Privacy Policy
Last updated: [DATE] · Effective: [DATE]
This Privacy Policy explains how [COMPANY NAME] ("Talkimi", "we", "us") collects, uses, and protects personal data when you use our website talkimi.ai and the Talkimi service (the "Service").
We act as a data controller for personal data processed on this website, and as a data processor for conversation data processed through the Service on behalf of our customers.
1. Who we are
Controller: [COMPANY NAME], [LEGAL FORM], registered at [REGISTERED ADDRESS], Company ID: [COMPANY ID / IČO], VAT ID: [VAT ID / IČ DPH].
Contact for privacy matters: privacy@talkimi.ai
2. What data we collect
2.1 Data you provide
- Account data: name, email address, password, company name, billing address.
- Payment data: processed by our payment provider [e.g. Stripe] — we do not store your full card number.
- Content you upload: documents, FAQs, URLs, and other materials used to train the chatbot for your use case.
- Support correspondence: messages you send to our support team.
2.2 Data collected automatically
- Usage data: pages viewed, clicks, feature usage, session duration.
- Device data: IP address, browser type and version, operating system, screen resolution, language settings.
- Cookies and similar technologies: see section 7 below.
2.3 Conversation data (processor role)
When our customers deploy Talkimi on their website, end-user conversations pass through our Service. We process this data only on documented instructions from our customers (the respective data controllers) under a Data Processing Agreement.
3. Why we process your data (legal bases)
- Contract performance (Art. 6(1)(b) GDPR): creating your account, providing the Service, billing.
- Legitimate interests (Art. 6(1)(f) GDPR): service improvement, security, fraud prevention, basic analytics.
- Consent (Art. 6(1)(a) GDPR): marketing emails, non-essential cookies — you can withdraw consent anytime.
- Legal obligation (Art. 6(1)(c) GDPR): accounting, tax, responding to authorities.
4. Who we share data with
We share personal data only with trusted processors who help us operate the Service:
- Hosting and infrastructure: [e.g. AWS, Vercel, Cloudflare]
- AI model providers: [e.g. OpenAI, Anthropic] — conversations are sent to generate responses
- Payment processing: [e.g. Stripe]
- Email delivery: [e.g. Postmark, Resend]
- Analytics: [e.g. Plausible, PostHog]
We never sell your personal data. We may disclose data if required by law or to protect our rights.
5. International transfers
Some of our processors are located outside the EEA (e.g. in the United States). In such cases we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, additional safeguards such as encryption and data minimization.
6. How long we keep data
- Account data: until you delete your account, plus 30 days of backup retention.
- Conversation logs: [e.g. 90 days], unless the customer configures a different retention period.
- Billing records: 10 years, as required by tax law.
- Marketing consent records: until you withdraw consent, plus 3 years for evidence purposes.
7. Cookies
We use cookies and similar technologies for:
- Strictly necessary: session, authentication, security (no consent required).
- Analytics: anonymized traffic measurement (consent-based; we may use a privacy-first provider that does not set cookies).
- Preferences: language, theme, dismissed notices.
You can manage cookies in your browser settings. Blocking essential cookies may break the Service.
8. Your rights under GDPR
If you are in the EEA, UK, or Switzerland, you have the right to:
- Access — get a copy of the data we hold about you.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — request deletion of your data.
- Restriction — limit how we process your data.
- Portability — receive your data in a machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — at any time, without affecting prior lawful processing.
- Lodge a complaint — with your local data protection authority (e.g. [LOCAL DPA]).
To exercise these rights, email privacy@talkimi.ai. We respond within 30 days.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will delete it.
10. Security
We apply appropriate technical and organizational measures, including encryption in transit (TLS 1.2+) and at rest, access controls, audit logs, and regular security reviews. No method is 100% secure, but we continuously improve our safeguards.
11. Changes to this policy
We may update this Privacy Policy. Material changes will be announced by email and/or via the Service. The "Last updated" date above always reflects the current version.
12. Contact
Questions? Email privacy@talkimi.ai or write to [COMPANY NAME], [REGISTERED ADDRESS].