Privacy Policy
Last updated: 23 March 2026
1. Who We Are
This Privacy Policy describes how Traqqie B.V., trading as Chativ ("Chativ", "we", "us", or "our"), collects, uses, and shares personal data when you use our website at www.usechativ.com and the Chativ platform (together, the "Service").
Traqqie B.V. is a private limited company registered in the Netherlands. For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Traqqie B.V. is the data controller of the personal data of its platform customers and website visitors.
Contact details:
Traqqie B.V. (trading as Chativ)
Bankastraat 42, 1094 EG Amsterdam, the Netherlands
KvK (Chamber of Commerce): 96664606
Email: support@usechativ.com
If you are an end user of a Chativ-powered chat widget embedded on a third-party website, the business that operates that website is the data controller for your personal data in the context of that chat. Chativ acts as a data processor on that business's behalf. Please refer to that business's own privacy policy for information about how they use your data. See Section 10 for more detail on this distinction.
2. Scope of This Policy
This policy applies to:
- Platform users — businesses and individuals who create a Chativ account, access the dashboard, and configure chatbot widgets ("Customers").
- Website visitors — anyone who visits www.usechativ.com (our marketing site).
- Widget end users — visitors who interact with a Chativ-powered chat widget embedded on a Customer's website. In this context Chativ acts as a processor; additional information is in Section 10.
3. Personal Data We Collect
3.1 Platform Customers
When you create a Chativ account or use the platform, we collect:
- Email address (used as your login identifier)
- First and last name (optional, collected during profile setup)
- Account activity data (logins, widget configurations, scraping requests)
- Billing information — processed exclusively by our payment provider Paddle; we do not store payment card details
- One-time login codes sent via email (for passwordless authentication)
- Google OAuth profile data (email and name) if you choose to sign in with Google
3.2 Website Visitors
When you visit www.usechativ.com we automatically collect:
- IP address and approximate location (country/region level)
- Browser type and version, operating system
- Pages viewed, time on page, referral source, and click events — via PostHog analytics (see Section 7)
- Any information you submit via contact or lead capture forms
3.3 Widget End Users (processor role)
When an end user interacts with a Chativ widget on a Customer's website, we store on behalf of that Customer:
- Chat message content (questions and AI-generated replies)
- A pseudonymous session identifier (UUID)
- Session timestamp
- Name and email address — only if the end user voluntarily provides them during a lead-capture or escalation flow
- Escalation status (whether a human follow-up was requested)
We do not knowingly collect any special categories of personal data (e.g. health, racial or ethnic origin, political opinions) through the widget. Customers must not configure their widgets in a way that solicits such data without a compliant legal basis.
4. How We Use Personal Data and Our Legal Basis
We process personal data only where we have a valid legal basis under GDPR Article 6.
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing and operating the platform (account management, widget delivery, crawling, AI responses) | Art. 6(1)(b) — performance of a contract |
| Sending transactional emails (login codes, escalation notifications, billing receipts) | Art. 6(1)(b) — performance of a contract |
| Platform security, fraud prevention, and abuse detection | Art. 6(1)(f) — legitimate interests (protecting the platform and its users) |
| Analytics to understand and improve our website and service (PostHog) | Art. 6(1)(f) — legitimate interests (product improvement), subject to Section 7 |
| Compliance with legal obligations (e.g. tax record-keeping via Paddle) | Art. 6(1)(c) — legal obligation |
| Responding to your enquiries and support requests | Art. 6(1)(b) or Art. 6(1)(f) depending on context |
Where we rely on legitimate interests, you have the right to object to that processing at any time (see Section 9). We have conducted balancing tests and concluded that our interests do not override your fundamental rights and freedoms; contact us if you would like a copy of our legitimate interests assessment.
5. AI Processing and Disclaimer
5.1 How AI is used
Chativ's chat widget is an artificial intelligence system. When a visitor sends a message through a Chativ-powered widget, their message — along with relevant excerpts from the Customer's knowledge base and the conversation history — is transmitted to a third-party AI model provider (currently OpenRouter, which routes requests to large language models including DeepSeek and potentially others). The AI model generates a reply, which is streamed back to the visitor.
In accordance with Article 50 of Regulation (EU) 2024/1689 (EU AI Act), our widget is designed to make clear to end users that they are interacting with an AI system and not a human. Customers must not disable or circumvent this disclosure.
5.2 No training on your data
Conversation data processed through Chativ is never used to train AI models, either by Chativ or (to the extent contractually required by our sub-processor agreements) by OpenRouter or its downstream model providers. Conversation data is used solely for generating real-time responses.
