Privacy Policy
Last updated: 14 March 2026
This Privacy Policy explains how Smart Weavers SRL ("Wittsy", "we", "us", "our") collects, uses, stores, and protects personal data in connection with the Wittsy AI chatbot service ("Service"), the Wittsy website (wittsy.co), and the Wittsy dashboard (app.wittsy.co).
We are committed to protecting your privacy and processing personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Romanian data protection law (Law 190/2018), and other applicable legislation.
1. Data Controller and Processor
| Context | Role | Who |
|---|---|---|
| Website visitor data (collected via chatbot) | Data Processor | Smart Weavers SRL processes visitor data on behalf of the Client (the business that installed the chatbot) |
| Client account data (business owner registration, billing) | Data Controller | Smart Weavers SRL collects and controls this data directly |
| Wittsy website visitors (wittsy.co) | Data Controller | Smart Weavers SRL |
Our details:
- Company: Smart Weavers SRL
- CUI (Tax ID): 36495210
- Trade Registry: J3/1508/2016
- Country: Romania, European Union
- Data Protection Contact: hello@wittsy.co
- Website: https://wittsy.co
We are not required to appoint a Data Protection Officer under GDPR Article 37 (we have fewer than 250 employees, and large-scale processing of personal data is not our core activity). All data protection enquiries should be directed to hello@wittsy.co.
2. What Data We Collect
2.1 Website Visitor Data (collected via the chatbot widget)
When a visitor interacts with a Wittsy chatbot installed on a Client's website, we process the following data as a Data Processor on behalf of the Client:
Automatically collected:
| Data | Purpose | Retention |
|---|---|---|
| Chat messages (visitor questions and AI responses) | Provide the chatbot service | 90 days default (configurable per Client plan) |
| Session ID (randomly generated UUID) | Maintain conversation continuity across page loads | Stored in visitor's browser localStorage; never transmitted to third parties |
| Browser language preference | Determine response language | Used at request time; not stored separately |
| Timestamps | Conversation ordering, analytics | Same as conversation retention |
Voluntarily provided by the visitor:
| Data | Purpose | Retention |
|---|---|---|
| Name | Lead capture — forwarded to the Client | Until Client deletes |
| Email address | Lead capture — forwarded to the Client | Until Client deletes |
| Phone number | Lead capture — forwarded to the Client | Until Client deletes |
Contact details are collected only when the visitor voluntarily provides them during a conversation (e.g., in response to the chatbot asking if they would like the business to follow up). The chatbot does not extract or infer contact information from other sources.
What we do NOT collect from visitors:
- We do not log visitor IP addresses at the application level
- We do not use cookies in the chatbot widget (it uses browser localStorage only — see Section 9)
- We do not use device fingerprinting, tracking pixels, or cross-site tracking identifiers
- We do not collect location data, browsing history, or visitor behaviour outside the chat conversation
- We do not intentionally process any special categories of personal data (Article 9 GDPR); the Client should advise visitors not to share sensitive personal data in chat
2.2 Client Data (business owner)
When a business subscribes to Wittsy, we collect and process the following data as a Data Controller:
| Data | Purpose | Legal Basis |
|---|---|---|
| Business email address | Account access, notifications, service communications | Performance of contract (Art. 6(1)(b)) |
| Business name and domain | Service provisioning, widget configuration | Performance of contract (Art. 6(1)(b)) |
| Knowledge base content | Power the AI chatbot's responses | Performance of contract (Art. 6(1)(b)) |
| Password (stored hashed with bcrypt, never in plain text) | Account authentication | Performance of contract (Art. 6(1)(b)) |
| Billing information (processed by Stripe) | Payment processing | Performance of contract (Art. 6(1)(b)) |
| Usage data (message counts, response times) | Quota tracking, analytics dashboard, service improvement | Legitimate interest (Art. 6(1)(f)) |
2.3 Wittsy Website Visitors (wittsy.co)
The Wittsy product website does not use analytics cookies, tracking scripts, or third-party advertising tools. If you interact with the Wittsy chatbot on our website, your messages are processed under the same terms as Section 2.1.
