TellYou Privacy Policy
Last updated: May 19, 2026
This Privacy Policy governs the Tellyou chatbot platform, embeddable widget, related integrations (Shopify, WordPress, Crisp, Meta/Instagram, ElevenLabs, etc.) and supporting websites (collectively, the "Service"), operated by Tellyou AI AB ("Tellyou", "we", "us"), a company registered in Sweden.
Controller / contact: Tellyou AI AB, [address], [org. nr.]
Privacy contact: privacy@tellyou.ai
Supervisory authority: Integritetsskyddsmyndigheten (IMY), Sweden — imy.se
1. Our Two Roles
Tellyou plays two distinct roles under the GDPR:
Controller: Account holders — staff of our business customers who sign in to the Tellyou dashboard, and visitors to tellyou.ai. Examples: login email, name, profile picture, billing, product analytics
Processor: End-user chat content — messages, voice and metadata exchanged between a visitor and a chatbot deployed by one of our customers on their own site, store or social channel, processed on behalf of the customer (the Controller). Examples: conversation transcripts, attachments, contact details collected by the bot, Instagram/Messenger DMs received via webhook
For end-user chat content, processing is governed by the Data Processing Agreement (DPA) we enter into with each customer (GDPR Art. 28). End users should read the privacy notice of the website or business operating the chatbot.
2. Personal Data We Collect
As Controller (account holders and site visitors):
Authentication: email, hashed password, OAuth identifiers
Profile: first/last name, optional profile picture, language, role
Billing: company name, VAT number, billing address, payment metadata (card data is handled by our payment processor and never touches our servers)
Product usage and diagnostics: actions in the dashboard, IP address, user agent, approximate location, error logs
Communications you send us (support tickets, emails)
Cookies and similar storage — see §8
As Processor (end users of our customers' chatbots):
Chat transcripts (text and, where the voice agent is enabled, audio recordings and transcriptions)
Identifiers and metadata provided by the channel (e.g. Instagram/Messenger user ID, Shopify customer ID, Crisp session ID, page URL, language)
Any information end users voluntarily provide to the bot (name, email, order number, free-form input)
Derived data such as embeddings/vectors used to power retrieval-augmented responses
We do not knowingly collect data from children under 13. If you believe a child has provided us personal data, contact us and we will delete it.
3. How We Use Personal Data
Provide, secure and maintain the Service (authentication, support, fraud and abuse prevention)
Operate the chatbot: route messages, generate AI responses, deliver them through the configured channels
Improve product quality and reliability (aggregated analytics, debugging)
Communicate with you about your account, security and material changes
Opt-in marketing — only with your consent, withdrawable at any time
Comply with legal obligations (accounting, lawful requests)
Automated decision-making / AI. The Service uses Large Language Models to generate chatbot replies. These responses are advisory; they do not produce legal or similarly significant effects on end users within the meaning of GDPR Art. 22. Customers can configure handoff to a human agent.
4. Legal Bases (GDPR Art. 6)
Contract — providing the Service to account holders and customers.
Legitimate interests — securing the platform, preventing abuse, product analytics, and direct B2B communications. A balancing test is performed; you may object at any time (see §9).
Consent — non-essential cookies, marketing emails, voice recording prompts shown to end users, and any optional features that ask for it.
Legal obligation — bookkeeping, tax, and responding to lawful authority requests.
5. Sub-processors and AI Providers
To deliver the Service we use carefully selected sub-processors under written agreements that include GDPR Art. 28 terms and, where relevant, EU Standard Contractual Clauses (SCCs). An up-to-date list is maintained at tellyou.ai/sub-processors and includes, among others:
Supabase — database, authentication, storage, edge functions (EU region where configured)
Cloudflare — CDN, edge workers, DDoS protection
OpenAI, Anthropic, Google, ElevenLabs and similar LLM/voice providers — generation of chatbot responses and voice synthesis. Prompts and conversation context are transmitted to the selected provider strictly to produce a response. We contractually require that inputs and outputs are not used to train the providers' models.
Meta Platforms (Instagram/Messenger/WhatsApp) — when a customer connects an Instagram or Messenger channel
Shopify — when the Service is installed as a Shopify app
Stripe / payment processor — billing
Email and transactional messaging providers — account notifications
We give customers prior notice of new sub-processors so they may object before activation.
6. International Transfers
Some sub-processors are based outside the EU/EEA, primarily in the United States and the United Kingdom. Transfers are protected by one or more of: (i) an adequacy decision (e.g. UK adequacy, EU–US Data Privacy Framework where the recipient is certified), (ii) the EU Standard Contractual Clauses with supplementary measures, and (iii) encryption in transit and at rest. A copy of the applicable safeguards is available on request.
7. Retention
We retain personal data only as long as necessary for the purposes for which it was collected:
Data | Retention
Account profile and authentication | For the life of the account + 90 days after deletion
Billing and invoice records | 7 years (Swedish Bokföringslagen)
Chat transcripts and AI logs (as processor) | According to the customer's configuration; default 12 months
Voice recordings | Default 30 days unless the customer configures otherwise
Security and access logs | Up to 12 months
Backups | Rolling, with maximum 35 days retention
When a customer terminates their contract, end-user chat content is deleted or returned per the DPA, typically within 30 days.
8. Cookies and Local Storage
The Tellyou dashboard and the embeddable widget use cookies and localStorage for: authentication sessions, language preference, security, and aggregated product analytics. Non-essential cookies are only set after consent where required. Customers embedding the widget are responsible for surfacing cookie consent on their own properties; we provide configuration options to defer initialisation until consent is given. See our Cookie Notice for details.
9. Your Rights (GDPR Art. 12–22)
You have the right to:
Access your personal data and obtain a copy
Rectify inaccurate or incomplete data
Erase your data ("right to be forgotten")
Restrict or object to processing, including direct marketing and processing based on legitimate interests
Data portability (machine-readable export)
Withdraw any consent at any time, without affecting prior lawful processing
Lodge a complaint with IMY (imy.se) or your local supervisory authority
To exercise these rights, contact privacy@tellyou.ai. End users of a chatbot deployed by one of our customers should normally contact that customer first; we will assist the customer in fulfilling the request.
10. Security
We apply technical and organisational measures appropriate to the risk, including: encryption in transit (TLS 1.2+) and at rest, scoped access controls and least-privilege roles, single sign-on and MFA for staff, isolated environments, secret management, code review, automated dependency monitoring, audit logging, and regular backups. No system is perfectly secure; we encourage you to use a strong unique password and enable MFA.
11. Data Breach Notification
In the event of a personal data breach we will notify the competent supervisory authority within 72 hours where required by Art. 33 GDPR, and affected individuals or customers without undue delay where Art. 34 applies.
12. Channel-Specific Notes
Meta (Instagram / Messenger): When a customer connects a Meta channel, message content and the sender's platform ID are received via webhook, stored as conversation records, and processed by our AI to produce a reply. We use this data solely to operate the integration and comply with Meta's Platform Terms.
Shopify: Customer/order context is fetched from the merchant's Shopify store strictly to answer the buyer's question; we do not retain order data beyond the conversation context window unless required for support.
Voice agent (ElevenLabs): When voice is enabled, end users are presented with a notice and must agree before recording begins.
13. Selling and Sharing
We do not sell personal data and do not share it with third parties for their own marketing. We disclose personal data only to (a) our sub-processors under §5, (b) professional advisers under confidentiality, (c) acquirers in a merger or asset sale subject to equivalent protections, and (d) authorities where legally required.
14. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by email or in-product notice at least 30 days before they take effect. The "Last updated" date above always reflects the current version.
© Tellyou AI AB