Legal

Privacy Policy

Effective date: May 20, 2026

Draft note: This is a first-draft policy for planning and launch preparation. Confirm actual infrastructure and subprocessors, and have qualified legal counsel review it before production launch.

1. Overview

This Privacy Policy explains how ChatBoba collects, uses, stores, and shares information when you use our multi-model AI chat workspace, including regular chat, AI Studio, profiles, memories, prompts, settings, BYOK provider keys, and managed provider access.

For now, "ChatBoba," "we," "us," and "our" refer to the operators of ChatBoba. Contact us at support@chatboba.com.

2. Information we collect

Account information

We collect information needed to create and secure your account, such as email address, password hash, account status, admin or access settings, session records, password reset tokens, and related security metadata.

Content and workspace information

ChatBoba may store content you create or configure in the product, including:

  • chat messages and conversation history;
  • AI Studio sessions, prompts, styles, bot settings, provider/model selections, and workflow configuration;
  • profile names, profile notes, memory entries, and other personalization data;
  • API key connection status, validation status, provider names, and saved settings;
  • usage information such as token counts, model/provider used, estimated costs, timestamps, and feature usage.

Provider API keys

If you add your own provider API keys, ChatBoba stores them so the app can make requests on your behalf. Where supported and configured, keys are encrypted at rest and are intended to remain hidden from staff or admin plaintext access during normal operation.

You can remove saved keys from ChatBoba, and you can revoke or rotate keys directly with your AI provider at any time. We do not use your BYOK keys to charge other users or to provide platform-managed access.

Important: you remain responsible for your provider accounts, key permissions, usage, key rotation, and provider billing.

Device, logs, and technical data

We may collect basic technical information such as IP address, browser type, device information, request logs, error logs, authentication events, performance logs, and security events. This helps us operate, debug, protect, and improve ChatBoba.

3. What is sent to AI providers

When you send a message or run an AI Studio workflow, ChatBoba sends the information needed to complete that request to the selected AI provider or managed provider route. This may include:

  • your prompt or message;
  • recent conversation history, depending on your settings and system limits;
  • selected AI style, system prompts, language instructions, and workflow instructions;
  • profile or memory context for regular chat when enabled by the product behavior;
  • provider/model configuration and technical metadata needed to process the request.

AI Studio sessions currently use selected styles, prompts, and conversation modes; they may not use the same profile memory/context injection as regular chat.

4. Third-party AI providers

ChatBoba supports providers such as OpenAI, Anthropic, xAI, Google Gemini, and others. If you use BYOK access, requests are made using your provider key and may be subject to that provider's privacy policy, data-use terms, retention rules, abuse monitoring, and billing terms.

If you use ChatBoba-managed provider access, requests may be made using ChatBoba-managed provider credentials and routing. Third-party providers may still process prompts, outputs, and related metadata according to their own terms.

5. How we use information

We use information to:

  • provide chat, AI Studio, profile, memory, prompt, and settings features;
  • authenticate users and protect accounts;
  • validate provider keys and route model requests;
  • show usage, token, and cost estimates;
  • debug, monitor, secure, and improve the service;
  • send operational emails such as password reset messages;
  • enforce our Terms and prevent misuse;
  • comply with legal obligations.

6. BYOK billing separation

For BYOK usage, ChatBoba does not markup token pricing. You pay AI providers directly according to their pricing and billing systems. ChatBoba may store and display estimated usage information, but those estimates are not invoices and may not match provider billing exactly.

7. Cookies, sessions, and local storage

ChatBoba uses cookies or similar technologies to keep you signed in and maintain secure sessions. We may also use browser local storage or session storage for product preferences such as selected profile, style, runtime controls, UI state, onboarding state, or other convenience settings.

You can control cookies and local storage through your browser, but disabling them may break sign-in or product functionality.

8. Analytics and logging

We may collect internal analytics and logs to understand usage, reliability, errors, security events, and feature performance. If third-party analytics tools are added, this policy should be updated with the provider name and data practices.

Placeholder for launch review: [List analytics, hosting, email, logging, and infrastructure providers/subprocessors].

9. How we share information

We may share information with:

  • AI providers when needed to process your requests;
  • service providers that help us host, secure, email, log, analyze, or operate ChatBoba;
  • law enforcement, regulators, or other parties when required by law or needed to protect rights, safety, and security;
  • successors in connection with a merger, acquisition, financing, or sale of assets.

We do not sell your personal information in the ordinary sense of exchanging it for money. If our practices change, this policy should be updated before launch.

10. Security

We use reasonable technical and organizational measures to protect ChatBoba and user data. However, no online service is perfectly secure. You should use strong passwords, protect your email account, limit provider key permissions where possible, and rotate API keys if you suspect compromise.

Because ChatBoba integrates with third-party AI providers, security also depends on your provider account settings, provider key handling, and provider security practices.

11. Data retention

We retain information for as long as needed to provide ChatBoba, maintain security, comply with legal obligations, resolve disputes, and enforce agreements. Some data may remain in backups or logs for a limited period after deletion.

Retention periods should be finalized before production launch: [Add retention schedule for account data, chats, provider keys, logs, sessions, password reset tokens, and backups].

12. Your choices and deletion rights

You may be able to update or delete certain content in the product, such as profiles, memories, prompts, provider keys, settings, and chat history. You may request account deletion or data access by contacting support@chatboba.com.

Depending on your location, you may have rights to access, correct, delete, export, restrict, or object to certain processing of personal information. We may need to verify your identity before responding.

13. Children

ChatBoba is not intended for children under [age threshold, e.g. 13 or 16 depending on launch region]. We do not knowingly collect personal information from children. If you believe a child has provided personal information, contact us.

14. International users

ChatBoba may process information in countries other than where you live. Those countries may have different data protection laws. Region-specific requirements should be reviewed with counsel before production launch.

15. Changes to this policy

We may update this Privacy Policy as ChatBoba changes. If changes are material, we will provide notice through the service, email, or another reasonable method. The effective date above shows when this policy was last updated.

16. Contact

Questions or privacy requests can be sent to support@chatboba.com.