Privacy Policy

Last updated: June 2026

1. Information We Collect

  • Account Information: When you register, we collect your name, email address, company name, and billing details (processed securely via Stripe).
  • Chat Data: We store conversation history between your AI chatbot and your customers to improve responses and provide analytics.
  • Knowledge Base Content: Documents, FAQs, URLs, and product data you upload to train your chatbot.
  • Usage Data: Dashboard login timestamps, feature interactions, and API call volumes for service optimization.
  • Website Data: Automated crawl data from your e-commerce store (product listings, prices, categories) to power AI responses.

2. How We Use Your Data

  • Service Delivery: Powering your AI chatbot, generating responses, managing knowledge base queries, and providing dashboard analytics.
  • AI Training: Improving response accuracy using your chat data. Your knowledge base documents are workspace-scoped and never shared across tenants.
  • Communication: Sending account notifications, billing receipts, product updates, and support responses.
  • Analytics: Aggregated, anonymized statistics to improve platform performance and feature development.
  • We never sell, rent, or share your personal data with third parties for their own marketing purposes.

3. Data Storage & Security

  • Data Residency: All data is stored on servers located within the European Union (EU) using Hetzner and AWS eu-central-1.
  • Encryption at Rest: AES-256 encryption for all stored data including knowledge base documents and chat logs.
  • Encryption in Transit: TLS 1.3 for all API communications and HTTPS for web traffic.
  • Access Control: Production access is restricted to authorized engineering personnel via SSH key authentication and VPN.
  • Backup: Automated daily backups with 30-day retention in a separate geographic zone.
  • SOC 2: We maintain SOC 2 Type II compliant security practices with annual audits.

4. Your Rights (GDPR & CCPA)

  • Right to Access: Request a copy of all personal data we hold about you.
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your account and associated data.
  • Right to Restrict Processing: Limit how we process your data in certain circumstances.
  • Right to Data Portability: Receive your data in a machine-readable format (JSON).
  • Right to Object: Object to processing for direct marketing or legitimate interests.
  • CCPA Rights: California residents may opt out of the sale of personal information and request disclosure of data collection practices.

5. Data Retention

  • Active Accounts: Data is retained for the duration of your subscription plus 30 days after cancellation.
  • Chat Logs: Individual chat logs are retained for 12 months, after which personally identifiable information is anonymized.
  • Knowledge Base: Documents remain until you delete them or your account is terminated.
  • Backups: Deleted data is purged from backups within 90 days.
  • Billing Records: Retained for 7 years as required by tax regulations.

6. Third-Party Services

  • Stripe: Payment processing. CircuCity AI never stores credit card numbers. Stripe's privacy policy applies to payment data.
  • OpenAI: AI model inference. Chat messages are sent to OpenAI for response generation. No training on your data is performed by OpenAI via API.
  • Hetzner & AWS: Cloud infrastructure providers for compute and storage.
  • Resend: Transactional email delivery for account notifications.
  • Google Analytics (optional): Anonymized website traffic analytics if enabled.

7. Cookies & Tracking

  • Essential Cookies: Session tokens, authentication cookies, CSRF protection. Required for platform functionality.
  • Analytics Cookies: Optional cookies for understanding platform usage patterns.
  • Preference Cookies: Store your dashboard preferences and theme settings.
  • You can control cookie preferences via your browser settings. Disabling essential cookies may impact platform functionality.

8. Contact & DPO

  • Data Protection Officer: privacy@circucity.se
  • Privacy Inquiries: privacy@circucity.se
  • Postal Address: CircuCity AI AB, Stockholm, Sweden
  • Response Time: All requests are acknowledged within 72 hours and resolved within 30 days.
  • Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.