Privacy Policy
Last Modified: 15 May 2026
This Privacy Policy explains how we collect, use, share, and protect your personal data when you use the Chaticon: Chatbot AI Assistant mobile application, the website chaticon.co, and related services (the "Service").
By using the Service, you consent to the data practices described in this Policy. If you do not agree, please do not use the Service.
1. Who We Are
For privacy inquiries or data subject requests, please contact us at info@chaticon.co.
2. Data We Collect
2.1. Registration Information
When you create an account, we collect:
- Apple Sign-In identifier (when you sign in with Apple, we receive a unique user identifier and, if you choose to share them, your email address and display name).
- Email address (when you sign in via web magic link or where email-based sign-in is offered).
- Device identifier (UUID generated by your device).
- Display name (if you set one).
- Preferred language.
2.2. Conversation and Prompt Data
- Messages and prompts you send through the Service.
- Selected AI model and conversation parameters.
- AI-generated text responses returned to you.
- Images generated through AI image-generation features.
- Search-augmented chat queries ("Deep Search").
2.3. Gem and Entitlement Data
- Current gem balance.
- Gem-grant history (starter grants, daily streak rewards, milestone bonuses, premium-subscription allowance refills, gem-pack purchases).
- Subscription entitlement state (free / premium, plan, renewal date).
2.4. Payment Information
- We do not store full credit or debit card numbers.
- Payment processing is performed by third-party Merchants of Record (Apple, Stripe), who may store payment details under their own privacy policies.
- We store transaction metadata: subscription status, plan type, purchase date, billing period, payment-provider customer identifier (Stripe customer ID / Apple original transaction ID / RevenueCat app user ID).
- For web purchases, we also store a funnel user identifier (funnelUserId) used to bind the web purchase to the in-app account on first sign-in.
2.5. Device and Technical Data
- IP address (used for geolocation, fraud prevention, and service rendering).
- Mobile Advertising ID (IDFA — only if you grant tracking permission via Apple's App Tracking Transparency prompt).
- Device model, operating system, app version.
- Browser type and version (for web).
- Screen resolution.
- Approximate geolocation (country / city — based on IP).
2.6. Usage Data
- App and web events (screen views, button taps, model selections, feature usage).
- Session duration.
- Daily gem-consumption events.
- Subscription, purchase, and gem-grant events.
- Crash logs and performance metrics.
2.7. Server Logs
Our hosting provider (Firebase / Google Cloud) automatically logs:
- Browser type and version.
- Operating system.
- Referrer URL.
- Host name.
- Time of server request.
- IP address.
Logs are kept for a limited period (typically up to 30 days) for security and error analysis (GDPR Art. 6(1)(f)).
2.8. Cookies and Tracking
We use cookies and similar technologies on the website. See Section 6 for details.
2.9. Personal Data of Children
The Service requires users to be at least 13 years of age (or the minimum digital-consent age in their jurisdiction). We do not knowingly collect personal data from children below the applicable minimum age. If we learn that a user is below the applicable minimum age, we will delete the account. Parents or guardians may contact info@chaticon.co.
3. How We Use Your Data
We process personal data for the following purposes:
| Purpose | Legal basis (GDPR) |
| --- | --- |
| Providing and operating the Service (chat, image generation, model routing) | Contract (Art. 6(1)(b)) |
| Processing payments and subscriptions | Contract |
| Managing your gem balance and entitlements | Contract |
| Binding web purchases to in-app accounts (funnelUserId mapping) | Contract |
| Improving the Service (aggregated, anonymized) | Legitimate interest (Art. 6(1)(f)) |
| Sending product updates and important notices | Contract / Consent |
| Marketing communications and promotional offers | Consent (Art. 6(1)(a)) |
| Advertising and audience targeting | Consent |
| Fraud prevention, abuse detection, content moderation | Legitimate interest |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. How We Share Your Data (Third Parties)
We work with the following categories of third-party service providers. Each provider has access only to data necessary to perform its function and is contractually obligated to protect your data.
