ChatFlow Limited ("ChatFlow," "we," "us," or "our") is committed to protecting your personal information. This Privacy Policy describes how we collect, use, store, and disclose your data in compliance with the Jamaica Data Protection Act (JDPA 2020), the General Data Protection Regulation (GDPR – EU/UK), and other applicable international privacy laws.
This Policy applies to all users of our website, platform, mobile applications, and managed services, as well as business clients and their end-users. We align our practices to the Office of the Information Commissioner's Eight Data Protection Standards.
Data Controller: ChatFlow Limited, Lot 342 Portobello Pasture Drive, Montego Bay, St. James, Jamaica
Contact: [email protected]
Data Protection Officer/Privacy Contact: Data Protection Officer – [email protected]
Data Processor Role: For enterprise customers, when we process end-user/customer data according to your instructions, we act as a Data Processor under JDPA/GDPR. In those cases, our Data Processing Addendum (DPA) governs.
Registration: Where required by the JDPA, ChatFlow will register as a Data Controller with the Office of the Information Commissioner (OIC) and keep registration particulars up to date.
1. Information We Collect
We collect personal and non-personal information in the following categories:
1.1 Personal Information You Provide
- Identity Data: name, job title, company name, date of birth (where required for verification)
- Contact Data: email address, phone number, physical address, billing information
- Account Data: login credentials, security questions, authentication tokens, profile preferences
- Support Data: records of communications with ChatFlow (emails, live chat, support tickets, call recordings where permitted)
- Marketing Data: preferences, survey responses, opt-in records, event registrations
- Verification Data: proof of identity/authority to act for an organization (if required)
1.2 Automatically Collected Data
- Technical Data: IP address, browser type/version, operating system, device ID, network information, referrer URLs, timestamps
- Usage Data: time of access, pages visited, features used, session duration, clickstream data, performance metrics
- Cookies & Tracking Technologies: session cookies, analytics tags, preference cookies, and similar technologies (see Section 11)
1.3 Client & End-User Data (Enterprise Clients)
When enterprise clients integrate ChatFlow, we may process:
- Conversation Data: user prompts, chat transcripts, attachments, metadata (time, channel, language, sentiment scores), escalation results
- End-User Information: contact details provided by your customers during interactions (e.g., name, order ID), as configured by the customer
- Integration Data: data from customer systems (e.g., ticket IDs via APIs/webhooks)
Important: ChatFlow acts as a Data Processor for enterprise clients under GDPR/JDPA when handling end-user data, and as a Data Controller for direct user relationships.
2. Legal Basis for Processing (JDPA/GDPR)
We only process personal data where a lawful basis applies:
| Legal Basis | Examples | Purpose |
|---|---|---|
| Consent | Newsletter sign-up, demo requests, marketing preferences | You have given clear consent for specific purposes |
| Contractual Necessity | Account creation, service delivery, authentication, billing | Processing required to deliver services you request |
| Legal Obligation | Tax compliance, audit requirements, regulatory reporting | Processing necessary to comply with laws/regulations |
| Legitimate Interests | Security, fraud prevention, analytics, product improvement | Improving services, preventing fraud, securing systems (provided your rights are not overridden) |
3. How We Use Your Information
We process your data to:
- Provide and manage access to ChatFlow services and maintain platform functionality
- Personalize customer experiences and adapt language/dialect recognition
- Authenticate users and prevent unauthorized access to accounts
- Communicate service updates, billing notices, security alerts, and compliance notifications
- Perform analytics to improve AI training, system efficiency, and user experience
- Detect, investigate, and prevent fraud, cyber-attacks, or platform abuse
- Comply with audit, tax, and regulatory obligations in Jamaica and internationally
- Provide customer support and troubleshoot technical issues
- Conduct quality assurance and safety evaluations of our AI models
Training & Improvement Policy:
- Enterprise Customer Data: We do not use your governed end-user content to train publicly available foundation models. Any model tuning for your tenant is either (i) restricted to your tenant or (ii) performed only with your documented permission.
- Site & Account Data: We may use aggregated/de-identified usage data to improve Services. We will not attempt to re-identify de-identified data.
We will not sell or rent your personal data.
