Privacy Policy
Last updated: June 9, 2026
ElimChat (a brand operated by DakyLabs, "ElimChat", "we", "us" or "our") provides an embeddable AI chatbot platform (Software-as-a-Service) built on Retrieval-Augmented Generation (RAG) for small and medium-sized businesses in Latin America. This Privacy Policy explains what personal data we process, why and on what legal basis we process it, how long we keep it, with whom we share it and what rights you have over it.
This policy is written to comply with Ecuador's Ley Orgánica de Protección de Datos Personales (LOPDP) as our primary jurisdiction, and is also designed to meet the requirements of the EU General Data Protection Regulation (GDPR), Brazil's LGPD, Mexico's LFPDPPP, Colombia's Law 1581, Peru's Law 29733, and the data protection laws of Argentina and Chile. Where any of these laws grants you stronger rights, those rights prevail.
By creating an account, embedding our widget on your website or otherwise using ElimChat, you acknowledge that you have read and understood this policy.
1. Who we are (Data Controller)
ElimChat is a brand of DakyLabs and is the data controller responsible for the personal data processed through the ElimChat platform and the elimchat.com website.
- Brand / Product: ElimChat (a DakyLabs brand)
- Website: elimchat.com
- Privacy / Data Protection Officer (DPO): [email protected]
- General support: [email protected]
- WhatsApp: +593 96 357 5122
- Primary jurisdiction: Ecuador (LOPDP)
Controller vs. processor. When our business customers (the "Client") upload documents and run a chatbot, the Client is the data controller of the end-visitor conversations and any personal data contained in the documents they upload; ElimChat acts as a data processor on the Client's behalf, processing that data solely to provide the service and according to our agreement. For the Client's own account data (email, password, billing and usage), ElimChat is the data controller.
2. What personal data we process
We practice data minimization: we only collect the data we need to run the service. The categories of personal data we process are:
2.1 Client account data
- Email address of the SaaS Client (used as the login identifier and for service communications).
- Password, stored only as a salted cryptographic hash — we never store or have access to your plaintext password.
- Billing and subscription metadata (plan, status, renewal dates). Payment card details are handled by our payment provider and are never stored on our servers.
2.2 Content uploaded by the Client
- Documents you upload to train your chatbot (PDFs, Word files, web pages, FAQs, catalogs). These may contain personal data if you choose to include it; you are responsible for ensuring you have a lawful basis to upload such data.
2.3 Widget conversations (end visitors)
- Messages typed by the end visitors of the Client's website and the chatbot's responses.
- Hashed IP address of end visitors. We do not store raw IP addresses — only a one-way hash used for abuse prevention and rate limiting. The hash cannot be reversed to recover the original address.
2.4 Usage metadata
- Operational metrics such as token counts, number of requests, conversation volume and timestamps, used for billing, quota enforcement and service reliability.
We do not intentionally collect special categories of data (health, religion, political opinions, biometrics, etc.). Please do not submit such data through the chatbot or in uploaded documents unless you have a valid legal basis for doing so.
3. Purposes and legal bases for processing
We process personal data only for the purposes described below, each supported by a lawful basis under the GDPR and the LOPDP:
| Purpose | Data used | Legal basis |
|---|---|---|
| Provide and operate the chatbot service | Account data, uploaded documents, conversations | Performance of a contract (Art. 6(1)(b) GDPR) |
| Billing and subscription management | Account data, usage metadata | Performance of a contract / legal obligation (Art. 6(1)(b) and (c) GDPR) |
| Abuse prevention, rate limiting and security | Hashed IP, usage metadata | Legitimate interest (Art. 6(1)(f) GDPR) |
| Service communications (e.g., account, security, billing notices) | Email address | Performance of a contract / legitimate interest |
| Product improvement and aggregate analytics | Aggregated, non-identifying usage metadata | Legitimate interest (Art. 6(1)(f) GDPR) |
| Marketing emails (only if you opt in) | Email address | Consent (Art. 6(1)(a) GDPR) |
We never use Client documents or end-visitor conversations to train public or third-party AI models. Your data stays isolated to your tenant.
4. Service providers and sub-processors
We rely on a small set of carefully selected providers to deliver the service. Each is bound by a data processing agreement and may only process data on our documented instructions. Our current sub-processors are:
| Provider | Purpose | Location |
|---|---|---|
| DeepSeek | Large Language Model (generates chatbot responses) | See section 5 |
| Resend | Transactional email delivery | United States / EU |
| Hetzner | Cloud hosting (VPS infrastructure) | Germany / Finland (EU) |
| Cloudflare | CDN, reverse proxy, DDoS protection, cookieless analytics | Global edge network |
| Qdrant | Vector database (self-hosted on our infrastructure) | Germany / Finland (EU) |
Our core data — the PostgreSQL database, uploaded documents and the Qdrant vector store — is hosted on EU-based infrastructure (Hetzner, Germany/Finland). We will update this list before engaging any new sub-processor that processes personal data, and you may contact [email protected] to receive notice of changes.