3. How We Use Data
We process personal data for the following purposes only:
- Provide the chatbot service — receive visitor messages, generate AI responses, maintain conversation continuity
- Lead capture and notification — when visitors voluntarily share contact details, store them and notify the Client
- Dashboard analytics — provide aggregate conversation statistics to Clients (message counts, response times, conversation topics)
- Account management — authentication, billing, service notifications, technical support
- Service maintenance and security — abuse prevention, rate limiting, error monitoring, security incident detection
- Legal compliance — meet obligations under GDPR, Romanian law, and other applicable legislation
We do NOT:
- Sell, rent, or trade personal data to any third party
- Use visitor conversation data for advertising, profiling, or marketing purposes
- Profile or track visitors across different Client websites
- Make automated decisions with legal or similarly significant effects based on personal data (Article 22 GDPR)
- Use personal data for purposes incompatible with the purposes described above
4. Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Chatbot service (visitor messages) | Legitimate interest of the Client (Data Controller) in providing customer service | Art. 6(1)(f) |
| Lead capture (visitor voluntarily provides contact details) | Consent (by voluntarily providing the information in conversation) | Art. 6(1)(a) |
| Client account registration and billing | Performance of contract with the Client | Art. 6(1)(b) |
| Usage analytics (aggregated, non-personal) | Legitimate interest in service improvement | Art. 6(1)(f) |
| Security monitoring and abuse prevention | Legitimate interest in protecting the Service and its users | Art. 6(1)(f) |
| Legal and regulatory compliance | Legal obligation | Art. 6(1)(c) |
Legitimate interest assessment: Where we rely on legitimate interest, we have conducted a balancing test and determined that our processing does not override the fundamental rights and freedoms of data subjects. The processing is limited to what is necessary to provide the Service, involves minimal personal data, and data subjects can reasonably expect such processing when interacting with a chatbot on a business website.
5. Data Sharing and Sub-Processors
We share personal data only with the following third-party service providers ("sub-processors"), strictly for the purposes of delivering the Service. We have data processing agreements in place with each sub-processor.
| Sub-Processor | Purpose | Data Processed | Location | Legal Safeguards |
|---|---|---|---|---|
| Google LLC (Gemini API) | AI response generation | Visitor messages and KB content (sent per request) | United States | Google Cloud Data Processing Addendum (CDPA) with SCCs; EU-US Data Privacy Framework (DPF) |
| Cloudflare, Inc. | CDN (widget delivery), DNS, reverse proxy | HTTP request metadata at network level | Global (edge network) | Cloudflare DPA with SCCs; EU-US DPF |
| ROMARG SRL | VPS server hosting | All stored data (encrypted at rest and in transit) | Romania, EU | Data remains within the EU |
| Stripe, Inc. | Payment processing | Client billing data only (not visitor data) | United States | Stripe DPA with SCCs; EU-US DPF; PCI DSS Level 1 |
| Google LLC (Google Workspace) | Email communications | Client email addresses, notification content | United States | Google Workspace DPA with SCCs; EU-US DPF |
We do not share visitor personal data with any party other than those listed above.
Changes to our sub-processor list will be reflected in this Privacy Policy. Clients who have signed a Data Processing Agreement with us will be notified of sub-processor changes in accordance with that agreement.
Google Gemini API — Data Usage Commitment
Wittsy uses the paid tier of the Google Gemini API. Under Google's Gemini API Additional Terms of Service (effective December 2025):
- Google does NOT use prompts or responses for model training on the paid tier
- Data is processed solely to generate responses and deliver the service
- Google acts as a Data Processor under the Cloud Data Processing Addendum (CDPA)
- Limited, short-term retention of prompts may occur for abuse detection and legal compliance, in accordance with Google's Prohibited Use Policy
- The CDPA includes Standard Contractual Clauses (SCCs) for GDPR-compliant international data transfers
6. International Data Transfers
Some of our sub-processors process data outside the European Economic Area (EEA), primarily in the United States. We ensure lawful transfers through the following mechanisms:
- EU-US Data Privacy Framework (DPF): Google LLC, Cloudflare, Inc., and Stripe, Inc. are certified under the EU-US Data Privacy Framework
- Standard Contractual Clauses (SCCs): Incorporated into our data processing agreements with all non-EU sub-processors as a supplementary safeguard
- Data minimisation: We transmit only the minimum data necessary for each sub-processor to perform its function
Your primary data (conversations, leads, knowledge base, account data) is stored on servers located in Romania (EU), operated by ROMARG SRL. Data does not leave the EU except when transmitted to the sub-processors listed above for the specific purposes described.
7. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Conversations and messages | 90 days (default; configurable per Client plan) | Service provision; automatically deleted after retention period |
| Leads (visitor contact details) | Until Client deletes, or account termination + 30 days | Client controls their lead data |
| Visitor feedback (thumbs up/down) | Duration of Client subscription | Service improvement |
| Knowledge base content | Until Client deletes or account termination + 30 days | Service provision |
| Client account data | Until account termination + 30 days | Contract; 30-day grace period for data export |
| Billing records and invoices | 10 years from date of transaction | Romanian fiscal code (Law 82/1991) |
| Security and abuse logs | 90 days | Legitimate interest in security |
After the applicable retention period, data is permanently deleted from our active systems. Removal from encrypted backups occurs within a further 60 days.
Client-controlled retention: Clients may delete individual conversations, leads, and KB documents at any time via the dashboard. Deleted data is removed from active systems immediately and from backups within 60 days.
8. Your Rights
8.1 If You Are a Website Visitor
The Client (the business whose website you visited) is the Data Controller for the data collected through the chatbot. To exercise your data protection rights, please contact the business directly.
If you contact us at hello@wittsy.co, we will make reasonable efforts to assist you in coordination with the relevant Client. However, we may need to verify your identity and identify the relevant Client before processing your request.
Your rights include:
- Right of access (Art. 15) — obtain a copy of your personal data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten")
- Right to restriction (Art. 18) — limit processing of your data
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
8.2 If You Are a Client (Business Owner)
As the Data Controller for your own account data, you can exercise the following rights:
| Right | How to Exercise |
|---|---|
| Access your data | View via dashboard or email hello@wittsy.co |
| Rectify your data | Update via dashboard settings or email us |
| Delete your data | Email hello@wittsy.co to request full account deletion |
| Export your data | Email hello@wittsy.co to receive data in JSON/CSV format |
| Restrict processing | Email hello@wittsy.co |
| Object to processing | Email hello@wittsy.co |
| Withdraw consent | Email hello@wittsy.co |
We will respond to all data subject requests within 30 days as required by GDPR Article 12(3). In complex cases, we may extend this by a further 60 days with prior notification. No fee is charged for reasonable, non-repetitive requests.
8.3 Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The relevant authority for Romania is:
ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
- Website: https://www.dataprotection.ro
- Email: anspdcp@dataprotection.ro
- Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
You may also lodge a complaint with the supervisory authority in your country of residence or place of work.
9. Cookies, Local Storage, and Similar Technologies
9.1 Chatbot Widget
The Wittsy chatbot widget does not use cookies. It uses the browser's localStorage API to store a single item:
| Key | Purpose | Contains | Expiry |
|---|---|---|---|
| Session ID | Maintain conversation continuity when the visitor navigates between pages | Randomly generated UUID | Persists until browser localStorage is cleared |
This session ID is:
- Generated randomly on the visitor's device
- Not linked to any personal information or cross-site identifiers
- Not transmitted to any third party
- Used solely to associate messages within the same conversation session
Under the ePrivacy Directive (2002/58/EC, as amended), storage that is strictly necessary for a service explicitly requested by the user does not require consent (the strict-necessity exemption in Article 5(3)). Since the session ID is essential for the chatbot to function as requested by the visitor, no consent is required for this storage.
9.2 Wittsy Dashboard (app.wittsy.co)
The dashboard uses a server-side session cookie for authentication:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| Session cookie | Maintain authenticated login state | Expires after 24 hours of inactivity | Strictly necessary (no consent required) |
The dashboard also uses localStorage for the theme preference (light/dark mode). This is strictly necessary functional storage that does not contain personal data.
