Chatalott (“we,” “us,” or “our”) is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data. By using our platform at chatalott.com, you agree to the practices described in this policy.
1. Information We Collect
Account Information: When you register, we collect your name, email address, and a bcrypt-hashed password. We never store your plaintext password.
Contact Data: Any contacts, notes, deal information, follow-up logs, and related data you add to your Client Vault are stored in our database and belong to you.
Billing Information: Payment details (credit card numbers, bank information) are processed exclusively by Stripe, Inc. We never receive, store, or process raw payment card data. Stripe stores and handles all financial data under their own PCI-DSS compliance.
Usage Data: We collect anonymized usage logs to improve the platform — including page visits, feature interactions, and error reports. This data does not identify you personally.
Imported Contacts: If you use our Google Contacts import or CSV/vCard import features, the data you import is stored in your account vault and used solely to provide the service to you.
2. How We Use Your Information
We use your information to: provide and operate the Chatalott platform; process payments and manage subscriptions through Stripe; send transactional emails (account creation, billing receipts, follow-up reminders you have configured); calculate and distribute Ambassador Program commissions; improve and debug the platform; and comply with legal obligations.
We do not sell your personal data to any third party. We do not use your contact vault data for advertising or any purpose other than providing the service to you.
3. AI Processing — Groq & Fal.ai
Our AI features (text generation via Groq, image generation via Fal.ai) are powered by third-party AI providers. When you use these features, the prompt or context you provide may be transmitted to these providers to generate a response.
Important: We only send the minimum data necessary to generate your requested output. Your data is not used to train AI models by either Groq or Fal.ai under our current agreements. AI-generated content is stored in your account only if you explicitly save it.
4. Stripe Connect & Ambassador Payouts
The Ambassador Program is administered through Stripe Connect. If you join the Ambassador Program and become eligible for payouts, you will be directed to connect your Stripe account. Stripe collects, verifies, and stores all payout banking information directly. Chatalott does not have access to your bank account or routing numbers.
Ambassador commission records (amounts, referral counts, payout dates) are stored in our database to accurately calculate and display your earnings history.
Tax Status: Ambassadors are independent contractors, not employees of Chatalott. You are responsible for reporting and paying applicable taxes on commissions you receive. If your earnings exceed applicable tax reporting thresholds (such as IRS thresholds in the US or CRA thresholds in Canada), Stripe will issue the appropriate tax forms (e.g., 1099 or T4A) on our behalf.
5. Admin Access (“God View”)
Authorized Chatalott administrators may, for the purpose of customer support and debugging, access your account in a read-only impersonation mode (commonly referred to as “God View”). This allows our support team to reproduce issues you report without requiring your password.
This access is logged, is accessible only to authorized staff, and is used exclusively for support purposes. We do not access your account without a legitimate support reason. You may request a log of any administrative access to your account by emailing support@chatalott.com.
6. Data Retention & Account Expiry
If your subscription is cancelled, your account enters a 60-day grace period during which your data remains intact and accessible in read-only mode. After 60 days, contact data, deals, meetings, and follow-up logs are permanently deleted.
You may request immediate deletion of your data at any time by emailing support@chatalott.com. We will process deletion requests within 30 days.
7. Data Security
We use industry-standard security practices including TLS/HTTPS encryption in transit, HSTS with preload, a strict Content Security Policy, bcrypt password hashing, rate-limited authentication endpoints, optional TOTP two-factor authentication, environment variable isolation for secrets, and row-level access controls. Our database is hosted on Neon (PostgreSQL), a SOC 2 compliant provider. For a full rundown see our Security page.
No system is 100% secure. In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware of the incident, as we also commit to in our Data Processing Addendum.
8. Cookies
We use session cookies to keep you logged in and functional cookies required for the platform to operate. We do not use tracking or advertising cookies. You may clear cookies at any time through your browser settings, which will log you out of the platform.
9. Chrome Extension (Postalott)
Chatalott offers a Chrome browser extension called “Chatalott - Postalott” that automates scheduling posts to Facebook using Facebook's native scheduling interface.
How the Extension Works: The extension simulates user interactions (clicks, keystrokes, image uploads) on Facebook's website to schedule posts. It does not use any private APIs, workarounds, or unauthorized access methods. The extension only functions when you are already logged into Facebook in your browser and have actively initiated scheduling.
Facebook Credentials: We never see, receive, store, or transmit your Facebook password. The extension interacts with Facebook only through your existing browser session.
Permissions: The extension requests access only to facebook.com and chatalott.com — nothing else. We follow Google's data minimization principles and request only the minimum permissions necessary to provide the service.
Data Collected by the Extension: When a post succeeds or fails, the extension sends a status update to your Chatalott dashboard. This includes: success or failure status, reason for failure (e.g., “Dialog timed out”), and a timestamp. These logs do not contain your Facebook profile information, private messages, or any personal data beyond what you entered in your Chatalott templates.
No Remote Code Execution: All automation logic is self-contained within the extension package. We do not fetch or execute code from external servers.
Post History Retention: Scheduling logs are stored for 90 days so you can review your activity, then automatically deleted.
Third-Party Disclaimer: Chatalott is not affiliated with, endorsed by, or connected to Meta Platforms, Inc. (Facebook). The extension uses Facebook's public web interface in the same manner a user would manually.
10. Google Calendar Integration
What We Access: When you connect your Google Calendar to Chatalott, we request permission to read your calendar events and create new events. We access only the calendars you explicitly authorize.
How We Use Calendar Data: We use your calendar data solely to: display your upcoming events within the Chatalott dashboard; allow you to schedule meetings and follow-ups with your contacts; and sync meeting reminders with your calendar. We do not modify or delete your existing calendar events without your explicit action.
Data Storage: Calendar event data (titles, times, attendees) may be cached temporarily in our database to improve performance. This cached data is refreshed on each sync and is not used for any purpose other than displaying your schedule.
Data Sharing: We do not share, sell, or transfer your Google Calendar data to any third party. Calendar data is never used for advertising, AI model training, or any purpose beyond providing the calendar sync feature to you.
Revoking Access: You can disconnect your Google Calendar at any time from your Chatalott settings. Upon disconnection, we immediately delete all cached calendar data and revoke our access tokens. You can also revoke access directly from your Google Account permissions at myaccount.google.com/permissions.
Limited Use Disclosure: Chatalott's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
11. Third-Party Services
We use the following third-party services, each governed by its own privacy policy: Stripe (payments), Neon (database hosting), Groq (AI text generation), Fal.ai (AI image generation), Vercel (hosting and edge functions), Resend (transactional email). We share with each provider only the minimum data necessary to perform its function.
12. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal data. To exercise any of these rights, email support@chatalott.com with your request. We will respond within 30 days.
If you are located in the European Economic Area, you have additional rights under the GDPR, including the right to lodge a complaint with your local data protection authority.
13. Children's Privacy
Chatalott is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting an updated “Last updated” date. Continued use of the platform after changes constitutes acceptance of the updated policy.
Questions about this policy?
Email us at support@chatalott.com