Privacy Policy

Last updated: April 9, 2026

1. Introduction

ChatDirect.ca ("we", "our", "us") operates the chatdirect.ca website and the ChatDirect AI chatbot and mini-CRM platform (the "Service"). This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our Service.

We are committed to compliance with Quebec's Act respecting the protection of personal information in the private sector (Law 25) and the European General Data Protection Regulation (GDPR).

2. Data We Collect

2.1 Information You Provide

• Account information: name, email address, company name, and password (hashed with bcrypt) when creating an account or using the client portal.
• Contact form data: name, email, company, and message content submitted via our contact form.
• Chatbot conversations: messages exchanged between website visitors and the AI chatbot (including via SMS, WhatsApp, Facebook Messenger, and Instagram DM).
• Lead information: name, email, phone number, and other details voluntarily provided during chatbot conversations.
• RAG documents: PDF, Word, and TXT files uploaded by clients, and web page URLs indexed for knowledge base enrichment.
• TOTP secrets: encrypted secrets for two-factor authentication (TOTP + backup codes).

2.2 Information Collected Automatically

• Usage data: pages visited, referring URL, conversation timestamps, and interaction patterns.
• Technical data: browser type, device type, and IP address (used for rate limiting and security, not stored long-term).
• Cookies: session cookies for authentication in the admin panel and client portal. No advertising or tracking cookies are used by the ChatDirect platform itself.

3. How We Use Your Data

• To provide and maintain the AI chatbot and mini-CRM Service.
• To process lead capture, scoring, and follow-up sequences configured by the client.
• To send transactional emails (account verification, password reset, support ticket updates).
• To improve our Service, analyze usage patterns, and fix bugs.
• To comply with legal obligations.

We do not sell your personal data. We do not use your data for advertising purposes.

Embeddings generation (RAG): when a client uploads documents or indexes web pages, the text content is sent to the OpenAI API (text-embedding-3-small model) to generate semantic vectors. These vectors are stored in Supabase (PostgreSQL with pgvector) in the United States (AWS us-east-1).

4. Data Hosting and Storage

The application and primary files are hosted on a dedicated OVH server located in Beauharnois, Quebec, Canada. Structured data (accounts, conversations, leads, vector embeddings) is stored in a Supabase database (PostgreSQL) hosted in the United States (AWS us-east-1), with encryption in transit (TLS) and at rest (AES-256).

Sensitive data such as API keys, credentials, and TOTP secrets are encrypted using AES-256-CBC encryption with keys derived from the server configuration.

4.1 Data Isolation (Privacy Wall)

Each client's data is strictly isolated. The ChatDirect team does not have access to client data without explicit temporary authorization (72 hours maximum), granted only for technical support or incident resolution purposes.

5. Data Retention

Conversation data and lead information are retained based on the retention period configured by each client in their chatbot settings. Clients can set retention from 7 days to 365 days, or choose indefinite retention.

When retention expires, or upon client request, data is permanently deleted from our servers.

6. Your Rights

Under Law 25 and the GDPR, you have the following rights:

• Right of access: request a copy of the personal data we hold about you.
• Right to rectification: request correction of inaccurate data.
• Right to erasure: request deletion of your personal data. Visitors can also use the built-in "Delete my data" button in the chatbot widget.
• Right to portability: receive your data in a structured, commonly used format.
• Right to withdraw consent: withdraw your consent at any time.
• Right to lodge a complaint: file a complaint with the Commission d'acces a l'information du Quebec or your local data protection authority.

To exercise these rights, contact us at info@chatdirect.ca.

7. Cookies

ChatDirect uses only essential cookies required for the functioning of the admin panel and client portal (session management and authentication). The chatbot widget uses localStorage to maintain conversation continuity.

If Google Tag Manager is enabled on the marketing website, it may set analytics cookies subject to their own privacy policies. The chatbot platform itself does not set any third-party cookies.

8. Third-Party Services and Sub-processors

When clients configure their chatbot, conversations may be processed by the following AI providers based on the selected model:

• Anthropic (Claude models) — United States
• OpenAI (GPT models + text-embedding-3-small for RAG) — United States
• Google (Gemini models) — United States
• Mistral — France / EU

Each provider processes data according to their own privacy policies. Conversation data sent to AI providers is used solely for generating responses and is not retained by these providers for training purposes under their API terms of service.

Additional sub-processors:

• OVH (dedicated server hosting) — Canada (Beauharnois, QC)
• Supabase (PostgreSQL database + pgvector) — United States (AWS us-east-1)
• Stripe (payment processing) — United States
• SMTP2GO (primary email delivery) — New Zealand / United States
• Twilio (SMS and WhatsApp Business, if configured by client) — United States
• Meta (Facebook Messenger and Instagram DM, if configured by client) — United States

9. Security Measures

• AES-256-CBC encryption for sensitive data at rest.
• Bcrypt password hashing with individual salts.
• Two-factor authentication (TOTP + backup codes) available on all portals.
• CSRF protection on all forms.
• Rate limiting on all API endpoints.
• HTTP security headers (X-Frame-Options, X-Content-Type-Options, HSTS).
• SSRF protection for webhook URLs.
• Wildcard SSL subdomains for client portals.
• Data isolation (privacy wall) — team access restricted and time-limited (72h).
• Regular security audits (6 audits completed as of April 2026).

10. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically.

12. Contact

For any questions regarding this Privacy Policy or your personal data, contact us at:

ChatDirect
Email: info@chatdirect.ca
Quebec, Canada