Privacy Policy
Effective Date: February 11, 2026
Summary
QuackChat is an AI chatbot platform. You give us a website URL, we crawl the public pages, and we use that content to power a chatbot that answers questions for your visitors. We store chat logs for analytics. We do not sell your data. Crawled content and chat history are retained while your account is active and deleted when you remove a bot or close your account.
Scope
This policy covers three types of users:
- Website visitors: People browsing quackchat.app who may or may not sign up.
- Customers (workspace owners): Users who create an account, set up bots, and embed the widget on their websites.
- End-users: People who interact with QuackChat-powered chatbots embedded on customer websites.
Data We Collect
Account Data
- Email address and display name (from Google OAuth)
- Organization/tenant identifier
- Billing metadata (subscription tier, usage counts)
Crawled Content
- Public webpage text, headings, and structure from URLs you provide
- Page metadata (titles, URLs, crawl timestamps)
Chat Data
- End-user messages sent to your chatbot
- Bot responses generated from your content
- Session identifiers and conversation timestamps
- Optional lead capture data (name, email) if you enable this feature
Chat storage is enabled by default for analytics. You can delete individual conversations or all chat history at any time from your dashboard.
Telemetry & Logs
- IP addresses (for rate limiting and abuse prevention)
- User agent strings
- Request timestamps and response times
- Error logs for debugging
- Usage metrics (message counts, crawl statistics)
Cookies & Local Storage
- Authentication cookies: HTTP-only cookies for session management (access token, refresh token)
- Widget session: Local storage for maintaining chat session continuity in the embedded widget
We do not use tracking or advertising cookies.
How We Use Your Data
- Service delivery: Indexing your content, retrieving relevant passages, and generating chatbot responses
- Customer support: Responding to your inquiries and troubleshooting issues
- Abuse prevention: Rate limiting, blocking malicious requests, protecting against prompt injection
- Product improvement: Analyzing aggregate usage patterns to improve the service
Our Role: Controller vs Processor
- For customer accounts: Slothware Labs is the data controller. We determine how your account data is processed.
- For crawled content and chat data: We act as a data processor. You (the customer) are the controller for the content you provide and the end-user conversations on your bots.
As the controller of your end-users' data, you are responsible for providing appropriate privacy notices to visitors who interact with your chatbot.
Vendors and Data Sharing
We use the following categories of third-party services:
| Category | Provider | What's Shared |
|---|---|---|
| LLM Provider | OpenAI | Retrieved content snippets + user query (for response generation) |
| Web Crawling | Firecrawl | URLs you provide (for content extraction) |
| Authentication | Google OAuth | OAuth flow for login (email, name) |
| Payments | Stripe | Billing metadata (we never store card details) |
| Re-ranking (optional) | Cohere | Retrieved snippets (for relevance scoring) |
| Hosting | Railway / Neon | All service data (encrypted at rest) |
Security
- Encryption in transit: All connections use TLS 1.2+
- Encryption at rest: Database storage is encrypted
- Access controls: Role-based access with least-privilege principles
- Authentication: HTTP-only cookies, JWT tokens with short expiry, refresh token rotation
- Input validation: Prompt injection protection, SSRF prevention, rate limiting
- Tenant isolation: Each customer's data is isolated at the database and vector store level
Data Retention & Deletion
Default Retention
- Crawled content: Retained until you delete the bot or re-crawl (which replaces old content)
- Chat conversations: Retained while your account is active
- Access logs: 90 days
- Error logs: 30 days
Your Controls
- Delete a bot: Immediately removes all crawled content and conversation history for that bot
- Re-crawl: Replaces previous crawled content with fresh data
- Delete conversations: Remove individual or all chat history from your dashboard
- Delete account: All data (bots, content, conversations, account info) is permanently deleted within 48 hours
Backup retention: Database backups are retained for up to 7 days for disaster recovery purposes, after which deleted data is purged from backups.
International Data Transfers
Our primary infrastructure is hosted in the United States. Some vendors may process data in other regions. Where data is transferred internationally, we rely on:
- Standard Contractual Clauses (SCCs) with vendors
- Vendor certifications and compliance programs
Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data
- Portability: Request your data in a machine-readable format
- Object/Restrict: Object to or restrict certain processing
To exercise your rights as a QuackChat customer, contact us at the address below.
Children's Privacy
QuackChat is not intended for use by children under 13 years of age (or 16 in jurisdictions where that is the applicable age). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
Changes & Contact
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users or through a prominent notice on our website. The "Effective Date" at the top of this page indicates when the policy was last revised.
Slothware Labs
Inquiries: subscription@slothwarelabs.com