a supervisory authority in your jurisdiction.

10.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of Personal Data we have collected, the sources of collection, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: Request deletion of Personal Data we have collected from you, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate Personal Data.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share (as defined by the CCPA/CPRA) your Personal Data.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

10.3 Exercising Your Rights

To exercise any of the above rights, contact us at ioxosoftware+chatforge@gmail.com. We will verify your identity before processing your request and respond within the timeframes required by applicable law (generally 30 days under GDPR, 45 days under CCPA). You may also delete your account and associated data directly from your account settings.

11. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from those in your jurisdiction. By using the Service, you consent to the transfer of your data to the United States and other jurisdictions where we or our service providers operate. Where required by applicable law, we implement appropriate safeguards for international data transfers, including standard contractual clauses approved by the European Commission.

12. Children's Privacy

The Service is not directed to and is not intended for use by individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect Personal Data from children under 18. If we become aware that we have inadvertently collected Personal Data from a child under 18, we will take reasonable steps to delete such data promptly. If you believe a child has provided us with Personal Data, please contact us at ioxosoftware+chatforge@gmail.com.

13. Third-Party Links and Services

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Service. This Policy applies solely to information collected by us through the Service.

14. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. Because there is no universally accepted standard for interpreting DNT signals, the Service does not currently respond to DNT signals. We will update this Policy if a uniform standard is established.

15. Changes to This Policy

We reserve the right to modify this Policy at any time. If we make material changes, we will notify you by email (at the address associated with your account) and/or by posting a prominent notice on the Service at least thirty (30) days prior to the changes taking effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy. We encourage you to periodically review this page for the latest information on our privacy practices.

16. Contact Information

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us at:

Ioxo Software

ChatForge Privacy Inquiries

Email: ioxosoftware+chatforge@gmail.com

We will make every reasonable effort to resolve your complaint in a timely manner. If you are located in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.