4.1. AI Model and Search Providers
Your prompts and conversation context are transmitted to the selected provider in order to generate a response. Providers may use submitted content as described in their own privacy and usage policies.
- OpenRouter, Inc. (USA) — request routing across multiple AI providers.
- OpenAI, L.L.C. (USA) — GPT family text models.
- Anthropic, PBC (USA) — Claude family text models.
- Google LLC (USA) — Gemini family text models.
- xAI Corp. (USA) — Grok family text models.
- Perplexity AI, Inc. (USA) — search-augmented chat.
- fal.ai (USA) — AI image generation (Nano Banana model).
4.2. Payment Processors (Merchants of Record)
- Apple Distribution International Ltd. (Ireland) — App Store subscription and in-app purchase payments.
- Stripe, Inc. (or its affiliated entities) — Website / funnel payments.
- RevenueCat, Inc. (USA) — Subscription state management, entitlement reconciliation, and receipt validation across platforms.
4.3. Analytics and Attribution
- Google Firebase Analytics (Google LLC, USA) — App and website analytics, user behavior tracking.
- Firebase Crashlytics (Google LLC, USA) — Crash reporting.
- Meta Platforms Ireland Ltd. — Facebook SDK / Meta Pixel — App and web analytics, attribution, and audience building.
4.4. Advertising and Marketing
- Meta / Facebook (Meta Platforms Ireland Ltd.) — Meta Ads for advertising, retargeting, and audience building. Data shared: hashed email, device ID, app events (install, purchase, signup), and aggregated audience signals.
- Google Ads (Google LLC) — Search and display advertising, conversion tracking. Data shared: Google Click ID, hashed email, conversion events.
4.5. Push Notifications and Email
- Firebase Cloud Messaging (Google LLC) — Push notification delivery (mobile).
- Apple Push Notification service (Apple Inc.) — Push notification delivery (iOS).
- Resend, Inc. (USA) — Transactional email delivery (magic link sign-in, receipts, account notifications, marketing where applicable).
4.6. Infrastructure and Storage
- Google Firebase / Google Cloud Platform (Google LLC) — Firebase Authentication, Cloud Firestore (account, conversation, gem-balance, entitlement data), Cloud Functions (backend logic, webhook handlers), Firebase Hosting (assets).
- Vercel Inc. (USA) — chaticon.co web hosting (landing, quiz, funnel).
4.7. Customer Support
- Zendesk, Inc. (USA) — Customer support ticketing and help center.
4.8. Cookie Consent
Cookie consent management may be provided by a third-party consent platform on the website.
4.9. Legal and Compliance
We may disclose personal data to law enforcement, regulators, or other authorities when required by applicable law, subpoena, or court order.
4.10. Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity, subject to this Policy.
4.11. We Do NOT Sell Personal Data
We do not sell your personal data to third parties for monetary consideration. Sharing for advertising purposes (Section 4.4) does not constitute a sale under most jurisdictions but may be classified as "sharing" for cross-context behavioral advertising under certain laws (e.g., CCPA / CPRA). You may opt out of such sharing in your device settings or via our cookie consent banner.
4.12. Service Improvement
We may use aggregated, anonymized prompt and response data to improve the Service, monitor routing quality, detect abuse, and develop new features. Aggregated and anonymized data does not constitute personal data under applicable data protection law.
5. International Data Transfers
5.1. The Company is established in the United States (New York). Your personal data may be transferred to and processed in countries outside your country of residence, including the United States and EU member states.
5.2. For transfers from the EU/UK to the United States or other countries without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs), the EU-U.S. Data Privacy Framework where applicable, or equivalent safeguards.
6. Cookies and Tracking Technologies
6.1. We use cookies on our website to:
- Enable basic functionality (necessary cookies).
