Privacy Policy

Privacy Policy (Chatric)

Last updated: 21 September 2025
Controller: Swavvy AB (“we”, “us”, “our”)
Org. No.: 5590083670
Address: Täppgränd 95, 121 33 Enskededalen, Sweden
Contact: info@chatric.ai
Supervisory authority (SE): Integritetsskyddsmyndigheten (IMY), Sweden

Scope

This policy covers personal data processed when you: (i) visit Chatric websites/apps (e.g., chatric.ai), (ii) create and use a Chatric account, and (iii) connect your own systems (e.g., GA4, Google Ads, Meta Ads, Shopify/WooCommerce, BigQuery, Hightouch).

Roles under GDPR

  • Controller (your account & operations data): For account details, security/authentication, product operations, support, and service communications, Swavvy AB is the controller.

  • Processor (your connected data): When you use Chatric to analyze or activate Customer Data (e.g., marketing/e-commerce datasets, “conversion history”), we act strictly on your documented instructions as your processor, governed by our Data Processing Addendum (DPA).

  • Independent controllers: Platforms you connect (Google, Meta, Shopify, etc.) are typically independent controllers for their services.

Data we process

As Controller

  • Account data: name, email, profile image URL, organization/workspace identifiers, role, locale.

  • Security & authentication: password hashes/SSO IDs, session identifiers (via the chatric.sid cookie), IP/device/browser metadata, login and audit logs.

  • Service operations: support requests, service messages, error reports, availability metrics.

  • Billing (if applicable): plan/subscription and invoicing metadata; payment processing is handled by our payment provider as an independent controller (we do not store card numbers).

As Processor (your instructions)

  • Customer Data you connect: marketing/e-commerce records and conversion history from GA4/Google Ads/Meta Ads/Search Console/Shopify/WooCommerce/BigQuery/Hightouch, etc., as configured by you.

  • Connector credentials: OAuth tokens/API keys you authorize. Stored server-side only, encrypted at rest using a managed KMS, rotated where supported, and deleted on revocation/account closure.

  • Chat content: prompts, outputs, and attachments processed to fulfill your requests. When these contain Customer Data, we act as processor.

Please avoid uploading special category data (GDPR Art. 9), children’s data, financial account numbers, national IDs, or precise geolocation. Do not provide such data unless you have a lawful basis and we’ve agreed safeguards in writing.

Authentication (Firebase)

We use Firebase Authentication (Google) to sign you in (e.g., with Google or Facebook). When you choose a provider, we receive basic info permitted by you (e.g., name, email, profile image). We use this to:

  • authenticate and manage your account,

  • secure access and enable login across devices, and

  • establish access to data sources you authorize (e.g., to request connector tokens on your behalf).

Data location: Our app hosting runs in GCP europe-west1 (EU). Firebase Authentication may process authentication data outside your country (including the United States). For such transfers, we implement Standard Contractual Clauses and other required safeguards. See also the providers’ privacy notices (Google/Firebase and, if used, Meta/Facebook).

Purposes & legal bases

Controller purposes

  • Provide, maintain, and secure the service (Art. 6(1)(b) contract).

  • Detect/prevent abuse and ensure availability (Art. 6(1)(f) legitimate interests).

  • Support, service communications, and incident notices (Art. 6(1)(b)/(f)).

  • Billing, accounting, and regulatory compliance (Art. 6(1)(c) legal obligation).

  • Optional product updates or marketing emails (Art. 6(1)(a) consent; withdraw anytime).

Processor purposes

  • Transform, analyze, and activate your Customer Data and generate responses only per your instructions and the DPA (Art. 28).

Cookies & similar technologies

We set only one strictly necessary session cookie (chatric.sid) to operate the service. We do not set analytics, marketing, or cross-site tracking cookies. See the Cookie Policy.

International transfers

We host and process personal data for our application infrastructure exclusively within the EEA (GCP europe-west1). Exception: Firebase Authentication may involve third-country processing (e.g., the United States). For this transfer, we implement the EU Standard Contractual Clauses and supplementary safeguards. If any additional third-country transfer becomes necessary, we will implement required safeguards and notify customers as required.

Retention

  • Account data: for the life of your account + 12 months (unless a longer period is legally required).

  • Chat history: up to 24 months by default (shorter periods available on request/org setting).

  • Security/audit logs: ~90 days (then aggregated/anonymized).

  • Backups: rolling ~35 days.

  • Connector tokens: for the life of the connection; deleted on revocation/account closure.

  • Customer Data (processor): retained according to your configuration and deleted or returned upon termination or written request, as set out in the DPA.

Security

  • Encryption in transit (TLS) and at rest.

  • Session cookie is HttpOnly, Secure, SameSite=Lax/Strict; session state is stored server-side.

  • Connector tokens stored server-side only, encrypted with KMS-managed keys; least-privilege access; audit logging; token revocation flows.

  • Secure SDLC, vulnerability management, incident response, and breach notification in line with GDPR.

Sharing & sub-processors

We share personal data with vendors that help us operate Chatric (e.g., cloud hosting, email delivery, support tooling, AI infrastructure). These act as our processors under written contracts. We maintain a public Sub-processor List and will notify customers of material changes in advance where feasible.

Your rights

You have the rights of access, rectification, erasure, restriction, portability, objection, and (where processing is based on consent) withdrawal of consent at any time. For Processor data, contact your organization first; we will support them in fulfilling the request. You can lodge a complaint with IMY or your local supervisory authority.

Children

Chatric is not intended for children. We do not knowingly process data of individuals under 16 (or the local age of digital consent).

Contact & DPO/representative

Changes

We may update this policy. We will post changes here and, where appropriate, notify admins in-app or by email.