This Privacy Policy explains how Agents247 ("we", "us") handles personal information of two distinct groups: the businesses that embed our chat widget on their websites ("Customers"), and the website visitors who interact with that widget ("Visitors"). Different obligations apply to each, and we call out which group a given paragraph concerns.
1. Who is responsible for your data
Agents247 operates as the data processor for messages and contact information collected through the embedded widget on a Customer's website. The Customer is the data controller of that Visitor data — they decide why and how it's processed, and they're the party Visitors should contact for access, deletion, or correction requests in the first instance.
For data we collect about Customers directly (account signup, billing, support tickets), Agents247 is the data controller. Contact us at [email protected].
2. What we collect
From Customers (account holders)
- Account information: name, email, hashed password.
- Billing information: we use Stripe to process payments; Agents247 itself does not store credit card numbers. Stripe provides us with the last four digits and the card type for display purposes only.
- Configuration: tenant settings (knowledge-base entries, widget appearance, operating hours, webhook URLs, optional CRM tokens you've authorized).
- Usage telemetry: aggregated counters (conversations per month, messages per conversation), error logs containing truncated request data, and IP addresses of admin logins for security monitoring.
From Visitors (people chatting with the widget)
- Message content: the text you type into the chat widget. This is forwarded to the Customer's configured AI provider (OpenAI or Anthropic) to generate a reply. We do not train any model on this data — see third parties below for the providers' own policies.
- Optional pre-chat fields: if the Customer's widget is configured to ask for your name, email, phone, or other fields before starting a conversation, that information is stored against the conversation record and, if it includes contact details, used to create a lead in the Customer's CRM.
- Browser metadata: the page URL where the widget was loaded, your user-agent string, and your IP address for rate- limiting and abuse prevention.
- Conversation cookie: a single cookie storing the UUID of your current conversation so the chat thread persists if you navigate within the site or reload. See cookies below — this cookie is only set AFTER you consent to it.
3. Third parties we share data with
Visitor messages and configuration data are transmitted to a small set of sub-processors required to deliver the service. Each is bound by a data- processing addendum and processes data only on our documented instructions.
| Sub-processor | Purpose | Region |
|---|---|---|
| OpenAI | AI text generation when the Customer has selected OpenAI as the provider | United States |
| Anthropic | AI text generation when the Customer has selected Anthropic as the provider | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional email (account verification, conversation transcripts, notifications) | United States |
| Sentry | Application error monitoring (we scrub PII before sending events) | United States |
OpenAI and Anthropic both confirm in their API terms that they do not use API submissions to train their public models. Refer to OpenAI's API data usage policy and Anthropic's commercial terms for the authoritative statements.
We do not sell personal information to anyone, and we do not share data with advertising networks.
4. How long we keep it
Customers can set a retention window per tenant in their admin settings — conversations and messages older than the window are deleted by a scheduled nightly job. The platform default is 365 days. Once deleted, data is removed from the primary database; database backups roll off within 35 days.
Account records (Customer profiles, billing history) are retained for the duration of the subscription and for 7 years afterwards to comply with tax and accounting obligations, unless you specifically request earlier deletion and we are legally able to honor that request.
5. Your rights
Depending on where you live, you may have the right to:
- Access a copy of the personal information we hold about you.
- Have it corrected if it's inaccurate.
- Have it deleted ("right to be forgotten").
- Restrict or object to certain processing.
- Receive it in a portable format.
- Withdraw any consent you previously gave.
Visitors: contact the Customer whose website you were chatting on first — they control your data. If you don't get a response within a reasonable time, write to us at [email protected] and we will forward your request and follow up.
Customers: email [email protected] or use the data-export tools in your admin dashboard.
6. Cookies
The embedded widget sets one cookie: cf_conversation, which
stores the UUID of an in-progress conversation. It is set only after
the Visitor accepts the consent banner shown the first time the widget
opens. Declining the banner results in the conversation being held in
browser memory only — refreshing the page starts a fresh thread.
The admin dashboard sets standard Laravel session and CSRF cookies required for authentication. These are first-party, strictly necessary, and not subject to consent under GDPR Article 5(3).
7. Security
We host on infrastructure with SOC 2 Type II controls, encrypt all traffic with TLS 1.2+, encrypt API keys at rest, hash passwords with bcrypt, and apply principle-of-least-privilege to internal access. Despite all of this, no system can be guaranteed secure. If we discover a breach affecting your data we will notify you without undue delay and in any case within 72 hours of becoming aware.
8. International transfers
Our infrastructure and sub-processors are primarily in the United States. Where we transfer personal information out of the EEA, UK, or Switzerland, we rely on the European Commission's standard contractual clauses and supplementary measures as required.
9. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email to Customers and posted at the top of this page at least 30 days before they take effect.
10. Contact
Questions, requests, complaints — email [email protected].