5.3 AI accuracy disclaimer
AI-generated responses are produced automatically and may contain inaccuracies, errors, or outdated information. Chativ makes no warranties, express or implied, as to the accuracy, completeness, or fitness for any particular purpose of AI-generated content. Responses do not constitute professional advice (legal, medical, financial, or otherwise). Users rely on AI-generated content at their own risk.
Chativ shall not be liable for any loss or damage arising from reliance on AI-generated responses, including but not limited to direct, indirect, incidental, or consequential losses, to the maximum extent permitted by applicable law.
5.4 Model flexibility
Chativ uses OpenRouter as its AI gateway. The specific underlying language model (e.g. DeepSeek, or any successor model) may be changed at any time to improve quality, cost, or compliance. The sub-processors table in Section 6 will be updated when a new model provider is added that involves a new legal entity processing personal data. OpenRouter's own privacy policy governs how it handles requests sent through its API.
6. Third Parties and Sub-processors
We share personal data only with service providers acting as data processors on our behalf, and only to the extent necessary to provide the Service. We do not sell personal data.
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Railway | Cloud hosting (application and database) | United States | EU Standard Contractual Clauses (SCCs) |
| OpenRouter | AI model API gateway (routes chat messages to language models) | United States | EU Standard Contractual Clauses (SCCs) |
| DeepSeek | Large language model provider (accessed via OpenRouter) | China | OpenRouter SCCs; no-training contractual commitment |
| Paddle | Payment processing and subscription billing (Merchant of Record) | United Kingdom / United States | UK adequacy / SCCs; Paddle Privacy Policy |
| Resend | Transactional email delivery | United States | EU Standard Contractual Clauses (SCCs) |
| PostHog | Product analytics (website and platform usage) | United States / EU | EU Standard Contractual Clauses (SCCs) or EU region |
| OAuth authentication ("Sign in with Google") | United States | EU Standard Contractual Clauses (SCCs) | |
| Google Fonts / Google CDN | Web font delivery (Inter typeface) | United States / Global CDN | EU Standard Contractual Clauses (SCCs) |
We enter into Data Processing Agreements (DPAs) with all sub-processors and require them to process data only on our documented instructions and in accordance with GDPR. We will update this table when material changes to our sub-processor list occur.
7. Analytics and Cookies
7.1 PostHog analytics
We use PostHog to collect anonymised usage analytics on our marketing website and platform. PostHog records events such as page views, button clicks, and feature interactions to help us understand how people use Chativ and where we can improve.
PostHog is configured to proxy analytics events through our own subdomain to reduce data sent directly to third-party servers. We rely on legitimate interests (Art. 6(1)(f)) as our legal basis for this analytics processing, on the basis that it is necessary for product improvement and does not override your privacy rights given the pseudonymous nature of the data.
If you wish to opt out of PostHog analytics, you can do so by enabling the "Do Not Track" setting in your browser or by using a browser extension that blocks analytics scripts. You may also contact us at support@usechativ.com to request opt-out.
7.2 Essential cookies
We set strictly necessary session and CSRF cookies to authenticate logged-in users and protect against cross-site request forgery attacks. These cookies are essential for the platform to function and do not require your consent under the ePrivacy Directive.
7.3 Third-party assets
Our website loads fonts from Google Fonts and scripts from unpkg.com (CDN). When your browser fetches these resources, your IP address is shared with those providers. We are working to self-host these assets to eliminate this transfer.
8. International Data Transfers
Traqqie B.V. is established in the Netherlands (EEA). Some of our service providers are located outside the EEA, including in the United States and China. Where we transfer personal data outside the EEA to countries that have not received an adequacy decision from the European Commission, we rely on EU Standard Contractual Clauses (SCCs) as the transfer mechanism under GDPR Articles 46(2)(c) and 46(2)(d), as supplemented where necessary by additional technical and organisational measures.
Transfer to China (DeepSeek via OpenRouter): China does not have an EU adequacy decision. Chat message content routed to DeepSeek is subject to OpenRouter's SCCs and data processing terms. We have assessed the legal landscape and concluded that, combined with the no-training contractual commitment, the residual risk to data subjects is low given the ephemeral nature of the data (messages are sent for real-time AI processing and are not retained by DeepSeek). Nonetheless, you should disclose this to your own end users in your privacy policy if you are a Chativ Customer.
Copies of the relevant SCCs are available on request at support@usechativ.com.
