Privacy Policy

Last Updated: October 9, 2025

Effective Date: October 9, 2025


Introduction

Welcome to backend.chat ("we," "us," or "our"). We are committed to protecting your privacy and being transparent about how we collect, use, and protect your information.

backend.chat is an AI-powered customer support platform that helps businesses communicate with their customers through real-time chat, with intelligent AI assistance powered by Retrieval Augmented Generation (RAG) technology.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, whether as a business customer (using our dashboard and services) or as an end user (chatting with businesses through our widget).

Contact Us: For any questions about this Privacy Policy or to exercise your privacy rights, please contact us at: [email protected]


Who We Are

backend.chat is operated by VINAY KHOBRAGADE TECHNOLOGIES LLP, a Limited Liability Partnership incorporated in India.

Registered Address: RL/5211, Bramhapuri, ARL Bramhapuri, Bramhapuri, Chandrapur, Maharashtra, India, 442402

Contact Email: [email protected]


Information We Collect

1. Information You Provide Directly

When You Create an Account (Businesses):

  • Email address
  • Full name
  • Organization name
  • Password (encrypted and hashed)

When You Use the Chat Widget (End Users):

  • Name (if provided)
  • Email address (if provided)
  • Messages and conversation content
  • Files or attachments you share (future feature)

When You Contact Support:

  • Any information you choose to provide in your communications

2. Information Collected Automatically

Technical Information:

  • Visitor ID (randomly generated identifier)
  • Conversation ID
  • IP address
  • Browser type and version
  • Device information
  • Operating system
  • Referral source
  • Pages visited on your website (where widget is embedded)
  • Date and time of access
  • WebSocket connection data

Browser Storage: We store the following information in your browser's localStorage:

  • chat_visitor_id – Unique visitor identifier
  • chat_conversation_[keyPrefix] – Active conversation ID
  • chat_visitor_name_[keyPrefix] – Your name (if provided)
  • chat_visitor_email_[keyPrefix] – Your email (if provided)
  • chat_conversations – List of your conversations
  • chat_sound_enabled – Sound notification preference
  • chat_cross_tab_message – For synchronizing chat across browser tabs

Note: We do NOT use traditional tracking cookies. All data storage is functional and essential for the service to work.

3. AI and Analytics Data

When Our AI Processes Your Messages:

  • AI-generated responses
  • Confidence scores (how confident the AI is in its answer)
  • LLM provider and model used (e.g., GPT-4, Claude)
  • Token usage (for AI processing)
  • Knowledge base chunks used to generate responses
  • Tools called by AI (e.g., knowledge base search, customer history)
  • Response time metrics

Analytics Data:

  • Number of conversations
  • AI vs. human-handled conversations
  • Conversation resolution rates
  • Average response times
  • User feedback on AI responses (helpful/not helpful)

Important: This data is used to improve our AI, monitor performance, and provide analytics to businesses. You can opt out of having your data used for AI training (see "Your Rights" below).

4. Information From Third Parties

AI Services:

  • OpenAI (for GPT models)
  • Anthropic (for Claude models)

These services process conversation content to generate AI responses. We have data processing agreements with these providers. See our Subprocessor List for details.

Payment Processors (Future): When we implement paid plans, we will use third-party payment processors. We will update this policy before collecting payment information.


How We Use Your Information

We use the collected information for the following purposes:

1. Provide and Improve Our Service

  • Enable real-time chat between businesses and their customers
  • Generate AI-powered responses using RAG technology
  • Maintain conversation history
  • Send notifications about new messages
  • Provide customer support

2. AI Training and Improvement

  • Train and improve our AI models
  • Enhance response accuracy
  • Reduce AI hallucinations through RAG
  • Develop new AI features

You can opt out of AI training by contacting [email protected]

3. Analytics and Performance

  • Monitor system performance
  • Track conversation metrics
  • Generate analytics for businesses
  • Identify and fix bugs
  • Improve user experience

4. Security and Fraud Prevention

  • Detect and prevent abuse
  • Protect against unauthorized access
  • Ensure platform security
  • Monitor for violations of our Terms of Service

