Privacy Policy

Last updated July 17, 2026

[PLACEHOLDER] This page is AI-drafted boilerplate pending review by a qualified lawyer. Do not rely on it as final legal advice or a binding agreement.

This Privacy Policy explains what personal data SupportChat collects, why we collect it, who we share it with, and the rights you have over it. It applies to visitors of our marketing site, users of our support platform, and end customers who message a business through our widget or live chat.

Data we collect

Account data: name, work email, password hash, and workspace details when you or your organization sign up. Conversation data: tickets, messages, attachments, and metadata (channel, timestamps, status) exchanged between agents and end customers. Usage data: pages visited, features used, and in-product actions, collected to keep the service reliable and to improve it. Technical data: IP address, browser and device type, and log data captured automatically by our infrastructure and error-monitoring tooling. We do not use advertising or cross-site tracking cookies — see our Cookie Policy for the full list of what we store in the browser.

Why we process your data, and our lawful basis

We process personal data to: provide and operate the service you or your employer subscribed to (performance of a contract); respond to support requests and communicate about your account (legitimate interest / contract); detect abuse, secure the platform, and prevent fraud (legitimate interest); send billing communications and collect payment (contract, legal obligation); and, where you've opted in, send product updates (consent, which you can withdraw at any time). Where SupportChat is not the data controller — for example, when a business uses our widget to talk to its own end customers — that business is the controller and we process data on its behalf as a processor, under a data processing agreement.

Third-party sharing

We share personal data only with the subprocessors listed on our Subprocessors page, each of which is bound by a data processing agreement and processes data solely to provide their service to us (for example: email delivery, payment processing, file storage, AI inference, hosting, and error monitoring). We do not sell personal data, and we do not share it with third parties for their own marketing purposes. We may disclose data if required by law, a valid legal process, or to protect the rights, safety, or property of SupportChat, our customers, or the public.

Your rights

Subject to applicable law (including the GDPR for users in the EEA/UK), you have the right to: access the personal data we hold about you; correct inaccurate data; request erasure ("right to be forgotten"); export your data in a portable format; object to or restrict certain processing; and withdraw consent at any time where processing is based on consent. If SupportChat processes your data on behalf of a business you're a customer of, that business is usually the right controller to contact first — but you can also reach us directly using the contact details below and we will route the request appropriately. You also have the right to lodge a complaint with your local data protection authority.

Data retention

We retain account and conversation data for as long as the workspace remains active, so agents can reference historical tickets. If a workspace is cancelled, we retain its data for a limited period to allow reactivation or export, then delete or anonymize it, except where we must keep it longer to comply with a legal, tax, or accounting obligation, or to resolve disputes. Log and usage data used for security and reliability is retained for a shorter, fixed window and then purged automatically.

Data Processing Agreement

If your organization needs a signed Data Processing Agreement (DPA) to cover SupportChat's processing of personal data on your behalf — including EU Standard Contractual Clauses for international transfers — one is available on request. Contact [email protected] and we'll send it over for signature. We don't publish the DPA text itself here, since the counter-signed version is the one that's contractually binding.

Contact us / Data Protection Officer

Questions about this Privacy Policy, or requests to exercise your data-subject rights, can be sent to [email protected]. [TODO — Kevin: confirm whether a formal Data Protection Officer is designated; if so, add their name/contact here rather than the generic mailbox.]