Privacy Policy (Chatric)

Last updated:

31 October 2025

Controller:

Swavvy AB (org. no. 5590083670)

Supervisory authority (SE):

IMY (Integritetsskyddsmyndigheten)

Scope

This policy covers personal data processed when you: (i) visit Chatric websites/apps (e.g., chatric.ai), (ii) create and use a Chatric account, and (iii) connect your own systems (e.g., GA4, Google Ads, Meta Ads, Shopify/WooCommerce, BigQuery, Hightouch).

Roles under GDPR

  • Controller (your account & operations data): For account details, security/authentication, product operations, support, and service communications, Swavvy AB is the controller.
  • Processor (your connected data): When you use Chatric to analyze or activate Customer Data (e.g., marketing/e-commerce datasets, "conversion history"), we act strictly on your documented instructions as your processor, governed by our Data Processing Addendum (DPA).
  • Independent controllers: Platforms you connect (Google, Meta, Shopify, etc.) are typically independent controllers for their services.

Data we process

As Controller

  • Account data: name, email, profile image URL, organization/workspace identifiers, role, locale.
  • Security & authentication: password hashes/SSO IDs, session identifiers (via the chatric.sid cookie), IP/device/browser metadata, login and audit logs.
  • Service operations: support requests, service messages, error reports, availability metrics.
  • Billing (if applicable): plan/subscription and invoicing metadata; payments handled by our payment provider as independent controller (we do not store card numbers).

As Processor (your instructions)

  • Customer Data you connect: marketing/e-commerce records and conversion history from GA4/Google Ads/Meta Ads/Search Console/Shopify/WooCommerce/BigQuery/Hightouch, etc., as configured by you.
  • Connector credentials: OAuth tokens/API keys you authorise. Stored server-side only, encrypted at rest using a managed KMS, rotated where supported, and deleted on revocation/account closure.
  • Chat content: prompts, outputs, and attachments processed to fulfill your requests. When these contain Customer Data, we act as processor.

Please avoid submitting special category data (GDPR Art. 9), children's data, financial account numbers, national IDs, or precise geolocation. Do not provide such data unless you have a lawful basis and we've agreed safeguards in writing.

Google User Data - Access, Use, Storage, Sharing, Transfers & Deletion

This section explains how we handle Google user data obtained via Google APIs (e.g., Google Analytics 4 Data API and Google Ads API) for OAuth verification purposes.

Scopes we request

  • Google Analytics Data API (GA4): https://www.googleapis.com/auth/analytics.readonly (read reports/metrics/dimensions).
  • Google Ads API: https://www.googleapis.com/auth/adwords (API's single scope; we use it for read operations only, enforced by code and the account's permission level).

We request only the minimum scopes needed for the features you use. The exact scopes are shown on the OAuth consent screen.

What we access

  • Identifiers & metadata you select (e.g., GA4 property IDs; Google Ads customer IDs).
  • Report data you query (metrics, dimensions, date ranges) to answer your questions and populate insights/dashboards.

How we use Google user data

  • To retrieve reports/metrics you explicitly request and show them back to you in Chatric.
  • To generate AI-assisted insights from those results (summaries, explanations, trends) visible to you.
  • To map and cache minimal context (e.g., your connected account/property IDs and field selections) to speed up future queries.

We do not use Google user data for advertising, profiling across customers, or unrelated purposes. Our use is limited to providing or improving user-facing features, in line with the Google API Services User Data Policy (Limited Use).

What we store

  • OAuth tokens/refresh tokens: stored server-side, encrypted at rest (KMS).
  • Light configuration/cache: connection metadata, query templates, and (optionally) short-lived cached results to improve performance.
  • No raw bulk export of Google user data occurs unless you explicitly trigger an export/sync.

Sharing & disclosure of Google user data

  • No selling of Google user data.
  • No human access to Google user data except (i) with your explicit consent, (ii) to investigate abuse/security issues, or (iii) to comply with law.
  • Sub-processors: We may share data with our infrastructure/service providers only to operate the Service (e.g., hosting, auth, inference, monitoring) under contracts that meet Google's Limited Use Policy and GDPR Art. 28. See our Sub-processor Page.

