Overview

Chatoku ("we", "us", "our") operates a live-chat support platform accessible at this domain. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what choices you have.

By registering an account, embedding our widget on your website, or using any part of the Service, you agree to this Privacy Policy. If you are using Chatoku on behalf of a business, you represent that you have authority to bind that business to this policy.

We distinguish between two categories of people whose data we process:

• Clients — businesses and individuals who register accounts and use the Chatoku dashboard.
• Visitors — end-users who interact with a Chatoku-powered chat widget embedded on a client's website.

Data We Collect

2.1 Account & Registration Data

When you create an account we collect:

• Full name
• Email address
• Password (stored as a bcrypt hash — we never store your plaintext password)
• Account role (client or agent)
• Plan tier (including Free), billing cycle (if applicable), and plan status
• Wallet balance and credit transaction history

2.2 Payment Data

For paid activity, payments are processed in cryptocurrency via NOWPayments. Free-plan users may use Chatoku without payment data until they initiate a paid transaction. We do not handle credit-card numbers or bank details. For paid transactions, we store:

• NOWPayments payment ID and order ID
• Payment currency (ETH, TRX)
• Price amount (USD equivalent) and crypto amount due
• Payment wallet address (blockchain address generated by NOWPayments)
• Payment status and confirmation timestamp
• Plan key and billing cycle associated with each payment

Blockchain transactions are inherently public. Once a transaction is broadcast to the network, the wallet address and amounts become part of a public ledger outside our control.

2.3 Team Member Data

When a client invites agents to their team we store the invited agent's name, email address, and role. Agents must accept the invitation using the link sent to their email before an account is created.

2.4 Widget & Conversation Data

Conversations started through an embedded chat widget generate:

• Visitor-provided name and email (if entered in the pre-chat form)
• All messages exchanged between visitors and agents, including timestamps
• Agent assignments and conversation status changes (open, closed, escalated)
• Unread-message flags and read receipts
• Widget identifier that links the conversation to a client's widget configuration

2.5 Technical & Usage Data

We automatically collect standard server-side data when you use the Service:

• IP address and approximate geographic location (country/region)
• Browser type, operating system, and device type (from User-Agent header)
• Pages visited within the dashboard and timestamps
• Laravel session identifiers (stored in a secure, signed, encrypted cookie)
• Error logs and performance metrics for service stability

We do not use third-party analytics SDKs (e.g., Google Analytics) on the dashboard. Log data is retained for a maximum of 30 days for debugging purposes.

How We Use Data

We use the data we collect strictly to operate and improve the Service:

• Account management — create and authenticate your account, enforce role-based access, and manage team invitations.
• Service delivery — route chat messages in real time, maintain conversation history, and display dashboard analytics.
• Billing and payments — for paid usage, initiate crypto payment requests via NOWPayments, verify incoming blockchain transactions via HMAC-authenticated webhooks, credit your wallet, and activate or renew subscriptions.
• Security and fraud prevention — verify request authenticity (HMAC signatures), protect against CSRF attacks, detect abusive patterns, and enforce rate limits.
• Service communications — send transactional emails such as team invitations. We do not send marketing emails unless you separately opt in.
• Service improvement — use aggregated, anonymised usage metrics to identify feature demand and fix bugs. Individual user data is never used for this purpose.

We do not sell, rent, or license your personal data to third parties. We do not use your data or your visitors' data to build advertising profiles.

Legal Basis for Processing

Where the GDPR or similar laws apply, we process personal data under the following legal bases:

• Contract performance — processing your account data, payment data, and conversation data is necessary to provide the Service you signed up for.
• Legitimate interests — security logging, fraud detection, and service-stability monitoring, where these interests are not overridden by your rights.
• Legal obligation — retaining certain records where required by applicable law.
• Consent — where we rely on consent (e.g., optional marketing communications), you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

For visitors interacting with a client's embedded widget, the client is the data controller for conversation content; Chatoku acts as a data processor on the client's behalf. Clients are responsible for obtaining any consent required from their visitors under applicable law and for maintaining their own privacy notices.

Data Sharing

We share personal data only in the following limited circumstances:

5.1 NOWPayments

When you initiate a paid transaction we send your user ID and the payment amount to NOWPayments to generate a payment address. NOWPayments may also send us your transaction details via a signed webhook. NOWPayments operates under its own Privacy Policy. We do not share your name or email address with NOWPayments.

5.2 Infrastructure Providers

We host the Service on third-party cloud infrastructure (servers, object storage). These providers act as processors and are bound by data processing agreements that prohibit them from using your data for any purpose other than providing the agreed services.

5.3 Email Delivery

Transactional emails (invitation links) may be sent via an email delivery provider. The recipient's email address is transmitted to deliver the message and is not retained by the provider beyond the delivery window.

5.4 Legal Disclosures

We may disclose data if required by law, court order, or government authority, or where we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or protect the safety of any person. We will notify affected users where permitted by law.

5.5 Business Transfers

If Chatoku is acquired, merged, or its assets transferred, personal data may be transferred as part of that transaction. We will notify users and give them the opportunity to delete their accounts before data is transferred to an entity with materially different privacy practices.

Widget & Visitor Data

The embeddable Chatoku widget is a JavaScript snippet that clients add to their websites. When a visitor opens the widget:

• A unique session token is generated and stored in the visitor's browser sessionStorage (not a cookie). This token expires when the browser tab is closed and is never synced across devices.
• The session token is used to resume a conversation if the page is refreshed within the same browser session.
• If the visitor provides a name and/or email to start a chat, these are transmitted over HTTPS and stored alongside the conversation record.
• The widget communicates with our servers only when the visitor actively opens the chat or sends a message — it does not fingerprint, track, or report passive browsing behaviour.

