Privacy Policy

Last updated: April 7, 2026

1. Who we are

Eosphorus ("we", "us", "our") operates the Eosphorus platform — a multi-tenant SaaS service that lets businesses build and deploy AI chatbots. We act as a data controller for the personal data of our registered users (workspace owners and members), and as a data processor on behalf of our tenants for the personal data of their end-users (chatbot visitors).

2. Data we collect

2.1 Account & workspace data

  • Email address and user ID (from your authentication provider)
  • Workspace name and billing plan
  • Role and membership status within a workspace
  • Audit log entries recording actions you take in the dashboard

2.2 Chat & visitor data (processed on behalf of tenants)

  • Chat messages are anonymized at write time — emails, phone numbers, and identifiers are stripped before storage
  • Human-handoff records (name, email, message) submitted via the chat widget are stored per chatbot and can be erased on request via the GDPR erasure endpoint

2.3 Technical & usage data

  • Essential session cookies required to keep you signed in
  • Preference cookies (theme, language)
  • Aggregate usage metrics (no individual tracking)

3. Legal basis for processing

  • Contract performance (Art. 6(1)(b) GDPR) — account data, billing, and workspace operations are necessary to deliver the service you signed up for.
  • Legitimate interests (Art. 6(1)(f) GDPR) — security logging, fraud prevention, and aggregate analytics.
  • Consent (Art. 6(1)(a) GDPR) — non-essential cookies and analytics. You can withdraw consent at any time via the cookie settings banner.
  • Legal obligation (Art. 6(1)(c) GDPR) — retaining billing records as required by applicable law.

4. Data retention

  • Chat transcripts: deleted automatically after 30 days (configurable)
  • Audit logs: retained for the lifetime of the workspace
  • Billing records: retained as required by applicable tax law (typically 7 years)
  • Account data: deleted within 30 days of account closure on request

5. Third-party processors

We share data with the following sub-processors to operate the service:

  • Supabase — database hosting (EU region available)
  • Google (Gemini API) — primary LLM inference
  • OpenAI — embeddings and fallback LLM inference
  • Stripe — payment processing
  • Upstash — Redis cache
  • Google Cloud Pub/Sub — asynchronous messaging and background job dispatch
  • Firebase App Hosting / Google Cloud Run — application hosting
  • Google Cloud Logging — operational error logging and monitoring

All processors are bound by data processing agreements and operate under GDPR-compliant terms.

6. Your rights

Under GDPR you have the right to:

  • Access — download all personal data we hold via Dashboard → Settings → Privacy & Data
  • Erasure — request deletion of your account data by contacting us
  • Portability — export your data in machine-readable JSON format
  • Rectification — correct inaccurate data by contacting us
  • Restriction — request we limit processing of your data
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — update cookie preferences at any time via the banner at the bottom of this page

To exercise any right, contact us at privacy@eosphorus.ai. We will respond within 30 days.

7. Data Processing Agreement (DPA)

If you are a business using Eosphorus to process personal data of your own users (e.g. chatbot visitors), you are acting as a data controller and we act as your data processor. A standard DPA is available on request at privacy@eosphorus.ai.

8. Cookies

We use the following cookies:

Cookie                    Purpose                              Category     Duration
next-auth.session-token   Keeps you signed in                  Essential    Session
eosphorus_consent         Stores your cookie preferences       Essential    1 year
NEXT_LOCALE               Remembers your language preference   Functional   1 year

9. International transfers

Some of our sub-processors may process data outside the EEA. Where this occurs, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection.

10. Contact & supervisory authority

For privacy questions: privacy@eosphorus.ai

You also have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your national DPA in the EU).