Doc. PP-01 Last revised 2026.06.25

Privacy Policy

This policy explains how InChat collects, uses, and protects your information. We've written it in plain language — no legalese, no hidden gotchas.

Who We Are

InChat ("we", "us", "our") is an AI-powered live chat platform for websites, operated at inchat.ai. When you sign up for InChat, add it to your website, or visit inchat.ai, you're sharing information with us. This policy tells you exactly what we collect, why we collect it, and what you can do about it.

If you have questions about anything in this policy, email us at team@inchat.ai. We'll respond to privacy questions within 5 business days.

What Information We Collect

Account Information

When you create an InChat account, we collect:

  • Name and email address — used to identify your account and send important service communications
  • Password — stored as a cryptographic hash; we never store or can read your actual password
  • Email verification code — a short-lived code used once to confirm your email address
  • Team name — the name you give your InChat workspace
  • Payment information — we do not store your credit card data directly; all payment processing is handled by Stripe (see Third-Party Services below)

Website and Training Data

To power your AI agent, InChat needs to learn from your content. When you connect a website or upload materials, we collect and process:

  • Website URLs you submit for crawling — the domains and pages you explicitly add to InChat
  • Page content extracted from those URLs — text content, headings, and structured information that the AI uses to answer questions
  • Uploaded files (PDF, DOCX, TXT) — documents you upload to supplement the AI's knowledge base
  • Content hashes and embeddings — mathematical representations of your content used for AI retrieval; not human-readable and not shared

We only crawl URLs you explicitly provide. We do not crawl your website without your permission, and we do not share your training content with other InChat customers.

Visitor and Conversation Data

When InChat is installed on your website, we collect information about your website's visitors on your behalf. This includes:

  • Session identifiers — anonymous IDs that track a visitor across their current session
  • IP address and approximate location — country and city-level geolocation derived from the visitor's IP; full IPs are not stored long-term
  • Browser and operating system — user agent string used to display visitor context in your dashboard
  • Current page URL and referrer — which page a visitor is on when they start a chat
  • Visitor-provided information — name and email address if the visitor chooses to share them during a conversation
  • Conversation messages — the full text of conversations between your visitors and InChat (both AI responses and any human agent replies)

As an InChat customer, you are the data controller for your visitor data. We process this data on your behalf as a data processor. You are responsible for ensuring you have appropriate legal basis to collect this data from your visitors, including maintaining an appropriate privacy policy on your own website.

Usage and Analytics Data

We collect data about how you use InChat to operate and improve the service:

  • Feature usage — which InChat features you use and how often, to understand what's working and what needs improvement
  • Conversation counts and volume — tracked against your plan's limits and for billing purposes
  • Login timestamps and session activity — used for security monitoring and account recovery
  • Error logs — technical error data that helps us diagnose and fix bugs

How We Use Your Information

To Provide the Service

The primary reason we collect data is to make InChat work for you:

  • Authenticating your account and keeping it secure
  • Crawling and indexing your training content to power your AI agent
  • Routing visitor conversations to your team and generating AI responses
  • Enforcing plan limits and tracking usage against your subscription
  • Sending transactional emails — account verification, billing receipts, password resets

To Improve InChat

We use aggregated, anonymized usage data to understand how customers use InChat and where the product needs improvement. We do not use the content of your visitors' conversations to train any shared AI models. Your training data and conversation data stay within your account.

To Communicate With You

We may send you:

  • Service emails — things like billing notifications, security alerts, and major product changes. You cannot opt out of these while you have an active account.
  • Product updates — occasional emails about new features or significant changes. You can unsubscribe at any time via the link in any such email.

We do not sell your email address or share it with third-party marketers.

Third-Party Services

InChat integrates with a small number of third-party services to operate. Here's what each one receives:

Stripe (Payments)

All payment processing is handled by Stripe. When you enter billing information, it goes directly to Stripe — we never see or store your full credit card number. Stripe may store your name, email, billing address, and payment method details for billing purposes. Stripe's privacy policy governs how they handle this data: stripe.com/privacy.

Transactional Email Provider

We use a transactional email provider (Mailgun or Amazon SES depending on region) to send verification codes, billing receipts, and service notifications. These providers receive your email address and the content of any email we send you. They are contractually prohibited from using your data for any other purpose.

