This Privacy Policy explains how CoilChat ("CoilChat", "we", "us") collects, uses, and protects personal information. It applies to our website at coilchat.com, our application at app.coilchat.com, and the embeddable chat widget (together, the "Service").
CoilChat plays two roles. For account and website data, we act as a data controller. For the conversations and visitor data processed on behalf of a customer who uses CoilChat on their own site, we act as a data processor — the customer is the controller of that data and their own privacy policy governs it. If you are an end visitor chatting on a customer's website, please also refer to that customer's privacy policy.
Information we collect
Account information
When you create a workspace we collect your name, email address, workspace name, a securely hashed password, and (if you enable it) two-factor authentication settings. We also store teammates you invite and their roles.
Workspace content
To provide the Service we store the knowledge sources you connect (documents, crawled pages, database records you sync), the chat conversations handled by your workspace, and any configuration you set.
Visitor data (collected via the widget on a customer's site)
When a visitor uses the chat widget, we process the messages they send and, to help the support team, technical and contextual metadata such as IP address, approximate location derived from it (country/region/city), browser, operating system, device type, language, the page URL and referrer, and — if the customer enables a pre-chat form or the visitor provides it — a name and email. Visitors may also attach images or voice messages, which are stored to deliver the conversation.
Usage & technical data
We collect standard logs and metrics needed to run and secure the Service (e.g. request metadata, error logs, and aggregate usage counts).
How we use information
- To provide, maintain, and improve the Service — including answering questions, routing chats to human agents, and powering the learning loop.
- To authenticate users, secure accounts, and prevent abuse.
- To communicate with customers about their account, support requests, and important changes.
- To comply with legal obligations and enforce our terms.
We do not sell personal information, and we do not use customer or visitor conversation content to train shared or third-party foundation models.
AI processing & sub-processors
The Service uses third-party AI providers to generate answers and to create the embeddings used for retrieval. When the assistant produces a reply, the relevant conversation context and retrieved knowledge are sent to the configured AI model provider to generate that response. We work only with providers that contractually agree not to use the data to train their models. We also rely on infrastructure sub-processors (cloud hosting and TLS) to operate the Service.
A current list of sub-processors is available on request via privacy@coilchat.com.
How we share information
We share personal information only: (a) with sub-processors who help us operate the Service, under appropriate confidentiality and data-protection terms; (b) with the customer whose workspace the data belongs to (for visitor data); (c) when required by law or to protect rights and safety; and (d) in connection with a merger or acquisition, with notice where required.
Data retention
We retain account and workspace data for as long as a workspace is active. Customers can delete knowledge sources (removing their content), reset their knowledge base, and request deletion of their workspace. When a workspace is deleted, we delete or anonymize its data within a reasonable period, except where retention is required by law or for legitimate business needs such as backups, which are purged on a rolling schedule.
Security
We take security seriously. Measures include strict per-workspace data isolation, encryption of connector credentials at rest (AES-256-GCM), TLS encryption in transit, hashed passwords, optional two-factor authentication, role-based access controls, CSRF protection, content-validated and sandboxed file handling, and safeguards against server-side request forgery on outbound connectors. No system is perfectly secure, but we work continuously to protect your data.
Your rights & choices
Depending on your location, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. Account holders can manage much of their data directly in the dashboard. To exercise other rights, contact us at privacy@coilchat.com. If you are an end visitor on a customer's site, please direct requests to that customer (the controller); we will assist them as their processor.
Cookies & local storage
The dashboard uses a strictly necessary, signed session cookie to keep you logged in — it is not used for advertising. The chat widget uses your browser's local storage to remember an in-progress conversation and basic preferences. We do not use third-party advertising or cross-site tracking cookies.
International transfers
We and our sub-processors may process data in countries other than your own. Where required, we put appropriate safeguards in place for such transfers.
Children
The Service is not directed to children under 16, and we do not knowingly collect their personal information.
Changes to this policy
We may update this policy from time to time. We will revise the "Last updated" date above and, for material changes, provide additional notice where appropriate.
Contact us
Questions or requests about privacy? Email privacy@coilchat.com or write to us via our contact page.