This Privacy Policy describes how ChatBrat.ai ("ChatBrat", "we", "us") collects, uses, stores, and shares your personal data when you use chatbrat.ai (the "Platform"). It is designed to comply with the EU General Data Protection Regulation (GDPR), UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA, and equivalent laws in other jurisdictions where we operate.
1. Who we are (data controller)
The data controller is the operator of chatbrat.ai. Contact: [email protected]. A full legal entity disclosure, Data Protection Officer (DPO), EU Article 27 representative, and UK representative will be published as part of the EU/UK launch gate. [Legal entity name and registered address — to be confirmed by user before launch].
2. What we collect
- Account data — email address, username, password hash, profile information.
- Your content — characters, scenarios, chat messages, prompts, AI outputs, and any images or files you upload.
- Age-assurance data — where you go through age verification, our provider confirms a pass/fail result to us only. We do not store the underlying ID document or biometric data.
- Payment metadata — billing plan, transaction ID. Card details are handled by our payment processor (Stripe) and not stored on our servers.
- Automatic data — IP address, device and browser information, usage events, cookie identifiers, and performance telemetry.
Please do not share sensitive personal information in chats — such as government identifiers, financial details, or health data — unless strictly necessary.
3. Why we use it and the lawful basis (GDPR Art. 13/14)
- Account data, your content, and AI memories — Contract (Art. 6(1)(b) GDPR): required to provide the service you signed up for.
- LLM usage + performance logs (tokens, cost, latency, model) — Legitimate interest (Art. 6(1)(f)): billing accuracy and service-quality monitoring. No conversation content is stored in these logs.
- Security and abuse signals (IP, auth events, rate limit hits) — Legitimate interest: fraud and abuse prevention.
- Moderation records — Legal obligation (Art. 6(1)(c)): DSA Art. 17 requires a durable audit trail of every content removal.
- Product analytics (PostHog events) — Consent (Art. 6(1)(a)): we fire these only after you accept on the cookie banner. EU/UK visitors are default-reject.
- AI model training — Consent (Art. 6(1)(a)): opt-in only; default OFF for EU/UK/CA users and globally during our current launch phase. We never train on data we know or believe to come from a minor.
4. Automated decision-making and AI profiling (Art. 22)
Parts of chatbrat.ai make automated decisions using machine-learning signals:
- A content-classifier routes each message to an appropriate LLM tier based on message content and relationship stage.
- A safety classifier scans user input and AI output against the Platform's content ceiling.
- A memory system ranks past conversation turns for semantic relevance so characters “remember” you across sessions.
These decisions are not used for hiring, credit, legal, or other high-stakes contexts within the meaning of GDPR Art. 22. You can request a human review of any moderation outcome by emailing [email protected].
5. Who we share data with (sub-processors)
We use a small set of vendors to run chatbrat.ai. Each has a data processing agreement (DPA) and, where the vendor is outside the EEA, an appropriate transfer safeguard (Standard Contractual Clauses). We never sell your personal data.
| Processor | Purpose | Location(s) | Transfer safeguard |
|---|---|---|---|
| Supabase | Primary database (Postgres) + auth + file storage | United States (us-east-1) | Standard Contractual Clauses (SCCs) + DPA |
| Vercel | Web hosting, edge middleware, serverless functions | United States + global edge (Frankfurt, Dublin, etc.) | Standard Contractual Clauses (SCCs) + DPA |
| Groq Cloud | LLM inference for chat responses | United States | SCCs + no-training clause in DPA |
| OpenAI | LLM inference and content moderation (fallback + safety layer) | United States | API-only, no-training DPA in place |
| DeepSeek | LLM inference for specific routing tiers | China / United States (API) | API-only, no-training where available — EU data routed via Nebius/Fireworks |
| Nebius AI | LLM inference — primary model host (Qwen-3-235B) | European Union (Amsterdam) | GDPR-compliant EU processing, DPA |
| Fireworks AI | LLM inference — fallback model host | United States | API-only, no-training clause, SCCs |
| Together AI | LLM inference — supplementary tier | United States | API-only, no-training clause, SCCs |
| Cerebras | LLM inference — fast-tier routing | United States | API-only, no-training clause |
| fal.ai | Image and video generation for characters and scenarios | United States | API-only, generated outputs only, SCCs |
| Resend | Transactional email (welcome, account, safety notices) | United States | DPA + SCCs |
| PostHog | Product analytics (consent-gated; EU/UK visitors opt-in only) | United States | DPA + SCCs; EU cloud region available on upgrade |
| Langfuse | LLM observability and tracing (engineering diagnostics) | EU / United States | DPA + SCCs |
6. International transfers
Most of our vendors are headquartered in the United States. Transfers of EU/UK personal data to the United States rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and, where applicable, the vendor's certification under the EU-US Data Privacy Framework. Primary LLM inference for EU/UK users routes to Nebius AI (Amsterdam, EU) by default.
7. How long we keep your data (retention)
| Category | Period | Note |
|---|---|---|
| Account profile (email, display name, age verification status) | Life of account + 30 days | Deleted on DSR request within 30 days. |
| Conversation history (active / hot) | 90 days from last active turn | Moved to cold storage after 90 days. |
| Conversation history (cold storage) | 180 days from last active turn | Permanently purged at 180 days unless account is still active. |
| Generated AI memories (semantic summaries) | Life of account | Purged with account on deletion. |
| User-created characters / scenarios | Life of account | Pseudonymised on account deletion if content is public; fully purged if private. |
| LLM usage logs (model, cost, runtime — no conversation content) | 13 months | Billing and cost auditing. |
| Account deletion audit record | 24 months | Minimal audit row — request timestamp, outcome. No personal data beyond account ID. |
| Security logs (IP, auth events) | 90 days | Abuse detection and rate limiting. |
| Analytics events (PostHog, consent-gated) | 12 months | Aggregate usage. Pseudonymous. |
| Moderation records (content removals, bans) | 3 years | DSA Art. 17 audit trail; required for regulatory compliance and appeals. |
8. Your rights (DSR — 30-day SLA)
We respond to all Data Subject Requests within 30 days (extended to 90 days only for complex requests, with prior notice). You have the right to:
- Access — a copy of the data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — delete your account and associated data. Available self-serve in Settings or via email request.
- Portability — export your data in a machine-readable (JSON) format.
- Restriction — pause processing while a dispute is resolved.
- Objection — object to processing based on our legitimate interest.
- Withdraw consent — turn off any consent-based processing (analytics, AI training) at any time from Settings.
- AI training opt-out — specifically opt out of use of your data for AI model training at any time. Default is OFF for EU/UK/CA users. See Your Privacy Choices.
To exercise any right, email [email protected] from the address on your account with the subject line "Privacy Request".
9. Children's data
chatbrat.ai is an 18-and-over service. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, email [email protected] and we will delete the account within 48 hours. We do not use data from any account we know or believe to belong to a minor for AI training or any purpose other than account termination and regulatory reporting.
10. Data breach notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify our supervisory authority within 72 hours (GDPR Art. 33) and notify affected users without undue delay where the breach presents a high risk (Art. 34).
11. Right to complain
If you believe we have mishandled your personal data, you have the right to lodge a complaint with your local supervisory authority:
- EU residents: your national data-protection authority.
- UK residents: Information Commissioner's Office (ICO).
- California and other US state residents: see Your Privacy Choices.
12. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top reflects the most recent revision. Material changes will be announced by email to the address on your account at least 30 days in advance.
13. Contact
Privacy questions and DSR requests: [email protected]. DPO and EU/UK representative contact will be published when appointed — tracked as a launch gate.