Privacy Policy

Company: Clueless (AB under registration), Reg. No.: pending registration, Address: [TBD], Contact: legal@clueless.chat

Last updated: 2025-10-28

1) Scope

This policy explains how Clueless ("Clueless", "we") handles personal data for our AI chat on merchants' websites (the "Service"). Purchases and order handling are covered by the merchant's privacy terms.

2) GDPR roles

  • Processor (most chat on a merchant site): we process chat data on the merchant's documented instructions under a data processing agreement (DPA).
  • Controller (our own purposes): operating, securing, and improving the Service (including quality review), fraud or abuse prevention, legal compliance, and our own sites.

We are not joint controllers with a merchant unless explicitly stated.

3) Data we process (examples)

  • Chat data: messages, quick prompt clicks, timestamps, basic session or SDK identifiers.
  • Optional uploads: images you submit for visual or product search.
  • Technical data: device or browser details, IP address, page URL, diagnostics, and crash logs.

Please avoid sharing sensitive data. If submitted inadvertently, we minimise or delete where feasible.

3a) Where we get data

  • From you: chat messages, optional uploads, support contacts.
  • From the merchant: catalogue or feed and (if enabled) purchase history or customer profile data.
  • Automatically: SDK events, device or browser details, IP address, diagnostics, and crash logs.

4) Purposes and legal bases

  • Provide the Service on the merchant site - contract with the merchant or legitimate interests.
  • Operate, secure, and prevent abuse (rate limiting, incident response) - legitimate interests and legal obligation where applicable.
  • Improve and evaluate the Service (quality review, testing, tuning, safety) - legitimate interests; where possible, de-identified or aggregated data.
  • Our sites - contract (where applicable) and legitimate interests (security and reliability).

Legal bases (EEA or UK): Depending on context we rely on contract, legitimate interests, consent (for non-essential cookies or experiments as required by ePrivacy rules), and legal obligation (compliance). Where we use legitimate interests, you may object (see rights).

We do not use your chat content to train foundation models on personal data. We may use de-identified snippets to improve product quality. Merchants can disable this in processor context.

5) Human review (beta)

During beta, we may review a sample of chats with access controls for quality, safety, and debugging. Where possible, we mask direct identifiers before review.

6) Sharing

  • Merchant: data needed to run the chat on that site (controller: the merchant).
  • Sub-processors: vetted providers for hosting, AI or ML infrastructure, monitoring, and support (bound by data processing terms). See: Subprocessors.
  • Compliance and safety: where required by law or to protect users, merchants, or our Service.
  • No ads or sale: we do not sell personal data and we do not use the chat SDK for third-party advertising or retargeting.
  • Business transfers: if our ownership changes, personal data may transfer to the acquirer and will remain protected under this policy or comparable protections. We will provide notice of material changes.

7) International transfers

If data leaves the EU, EEA, or UK, we use appropriate safeguards (for example EU Standard Contractual Clauses) and technical or organisational measures (encryption, access controls, minimisation). We conduct transfer impact assessments (TIAs) and apply supplementary measures where relevant. A high-level summary is available on request.

8) Retention (defaults)

  • Chat transcripts and uploads (processor context): up to 90 days, then deleted or anonymised (the merchant may set stricter rules).
  • Telemetry and diagnostics: up to 180 days, then aggregated or de-identified.

Where we act as processor, any stricter retention in the merchant DPA prevails over the defaults above. We may retain minimal data longer to comply with law or to establish, exercise, or defend legal claims. Backups are deleted on a rolling schedule.

9) Cookies and similar tech

We use only what is strictly necessary to run the chat during beta. If a merchant enables non-essential analytics or experiments, we rely on your consent via the merchant's cookie banner or consent tool (for example IAB TCF where used). You can change preferences in that tool at any time.

10) Security

We use measures such as encryption in transit, access controls, least privilege, audit logging, and incident response. No system is perfectly secure, so please avoid sharing sensitive data.

If we become aware of a personal data breach affecting your data, we will notify the merchant and/or you without undue delay where required by law, and provide information to help meet any regulatory or notification duties.

11) Your rights (EU, EEA, UK)

Depending on law, you can request access, correction, deletion, restriction, portability, and object to processing based on legitimate interests. Where we rely on consent, you can withdraw it at any time.

We aim to respond within one month; we may extend by up to two months for complex requests and will explain why. We may request information to verify your identity before acting on a request.

Automated decisions and profiling. We do not make decisions with legal or similarly significant effects solely by automated means. We may use profiling to personalise product suggestions and ranking. You have the right to object to profiling based on legitimate interests at any time.

Supervisory authority (Sweden): Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, Sweden - imy@imy.se - +46 8 657 61 00.

12) Marketing communications

We may send service and product updates. You can opt out of marketing at any time via unsubscribe links or by contacting us. Service and transactional messages (for example security updates or changes to terms) may still be sent.

13) Children

The Service is not intended for children under 13. If you believe a child provided personal data, contact us.

14) Changes

We may update this policy and will post the new version with a new "Last updated" date.

15) Contact

Clueless (AB under registration) - legal@clueless.chat