5. Communication

  • Respond to your inquiries
  • Send service announcements
  • Notify you of important changes
  • Provide customer support

6. Legal Compliance

  • Comply with applicable laws and regulations
  • Respond to lawful requests from authorities
  • Enforce our Terms of Service
  • Protect our rights and property

Data Storage and Security

Where We Store Your Data

Primary Storage:

  • PostgreSQL database (encrypted at rest)
  • Redis cache (for session management and real-time features)
  • Vector database (pgvector) for AI embeddings

Data Locations:

  • Currently hosted in [specify region, e.g., "US East" or "Mumbai, India"]
  • Self-hosting option available for customers who want data on their own infrastructure

How We Protect Your Data

Encryption:

  • In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
  • At Rest: Sensitive data (like API keys) is encrypted using AES-256-GCM
  • Passwords: All passwords are hashed using bcrypt with salt

Access Controls:

  • Role-based access control (RBAC)
  • Multi-tenant isolation (organization-level data separation)
  • Audit logging of all data access
  • Regular security reviews

Infrastructure Security:

  • Regular security updates and patches
  • Automated backups
  • Intrusion detection systems
  • DDoS protection

Self-Hosting Security: For customers who self-host, please refer to our Security Guidelines for best practices.

Data Retention

Data Type | Retention Period
Conversations & Messages | Until deleted by business customer or 90 days after account closure
AI Training Data | Anonymized and retained indefinitely (unless you opt out)
Analytics Data | Aggregated data retained indefinitely; detailed data for 2 years
Account Information | Until account deletion + 30 days (for recovery)
Logs (Security, Audit) | 1 year
Backups | 30 days (automatic deletion)

You can request deletion of your data at any time by contacting [email protected]


Data Sharing and Disclosure

We Share Your Information With:

1. AI Service Providers (Subprocessors)

  • OpenAI (GPT models)
  • Anthropic (Claude models)

These providers process conversation content to generate AI responses. We have contractual agreements ensuring they protect your data and don't use it for their own purposes.

2. Infrastructure Providers

  • Cloud hosting providers (for storage and compute)
  • Database providers

3. Business Customers

If you're an end user chatting through our widget, the business you're chatting with has access to:

  • Your conversation content
  • Your name and email (if you provided them)
  • Conversation metadata (time, status, etc.)

4. Legal Obligations

We may disclose your information if required by law, court order, or government request, or to:

  • Protect our rights and property
  • Prevent fraud or abuse
  • Protect the safety of users

We Do NOT:

  • Sell your personal information
  • Share data with advertisers
  • Use your data for marketing without consent

International Data Transfers

Cross-Border Transfers

backend.chat operates from India, but we use service providers located in various countries, including the United States (OpenAI, Anthropic).

For European Users (GDPR): When we transfer your data outside the European Economic Area (EEA), we use:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Self-hosting option (you can host data in the EU)

For Indian Users: Currently governed by the Information Technology Act, 2000. When India's Digital Personal Data Protection Act (DPDP Act) 2023 comes into force, we will comply with its cross-border data transfer requirements.

Self-Hosting Option: Enterprise customers can self-host backend.chat on their own infrastructure to maintain data sovereignty and control over data location.


Your Privacy Rights

Depending on your location, you have various rights regarding your personal information:

For All Users

Right to Access: Request a copy of your personal information.

Right to Correction: Update or correct inaccurate information.

Right to Deletion: Request deletion of your data (subject to legal retention requirements).

Right to Object: Object to certain processing of your data.

For Users in the European Union (GDPR)

Right to Portability: Receive your data in a structured, machine-readable format.

Right to Restrict Processing: Limit how we process your data.

Right to Withdraw Consent: Withdraw consent for data processing (where consent is the legal basis).

Right to Lodge a Complaint: File a complaint with your local data protection authority.

For Users in California and Other US States (CCPA/CPRA)

Right to Know: Know what personal information we collect and how we use it.

Right to Delete: Request deletion of your personal information.

