Privacy Policy

Last updated: 24 April 2026

1. Introduction

Kiran Sp. z o.o. ("we," "our," or "us"), operating under the brand enuchat, is the data controller responsible for your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use the enuchat platform, including our website, embeddable chat widget, operator dashboard, APIs, and related services (collectively, the "Service").

Kiran Sp. z o.o. is registered in Poland (NIP: 5342580173, KRS: 0000723560). Our registered address is Działkowa 95/10, 05-808 Pruszków, Poland.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Information We Collect

2.1 Account Data

When you register for an account, we collect:

  • Name and email address
  • Password (stored in hashed form only)
  • Organisation/tenant name
  • Role and permissions within your team

2.2 Conversation Data

When conversations occur through the chat widget, we collect:

  • Message content (text sent by visitors and operators)
  • Translated message content
  • Timestamps and conversation metadata
  • Language detection results

2.3 Visitor Data

When a visitor interacts with the chat widget, we collect:

  • A randomly generated visitor ID (stored in the visitor's browser via localStorage)
  • Browser language preference
  • Conversation history associated with the visitor ID

We do not collect visitor IP addresses, geolocation data, or other personally identifiable information from widget visitors unless voluntarily provided in conversation messages.

2.4 Knowledge Base Data

Tenants may upload content to the knowledge base for AI-powered auto-replies. This content is:

  • Stored in our database
  • Processed into vector embeddings for semantic search
  • Used only for providing auto-replies within the respective tenant's widget

2.5 Usage Logs

We automatically collect certain technical information, including:

  • AI feature usage (translation requests, auto-reply requests, embedding operations)
  • Token consumption records
  • API access logs
  • Error and performance logs

2.6 API Connection Data

When Tenants configure API Connections, the following data may be processed:

  • Connection credentials (encrypted at rest using libsodium)
  • Request and response data from external API calls triggered by rules
  • Session variables derived from API responses

External API calls are made to endpoints configured by the Tenant. enuchat acts as a conduit — data sent to external APIs is determined by the Tenant's configuration. Tenants are responsible for ensuring their external API integrations comply with applicable data protection laws.

3. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Deliver chat functionality, translate messages, generate AI auto-replies, and enable knowledge base search
  • AI Processing: Send message content to Anthropic (Claude) for translation, language detection, and auto-replies; send knowledge base content to OpenAI for generating vector embeddings
  • Billing: Track token usage, process payments through Polar, and maintain billing records
  • Rules and Automation: Evaluate chat rules, including AI-powered intent matching, to route conversations and trigger automated responses
  • Security: Detect and prevent fraud, abuse, and unauthorised access
  • Improvement: Analyse usage patterns to improve the Service (using aggregated, non-personal data)
  • Communication: Send service-related notices, such as security alerts or changes to the Service

4. How We Share Your Information

We do not sell your personal data. We share information only in the following circumstances:

4.1 AI Service Providers (Data Processors)

  • Anthropic: Receives message content for translation, language detection, and AI auto-replies. Anthropic does not use your data for model training.
  • OpenAI: Receives knowledge base content for generating vector embeddings. OpenAI does not use your data for model training.

4.2 Infrastructure Providers

We use trusted infrastructure providers to host and operate the Service. These providers process data only on our behalf and under our instructions.

4.3 Payment Processor (Merchant of Record)

Polar Software Inc. ("Polar"), a Delaware corporation registered at 3500 South DuPont Highway, Dover, DE 19901, US, acts as the Merchant of Record for all payment transactions. When you make a purchase, Polar collects and processes your payment data as an independent controller, and is responsible for collecting applicable sales taxes, VAT, and GST. We do not store your payment card details. See Polar's Privacy Policy and Terms of Service.

4.4 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of enuchat, our users, or the public.

4.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change and any choices you may have regarding your information.

5. Data Retention

  • Account and conversation data: Retained while your account is active and for 30 days after account deletion, after which it is permanently deleted.
  • AI usage logs: Retained for 12 months for billing, analytics, and debugging purposes.
  • Translation cache: Cached translations are automatically purged after 7 days.
  • Knowledge base embeddings: Deleted when the corresponding knowledge base entry is removed or the account is deleted.

6. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit: All data is transmitted over TLS (HTTPS)
  • Password security: Passwords are hashed using industry-standard algorithms and never stored in plain text
  • Authentication: JWT-based authentication with token expiration and refresh mechanisms
  • Rate limiting: API and authentication endpoints are rate-limited to prevent abuse
  • Tenant isolation: Strict data isolation between tenants ensures that one tenant cannot access another tenant's data

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service you have signed up for — account management, chat functionality, translation, AI auto-replies, and billing.
  • Legitimate Interest (Art. 6(1)(f)): Processing for security purposes, fraud prevention, service improvement using aggregated data, and ensuring platform stability.
  • Consent (Art. 6(1)(a)): Analytics cookies (Google Analytics) are only set with your explicit consent via the cookie banner.
  • Legal Obligation (Art. 6(1)(c)): Processing required to comply with tax, accounting, or other legal requirements.

8. Cookies and Tracking

Our use of cookies and similar technologies is described in our Cookie Policy. The chat widget uses localStorage (not cookies) to store visitor identification and conversation state.

9. International Data Transfers

Our primary infrastructure is located within the European Union. However, our AI service providers (Anthropic and OpenAI) may process data in the United States or other jurisdictions.

Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, to provide an adequate level of data protection.

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe we have collected data from a child, please contact us at info@enuchat.com.

11. Your Data Protection Rights

11.1 Rights Under GDPR and UK GDPR

If you are located in the European Economic Area or the United Kingdom, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete personal data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing: Request restriction of processing of your personal data
  • Right to Data Portability: Request a copy of your data in a structured, machine-readable format
  • Right to Object: Object to processing of your personal data based on legitimate interests
  • Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time
  • Right to Lodge a Complaint: Lodge a complaint with your local data protection authority. For Polish residents, this is the President of the Personal Data Protection Office (UODO) at uodo.gov.pl. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, please contact us at info@enuchat.com. We will respond within 30 days.

11.2 California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal information we collect, use, and disclose
  • The right to request deletion of your personal information
  • The right to opt out of the sale of personal information
  • The right to non-discrimination for exercising your privacy rights

We do not sell your personal information. We have not sold personal information in the preceding 12 months and have no plans to do so.

12. Data Processing Agreement

For Tenants who require a Data Processing Agreement (DPA) under GDPR Article 28, we provide a DPA upon request. In this context, the Tenant acts as the data controller for visitor data collected through their widget, and enuchat acts as the data processor. To request a DPA, please contact us at info@enuchat.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

  • Company: Kiran Sp. z o.o.
  • Brand: enuchat
  • NIP: 5342580173
  • KRS: 0000723560
  • Email: info@enuchat.com
  • Address: Działkowa 95/10, 05-808 Pruszków, Poland