OpenAI

InChat uses OpenAI's API to generate AI responses in conversations. When a visitor sends a message to your AI agent, relevant chunks of your training content and the conversation history are sent to OpenAI to generate a response. OpenAI processes this data under its API data usage policies, which — for API users — do not use submitted data to train OpenAI's models. You can review OpenAI's privacy practices at openai.com/privacy.

Infrastructure Providers

InChat runs on cloud infrastructure. Our servers, databases, and file storage are hosted with reputable cloud providers. All data is encrypted in transit (TLS 1.2+) and at rest. We do not share your data with these providers beyond what's necessary to run the infrastructure.

Cookies and Tracking

InChat uses cookies and similar technologies in two contexts:

On inchat.ai (Our Website and Dashboard)

  • Session cookie — keeps you logged into your InChat dashboard. Required for the service to function.
  • CSRF token — a security cookie that protects your account from cross-site request forgery attacks. Required.
  • Preference cookies — may store UI preferences like your billing period toggle selection (monthly vs yearly).

We do not use third-party advertising cookies or cross-site tracking on inchat.ai.

On Your Website (The InChat Widget)

When you install the InChat widget on your website, it sets a cookie or uses localStorage to maintain a visitor's session across page loads within the same visit. This allows conversations to persist as a visitor navigates your site. The widget does not set persistent tracking cookies and does not track visitors across different websites.

As the website owner, you are responsible for disclosing the use of the InChat widget in your own privacy policy and obtaining any necessary consent from your visitors where required by applicable law.

Data Retention and Deletion

Retention Periods

We retain different types of data for different periods:

  • Account data — retained for the life of your account, plus 30 days after deletion to allow recovery
  • Conversation history — retained according to your plan (30 days on Free, 1 year on Starter, unlimited on Plus and Pro)
  • Training content and embeddings — retained while your account is active; deleted when you remove a training source or close your account
  • Usage logs — retained for 90 days for billing accuracy and then aggregated or deleted
  • Billing records — retained for 7 years as required for financial compliance

Account Deletion

You can delete your InChat account at any time from your billing settings. When you delete your account, we remove your personal information, training content, and conversation data within 30 days. Billing records required for legal compliance are retained separately in anonymized form.

If you want to delete specific data without closing your account — such as removing a training source or deleting a visitor record — you can do this directly from the InChat dashboard.

Your Rights (Including GDPR)

Depending on where you're located, you may have legal rights regarding your personal data. We respect these rights for all users, regardless of location:

  • Right to access — you can request a copy of the personal data we hold about you
  • Right to correction — if any data we hold is inaccurate, you can ask us to correct it
  • Right to deletion — you can ask us to delete your personal data ("right to be forgotten"); we will comply except where retention is required by law
  • Right to portability — you can request your data in a machine-readable format
  • Right to object — you can object to certain types of processing, including any future direct marketing
  • Right to restrict processing — in some circumstances, you can ask us to pause processing of your data while we address a concern

For EU/EEA users, InChat processes your personal data under the following legal bases: contract performance (to deliver the service you've subscribed to), legitimate interests (to operate and improve our business), and consent (for any optional communications). You have the right to withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at team@inchat.ai. We will respond within 30 days.

Data Security

We take data security seriously and implement industry-standard measures to protect your information:

  • All data in transit is encrypted using TLS 1.2 or higher
  • All data at rest is encrypted using AES-256
  • Passwords are stored as bcrypt hashes — we cannot recover your actual password
  • Access to production systems is restricted to a small number of authorized personnel
  • We perform regular security reviews and keep dependencies up to date
  • Stripe handles all payment card data; we are not in scope for PCI DSS

No security system is perfect. In the unlikely event of a data breach that affects your personal data, we will notify you as required by applicable law.

Children's Privacy

InChat is not intended for use by children under 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us at team@inchat.ai and we will delete it promptly.

Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) before the changes take effect. The current version of this policy always governs your use of InChat.

If you continue using InChat after a policy update, you accept the updated terms. If you disagree with any changes, you can close your account before they take effect.

Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or how we handle your data, please contact us:

We're a small team and we take privacy seriously. You'll get a real response from a real person.