5. International data transfers
Our primary infrastructure is located in the European Union (Germany and Finland). Some sub-processors may process data outside your country of residence, including outside the EU (for example, when chatbot prompts are sent to the DeepSeek LLM, or when email is delivered via Resend in the United States).
Where personal data is transferred to a country that has not been recognized as providing an adequate level of protection, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs), and we apply technical measures (such as minimizing the personal data sent to the LLM) to reduce risk. You may request a copy of the relevant safeguards by writing to [email protected].
6. Cookies and tracking technologies
ElimChat does not use advertising, profiling or cross-site tracking cookies. We only use:
- Essential session cookies (JWT): strictly necessary to keep you securely logged in to your account. These are not used for tracking and cannot be disabled without breaking core functionality, so under the GDPR/ePrivacy rules they do not require consent.
- Cloudflare Web Analytics: a privacy-first, cookieless analytics tool that gives us aggregate traffic statistics without setting cookies, fingerprinting visitors or collecting personally identifiable information.
Because we do not deploy non-essential cookies, we do not display a cookie consent banner.
7. Data retention
We keep personal data only for as long as it is needed for the purposes described in this policy:
- Active accounts: Client account data, uploaded documents and conversations are retained for as long as your account remains active.
- Cancellation / grace period: after you cancel, your data enters a 30-day grace period. During this period the data is soft-deleted (no longer used to serve the chatbot) and can be restored if you reactivate your account.
- Permanent deletion: once the 30-day grace period ends, your data is hard-deleted from our production systems, including documents and vector embeddings, subject to removal from routine backups within the backup rotation cycle.
- Legal obligations: certain billing and tax records may be retained for longer where required by applicable law, in which case they are kept isolated and used only for that purpose.
8. How we protect your data
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure or destruction, including:
- Tenant isolation: a strict multi-tenant architecture enforced at the database level (row-level security), so one Client's data is never accessible to another.
- Encryption in transit: all traffic is served over HTTPS/TLS.
- Password hashing: passwords are stored only as salted hashes; we never see your plaintext password.
- IP minimization: visitor IP addresses are hashed rather than stored in raw form.
- Access control: internal access to production systems is limited to authorized personnel on a need-to-know basis.
- Backups: regular, secured backups to enable recovery from incidents.
If a personal data breach is likely to result in a risk to your rights, we will notify the competent supervisory authority and affected individuals without undue delay, as required by applicable law.
9. Your data protection rights
Depending on your jurisdiction (GDPR, LOPDP, LGPD, LFPDPPP, Law 1581, Law 29733 and others), you have the following rights over your personal data:
- Access: obtain confirmation of and a copy of the data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your data.
- Restriction: ask us to limit how we process your data in certain cases.
- Portability: receive your data in a structured, machine-readable format and transmit it to another provider.
- Objection: object to processing based on our legitimate interests.
- Withdraw consent: withdraw any consent at any time, without affecting prior lawful processing.
- No automated decisions: not be subject to decisions producing legal effects based solely on automated processing.
To exercise any of these rights, contact our DPO at [email protected]. We will respond within the timeframe required by applicable law (generally within 30 days, extendable where the law allows). We may ask for information to verify your identity before acting on a request. Exercising your rights is free of charge unless the request is manifestly unfounded or excessive.
End visitors: if you interacted with a chatbot on a third-party website powered by ElimChat, the website operator is the controller of that conversation. Please direct your request to that operator; we will support them in fulfilling it as their processor.
You also have the right to lodge a complaint with your local data protection authority — for example, the Superintendencia de Protección de Datos Personales in Ecuador, or the competent supervisory authority in your country.
10. Children's privacy
ElimChat is a business tool and is not directed to children. We do not knowingly collect personal data from children below the age of digital consent applicable in their jurisdiction (16 in the EU unless a member state sets a lower age, and the equivalent minimum age under LOPDP and other LATAM laws). If you believe a child has provided us with personal data, please contact [email protected] and we will delete it promptly.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or sub-processors. When we do, we will revise the "Last updated" date at the top of this page. If the changes are material, we will provide a more prominent notice (for example, by email or an in-product notice) before they take effect. We encourage you to review this page periodically.
12. Contact us
If you have any questions, concerns or requests regarding this Privacy Policy or how we handle your personal data, you can reach us at:
- Privacy / Data Protection Officer: [email protected]
- General support: [email protected]
- WhatsApp: +593 96 357 5122
- Website: elimchat.com
ElimChat is a brand of DakyLabs. We are committed to handling your personal data responsibly and transparently.