Privacy Policy

Last Updated: March 22, 2026

Your privacy is important to us. This Privacy Policy explains how ChatoSmart collects, uses, shares, and protects your personal information in compliance with GDPR and applicable data protection laws.

1. Introduction

ChatoSmart ("we", "us", or "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy applies to our website (chatosmart.com) and our live chat platform service.

Data Controller: SmartSoft.al, the operator of ChatoSmart, is the Data Controller responsible for your personal data. For data protection inquiries, contact us at privacy@chatosmart.com.

2. Data We Collect

2.1 Information You Provide

When you register for or use our Service, we collect:

  • Account Information: Name, email address, phone number, company name, password
  • Profile Information: Profile photo, job title, business details
  • Payment Information: Billing address, payment method details (processed securely by our payment providers)
  • Communication Data: Messages, chat transcripts, support tickets, feedback
  • Configuration Data: Widget settings, customization preferences, integration configurations

2.2 Information Collected Automatically

When you use our Service, we automatically collect:

  • Usage Data: Pages visited, features used, time spent, actions taken
  • Device Information: IP address, browser type, operating system, device identifiers
  • Log Data: Access times, error logs, performance data
  • Cookies and Tracking: Session cookies, preference cookies, analytics cookies

2.3 Data from Third-Party Sources

We may receive data from:

  • Third-party authentication services (Google, Facebook) if you choose to sign in via these providers
  • Payment processors for transaction verification
  • Integration partners (WhatsApp, Facebook Messenger, Telegram)

2.4 End-User Data (Visitor Data)

When your website visitors interact with the ChatoSmart widget on your website, we process their data on your behalf as a Data Processor. This includes:

  • Chat messages and conversations
  • Name and email (if provided by the visitor)
  • Browser and device information
  • Pages visited on your website
  • IP address and location data

Important: As a Data Controller for your end-users' data, you are responsible for obtaining necessary consents and providing appropriate privacy notices to your website visitors.

3. How We Use Your Data

3.1 Legal Bases for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract Performance: To provide our Service as agreed in our Terms of Service
  • Legitimate Interests: To improve our Service, ensure security, and communicate with you
  • Legal Obligation: To comply with legal requirements and respond to legal requests
  • Consent: For marketing communications and optional features (you can withdraw consent at any time)

3.2 Purposes of Data Processing

We use your personal data to:

  • Provide the Service: Create accounts, enable chat functionality, process conversations
  • Billing and Payments: Process subscription fees and issue invoices
  • Customer Support: Respond to inquiries, troubleshoot issues, provide assistance
  • Service Improvement: Analyze usage patterns, develop new features, optimize performance
  • Security: Detect fraud, prevent abuse, ensure platform security
  • Communications: Send service updates, security alerts, promotional messages (with consent)
  • Legal Compliance: Fulfill legal obligations, respond to court orders, enforce our rights

4. Data Sharing and Disclosure

4.1 Third-Party Service Providers

We share data with trusted service providers who assist us in operating our Service:

  • Cloud Hosting: Amazon Web Services (AWS), DigitalOcean for data storage and hosting
  • Payment Processing: Stripe, PayPal for secure payment processing
  • Communication Services: Email providers (SendGrid), SMS providers
  • Analytics: Google Analytics, Mixpanel for usage analysis
  • Customer Support: Support ticket systems, help desk software

All service providers are bound by data protection agreements and are only authorized to process data on our behalf.

4.2 Integration Partners

If you enable integrations with third-party services (WhatsApp, Facebook, Telegram), data may be shared with these platforms in accordance with their privacy policies.

4.3 Legal Requirements

We may disclose your data if required to:

  • Comply with legal obligations, court orders, or government requests
  • Protect our rights, property, or safety, or that of our users
  • Detect, prevent, or address fraud, security, or technical issues
  • Enforce our Terms of Service

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change.

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

  • Account Data: Retained while your account is active and for 30 days after account deletion
  • Chat/Conversation Data: Retained according to your plan's retention period (30-365 days) unless you delete it earlier
  • Billing Records: Retained for 7 years as required by accounting and tax laws
  • Log Data: Retained for 90 days for security and troubleshooting purposes
  • Marketing Data: Retained until you unsubscribe or withdraw consent

After the retention period, we securely delete or anonymize your data.

6. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or Albania, you have the following rights:

6.1 Right to Access

You can request a copy of all personal data we hold about you.

6.2 Right to Rectification

You can request correction of inaccurate or incomplete data.

6.3 Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data, subject to legal obligations.

6.4 Right to Restriction

You can request that we limit the processing of your data in certain circumstances.

6.5 Right to Data Portability

You can request your data in a structured, machine-readable format for transfer to another service.

6.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

6.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of prior processing.

6.8 Right to Lodge a Complaint

You can file a complaint with the Albanian Data Protection Authority (Komisioni i Mbrojtjes së të Dhënave Personale) or your local data protection authority.

To Exercise Your Rights: Contact us at privacy@chatosmart.com or through your account settings. We will respond within 30 days.

7. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: All data in transit is encrypted using TLS/SSL. Data at rest is encrypted using AES-256.
  • Access Controls: Role-based access controls and multi-factor authentication for employees
  • Regular Audits: Security audits, vulnerability assessments, and penetration testing
  • Data Centers: SOC 2 certified data centers with physical security measures
  • Monitoring: 24/7 security monitoring and intrusion detection systems
  • Employee Training: Regular security and privacy training for all staff

While we take extensive measures to protect your data, no system is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.

8. International Data Transfers

ChatoSmart is operated from Albania. If you access our Service from outside Albania, your data may be transferred to and processed in Albania or other countries where our service providers operate.

For transfers from the EEA, we ensure adequate protection through:

  • Standard Contractual Clauses approved by the European Commission
  • Ensuring service providers comply with GDPR requirements
  • Adequacy decisions where applicable

9. Cookies and Tracking Technologies

9.1 Types of Cookies We Use

  • Essential Cookies: Required for the Service to function (login sessions, security)
  • Preference Cookies: Remember your settings and preferences
  • Analytics Cookies: Help us understand how you use the Service (Google Analytics)
  • Marketing Cookies: Used to deliver relevant advertisements (with consent)

9.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect Service functionality. You can opt out of analytics cookies through our cookie consent banner.

10. Children's Privacy

ChatoSmart is not intended for children under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at privacy@chatosmart.com.

11. Data Processing Agreement (DPA)

For customers who process personal data of their end-users through ChatoSmart, we act as a Data Processor. A Data Processing Agreement (DPA) is available upon request to ensure GDPR compliance. Contact legal@chatosmart.com to request a DPA.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes via email or through the Service at least 30 days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

13. Contact Us

For privacy-related questions, concerns, or to exercise your rights, please contact us:

Data Protection Officer

ChatoSmart - SmartSoft.al

Email: privacy@chatosmart.com

Legal: legal@chatosmart.com

Website: https://chatosmart.com

14. Supervisory Authority

If you have concerns about how we handle your data, you may contact the Albanian Data Protection Authority:

Komisioni i Mbrojtjes së të Dhënave Personale

Address: Rr. "Abdi Toptani", Torre Drin, Kati 3, Tirana, Albania

Email: info@idp.al

Website: www.idp.al

Document Information

Version: 1.0
Effective Date: March 22, 2026
Last Reviewed: March 22, 2026
GDPR Compliant: Yes
Albanian Law on Personal Data Protection (Law No. 9887, dated 10.03.2008): Compliant