DATA PROTECTION
Last Updated: March 29, 2025
At Chatlify, we are committed to protecting and respecting your data privacy rights. This Data Protection Policy outlines our comprehensive approach to data protection, explains your rights under applicable data protection laws, and details how we handle your personal information.
This policy complements our Privacy Policy and provides more detailed information specifically about data protection practices and your related rights, particularly under the General Data Protection Regulation (GDPR) and similar data protection frameworks worldwide.
1. Introduction
Chatlify, Inc. acts as a data controller for the personal information we collect through our services. We are committed to processing data in accordance with our responsibilities under applicable data protection laws, including but not limited to:
- The General Data Protection Regulation (GDPR) in the European Union and European Economic Area
- The UK GDPR and Data Protection Act 2018 in the United Kingdom
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) in California
- The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
- Various other national and regional data protection laws worldwide
This Data Protection Policy applies to all personal data processed by Chatlify and covers both users and employees. It outlines the specific measures we have implemented to ensure compliance with data protection principles and to safeguard the rights of individuals whose data we process.
2. Data Protection Principles
We adhere to the following data protection principles:
2.1 Lawfulness, Fairness, and Transparency
We process personal data lawfully, fairly, and in a transparent manner. We provide clear information about how we collect and use personal data through our Privacy Policy and other notices.
2.2 Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes. We clearly communicate the purposes for which we collect data at the time of collection.
2.3 Data Minimization
We limit the personal data we collect to what is adequate, relevant, and necessary for the purposes for which it is processed. We regularly review our data collection practices to ensure we're not collecting excessive information.
2.4 Accuracy
We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. We have mechanisms in place for rectifying or erasing inaccurate data promptly.
2.5 Storage Limitation
We retain personal data only for as long as necessary for the purposes for which it is processed. We have established retention schedules and procedures for securely deleting data when it is no longer needed.
2.6 Integrity and Confidentiality (Security)
We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
2.7 Accountability
We take responsibility for how we process personal data and can demonstrate compliance with data protection principles. We document our data processing activities, conduct impact assessments, and maintain appropriate policies and procedures.
3. Your Data Protection Rights
Depending on your location and the applicable data protection laws, you may have some or all of the following rights regarding your personal data:
3.1 Right to Be Informed
You have the right to be informed about how we collect and use your personal data. We provide this information through our Privacy Policy and this Data Protection Policy.
3.2 Right of Access
You have the right to request a copy of the personal data we hold about you, as well as information about how we process it. We will provide this information within the timeframe specified by applicable law (typically within 30 days under the GDPR).
3.3 Right to Rectification
You have the right to request that inaccurate personal data be corrected, or incomplete data be completed. You can update much of your account information directly through your account settings.
3.4 Right to Erasure ('Right to be Forgotten')
You have the right to request the deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or when you withdraw consent and there is no other legal basis for processing.
3.5 Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data in certain situations, such as when you contest the accuracy of the data or when you have objected to processing and we are considering whether we have legitimate grounds to override your objection.
3.6 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible. This right applies when processing is based on consent or contract and is carried out by automated means.
3.7 Right to Object
You have the right to object to processing of your personal data in certain circumstances, including when we process data for direct marketing purposes or when we process data based on our legitimate interests.
3.8 Rights Related to Automated Decision Making and Profiling
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you, except in certain limited circumstances.
3.9 Right to Withdraw Consent
Where we process your data based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on your consent before its withdrawal.
4. Data We Collect
We collect various types of personal data to provide and improve our services. A detailed list of the categories of personal data we collect can be found in our Privacy Policy. In general, the personal data we collect includes:
4.1 Account Information
This includes information you provide when creating and managing your Chatlify account, such as your name, email address, phone number, username, password, and profile information.
4.2 Communication Data
This includes messages, voice communications, and files you send and receive through our platform. While the content of your end-to-end encrypted communications cannot be accessed by Chatlify, we do process metadata related to these communications.
4.3 Usage Data
This includes information about how you interact with our services, such as the features you use, the time and duration of your activities, your device information, and log data.