The widget HMAC key is issued to each client and used to authenticate embed code origin. Clients are responsible for keeping their HMAC key confidential. A compromised key should be rotated immediately via the dashboard.

Cookies & Storage

7.1 Dashboard Cookies

The Chatoku dashboard sets the following cookies:

• Session cookie (chatoku_session) — HTTP-only, Secure, SameSite=Lax. Stores your encrypted session state. Expires at browser close (or per your "remember me" setting).
• CSRF token cookie (XSRF-TOKEN) — used to protect form submissions from cross-site request forgery. Not HTTP-only; readable by the JavaScript running on this domain only.

We do not set advertising cookies, third-party tracking cookies, or analytics cookies.

7.2 Widget sessionStorage

The embedded widget uses sessionStorage (not localStorage or cookies) to store a temporary visitor session token. This storage is cleared automatically when the browser tab is closed and is not accessible by the parent website's code.

7.3 Managing Cookies

You can configure your browser to refuse or delete cookies. Disabling the session cookie will prevent you from logging into the dashboard. Disabling the XSRF-TOKEN cookie will prevent form submissions from working. The widget sessionStorage cannot be disabled without disabling sessionStorage globally in your browser.

Data Retention

We retain data for as long as your account is active and for a limited period thereafter:

• Account data — retained while your account is active. Upon account deletion we anonymise or delete your personal data within 30 days, except where retention is required by law.
• Conversation and message data — retained for the lifetime of your account. Upon termination, conversation data is deleted within 90 days unless you export it first.
• Payment records — retained for a minimum of 7 years to comply with financial record-keeping obligations.
• Server logs — retained for 30 days, then permanently deleted.
• Invite link tokens — deleted immediately upon use or upon manual revocation.

If your account is terminated for cause (violation of our Terms of Service), we may retain certain records related to the violation for up to 3 years to prevent re-registration and protect other users.

Security

We apply industry-standard technical and organisational measures to protect your data:

• Encryption in transit — all data is transmitted over HTTPS/TLS. WebSocket connections (Laravel Reverb) use WSS.
• Encryption at rest — database files are stored on encrypted volumes.
• Password hashing — passwords are hashed with bcrypt (cost factor ≥ 12). We never store or log plaintext passwords.
• HMAC authentication — NOWPayments webhooks are verified using HMAC-SHA512 signatures. Widget API requests may be authenticated with client-issued HMAC keys.
• CSRF protection — all state-changing requests require a valid CSRF token.
• Session security — sessions are regenerated on login and stored in encrypted, HTTP-only, Secure cookies.
• Role-based access control — the admin role, client role, and agent role each have strictly scoped permissions enforced at the server level.

No security measure is 100% effective. If you discover a potential vulnerability, please contact us responsibly at the address in Section 15 before disclosing it publicly.

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by law within 72 hours of becoming aware of the breach.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

10.1 GDPR Rights (EEA / UK)

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — ask us to delete your data (subject to legal retention obligations).
• Restriction — ask us to restrict processing of your data in certain circumstances.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, withdraw it at any time without affecting past processing.

10.2 CCPA Rights (California Residents)

• Know — request disclosure of the categories and specific pieces of personal information we collect, use, and share.
• Delete — request deletion of personal information we have collected (subject to exceptions).
• Opt out of sale — we do not sell personal information, so no opt-out is required.
• Non-discrimination — we will not discriminate against you for exercising your CCPA rights.

10.3 Exercising Your Rights

To exercise any of the above rights, contact us at the address in Section 15. We will respond within 30 days. We may need to verify your identity before fulfilling a request. We will not charge a fee for reasonable requests.

If you believe we have not addressed your concern adequately, you have the right to lodge a complaint with your local data protection supervisory authority.

Children's Privacy

The Service is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 13 years of age (or under 16 in the EEA). If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it promptly.

Clients who deploy the Chatoku widget on websites directed at children bear sole responsibility for ensuring their use of the Service complies with COPPA, GDPR-K, and any other applicable children's privacy laws.

International Data Transfers

We may process and store your data on servers located outside your country of residence, including in countries that may not have data protection laws equivalent to your own. Where we transfer personal data internationally we rely on:

• Adequacy decisions issued by the European Commission;
• Standard Contractual Clauses (SCCs) approved by the European Commission; or
• Other lawful transfer mechanisms recognised under applicable law.

By using the Service you acknowledge that your data may be transferred to and processed in these locations.

Third-Party Services

The Service integrates with or depends on the following third parties, each with their own privacy practices:

• NOWPayments — cryptocurrency payment processing. Privacy Policy ↗
• Laravel Reverb — self-hosted WebSocket server for real-time messaging. No data leaves our infrastructure for this service.
• Google Fonts — loaded on our public pages (landing, onboarding, legal pages) to render typography. Google's servers receive your IP address and User-Agent when fonts load. Google Privacy Policy ↗

We are not responsible for the privacy practices of third-party services. We encourage you to review their privacy policies.

Policy Changes

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date at the top of this page and, where required by law, notify you by email or by a prominent notice in the dashboard.

Your continued use of the Service after any change becomes effective constitutes acceptance of the revised Policy. If you disagree with a material change, you may delete your account before the change takes effect.

Contact Us

For privacy-related questions, data subject requests, or security disclosures, please contact us:

• Email: [email protected]

We aim to respond to all privacy enquiries within 5 business days. For formal data subject requests under GDPR or CCPA, our maximum response time is 30 days.