Data retention & deletion for Google user data

  • Report results: retained according to your workspace settings (default within the general "Chat history" and "Customer Data" retention windows below).
  • Tokens: retained for the life of the connection; deleted on revocation or account closure.
  • Deletion on request: Disconnect the Google connection in-app or email info@chatric.ai; we will remove tokens and dependent cached data within a reasonable period.

Your choices & revocation

You can revoke Chatric's access in your Google Account → Security → Third-party access at any time (remove Chatric). After revocation, we can no longer access your Google data and will delete tokens from our systems.

Compliance with Google requirements

We comply with the Google API Services User Data Policy (including Limited Use): we limit use to user-facing features; do not transfer data except to provide or improve those features; do not sell Google user data; and only allow human access under the exceptions above.

Authentication (Firebase)

We use Firebase Authentication (Google) to sign you in (e.g., with Google or Facebook). When you choose a provider, we receive basic info permitted by you (e.g., name, email, profile image). We use this to: (i) authenticate/manage your account, (ii) secure access and enable login across devices, and (iii) establish access to data sources you authorize (e.g., request connector tokens on your behalf). Firebase Auth may process auth data outside your country (including the United States); for such transfers, we implement Standard Contractual Clauses and other safeguards. See provider privacy notices.

Purposes & legal bases

Controller purposes

  • Provide, maintain, and secure the service (Art. 6(1)(b) contract).
  • Detect/prevent abuse and ensure availability (Art. 6(1)(f) legitimate interests).
  • Support, service communications, and incident notices (Art. 6(1)(b)/(f)).
  • Billing, accounting, and regulatory compliance (Art. 6(1)(c) legal obligation).
  • Optional product updates or marketing emails (Art. 6(1)(a) consent; withdraw anytime).

Processor purposes

  • Transform, analyze, and activate your Customer Data and generate responses only per your instructions and the DPA (Art. 28).

Cookies & similar technologies

We set only one strictly necessary session cookie (chatric.sid) to operate the service. We do not set analytics, marketing, or cross-site tracking cookies. See the Cookie Policy.

International transfers

We host and process personal data for our application infrastructure exclusively within the EEA (GCP europe-west1). Exception: Firebase Authentication and certain AI inference may involve third-country processing (e.g., United States). For these transfers, we implement EU Standard Contractual Clauses and supplementary safeguards. If any additional third-country transfer becomes necessary, we will implement required safeguards and notify customers as required.

Retention

  • Account data: life of account + 12 months (unless a longer period is legally required).
  • Chat history: up to 24 months by default (shorter periods available on request/org setting).
  • Security/audit logs: ~90 days (then aggregated/anonymised).
  • Backups: rolling ~35 days.
  • Connector tokens: life of the connection; deleted on revocation/account closure.
  • Customer Data (processor): retained according to your configuration and deleted or returned upon termination or written request, as set out in the DPA.

Security

Encryption in transit (TLS) and at rest. Session cookie is HttpOnly, Secure, SameSite=Lax/Strict; session state is stored server-side. Connector tokens are stored server-side only, encrypted with KMS-managed keys; least-privilege access; audit logging; token revocation flows. Secure SDLC, vulnerability management, incident response, and breach notification in line with GDPR.

Sharing & sub-processors

We share personal data with vendors that help us operate Chatric (e.g., cloud hosting, authentication, AI inference, error/performance monitoring). These act as our processors under written contracts. We maintain a public Sub-processor Page and will notify customers of material changes in advance where feasible.

Your rights

You have the rights of access, rectification, erasure, restriction, portability, objection, and (where processing is based on consent) withdrawal of consent at any time. For Processor data, contact your organization first; we will support them in fulfilling the request. You can lodge a complaint with IMY or your local supervisory authority.

Children

Chatric is not intended for children. We do not knowingly process data of individuals under 16 (or the local age of digital consent).

Contact & DPO/representative

Privacy contact: info@chatric.ai

Changes

We may update this policy. We will post changes here and, where appropriate, notify admins in-app or by email.