Legal

Privacy Policy

We try to keep these short, plain, and free of dark patterns. If anything's unclear, email [email protected] — a human reads them.

Last updated: May 11, 2026

Who's the controller

Kaya Core, Inc. (the legal owner of Praatbox) is the data controller for personal data processed through praatbox.com and the Praatbox dashboard. We are reachable at [email protected].

When you embed the Praatbox widget on your own site, you are the controller for visitor data and we act as your processor under our Data Processing Agreement (DPA).

What we collect

For customers (people with a Praatbox account): name, work email, company name, hashed password, and audit metadata (sign-in IPs, user-agent, audit log entries). For end visitors of a customer's site (people chatting with the widget): conversation transcripts, message timestamps, browser/locale/referrer/page URL, optional name and email if the visitor provides them, and CSAT ratings submitted at session end.

  • Account data — name, email, company, hashed password
  • Conversation data — messages, timestamps, AI confidence signals, CSAT ratings
  • Visitor data — anonymous unless the visitor identifies themselves in the widget
  • Billing data — handled by Stripe; we never see card numbers
  • Audit log — team-level actions (invites, removals, settings changes) per Art. 32 GDPR

Where the data lives

Praatbox runs on Cloudflare Workers with Cloudflare D1 (SQLite-on-edge) for application data and Cloudflare KV for rate limiting. All Praatbox-managed data is stored within the EU. We do not transfer personal data outside the EEA without explicit DPA-grade safeguards. The widget asset and dashboard are served from Cloudflare's global CDN edge for performance, but the persistent data layer (D1) remains EU-region.

Sub-processors

We use a small number of sub-processors to operate Praatbox. We list them here and notify customers in writing before adding or replacing one (DPA §6).

  • Cloudflare, Inc. — application hosting (Workers, Pages), database (D1), object storage (R2 where applicable), CDN, DDoS protection. EU region.
  • Stripe Payments Europe, Ltd. — subscription billing, invoicing, card processing. We never see card numbers.
  • Resend, Inc. — transactional email (sign-up confirmations, billing receipts, password resets, team invites).
  • Manus AI (Forge) — large-language-model inference for AI replies. Conversation content is sent in-flight to generate a single response and is not retained by the provider beyond what their terms specify.
  • Google Firebase Authentication — identity provider for dashboard sign-in (email/password and SSO).

How long we keep it

Account data: for the lifetime of the active subscription, plus 30 days after cancellation to allow re-activation. After that, we delete or anonymise the account record within 90 days.

Conversation data: 12 months by default, then deleted. You can shorten the retention window per license from the dashboard, or request immediate deletion at [email protected].

Audit log: 24 months for security forensics; longer only if a specific incident makes longer retention necessary.

Billing records: retained for the period required by applicable tax law in Kaya Core, Inc.'s jurisdiction (typically 7 years).

Who can see it

You and the team members you invite. Praatbox engineering only with a paged-in incident and a logged audit reason — every access is recorded. We don't sell, rent, or 'enrich' your data, and we don't use customer conversations as training data for any model (see §AI training).

Your rights

Under GDPR (and equivalent EU/UK/Swiss law) you have the right to access, rectify, erase, restrict processing, port, and object to processing of your personal data. You may also withdraw consent at any time and lodge a complaint with your local supervisory authority (in the EU, this is typically the data protection authority of the member state where you live or work; UK residents can contact the ICO).

Email [email protected] to exercise any of these rights. We respond within 30 days. There is no fee for ordinary requests.

Cookies

The marketing site (praatbox.com) sets no third-party cookies and uses cookieless analytics for traffic counts. The dashboard (app.praatbox.com) sets a strictly-necessary Firebase Auth session cookie. The embedded widget uses browser localStorage to persist a session id so visitors can resume a conversation; no third-party cookies are set on the host site.

Full details on the Cookie Policy page.

Security

Data in transit: TLS 1.2+ everywhere. Data at rest: encrypted by Cloudflare. Access control: principle of least privilege, role-based, audited. We follow OWASP-aligned application security practices and run regular dependency scans.

If you believe you've found a vulnerability, email [email protected] (or use our /security disclosure page) — we acknowledge within one business day.

AI training

We do not train any AI model on your private conversation data. Our LLM provider (Manus AI / Forge) processes the conversation in flight to generate one response; per their terms they do not retain or train on the request. The auto-classifier we run in-house is trained only on synthetic data and on aggregate, non-identifying signal (e.g. 'escalation rate by topic' counts) — never on the message content itself.

Changes

If we make material changes to this policy we'll email account owners at least 30 days in advance and update the 'Last updated' date below. Continued use after the change date constitutes acceptance for that account; you may export and delete your data at any point before that.