Privacy Policy

Effective Date: February 7, 2026 Last Updated: February 7, 2026 Version: 1.0

1. Introduction

hiroi ("we", "us", "our") operates the hiroi platform at https://hiroi.ai ("Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information.

We are committed to protecting your privacy and handling your data transparently. This policy applies to all users of the Service, including registered users (chatbot owners) and end-users (visitors who interact with chatbot widgets on third-party websites).

2. Data Controller and Processor Roles

hiroi acts as a data processor when handling conversation data on behalf of registered users.
Registered users (chatbot owners) act as data controllers for end-user conversation data collected through their chatbot widgets.
hiroi acts as a data controller for registered user account data.

For enterprise customers, our Data Processing Agreement governs the processor relationship.

3. Information We Collect

3.1 Account Information (Registered Users)

When you create an account, we collect:

Data	Source	Purpose
Email address	Google OAuth	Account identification, notifications
Display name	Google OAuth	Personalization
Profile picture URL	Google OAuth	Avatar display
Authentication credentials	Passkey/Magic link	Account access

3.2 Chatbot Configuration Data

When you use the Service, we store:

Bot configurations (name, personality, system prompt)
Widget site settings (domains, authentication mode)
Knowledge base documents (RAG uploads)
Appearance customizations

3.3 Conversation Data

When end-users interact with chatbot widgets, we collect:

Data	Purpose	Sensitivity
Chat messages	AI response generation	High - may contain PII
IP address	Rate limiting, abuse prevention	PII - anonymized after 90 days
User agent	Debugging, analytics	Low
Referrer URL	Context, analytics	Low
Visitor identifier	Session continuity	Pseudonymous

3.4 Usage and Analytics Data

We automatically collect:

Feature usage patterns (aggregate)
API request metadata (timestamps, response codes)
Error and performance data

3.5 Payment Information

Payment processing is handled by Stripe. We store only:

Stripe customer identifier (not your card details)
Transaction history (amounts, dates)

We do not store credit card numbers, CVVs, or bank account details.

3.6 Activity Logs

For security and audit purposes, we log:

Authentication events (login, logout, failed attempts)
Account changes (settings updates, bot modifications)
IP addresses and user agents for security events

4. How We Use Your Information

We use the information we collect to:

Purpose	Legal Basis
Provide and operate the Service	Contract performance
Process AI-powered conversations	Contract performance
Authenticate and secure accounts	Legitimate interest
Prevent abuse and enforce rate limits	Legitimate interest
Send essential account notifications	Contract performance
Generate aggregate analytics	Legitimate interest
Process payments	Contract performance
Comply with legal obligations	Legal obligation

We do not use your data for:

Selling to third parties
Advertising or marketing profiling
Training AI models (your conversation data is not used to train models)

We share data with the following categories of service providers:

Provider	Data Shared	Purpose
OpenAI	Conversation content, system prompts	AI response generation
Google	OAuth tokens	Authentication
ElevenLabs	Text content	Voice synthesis
Stripe	Customer ID, transaction data	Payment processing
Infrastructure provider	All data (encrypted)	Hosting

For a complete list of sub-processors, see our Subprocessors page.

We do not sell your personal information to third parties.

6. Data Retention

We retain your data for the following periods:

Data Type	Retention Period	After Retention
Account data	Until account deletion + 30 days	Permanently deleted
Conversation data	1 year	Permanently deleted
IP addresses	90 days	Anonymized (set to null)
Activity logs	2 years	Permanently deleted
Consent records	5 years	Permanently deleted (legal requirement)
Payment records	7 years	Anonymized (tax/legal requirement)
Data export files	7 days	Permanently deleted

You can request earlier deletion through your account settings or by contacting us.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

7.1 Right to Access

You can request a copy of all personal data we hold about you. Use the "Export My Data" feature in your account settings, or contact us.

7.2 Right to Rectification

You can update your account information through your profile settings.

7.3 Right to Erasure

You can delete your account through account settings. Account deletion includes a 30-day grace period during which you can cancel the deletion. After the grace period, all personal data is permanently removed.

7.4 Right to Data Portability

You can export your data in a machine-readable format (JSON) through your account settings.

7.5 Right to Restrict Processing

You can request that we restrict processing of your data in certain circumstances.

Where processing is based on consent, you can withdraw consent at any time through your account settings.

7.7 Right to Object

You can object to processing based on legitimate interest by contacting us.

7.8 Automated Decision-Making

AI-generated chatbot responses constitute automated processing. You can request human review of decisions that significantly affect you.

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

Encryption in transit: All data transmitted via TLS 1.2+
Encryption at rest: Database encryption
Access controls: Role-based access, principle of least privilege
Authentication security: Secure session management, CSRF protection, rate limiting
API key security: Keys are hashed, never stored in plaintext
Audit logging: All access and changes are logged

For more details, see our Security Policy.

9. Cookies

We use cookies and similar technologies as described in our Cookie Policy.

10. International Data Transfers

Your data may be processed in countries outside your country of residence. We ensure appropriate safeguards are in place for international transfers, including:

Standard contractual clauses where required
Data processing agreements with all sub-processors
Evaluation of recipient country data protection laws

11. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will promptly delete it.

12.1 Third-Party Website Visitors

When you interact with a chatbot widget on a third-party website:

The chatbot owner (registered user) is the data controller for your conversation data
hiroi processes your data as a data processor on behalf of the chatbot owner
The chatbot owner's privacy policy governs the collection of your data on their website
hiroi collects IP address and user agent for rate limiting and abuse prevention

12.2 Chatbot Owner Obligations

If you are a registered user deploying chatbot widgets, you are responsible for:

Including appropriate privacy disclosures on your website
Obtaining necessary consent from your website visitors
Complying with applicable data protection laws for your jurisdiction

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via:

Email notification to your registered email address
Prominent notice within the Service
Updated "Last Updated" date at the top of this page

Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. Data Protection Officer

For privacy-related inquiries, contact:

hiroi - Privacy Email: [email protected]

15. Supervisory Authority

If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection supervisory authority.

16. Contact

For questions about this Privacy Policy:

hiroi Email: [email protected]