Website AI Assistant

Privacy Policy

Last updated: July 15, 2026

1. Who We Are

Website AI Assistant("we", "our", "us") provides an AI-powered website assistant service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

If you have questions, contact us at support@websiteaiassistant.com.

2. Information We Collect

We collect the following categories of information:

Account Information

  • Email address
  • Password (stored as a salted hash — we never store plaintext passwords)
  • Account creation date and account preferences

Website Content

  • The URL(s) of the website(s) you connect to the Service
  • Content crawled from those websites (page titles, text content, page URLs)
  • Vector embeddings derived from the crawled content (used solely for search)
  • Crawl metadata such as page count, crawl timestamps, and crawl errors

Chat Data

  • Chat messages sent through the embeddable widget (questions and AI-generated responses)
  • A visitor identifier stored in the visitor's browser localStorage for conversation continuity
  • Conversation timestamps and metadata

Usage & Technical Data

  • Usage counters needed to enforce plan limits and monitor AI and crawl costs
  • Operational events such as request timestamps, crawl activity, response latency, and failures
  • IP address and user-agent information in security logs, where available, for rate limiting, abuse prevention, and incident investigation

Lead / Contact Form Data

  • Name, email address, phone number, and message submitted through an enabled widget contact form
  • The page URL where the form was submitted
  • Submission timestamp and abuse-prevention metadata (no raw IP address is stored)

Billing Data

  • Billing information is collected and processed by Paddle, our payment processor. We do not store credit card numbers or full billing addresses on our servers.
  • We receive from Paddle: your name, billing email, transaction IDs, and plan details necessary for account provisioning.

3. How We Use Your Information

We use the collected information for the following purposes:

  • Providing the Service: Indexing your website content, generating AI responses through a large language model (MiMo or another provider you configure), and displaying the chat widget on your site.
  • Account Management: Creating and maintaining your account, authentication, and communicating with you about your subscription.
  • Billing: Processing payments, invoicing, and managing subscriptions through Paddle.
  • Improving the Service: Analyzing usage patterns to improve performance, fix bugs, and develop new features. We do not use customer content to train or fine-tune AI models.
  • Abuse Prevention: Monitoring for unauthorized access, rate limit enforcement, and preventing fraudulent activity.
  • Lead Follow-up: To let the website owner follow up with visitors who asked to be contacted through an enabled widget contact form.
  • Legal Compliance: Complying with applicable legal obligations and responding to lawful requests.

4. Legal Basis for Processing (GDPR)

If you are a resident of the European Economic Area (EEA), we process your personal data under the following legal bases:

  • Contract Performance: Processing is necessary to provide the Service under our Terms of Service.
  • Legitimate Interests: Processing for security, abuse prevention, and service improvement, where our interests do not override your rights.
  • Consent: Where we rely on consent, you may withdraw it at any time.
  • Legal Obligation: Where processing is required by law.

5. Third-Party Processors

We use the following third-party service providers to operate the Service:

  • Self-hosted PostgreSQL — Database hosting (Postgres + pgvector) on our own infrastructure. The website content, chunks, embeddings, conversations, and usage data are stored here.
  • MiMo— AI model provider for generating chat responses (via the configured model). Website content chunks are sent to MiMo through its API as context for chat prompts. Review MiMo's current API terms before launch to confirm training and retention commitments.
  • OpenAI— Embedding model provider (text-embedding-3-small). Website content is sent to OpenAI for embedding generation and is handled under OpenAI's current API data-use and retention terms.
  • Paddle— Payment processing, invoicing, and tax compliance. Paddle acts as the merchant of record. See Paddle's Privacy Policy.
  • Cloud Hosting Provider — Application hosting and infrastructure (e.g., DigitalOcean, AWS, or similar). Data is stored within our own virtual servers and is not shared with the hosting provider beyond standard infrastructure operations.

6. Cookies & Tracking

We use session cookies for authentication (you must be logged in to access the dashboard). These are essential for the Service to function.

The chat widget uses localStorageon your visitors' browsers to store a visitor identifier, conversation ID, and, where enabled, a signed visitor-session token for continuity and abuse prevention. These identifiers are sent to our widget APIs when the visitor uses the assistant.

We do not currently use third-party tracking, advertising, or analytics cookies. If that changes, we will update this policy and provide any consent controls required by applicable law.

7. Data Retention

We retain your data for the following periods:

  • Account data: Retained while your account is active. Account deletion removes the account and related service data from the primary database immediately after any active paid subscription has been cancelled. Residual copies may remain in restricted operational backups until those backups rotate out.
  • Website content (pages, chunks, embeddings): Retained while the site exists. Removing a site deletes this content from the primary database through cascading database relationships.
  • Chat conversations & messages: Retained for up to 90 days by default, then removed by scheduled cleanup. Deleting the related site or account removes them sooner.
  • Lead/contact submissions: Retained for up to 12 months by default, unless deleted earlier by the customer or with the related site or account.
  • Usage and AI-operation logs: Retained for up to 12 months by default for quota enforcement, cost monitoring, reliability, and abuse prevention.
  • Security and administrator audit logs: Retained for up to 12 months by default. An administrator actor snapshot may remain after account deletion so security-sensitive actions can still be investigated.
  • Billing records: Subscription and transaction records may be retained by us and Paddle for the period required by applicable tax, accounting, chargeback, and financial regulations.

8. Data Security

We implement appropriate technical and organizational security measures, including:

  • Encryption in transit (TLS) for all API and web traffic where HTTPS is configured
  • Tenant isolation enforced in application queries and through scoped database access (each customer's data is queried by site_id/user_id)
  • Server-side authentication with session tokens and salted password hashing (scrypt)
  • Regular security updates and dependency monitoring
  • Access controls limiting staff access to production data

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we follow industry best practices.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Download a copy of account data from your dashboard account page.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Deletion: Delete your account and related service data from your dashboard account page after any active paid subscription is fully cancelled. Legally or operationally required billing, security-audit, and backup records follow the retention periods above.
  • Restriction: Request restriction of processing in certain circumstances.
  • Portability: Request transfer of your data to another service provider.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Where processing is based on consent, you may withdraw it.

You can export or delete account data from your dashboard account page. For other rights requests, contact us at support@websiteaiassistant.com. We will respond within the period required by applicable law.

10. Data Transfers

Your data may be processed on infrastructure operated by us, our hosting provider, and the service providers listed above. When applicable law requires a transfer mechanism for processing data outside your jurisdiction, we will use an appropriate mechanism and document the relevant provider terms before enabling that integration in production.

11. Children's Privacy

The Service is not intended for use by children under 13 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or through the dashboard. We encourage you to review this policy periodically.

13. Contact

For privacy-related inquiries, data requests, or concerns, contact us at:

Website AI Assistant
Email: support@websiteaiassistant.com