4. Data Sharing & Disclosure
We disclose personal information only as needed for the purposes outlined above. Your information may be shared with:
- Authorized Service Providers: cloud hosting (e.g., AWS, Supabase), analytics platforms, payment processors, email delivery services, logging/monitoring tools—all bound by contracts and confidentiality obligations acting under our instructions
- Affiliates & Contractors: developers, account managers, customer success personnel under strict NDAs and access controls for development, support, and account management
- Enterprise Administrators: admins of your business workspace may access certain account data and activity for governance and security purposes
- Legal & Regulatory Authorities: where required by Jamaican or international law, court orders, or to protect our rights, users' safety, and investigate fraud/security incidents
- Business Transfers: in case of merger, acquisition, restructuring, financing, or asset sale (your information may be transferred subject to this Policy)
We maintain a Sub-processor Register describing categories of sub-processors and regions used.
International Transfers: Data may be transferred to jurisdictions outside Jamaica and the EU. Where this occurs, we implement Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR.
5. International Data Transfers & Residency
- Primary Storage: Kingston, Jamaica data centers (for JDPA compliance)
- Secondary/Backup Storage: AWS and Supabase regions (may include EU/US servers for redundancy)
- Enterprise Options: Clients may request region-locked hosting under enterprise contracts
- Cross-Border Safeguards: Transfers outside Jamaica/EEA occur only with adequate safeguards (e.g., SCCs) and alignment to JDPA cross-border standards
6. Data Retention
We retain data only as long as necessary for the purposes outlined in this policy, unless a longer retention period is required by law. Typical retention periods:
- Client Account Records: retained for contract duration + 6 years for audit/legal compliance
- Chat Transcripts/Logs: retention period defined by client contract (default: 90 days unless otherwise specified in DPA)
- Support & Ticket Logs: up to 24 months (unless longer required for legal purposes)
- Marketing Records: retained until opt-out or maximum of 24 months post-last interaction
- Security & Audit Logs: retained for 12–24 months
- Billing Records: retained for contract term + up to 6 years (audit/legal requirements)
After retention periods expire, data is securely deleted or anonymized using industry-standard methods.
7. Your Privacy Rights (JDPA & GDPR)
Under GDPR and JDPA, you have the following rights:
- Access: Request a copy of your personal data and obtain information about how it's processed
- Rectification: Correct inaccurate or incomplete information
- Erasure ("Right to be Forgotten"): Request deletion of your data, subject to legal retention obligations
- Restriction: Ask us to limit how we process your data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Opt out of processing based on legitimate interests or direct marketing
- Withdraw Consent: Revoke previously given consent at any time (where processing is based on consent)
Response Times: We will respond without undue delay and within one month under GDPR (extendable by two months for complex requests with notice). JDPA also provides structured timelines—certain notices require a controller response within 30 days.
How to Exercise Your Rights: Submit requests via [email protected]. We may ask for information to verify your identity/authority. If you are an end-user of an enterprise customer, please contact that organization first; we will support them in fulfilling your request as Processor.
Complaints: You may lodge a complaint with the Office of the Information Commissioner (Jamaica) or your local EEA/UK data protection authority.
8. Data Security
We implement comprehensive administrative, technical, and organizational controls to protect your data:
- Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
- Access Controls: Role-based access, multi-factor authentication (MFA), least-privilege enforcement, periodic access reviews
- Network Security: Network segmentation, continuous monitoring, comprehensive logging, IDS/IPS systems
- Secure Development: Code reviews, dependency scanning, vulnerability management, secure SDLC practices
- Regular Audits: Penetration testing, vulnerability scans, SOC 2/ISO alignment, policy reviews
- Business Continuity: Secure backups, disaster recovery planning, resilience testing
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
9. Personal Data Breaches
If a personal data breach occurs, we will notify the supervisory authority without undue delay and, where feasible, within 72 hours as required under GDPR where a risk to individuals is likely; we will also notify affected individuals where required. Jamaica's JDPA framework and OIC guidance similarly require prompt reporting and notifications.
Our breach response includes:
- Immediate containment and assessment of the incident
- Notification to regulatory authorities within required timeframes
- Direct notification to affected individuals when high risk is involved
- Detailed incident reports provided to enterprise customers
- Implementation of remediation measures and security improvements
We maintain internal incident logs and provide customers with incident summaries and remediation steps as applicable.