9. Data Retention
We retain personal data for no longer than is necessary for the purposes described in this policy.
| Data category | Retention period |
|---|---|
| Platform customer account data (email, name) | For the duration of the account, plus 3 years after account closure (legal / billing dispute purposes) |
| Chat message content and session data (widget end users) | 12 months from the date of the conversation, or until the Customer deletes their account or the individual widget — whichever occurs first |
| End user contact details (name, email captured via lead/escalation) | 12 months from capture, or until the Customer deletes the record or closes their account |
| Billing records (held by Paddle as Merchant of Record) | 7 years (Dutch tax law obligation) |
| Analytics data (PostHog, pseudonymised) | 24 months on a rolling basis |
| Server and access logs | 90 days |
When a Customer deletes their Chativ account, we delete or anonymise all associated personal data within 30 days, except where we are required to retain it by law.
10. Chativ as Data Processor for Customers
When Chativ Customers deploy the chat widget on their own websites, the Customer is the data controller in respect of their website visitors' personal data, and Chativ is the data processor. We process that data only on the Customer's documented instructions (as set out in our Terms of Service and standard widget configuration), and we do not process it for any purpose of our own.
GDPR Article 28 requires a written Data Processing Agreement between a controller and its processors. Chativ's standard DPA is available at www.usechativ.com/dpa/. By accepting Chativ's Terms of Service, Customers agree to the terms of the DPA. Customers who require a negotiated DPA should contact us at support@usechativ.com.
Customers are responsible for ensuring they have an appropriate legal basis to collect personal data from their website visitors and to use Chativ to process it. Customers must update their own privacy policies to disclose the use of Chativ and, where required, obtain consent from their end users.
11. Your Data Subject Rights
Under the GDPR (and the Dutch UAVG), you have the following rights in respect of your personal data where Chativ is the data controller:
- Right of access (Art. 15) — you may request a copy of the personal data we hold about you and information about how we process it.
- Right to rectification (Art. 16) — you may ask us to correct inaccurate or incomplete personal data.
- Right to erasure / "right to be forgotten" (Art. 17) — you may ask us to delete your personal data in certain circumstances, such as where it is no longer necessary for the purposes for which it was collected.
- Right to restriction of processing (Art. 18) — you may ask us to pause processing your data in certain circumstances, for example while a dispute is pending.
- Right to data portability (Art. 20) — where processing is based on your consent or a contract and is carried out by automated means, you may request a copy of your data in a structured, machine-readable format.
- Right to object (Art. 21) — you may object to processing based on legitimate interests at any time. We will stop unless we can demonstrate compelling legitimate grounds.
- Rights related to automated decision-making (Art. 22) — we do not make any decisions that produce significant legal effects solely through automated means.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at support@usechativ.com with the subject line "GDPR Data Subject Request". We will respond within one calendar month of receipt (extendable by a further two months in complex cases). We may need to verify your identity before processing the request.
Widget end users: If you interacted with a Chativ widget on a third-party website and wish to exercise your rights, please contact the website operator directly — they are the data controller for that data. We will cooperate with and assist the Customer to respond to your request.
12. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, including:
- Encryption of data in transit (TLS 1.2 or higher) and at rest
- HTTPS-only access with HTTP Strict Transport Security (HSTS)
- Passwordless authentication (magic-link login codes) eliminating password-related breaches
- CSRF protection on all state-changing requests
- Role-based access controls within the platform
- Regular dependency updates and security patching
- Prompt-injection defences to prevent AI manipulation attacks
No method of transmission over the internet is 100% secure. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours and affected data subjects where required by GDPR Article 34.
13. Children
The Chativ platform is intended exclusively for use by businesses and individuals aged 18 or over. We do not knowingly collect personal data from children under the age of 16. If you believe a child has provided us with personal data, please contact us at support@usechativ.com and we will delete it promptly.
Customers who deploy a Chativ widget on a website that may be accessed by minors are responsible for complying with applicable children's data protection laws, including GDPR Article 8 and any national implementation thereof.
14. Right to Lodge a Complaint
You have the right to lodge a complaint with your national data protection supervisory authority at any time. As Traqqie B.V. is established in the Netherlands, our lead supervisory authority is:
Autoriteit Persoonsgegevens (AP)
PO Box 93374, 2509 AJ The Hague, Netherlands
Website: www.autoriteitpersoonsgegevens.nl
Tel: +31 88 1805 250
We would appreciate the opportunity to resolve any concerns before you contact the authority, so please reach out to us first.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where we have your email address, notify you by email at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
Minor, non-material updates (e.g. correcting typos, clarifying existing practices) take effect immediately upon publication.
16. Contact
For any questions, requests, or concerns regarding this Privacy Policy or your personal data, please contact:
Traqqie B.V. (Chativ)
Email: support@usechativ.com
Subject line: "Privacy Enquiry" or "GDPR Data Subject Request"
We aim to acknowledge all privacy enquiries within 3 business days and to resolve them within the statutory one-month deadline.