9.3 Wittsy Website (wittsy.co)
The wittsy.co product website does not use any cookies, analytics scripts, or third-party tracking tools beyond the Wittsy chatbot widget described in Section 9.1.
We do not use: Google Analytics, Facebook Pixel, advertising cookies, social media tracking widgets, or any other third-party tracking technology on any of our domains.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with GDPR Article 32:
Technical measures:
- Encryption in transit: TLS 1.2+ for all data transmission (HTTPS enforced)
- Encryption at rest: Database stored on encrypted volumes
- Access controls: Role-based access; database not directly accessible from the internet
- Multi-tenant data isolation: Row-level separation ensures no Client can access another Client's data; all database queries are filtered by Client ID
- Password security: Client passwords hashed with bcrypt (never stored or transmitted in plain text)
- Input sanitisation: Protection against prompt injection, XSS, and SQL injection
- Rate limiting: Per-client and per-session rate limits to prevent abuse and denial-of-service
- Network isolation: Internal services communicate over private networks
Organisational measures:
- Access to personal data is limited to authorised personnel on a need-to-know basis
- All personnel with access to personal data are bound by confidentiality obligations
- Regular review of access permissions
- Incident response procedures for data breaches (see Section 10.1)
10.1 Data Breach Notification
In the event of a personal data breach, we will:
- Notify the affected Client(s) without undue delay and no later than 72 hours after becoming aware of the breach (GDPR Article 33)
- Provide details of the breach, its likely consequences, and the measures taken to address it
- Assist the Client in fulfilling their notification obligations to the supervisory authority and affected data subjects where required (GDPR Article 34)
11. Children's Data
The Service is designed for business use and is not directed at children under the age of 16. We do not knowingly collect personal data from children.
If a child interacts with a chatbot installed on a Client's website, the Client (as Data Controller) is responsible for ensuring appropriate measures are in place, including age-appropriate privacy notices where required by applicable law.
If we become aware that we have inadvertently collected personal data from a child under 16 without appropriate parental consent, we will take reasonable steps to delete such data promptly.
12. AI Transparency
Wittsy uses artificial intelligence (third-party large language models, currently Google Gemini) to generate chatbot responses. In accordance with the EU AI Act (Regulation (EU) 2024/1689) transparency requirements:
- AI disclosure: The chatbot clearly identifies as an AI assistant. It does not pretend to be a human and does not deny being an AI when asked.
- AI-generated content: All chatbot responses are generated by AI based on the Client's knowledge base. Responses may contain inaccuracies, omissions, or errors. They should not be treated as professional advice.
- Risk classification: Wittsy is used for general informational purposes (answering questions about a business) and does not make decisions with legal or similarly significant effects on individuals. We classify this as a limited-risk AI system under the EU AI Act, subject to transparency obligations but not the high-risk requirements.
- Human oversight: Clients can review all conversations via the dashboard, provide feedback, and update their knowledge base to improve response quality.
- No autonomous decision-making: The chatbot does not make automated decisions affecting individuals' legal rights or vital interests. Lead detection identifies buying intent signals to help businesses follow up, but does not make decisions about the individual.
13. Third-Party Links and Services
The chatbot may include links to third-party websites or services (e.g., links within the Client's knowledge base content). We are not responsible for the privacy practices, content, or security of third-party websites. We encourage visitors to review the privacy policies of any third-party sites they visit.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in the law, the Service, or our data practices. When we make changes:
- Material changes (affecting what data we collect, how we use it, or who we share it with) will be communicated via email to all registered Clients at least 30 days before they take effect.
- Non-material changes (clarifications, formatting, or minor updates) take effect upon publication.
- The "Last updated" date at the top of this page will always reflect the most recent revision.
We recommend reviewing this Privacy Policy periodically, particularly after receiving notification of changes.
15. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data:
- Email: hello@wittsy.co
- Company: Smart Weavers SRL
- CUI: 36495210
- Trade Registry: J3/1508/2016
- Country: Romania, EU
We aim to respond to all enquiries within 5 business days.