Right to Opt-Out: Opt out of "sale" or "sharing" of personal information. Note: We do not sell or share personal information.

Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights.

For Users in India (IT Act 2000 / Future DPDP Act)

Right to Review and Correct: Review and correct your information.

Right to Withdraw Consent: Withdraw consent for data processing (under future DPDP Act).

Right to Nominate: Nominate someone to exercise rights on your behalf (under future DPDP Act).

How to Exercise Your Rights

To exercise any of these rights, contact us at: [email protected]

We will respond within:

  • 30 days for most requests
  • 45 days for CCPA requests (California law allows 45 days + 45-day extension)
  • 1 month for GDPR requests (EU law allows 1 month + 2-month extension for complex requests)

Verification: We may ask you to verify your identity before processing requests, to prevent unauthorized access.

No Fee: Exercising your rights is free, unless your requests are manifestly unfounded or excessive.


AI-Specific Privacy Practices

How Our AI Works

backend.chat uses Retrieval Augmented Generation (RAG) technology:

  1. When you ask a question, we search the business's knowledge base for relevant information
  2. We send the relevant information + your question to an AI model (OpenAI or Anthropic)
  3. The AI generates a response based on the provided context
  4. We show the response to you and track its accuracy

This approach reduces AI hallucinations and ensures responses are based on the business's actual knowledge.

AI Training and Your Data

How Your Data May Be Used:

  • Improve our AI's ability to understand questions
  • Enhance response generation
  • Train our proprietary models (future)
  • Generate anonymized datasets for research

Safeguards:

  • We anonymize and de-identify data used for training
  • Personal identifiers (names, emails) are removed or masked
  • Businesses can opt out of AI training for their organization's data
  • End users can opt out by contacting [email protected]

Third-Party AI Providers:

Opt-Out of AI Training

To opt out: Email [email protected] with subject line: "Opt-Out of AI Training"

Include:

  • Your email address or visitor ID
  • Organization name (if you're a business customer)

We will process your request within 7 business days.


Children's Privacy

backend.chat is not intended for children under 13 years of age (or 16 in the EU).

We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us at [email protected] and we will delete it promptly.

For Indian Users: When India's DPDP Act 2023 comes into force, we will implement verifiable parental consent mechanisms for processing children's data.


Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • New features or services
  • Legal or regulatory requirements

How We Notify You:

  • Material changes: We will email you at least 30 days before the changes take effect
  • Minor changes: We will update the "Last Updated" date at the top of this page
  • Continued use: Your continued use of backend.chat after changes take effect means you accept the updated policy

Policy History: We maintain an archive of previous versions. Contact [email protected] to request older versions.


Cookies and Tracking Technologies

What We Use

backend.chat does NOT use traditional cookies for tracking or advertising.

What We Do Use:

  • LocalStorage: To store conversation data, visitor ID, and preferences in your browser
  • SessionStorage: For temporary session data

Purpose: Essential functionality only (maintaining conversations, syncing across tabs)

Third-Party Tracking

We do NOT use:

  • Google Analytics or similar tracking
  • Facebook Pixel or social media tracking
  • Advertising networks
  • Third-party tracking cookies

Your Control

You can clear localStorage in your browser settings:

  • Chrome: Settings > Privacy and Security > Clear browsing data > Cookies and other site data
  • Firefox: Settings > Privacy & Security > Cookies and Site Data > Clear Data
  • Safari: Preferences > Privacy > Manage Website Data > Remove All

Note: Clearing localStorage will reset your conversation history in the widget.

For more details, see our Cookie Policy.


California Residents (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Categories of Personal Information We Collect

Category | Examples | Collected
Identifiers | Name, email, IP address, visitor ID | Yes
Commercial Information | Purchase records, subscription info | Yes (future)
Internet Activity | Browsing history on our site, conversation logs | Yes
Geolocation Data | Approximate location based on IP | Yes
Inferences | Preferences derived from your activity | Yes

How We Use Personal Information

See "How We Use Your Information" section above.

Sale or Sharing of Personal Information

We do NOT sell your personal information.

We do NOT share your personal information for cross-context behavioral advertising.

