Privacy Policy
Last updated: 2026-04-27
1) Scope
This policy explains how Clueless ("Clueless", "we") handles personal data for our AI chat on merchants' websites (the "Service"). Purchases and order handling are covered by the merchant's privacy terms.
2) GDPR roles
- Processor (most chat on a merchant site): we process chat data on the merchant's documented instructions under a data processing agreement (DPA).
- Controller (our own purposes): operating, securing, and improving the Service (including quality review), fraud or abuse prevention, legal compliance, and our own sites.
We are not joint controllers with a merchant unless explicitly stated.
3) Data we process (examples)
- Chat data: messages, quick-prompt clicks, timestamps, basic session or SDK identifiers.
- Optional uploads: images you submit for visual or product search.
- Technical data: device or browser details, IP address, page URL, diagnostics, and crash logs.
- Merchant data: product catalogue or feed data provided by the merchant.
Please avoid sharing sensitive data. If sensitive data is submitted inadvertently, we minimise or delete it where feasible.
4) Purposes, legal bases, and retention
Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You may object to processing based on legitimate interests at any time (see Section 10).
4.1 Provide the Service
Operate the AI chat on the merchant's website, including answering questions, product discovery, recommendations, and visual search.
- Data: chat data, optional uploads, technical data, merchant catalogue or feed data.
- Legal basis: contract with the merchant (processor context); legitimate interests (controller context).
- Retention: up to 12 months from last activity, then deleted or anonymised. The merchant may set stricter retention in their DPA.
4.2 Operate, secure, and prevent abuse
Rate limiting, incident response, fraud prevention, and maintaining service availability.
- Data: technical data, session identifiers, chat metadata (timestamps, request patterns), diagnostics and crash logs.
- Legal basis: legitimate interests (security and integrity); legal obligation where applicable.
- Retention: up to 12 months, then aggregated or deleted.
4.3 Improve and evaluate the Service
Quality review, testing, tuning, and safety — including human review of chat samples (see Section 5) and automated evaluation. Where possible, we use de-identified or aggregated data.
- Data: chat messages (pseudonymised where feasible), session identifiers, telemetry, diagnostics and crash logs.
- Legal basis: legitimate interests (improving quality and ensuring safety).
- Retention: quality-review samples up to 90 days after review is completed; telemetry and diagnostics up to 12 months, then aggregated or deleted.
4.4 Our own websites
Operating clueless.chat and related sites, and handling direct contacts.
- Data: contact details (if submitted), technical data.
- Legal basis: contract (where applicable); legitimate interests (security and reliability).
- Retention: up to 12 months, then deleted.
We do not use your chat content to train foundation models on personal data. We may use de-identified snippets to improve product quality. Merchants can disable this in processor context.
5) Human review (beta)
During beta, a limited number of authorised employees may review, subject to access controls, a random sample of chats for quality, safety, and debugging. Where technically feasible, we mask or pseudonymise direct identifiers before review. Reviewed samples are not retained beyond the review period unless required for a specific safety or compliance investigation.
Where our processing is likely to result in a high risk to the rights and freedoms of individuals, we conduct a Data Protection Impact Assessment (DPIA) in accordance with GDPR Article 35.
6) Sharing
- Merchant: data needed to run the chat on that site (controller: the merchant).
- Sub-processors: vetted providers for hosting, AI or ML infrastructure, monitoring, and support (bound by data processing terms). A current list of sub-processors is available on request — contact legal@clueless.chat.
- Compliance and safety: where required by law or to protect users, merchants, or our Service.
- Business transfers: if our ownership changes, personal data may transfer to the acquirer and will remain protected under this policy or comparable protections. We will provide notice of material changes.
No ads or sale: we do not sell personal data and we do not use the chat SDK for third-party advertising or retargeting.
7) International transfers
If data leaves the EU, EEA, or UK, we use appropriate safeguards (for example EU Standard Contractual Clauses) and technical or organisational measures (encryption, access controls, minimisation). We conduct transfer impact assessments (TIAs) and apply supplementary measures where relevant. A high-level summary is available on request.
8) Cookies and similar tech
If a merchant enables non-essential analytics or experiments, we rely on your consent via the merchant's cookie banner or consent tool (for example IAB TCF where used). You can change preferences in that tool at any time. A current inventory of cookies and similar storage used by the Service is available on request — contact legal@clueless.chat.
9) Security
We use measures such as encryption in transit, access controls, least privilege, audit logging, and incident response. No system is perfectly secure, so please avoid sharing sensitive data.
If we become aware of a personal data breach affecting your data, we will notify the merchant and/or you without undue delay where required by law, and provide information to help meet any regulatory or notification duties.
10) Your rights (EU, EEA, UK)
Depending on law, you can request access, correction, deletion, restriction, and portability, and you can object to processing based on legitimate interests. Where we rely on consent, you can withdraw it at any time.
We aim to respond within one month; we may extend by up to two months for complex requests and will explain why. We may request information to verify your identity before acting on a request.
Automated decisions and profiling. We do not make decisions with legal or similarly significant effects solely by automated means. We may use profiling to personalise product suggestions and ranking. You have the right to object to profiling based on legitimate interests at any time.
Supervisory authority. You have the right to lodge a complaint with a data protection supervisory authority. The Swedish authority is Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, Sweden — imy@imy.se — +46 8 657 61 00.
11) Children
The Service is not intended for children under 16. If you believe a child under 16 has provided personal data, contact us and we will delete it promptly.
12) Changes
We may update this policy and will post the new version with a new "Last updated" date.
13) Contact
Poggen Konsult AB (org.nr 556944-7591), trading as Clueless
Drakenbergsgatan 39, 412 69 Göteborg
legal@clueless.chat