10. Children's Privacy
Our services are not directed to children under 16 years (or higher age where local law requires). We do not knowingly collect personal information from children. If we discover that a child has provided personal data, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at [email protected].
11. Cookies & Similar Technologies
We use cookies and similar tracking technologies to enhance your experience:
- Strictly Necessary Cookies: Authentication, session management, security, load balancing
- Preference Cookies: Language settings, UI themes, regional preferences
- Analytics Cookies: Product usage trends, performance monitoring (Google Analytics, Mixpanel)
- Marketing Cookies: Advertising effectiveness, campaign tracking (with consent)
You can manage cookies through our Cookie Banner when you first visit our site, or through your browser settings. Disabling essential cookies may impact functionality of our services.
12. Automated Decision-Making & Profiling
We do not engage in solely automated decision-making that produces legal or similarly significant effects about you without appropriate human involvement or your explicit consent.
We use analytics, scoring (e.g., sentiment analysis), and classification to improve support quality and route tickets; these do not make legal or similarly significant decisions about individuals but help us provide better service.
13. Marketing & Communications
- You may opt out of marketing emails at any time via the unsubscribe link in any email
- Service and transactional notices (e.g., billing, security alerts, downtime notifications) are mandatory for account holders
- We respect your communication preferences and provide granular control over message types
- Marketing activities are based on consent (where required) or legitimate interests, with clear opt-out mechanisms
14. Enterprise-Specific Terms (Processor Role)
Where we process Customer Data on behalf of an enterprise customer, we act as a Data Processor:
- Processing Instructions: We process only on documented instructions in the Data Processing Addendum (DPA)
- Confidentiality: All personnel are bound by confidentiality agreements and trained in data protection
- Sub-processors: Engaged under written contracts; we remain responsible for their obligations; we maintain a Sub-processor List and provide notice of material changes
- Security Measures: Appropriate technical and organizational measures as described in Section 8
- Data Subject Rights: We assist customers in fulfilling data subject rights requests and breach obligations
- Data Return/Deletion: Upon contract termination, we return or securely delete Customer Data per the DPA timeline
- Audit Cooperation: We provide audit cooperation and compliance documentation on reasonable request
15. Third-Party Links & Services
Our platform may contain links to external websites or integrate with third-party services. We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal information.
16. Regional & International Compliance
Jamaica (JDPA)
- We adhere to the Eight Data Protection Standards established by the OIC
- We maintain registration as a Data Controller where required by JDPA
- Cross-border transfers follow JDPA standards with appropriate contractual safeguards
EU/EEA & UK (GDPR)
- We respect the one-month data subject access request timeline (extendable for complexity)
- We follow the 72-hour supervisory authority breach notification requirement
- Transfers outside the EEA/UK rely on Standard Contractual Clauses or other valid transfer mechanisms
17. Changes to This Policy
We may update this Privacy Policy to reflect operational, legal, or regulatory changes. If we make material changes, we will:
- Post a prominent notice on our website
- Notify registered users via email where appropriate
- Update the "Last Updated" date at the top of this policy
- Provide reasonable notice period before changes take effect
18. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Supervisory Authorities
- Jamaica (OIC): Office of the Information Commissioner – for registration, standards, and complaints
- EU/UK: Contact details for your local Data Protection Authority or the UK ICO are available online. GDPR breach reporting guidance: UK ICO Breach Reporting
Annex A — JDPA Eight Data Protection Standards & Our Alignment
The Jamaica Data Protection Act establishes eight core principles that guide our data protection practices:
- Fairness & Lawfulness: We process data lawfully with clear legal bases and provide transparent notices
- Purpose Limitation: Data is collected for specified, explicit purposes with no incompatible reuse
- Data Minimization: We collect and process only what is necessary for stated purposes
- Accuracy: We take reasonable steps to keep personal data accurate and up to date
- Storage Limitation: We maintain clear retention schedules and ensure timely deletion/anonymization
- Data Subject Rights: We facilitate access, rectification, erasure, restriction, objection, and portability within statutory timelines
- Technical & Organizational Measures: We implement robust encryption, access controls, and audit procedures
- Cross-Border Transfers: We ensure appropriate safeguards for international data processing
This Privacy Policy was last updated on January 1, 2025 and is effective immediately.