Privacy Policy

Last updated: May 6, 2026

ClientRelay is operated by ClientRelay Technologies, based in Norway. We are committed to protecting your privacy and handling your data transparently.

1. Data Controller

ClientRelay Technologies
Molde, Norway
Email: contact@clientrelay.tech

2. Data We Collect

Data Type	Source	Purpose
Email address	Google OAuth	Authentication, account identification, hub membership
Display name	Google OAuth	UI personalization
Profile photo URL	Google OAuth	Avatar display in dashboard
Knowledge base content	User uploads	Training AI chatbot responses
Chat logs	End-user conversations	Analytics, quality monitoring, lead capture
Lead form submissions	End-user chat interactions	Business lead generation for hub owners
IP address hash	Automatic (rate limiting)	Security - rate limit enforcement. The actual IP address is never stored.
Landing page visit data (anonymous)	Automatic (landing page script)	Anonymous visitor counting - page path, referrer domain, browser language, device type (mobile/desktop). No IP addresses, no cookies, no user identifiers.

3. How We Use Your Data

Service delivery: To authenticate you, display your dashboard, and provide chatbot functionality
AI processing: Knowledge base content is sent to Google Gemini API to generate chatbot responses. Your data is not used to train the AI model. See Google's AI Terms of Service.
Analytics: Chat logs are stored to provide conversation statistics and quality monitoring
Website analytics: Google Analytics 4 collects anonymous usage data (page views, traffic sources, device info) to help us improve the website
Communication: We may use your email for service-related notifications (not marketing)

3a. Legal Basis (GDPR)

Processing	Legal Basis	GDPR Article
Dashboard login (Google OAuth)	Contract — necessary for service delivery	Art. 6.1(b)
Chat messages (anonymous)	Legitimate interest — service improvement	Art. 6.1(f)
IP hash (rate limiting)	Legitimate interest — security	Art. 6.1(f)
Lead data (name, email, phone)	Consent — voluntarily submitted by end-user	Art. 6.1(a)
Landing page analytics (anonymous)	Legitimate interest - aggregate visitor statistics	Art. 6.1(f)

4. Data Storage and Location

All data is stored on Supabase infrastructure within the European Union. Authentication is handled by Supabase Auth (Google OAuth provider).

Database: Supabase PostgreSQL (EU region)
Authentication: Supabase Auth with Google OAuth
AI Processing: Google Gemini API (data sent to Google's servers for response generation)
Website hosting: GitHub Pages (United States)

5. Third-Party Services

Service	Purpose	Data Shared	Location
Supabase Inc.	Database, auth, serverless functions	All application data	EU region
Google LLC	Gemini AI (chatbot), OAuth (dashboard)	Knowledge base content, chat messages, email	USA (EU-US Data Privacy Framework)
GitHub Inc.	Static website hosting (GitHub Pages)	No user data (static files only)	USA (EU-US Data Privacy Framework)
Resend Inc.	Email notifications for lead capture	Recipient email address, lead name	USA (EU-US Data Privacy Framework)
Google LLC (Analytics)	Website traffic analytics (GA4)	Anonymous usage data (page views, device type, traffic source)	USA (EU-US Data Privacy Framework)

Some data may be transferred to countries outside the EU/EEA (USA). Such transfers are protected by the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs).

6. Chat Log Data

When end-users interact with chatbots created on the platform:

Chat messages and AI responses are logged for analytics purposes
No personally identifiable information (PII) is intentionally collected from end-users
Chat logs are accessible only to the hub owner who created the chatbot
End-users are not required to authenticate to use chatbots

6a. Shared Data Responsibility

When a business uses a ClientRelay chatbot widget on their website with lead capture enabled, both ClientRelay (as data processor) and the business (as data controller) share responsibility for personal data collected. The business is responsible for informing their end-users about data collection.

7. Data Retention

Data	Retention Period
Chat logs (anonymous)	3 months, then automatically deleted
Lead data (name, email, phone)	2 months, then automatically deleted
Dashboard account	Until account is deleted
Knowledge base	Until you delete it or account is terminated
IP hash (rate limiting)	24 hours (in-memory, not permanently stored)
Landing page analytics	12 months, then automatically deleted
After account deletion	All data deleted within 30 days

8. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the right to:

Access: Request a copy of your personal data
Rectification: Request correction of inaccurate data
Erasure: Request deletion of your data ("right to be forgotten")
Portability: Request your data in a machine-readable format
Object: Object to processing of your data
Withdraw consent: Withdraw consent at any time by deleting your account

For chat data: since chat logs are anonymous, there is no personal data to delete. For lead data: contact us or the website owner for deletion.

We respond to all requests within 30 days. Contact us at contact@clientrelay.tech.

9. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

The right to know what personal information is collected
The right to request deletion of your personal information
The right to opt-out of the sale of personal information

We do not sell personal information. We do not share personal information with third parties for their marketing purposes.

10. Cookies and Local Storage

The Service uses:

localStorage: To store your authentication session and language preference
Landing page localStorage: A single key (cr_visited) records today's date to avoid counting the same visitor twice per day. No personal data is stored.
Google Analytics cookies: We use Google Analytics 4 (GA4) to collect anonymous website usage statistics. GA4 may set first-party cookies (e.g., _ga, _ga_*) to distinguish unique visitors. No personally identifiable information is collected. See Google's Privacy Policy.
No advertising cookies: We do not use advertising cookies, Facebook Pixel, or similar tracking services

11. Security

We implement industry-standard security measures including:

Row-Level Security (RLS) ensuring data isolation between hubs
OAuth 2.0 authentication (no passwords stored)
HTTPS encryption for all data in transit
EU-based data storage compliant with GDPR

12. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect data from children.

13. Supervisory Authority

If you believe we are processing your personal data in violation of GDPR, you have the right to lodge a complaint with the supervisory authority:

Datatilsynet (Norwegian Data Protection Authority)
Phone: +47 22 39 69 00
Email: postkasse@datatilsynet.no
Website: datatilsynet.no

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the Service constitutes acceptance of the updated policy.

15. Contact

For privacy-related questions or requests:

ClientRelay Technologies
Email: contact@clientrelay.tech
Location: Molde, Norway