4.4 Payment Information
If you subscribe to premium services, we collect and process payment-related information. Full payment details are processed by our payment service providers, and we store only limited information necessary for billing purposes.
4.5 Special Categories of Data
We generally do not collect or process special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, or health data) unless you explicitly provide this information (for example, in your profile) or where required by law. If we do process special categories of data, we will do so with appropriate safeguards and in accordance with applicable law.
5. How We Process Your Data
We process your personal data for various purposes related to providing and improving our services. The specific processing activities include:
5.1 Providing Core Services
- Creating and managing user accounts
- Facilitating communication between users
- Delivering features and functionality of the platform
- Processing payments and managing subscriptions
- Providing customer support and addressing inquiries
5.2 Improving and Developing Services
- Analyzing usage patterns to enhance user experience
- Identifying and fixing bugs or other issues
- Developing new features and functionality
- Conducting research and surveys to understand user needs
5.3 Security and Compliance
- Verifying identity and preventing fraud
- Detecting and preventing security incidents
- Enforcing our Terms of Service and other policies
- Complying with legal obligations and responding to legal requests
5.4 Communication and Marketing
- Sending service-related notifications and updates
- Communicating about new features or products
- Delivering marketing messages (with appropriate consent)
- Personalizing content and recommendations
6. Legal Basis for Processing
Under the GDPR and similar data protection frameworks, we process your personal data based on one or more of the following legal grounds:
6.1 Contractual Necessity
We process data as necessary to fulfill our contractual obligations to you. This includes providing our core services as outlined in our Terms of Service, such as enabling communication between users, managing your account, and delivering the features you expect from our platform.
6.2 Legitimate Interests
We process data when it is in our legitimate interests to do so, provided these interests are not overridden by your rights and freedoms. Our legitimate interests include:
- Improving and developing our services
- Protecting the security and integrity of our platform
- Understanding how our services are used
- Promoting our services and growing our business
- Enforcing our terms and policies
6.3 Consent
We process certain data based on your explicit consent. This includes processing for marketing purposes where required by law, collecting certain optional information, or enabling specific features that require additional data collection. You can withdraw your consent at any time.
6.4 Legal Obligation
We process data when necessary to comply with our legal obligations, such as responding to valid legal requests from law enforcement or regulatory authorities, maintaining records for tax purposes, or fulfilling our obligations under data protection law.
6.5 Vital Interests
In rare circumstances, we may process data to protect someone's vital interests, such as in emergency situations.
6.6 Public Interest
In limited cases, we may process data for tasks carried out in the public interest, as defined by applicable law.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with applicable legal requirements.
7.1 Retention Periods
The specific retention periods depend on the type of data and the purpose of processing:
- Account Information: We retain your account information for as long as your account is active, plus a reasonable period thereafter to facilitate account reactivation, comply with legal obligations, or resolve disputes.
- Communication Metadata: We retain metadata related to communications for a limited period to provide our services, improve our platform, and comply with legal obligations.
- Communication Content: Content of end-to-end encrypted communications is stored on your devices and those of your recipients. When you delete messages, they are removed from our servers (if they were temporarily stored there).
- Usage Data: We retain usage data for a limited period necessary for analytics, security, and service improvement purposes.
- Payment Information: We retain payment information in accordance with applicable financial and tax regulations.
7.2 Data Deletion
When personal data is no longer needed, we take measures to securely delete or anonymize it. Our data deletion processes include:
- Regular automated purging of expired data
- Secure deletion methods that prevent recovery
- Anonymization techniques that remove personal identifiers while preserving statistical value
7.3 Account Closure
When you close your account, we initiate a process to delete your personal data according to our retention schedules, unless we have a legal obligation or legitimate business reason to retain specific information. We may retain certain de-identified or aggregated data that no longer identifies you.
8. International Data Transfers
As a global service, Chatlify may transfer, store, and process your personal data in countries other than your own. We implement appropriate safeguards to ensure that your data receives an adequate level of protection regardless of where it is processed.
