This Privacy Policy describes how Mevichat ("Mevichat", "we", "our") collects, uses, and shares information when you use Mevichat ("the Service"), our AI customer support platform available at mevichat.com and through embedded widgets on customer websites.
This policy applies to two distinct groups:
- Customers — businesses and developers who sign up for a Mevichat account, configure a chatbot, and embed it on their own website.
- Visitors — end users who interact with a Mevichat-powered chat widget on a customer's website.
If you are a Visitor, the customer who deployed the widget is the data controller for your conversation. Mevichat acts as a data processor on their behalf. Direct your privacy requests to that customer first; we will assist them on request.
1. What we collect
From Customers
- Account information. Name, email address, password (hashed), company name, billing address, and any optional profile details you provide.
- Workspace content. URLs you submit for crawling, sitemap data, and the contents of files you upload (PDF, DOCX, Markdown, Notion exports). We compute vector embeddings from this content so the assistant can retrieve relevant passages.
- LLM provider keys. If you choose to bring your own key (BYOK), we store the encrypted API key for Anthropic, OpenAI, or Azure OpenAI. Keys are sealed with customer-scoped envelopes.
- Operational metadata. Workspace settings, persona configuration, members, roles, audit log entries, and billing records.
- Usage data. API calls, conversation counts, model selections, latency and cost telemetry, and feature interactions in the dashboard.
From Visitors (interacting with a customer's widget)
- Conversation transcripts. The questions you type and the answers the assistant returns, plus citations to source material.
- Session metadata. A short-lived session identifier, browser user agent, the country derived from your IP address (the full IP address is not retained once the country lookup has been made), and timestamps.
- Optional rating. Thumbs-up/thumbs-down or numeric rating you submit on an answer.
- Page context. The URL of the page where the widget is embedded, so the assistant can scope answers to that page.
We do not collect names, email addresses, or other identifying information from Visitors unless the customer explicitly chooses to ask for them through the widget.
Cookies and similar technologies
Mevichat.com uses a small set of first-party cookies for authentication, CSRF protection, and language preference. We use Plausible Analytics, a privacy-friendly analytics service that does not set tracking cookies and does not collect personal data. The embeddable widget itself uses session storage, not cookies, on customer websites.
2. How we use information
We use the information described above to:
- Provide and operate the Service — authenticate you, run conversations, render the dashboard, send transactional email.
- Generate AI answers — your workspace content and the conversation in progress are sent to the LLM provider you have configured (Anthropic, OpenAI, Azure OpenAI, or our hosted Mevichat Mini). We do not train any LLM on your data, and our subprocessors are contractually bound to the same.
- Calculate billing — count conversations, apply plan quotas, generate invoices.
- Improve the Service — diagnose errors, study latency, and measure feature adoption, using aggregated and de-identified telemetry only.
- Protect the Service — detect abuse, prevent fraud, enforce rate limits, and comply with legal obligations.
- Communicate — send product announcements, security advisories, and policy updates. Marketing emails require explicit opt-in and can be unsubscribed at any time.
3. Legal bases (GDPR)
Where the GDPR applies, we rely on one of the following bases:
- Performance of a contract — to provide the Service you signed up for.
- Legitimate interests — to operate, secure, and improve the Service in ways you would reasonably expect.
- Consent — for marketing communications and any optional cookies.
- Legal obligation — for accounting, tax, and regulatory record-keeping.
4. How we share information
We share information only as described below.
- LLM providers. When you configure a BYOK key, your conversations and the retrieved context pass through that provider (Anthropic, OpenAI, or Azure OpenAI). That provider's own privacy and retention terms apply to the data while it is in transit to, and being processed by, that provider. Mevichat Mini is hosted by us, and data sent to it never leaves our infrastructure.
- Subprocessors. We use vetted infrastructure providers for hosting, email delivery, analytics, error reporting, and payment processing. Our current list is published at /trust. We give 30 days' notice before adding or replacing a subprocessor.
- Customer-facing sharing. If you are a Visitor, the customer who runs the widget can read conversation transcripts, ratings, and analytics in their operator dashboard.
- Legal and safety. We may disclose information when required by law, to enforce our terms, or to protect the rights, property, or safety of users and the public. We resist overbroad requests and notify the affected customer when permitted.
- Business transfers. If we are involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify customers in advance.
We do not sell personal information. We do not allow advertisers to track users across sites.
5. Data residency and international transfers
By default, customer data is stored in the European Union (Frankfurt). Customers on the Scale plan may request EU-only residency with no cross-border replication. Mevichat Mini inference runs on our EU infrastructure.
When you choose a BYOK provider hosted outside the EU (for example, Anthropic or OpenAI in the United States), conversations are transferred there for inference. We rely on Standard Contractual Clauses and the relevant adequacy decisions where applicable. Visitors interacting with a widget can be informed of this through the customer's own privacy notice.
6. Retention
| Data | Default retention | Customer override |
|---|---|---|
| Conversation transcripts | 90 days | Configurable up to 24 months on Pro and Scale |
| Embeddings and indexed content | Lifetime of the workspace | Re-indexed on every crawl |
| Account records | Lifetime of the account, then 30 days for export | Deletion on request, immediately on account closure |
| Audit logs | 12 months | Up to 7 years on Scale |
| Billing records | 10 years (legal requirement, EU) | Cannot be shortened |
When you delete a workspace or close your account, we permanently remove the corresponding content within 30 days, except where law requires longer retention.
7. Security
We protect your data with engineering controls and operational practices, including:
- TLS 1.3 for data in transit and AES-256 encryption for data at rest.
- Customer BYOK keys sealed with customer-scoped envelopes; the plaintext key is never written to logs.
- Production access through SSO with hardware security keys, with every action recorded in an audit log.
- GDPR alignment. Our Trust Center at /trust documents the current state.
- 24/7 monitoring with paging, post-incident reviews, and customer communication for any incident affecting your data.
If we detect a personal data breach affecting your information, we will notify affected customers without undue delay and, where required, within 72 hours of becoming aware.
8. Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct or update inaccurate information.
- Delete your information (right to erasure).
- Restrict or object to processing.
- Receive your information in a portable format.
- Withdraw consent for processing that relies on consent.
- Lodge a complaint with a data protection authority — your local DPA in the EU, or another regulator that has jurisdiction.
Customers can act on these requests directly from the operator dashboard or by contacting privacy@mevichat.com. Visitors should contact the customer that deployed the widget; if that customer cannot help, write to privacy@mevichat.com and we will route the request.
We respond within 30 days. We may verify your identity before fulfilling a request to prevent unauthorized access.
9. Children
Mevichat is not directed to children under 16 and is not intended to collect personal information from them. If you become aware that a child has provided personal information through a Mevichat-powered widget, please contact us so we can delete it.
10. Automated decision-making
Mevichat generates answers using language models. These answers are informational and do not produce legal effects on Visitors without human review. Customers configure escalation rules so out-of-scope or high-stakes questions are routed to a human agent.
11. Changes to this policy
We may update this Privacy Policy as the Service evolves or as the law changes. Material changes will be announced by email to account owners at least 14 days in advance. Continued use of the Service after the effective date means you accept the new policy.
12. Contact
For privacy questions, requests, or concerns:
- Email: privacy@mevichat.com
- Postal: Mevichat, Dubai, United Arab Emirates
- Data Protection Officer: dpo@mevichat.com
Our EU representative under Article 27 GDPR is listed on the Trust Center at /trust.