Retention

See "Data Retention" section above.

Your CCPA Rights

  • Right to Know: What personal information we collect, use, disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Correct inaccurate personal information
  • Right to Opt-Out: Opt out of sale/sharing (not applicable as we don't sell/share)
  • Right to Limit Sensitive Personal Information: Limit use of sensitive data (not applicable)
  • Right to Non-Discrimination: Not receive discriminatory treatment

How to Exercise: Email [email protected]

Response Time: 45 days (may extend by another 45 days if complex)

Verification: We may verify your identity before processing requests

Authorized Agent: You may designate an authorized agent to make requests on your behalf

Do Not Track

California law requires us to disclose how we respond to "Do Not Track" (DNT) signals. We do not currently respond to DNT signals because there is no industry standard for compliance. However, we do not track you across third-party websites.


European Union Residents (GDPR)

If you are in the European Economic Area (EEA), UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR).

Legal Basis for Processing

We process your personal data under the following legal bases:

Purpose | Legal Basis
Provide chat service | Performance of contract
AI improvements | Legitimate interest (with opt-out)
Analytics | Legitimate interest
Legal compliance | Legal obligation
Marketing (if applicable) | Consent

Your GDPR Rights

  • Right to Access: Obtain a copy of your data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure ("Right to be Forgotten"): Request deletion
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in machine-readable format
  • Right to Object: Object to processing based on legitimate interest
  • Right to Withdraw Consent: Where consent is the legal basis
  • Right to Lodge a Complaint: With your supervisory authority

How to Exercise: Email [email protected]

Response Time: 1 month (may extend by 2 months if complex)

Supervisory Authority: You can lodge a complaint with your local data protection authority. Find yours at: https://edpb.europa.eu/about-edpb/board/members_en

International Transfers

We transfer data to the US (OpenAI, Anthropic). We use Standard Contractual Clauses (SCCs) approved by the European Commission.

Self-Hosting: EU customers can self-host to keep data within the EU.


India Residents (IT Act 2000 / Future DPDP Act)

Current Law: Information Technology Act, 2000

We comply with:

  • Information Technology Act, 2000
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Sensitive Personal Data we collect:

  • Passwords (hashed)
  • Financial information (future, for payments)

Your Rights:

  • Review and correct your information
  • Withdraw consent for collection

Security Practices: We implement reasonable security practices including encryption, access controls, and regular security audits.

Future Law: Digital Personal Data Protection Act (DPDP Act) 2023

When India's DPDP Act 2023 is enforced (expected 2025), we will:

  • Implement verifiable consent mechanisms
  • Provide clear notice of data processing
  • Enable easy withdrawal of consent
  • Implement data localization (for sensitive data if required)
  • Notify data breaches within 72 hours
  • Allow you to nominate someone to exercise rights on your behalf

Data Fiduciary: Under DPDP Act, we are a "Data Fiduciary" responsible for determining the purpose and means of processing your data.

Data Processor: Our AI providers (OpenAI, Anthropic) are "Data Processors" who process data on our behalf.


Contact Us & Data Protection Officer

General Privacy Questions

Email: [email protected]

Response Time: 48-72 hours

Data Protection Officer (Future)

When required by law (e.g., under GDPR or DPDP Act), we will appoint a Data Protection Officer (DPO). Contact details will be added here.

Mailing Address

VINAY KHOBRAGADE TECHNOLOGIES LLP
RL/5211, Bramhapuri, ARL Bramhapuri, Bramhapuri, Chandrapur
Maharashtra, 442402, India


Complaints and Escalation

If you're not satisfied with our response to your privacy concern:

For EU Residents: Contact your local supervisory authority: https://edpb.europa.eu/about-edpb/board/members_en

For California Residents: Contact the California Attorney General: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company

For Indian Residents: Contact the Indian Computer Emergency Response Team (CERT-In): https://www.cert-in.org.in/


Questions? Email us at [email protected]


This Privacy Policy is provided for informational purposes and does not constitute legal advice. We recommend consulting with an attorney for legal compliance in your specific jurisdiction.