8.1 Transfer Mechanisms
When we transfer personal data from the European Economic Area (EEA), the United Kingdom, or other regions with data protection laws to countries that may not provide the same level of protection, we use one or more of the following legal mechanisms:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (BCRs), where applicable
- Adequacy decisions, where the recipient country has been recognized as providing adequate protection
- Derogations for specific situations, such as explicit consent or contractual necessity
8.2 Supplementary Measures
In addition to these transfer mechanisms, we implement supplementary technical, contractual, and organizational measures to enhance the protection of transferred data, such as:
- End-to-end encryption for communications
- Additional contractual commitments with data recipients
- Risk assessments for international transfers
- Data minimization for transferred data
8.3 Data Transfer Assessments
We regularly assess the privacy and security risks associated with international transfers and update our measures as necessary to respond to regulatory changes and evolving best practices.
9. Data Protection Safeguards
We implement comprehensive technical and organizational measures to protect your personal data. These include:
9.1 Technical Measures
- End-to-end encryption for private communications
- Transport Layer Security (TLS) for data in transit
- Encryption for data at rest
- Access controls and authentication mechanisms
- Network security infrastructure, including firewalls and intrusion detection
- Regular security testing and vulnerability scanning
- Logging and monitoring systems
9.2 Organizational Measures
- Data protection training for all staff
- Confidentiality obligations for employees and contractors
- Data protection impact assessments for high-risk processing
- Internal data protection policies and procedures
- Access restrictions based on the need-to-know principle
- Incident response plans
- Regular audits and compliance reviews
9.3 Third-Party Management
When we engage third-party service providers who may process personal data on our behalf, we:
- Conduct due diligence to ensure they provide appropriate safeguards
- Enter into data processing agreements that include data protection requirements
- Regularly assess their compliance and security measures
- Limit access and processing to what is necessary for the service they provide
10. Data Protection Officer
Chatlify has appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with data protection laws.
10.1 Role of the DPO
Our DPO's responsibilities include:
- Monitoring compliance with data protection laws and our internal policies
- Advising on data protection impact assessments
- Training staff on data protection matters
- Cooperating with supervisory authorities
- Serving as a point of contact for data protection inquiries
10.2 Contact Information
You can contact our Data Protection Officer at:
Data Protection Officer
Chatlify, Inc.
1 Chatlify Way
San Francisco, CA 94103
United States
Email: dpo@chatlify.com
11. How to Exercise Your Rights
We are committed to facilitating the exercise of your data protection rights. You can exercise your rights through the following methods:
11.1 Self-Service Options
Many data-related actions can be performed directly through your account settings, including:
- Updating or correcting your account information
- Downloading a copy of your data
- Adjusting privacy and communication preferences
- Deleting specific content or your entire account
11.2 Direct Requests
For rights that cannot be exercised through self-service options, you can submit a request to our Privacy Team:
- Email: privacy@chatlify.com
- Via the data rights request form on our website
- By mail: Privacy Team, Chatlify, Inc., 1 Chatlify Way, San Francisco, CA 94103, USA
11.3 Response Process
When we receive your request:
- We will acknowledge receipt within a reasonable timeframe
- We may ask for additional information to verify your identity
- We will respond to your request within the timeframe required by applicable law (typically 30 days under the GDPR, with the possibility of an extension for complex requests)
- If we cannot fulfill your request, we will explain why and inform you of any available alternatives
11.4 Appeals and Complaints
If you are not satisfied with our response to your request, you have the right to:
- Appeal the decision by contacting our Data Protection Officer
- Lodge a complaint with a supervisory authority in your country of residence, work, or where the alleged infringement occurred
- Seek judicial remedy through the courts
12. Updates to This Policy
We may update this Data Protection Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
12.1 Notification of Changes
When we make significant changes to this policy, we will:
- Post the updated policy on our website with a revised "Last Updated" date
- Notify you through the app or via email if the changes materially affect your rights or our obligations
- Where required by law, seek your consent to the changes
12.2 Review of Changes
We encourage you to review this policy periodically to stay informed about our data protection practices. By continuing to use our services after changes to this policy, you acknowledge and agree to the updated terms, subject to any consent requirements that may apply.
12.3 Previous Versions
Previous versions of this Data Protection Policy are available upon request to our Privacy Team.