- Remember preferences (preference cookies).
- Analyze usage (statistical cookies — Firebase Analytics, Meta Pixel).
- Display relevant ads (marketing cookies — Meta Pixel, Google Ads).
6.2. You can manage cookies via the consent banner on first visit, or via your browser settings.
6.3. The mobile app uses the Mobile Advertising ID (Apple IDFA), which you can limit via Apple's App Tracking Transparency prompt or in your device settings.
7. Your Rights
Under GDPR (EU), CCPA / CPRA (California), and other applicable laws, you have the right to:
| Right | What it means |
| --- | --- |
| Access | Request a copy of personal data we hold about you. |
| Rectification | Correct inaccurate or incomplete data. |
| Erasure | Request deletion of your account and personal data. |
| Restriction | Restrict processing in certain circumstances. |
| Portability | Receive your data in a structured, machine-readable format. |
| Object | Object to processing for marketing or based on legitimate interest. |
| Withdraw consent | Withdraw consent for processing based on consent. |
| Complain | Lodge a complaint with your local data protection authority. |
To exercise any right, contact info@chaticon.co. We will respond within 30 days (GDPR) or as required by local law.
7.1. Account Deletion
You can delete your account directly in the app: Settings → Delete Account. Account deletion will:
- Mark your account as deleted and anonymize personal identifiers.
- Permanently remove account data within a reasonable period (typically within 90 days of the deletion request), except where retention is required by applicable law (for example, financial transaction records for tax purposes, fraud prevention, or legal claims).
- Note: Mobile subscriptions purchased via the App Store must be cancelled separately in your Apple ID account settings. Website subscriptions billed via Stripe will be cancelled together with account deletion.
7.2. Marketing Opt-Out
Unsubscribe from marketing emails via the link at the bottom of each email, or in your account settings.
7.3. Advertising / Tracking Opt-Out
Deny tracking via Apple's App Tracking Transparency prompt, reset or limit your Advertising ID in your device settings, or use the cookie consent banner on the website.
8. Data Retention
8.1. We retain personal data only as long as necessary for the purposes described in this Policy or as required by law.
8.2. General retention periods:
- Active account data: retained while your account is active.
- Deleted account data: anonymized following the deletion request, fully removed within a reasonable period (typically within 90 days), except data required for legal retention (for example, billing records for tax purposes — typically 5–10 years depending on jurisdiction).
- Conversation history: retained while your account is active, removed in line with account deletion (subject to provider-side caching at the underlying AI provider, governed by that provider's policy).
- Server logs: up to 30 days.
- Crash and error logs: 90 days.
- Analytics data: up to 14 months (Firebase Analytics default).
- Marketing consent records: retained for the duration of consent + 3 years for proof.
9. Security
9.1. We use industry-standard technical and organizational measures to protect your personal data:
- SSL / TLS encryption for data in transit.
- Encryption at rest for sensitive data (Firestore default encryption).
- Firebase Authentication with secure token management.
- Access controls and authentication.
- Regular security reviews.
- Incident response procedures.
9.2. Despite our measures, no internet transmission is 100% secure. You use the Service at your own risk.
9.3. If we become aware of a personal data breach affecting your rights, we will notify the relevant data protection authority and (where required) you, within 72 hours of becoming aware.
10. California Privacy Rights (CCPA / CPRA)
10.1. If you are a California resident, you have additional rights under CCPA / CPRA, including:
- Right to know what categories of personal information we collect.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" of personal information.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising privacy rights.
10.2. To exercise these rights, contact info@chaticon.co or use the "Do Not Sell or Share My Personal Information" link in our cookie consent banner.
11. Changes to This Policy
We may update this Policy at any time. Material changes will be communicated via in-app notification, email, or website banner. Your continued use of the Service after a change constitutes acceptance.
12. Contact
For privacy questions or data subject requests:
Email: info@chaticon.co
Support: support.chaticon.co