Privacy Policy
1. Who we are
CHAiTS is a messaging platform that lets you chat with CHAiTers — digital people created with artificial intelligence — and with other real people. This policy explains what personal data we collect when you use the app, why we collect it, how long we keep it, and what rights you have over it, in accordance with the EU General Data Protection Regulation ("GDPR").
Data controller: Donata Garberini, individual operator (this name is in any case already public on the app store consoles as the developer account holder). Privacy contact: privacy@chaits.app (placeholder address — to be confirmed before publishing).
2. What data we collect
We only collect the data needed to run the service. We do not collect your precise location, health data, or your payment card details.
| Data | Required? | Why we collect it | Encrypted? |
|---|---|---|---|
| Email address | Yes | Account identity, one-time-code login, important service communications | No (it is your identifier) |
| Phone number | No, optional | Only if you choose to verify it to find contacts already on CHAiTS in your address book | Yes (AES-256-GCM) |
| Date of birth | Yes | To automatically apply age-appropriate content rules, as required by the EU AI Act | Yes (AES-256-GCM) |
| Username and display name | Yes | Public identification within the app | No |
| Profile photo | No, optional | Account avatar | No (public image) |
| Message content (with CHAiTers and with other people) | Generated by use | Run the conversation, give CHAiTers contextual memory, deliver messages between users | Yes (AES-256-GCM, when stored on our servers) |
| Voice messages (audio) | No, optional | Automatic transcription and CHAiTer response; message playback | Yes — audio files are stored on protected storage (Cloudflare R2) with authenticated access |
| Your personal AI API keys ("bring your own key" feature, optional) | No, optional | Let you use your own access keys to external AI services (e.g. Google Gemini, OpenRouter, Anthropic, OpenAI) for conversations | Yes (AES-256-GCM), decrypted only for the duration of each call |
| Device token for push notifications | No, optional | Send you notifications (e.g. new message) via Firebase Cloud Messaging | No |
| Usage data (e.g. daily message count) | Generated by use | Enforce your subscription plan limits | No |
| Subscription data (active plan, payment status) | Generated by use | Verify which features you can access | No — your payment card data never passes through our servers: it is handled directly by Apple, Google, or Stripe |
3. Why we use your data
- Let you log in and maintain your account.
- Run conversations with CHAiTers, including remembering the context of past chats (the CHAiTer's "memory", available on paid plans).
- Automatically apply content rules appropriate to your age.
- Give you access to paid features according to your chosen plan.
- Send you app-related notifications, if you have enabled them.
- Keep the service safe: prevent abuse, spam, fraud, unauthorized access.
- Respond to your support requests.
- Comply with legal obligations (e.g. retaining billing records).
4. Legal basis for processing
Depending on the data and the purpose, processing is based on:
- Performance of a contract: data necessary to provide the service you requested (e.g. email for login, messages to run the chat).
- Explicit consent: for optional data such as your phone number, voice messages, or saving your personal AI keys. You can withdraw consent at any time from Settings.
- Legal obligation: for billing data that the law requires us to retain for a certain period.
- Legitimate interest: for anti-abuse security measures, always balanced against your rights.
If you are a parent or guardian of a user under 16, registration requires your consent, as required by Article 8 of the GDPR.
5. Who sees your data (sub-processors)
We do not sell your data to anyone. To run the service we rely on a few external providers, who process data only on our behalf and according to our instructions:
- AI providers (e.g. Anthropic, Google Gemini, Groq, OpenAI, OpenRouter): process message text to generate CHAiTer replies. If you use the "bring your own key" feature, the provider you chose processes your conversations using your own credentials.
- Apple, Google, and Stripe: handle subscription payments. We never see or store your card numbers.
- Cloudflare: hosts files (e.g. voice messages, images) on secure infrastructure.
- Firebase (Google): sends push notifications to your device.
- Twilio: only if you choose to verify a phone number from your address book.
6. International transfers
Some of the providers listed above are based, or have infrastructure, outside the European Union (for example, in the United States). In these cases, data transfers take place with the safeguards required by the GDPR (such as the European Commission's Standard Contractual Clauses), to ensure your data remains protected even outside the EU.
7. How long we keep your data
- Account data: for as long as the account is active.
- After a deletion request: the account enters a 30-day grace period during which you can still change your mind and recover it. After 30 days, the data is permanently and irrecoverably deleted (see also the dedicated Account Deletion page).
- CHAiTer memory: duration depends on the subscription plan (from a few days up to unlimited on higher plans); the memory feature is not active on free plans.
- Billing data: retained for the period required by tax law, even after account deletion.
- Security logs: kept for a limited period needed to detect abuse, then automatically deleted.
8. Your rights
As a data subject, you always have the right to:
- Access: know what data we hold about you.
- Portability: receive a copy of your data in a readable format, to take it elsewhere. You can request this from the app's Settings, "Export your data" section.
- Rectification: correct inaccurate data.
- Erasure ("right to be forgotten"): request complete deletion of your account and data. See the Account Deletion page.
- Restriction and objection: ask us to restrict or object to a specific processing activity.
- Withdraw consent: for consent-based processing (e.g. phone number, voice), you can withdraw it at any time without affecting basic use of the app.
- Lodge a complaint: you always have the right to lodge a complaint with your national data protection authority (in Italy: the Garante per la Protezione dei Dati Personali, www.garanteprivacy.it).
You can exercise these rights directly inside the app (Settings → Privacy) or by writing to privacy@chaits.app (to be confirmed).
9. Data security
We protect your data with concrete technical measures: sensitive content (messages, phone number, personal API keys) is encrypted when stored on our servers using the AES-256-GCM standard, a strong encryption method also used by banks and governments. Access to data is protected by authentication and permission checks on every request. We continue to invest in periodic security audits.
10. Minors
CHAiTS requires a date of birth to automatically apply stricter content rules to younger users. For users under 16, registration requires parental or guardian consent, as required by European law. Explicit content is always forbidden for users under 13; between 13 and 17, explicit content for entertainment purposes is forbidden, but educational content always remains allowed.
11. CHAiTers are artificial intelligence
Every CHAiTer is an agent generated by artificial intelligence models, not a real person. We always disclose this clearly within the app (an "AI" badge on the avatar) in accordance with the EU AI Act. Content written by a CHAiTer never replaces professional medical, legal, psychological, or financial advice.
12. Changes to this policy
We may update this policy over time, for example to reflect a new service feature. In case of significant changes we will notify you via the app or by email before they take effect.
13. Contact
For any question about this policy or your personal data:
Email: privacy@chaits.app (placeholder — to be confirmed)
General support: chaits.app/support