Last updated: March 2026
1. Introduction
This privacy policy applies to the ChatDirect.ca service (hereinafter "the Service"), an AI chatbot and mini-CRM platform intended for small and medium-sized businesses. ChatDirect is hosted in Canada and complies with Quebec's Act respecting the protection of personal information in the private sector (Law 25) as well as the General Data Protection Regulation (GDPR) of the European Union.
2. Information Collected
2.1 Widget Visitor Data
When a visitor interacts with a ChatDirect chatbot embedded on a client's website, the following information may be collected:
- Messages exchanged with the chatbot (conversations)
- Voluntarily provided information (name, email, phone, company name)
- IP address (anonymized by default in Privacy by Design mode)
- Referring page (URL) and browser language
- Interaction timestamps
2.2 Client Data (portal and administration)
When registering and using the client portal or administration panel:
- Login credentials (username, bcrypt-hashed password)
- Chatbot configuration (personality, colors, knowledge base)
- Billing information related to the chosen plan
- Conversation history and usage statistics
2.3 Mini-CRM Data
The built-in CRM collects and stores:
- Lead contact information (name, email, phone, company)
- Qualification score (0 to 15, automatically calculated)
- Pipeline status (new, contacted, converted, lost)
- Notes, tags, activity history and reminders
- History of emails sent from the platform
3. Use of Data
Collected data is used exclusively to:
- Provide the AI chatbot and CRM service as described in our terms of service
- Improve chatbot response quality for each client
- Generate usage statistics and analytics reports
- Send service-related notifications (leads, alerts, reminders)
- Ensure technical support and service maintenance
We never sell, rent or share your personal data with third parties for commercial purposes.
4. Hosting and Security
All data is hosted in Canada on OVH servers. The following security measures are in place:
- AES-256-CBC encryption for sensitive data (API keys, configuration information)
- Passwords hashed with bcrypt, with automatic salting
- Two-factor authentication (2FA) via email for the administration panel
- CSRF protection on all forms
- Security headers: X-Frame-Options, X-Content-Type-Options, HSTS
- Rate limiting on all APIs
- SSRF protection for outgoing webhooks
- Strict validation of all user inputs
5. Cookies and Trackers
ChatDirect operates in zero-cookie mode by default. The chatbot widget does not install any cookies on visitors' browsers.
If a client enables Google Analytics 4 (GA4) in their configuration, it is loaded conditionally and in compliance with applicable regulations. The client is then responsible for their own cookie policy regarding the GA4 tracker.
The client portal and administration panel use session cookies strictly necessary for authentication functionality. These cookies are not subject to consent as they are essential to the service.
6. Data Retention
Data retention duration is configurable by the client, from 30 to 365 days. Beyond the defined period:
- Conversations are automatically deleted
- Visitor data is purged
- Activity logs are erased
CRM data (leads, pipeline, notes) is retained as long as the client account is active, unless it is manually deleted or its deletion is explicitly requested.
7. User Rights — Quebec's Law 25
In accordance with Law 25, any person concerned has the following rights:
- Right of access: obtain a copy of the personal information held about them
- Right of rectification: correct inaccurate or incomplete information
- Right of deletion: request the erasure of their personal information
- Right to portability: receive their data in a structured and commonly used format
- Right to withdraw consent: withdraw consent at any time
Widget visitors can exercise their right of deletion directly via the built-in "Delete my data" feature available in the chatbot.
8. European Rights — GDPR
For users located in the European Union, the following additional rights apply under the GDPR:
- Right to object: object to the processing of their data
- Right to restriction: restrict processing in certain circumstances
- Right to lodge a complaint: file a complaint with a supervisory authority
Legal basis for processing: data processing is based on the performance of the service contract (Article 6.1.b of the GDPR) and, for widget visitors, on the legitimate interest of the client in ensuring efficient customer service (Article 6.1.f).
9. Privacy by Design
ChatDirect adopts a Privacy by Design approach, integrating privacy protection from the design stage:
- IP anonymization: visitor IP addresses are anonymized by default
- Zero-cookie mode: no tracking cookies are installed by the widget
- Configurable retention: each client defines their own retention period
- Conditional GA4: analytics trackers are only loaded if explicitly enabled
- Data export: visitors can request the export of their data at any time
- Deletion on request: built-in visitor data deletion feature
10. Third-Party Providers
To provide the service, ChatDirect uses the following third-party providers:
- AI providers: Anthropic, OpenAI, Google and Mistral. Visitor messages are transmitted to these providers to generate chatbot responses. These providers have their own privacy policies and do not retain data beyond request processing (API mode).
- Email sending: SMTP2GO, SendGrid, Brevo, Mailgun or Amazon SES (depending on configuration) for transactional email delivery.
- CRM webhooks: if configured by the client, lead data may be transmitted to HubSpot, Pipedrive, Monday.com or a custom service. The client is responsible for the compliance of the third-party services they connect.
- Twilio: if configured, for sending follow-up SMS.
11. Policy Changes
ChatDirect reserves the right to modify this privacy policy at any time. Any substantive changes will be communicated via a notification in the client portal and/or by email. The last update date is indicated at the top of this page.
12. Contact
For any questions regarding the protection of your personal data or to exercise your rights, please contact us:
- Email: info@chatdirect.ca
- Contact page: chatdirect.ca/en/contact.html
- Location: Quebec, Canada
We commit to responding to any request within 30 days, in accordance with Law 25 and GDPR requirements.