Privacy Policy
Last updated: 02/06/2026
This policy describes how Chatbot Flow (published by Winevizer SRL) processes personal data in connection with the provision of its service. It applies to our customers (WordPress administrators who subscribe to a plan) as well as to visitors of websites where the widget is installed.
1. Data Controller
Winevizer SRL
Résidence de la Bascule, 33 — 7000 Mons (Belgium)
Company number: BE 1034.941.894 — VAT: BE1034941894
Represented by Sébastien Demoustiez, director.
General contact: contact@chatbot-flow.com
GDPR / DPO contact: gdpr@chatbot-flow.com
2. What data do we collect?
We only collect data that is necessary to provide the service.
2.1 For the customer (WordPress administrator)
- Admin email address, company name, site URL
- Billing address, VAT number (if applicable), country
- Stripe Customer ID (card data is collected and stored exclusively by Stripe, never on our servers)
- Widget configuration preferences (colours, triggers, additional content)
- Minimal technical logs (timestamps, error codes) for diagnostics
2.2 For visitors of sites where the widget is installed
- Messages exchanged with the chatbot
- URL and title of the page being viewed at the time of the exchange
- Device type (mobile / desktop) and an anonymous session identifier (technical cookie cf_session)
- If the visitor voluntarily chooses to provide them: name, email, phone via the "Contact me" form
No advertising tracking data, no digital fingerprinting, no third-party pixels.
3. Why we process this data and the legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the subscribed service | Performance of contract |
| Billing the subscription | Performance of contract + legal obligation (accounting) |
| Indexing site content (RAG) | Performance of contract |
| Notifying the admin (daily summary, lead alerts) | Legitimate interest |
| Fraud prevention / abuse detection | Legitimate interest |
| Following up with a visitor who has left their contact details | Consent (visitor's voluntary action) |
4. Hosting and data location
All application data (conversations, leads, vector knowledge base, configurations) is hosted with OVHcloud, in France (European Union).
Each customer has a logically isolated space in the vector database (separated by client_id) so that your content is never mixed with another customer's.
5. Sub-processors and recipients
To operate, Chatbot Flow relies on the following sub-processors. All are bound to us by a data processing agreement (DPA) compliant with GDPR Article 28.
| Sub-processor | Role | Location |
|---|---|---|
| OVH SAS | Application server and database hosting | France (EU) |
| OVH SAS (SMTP) | Sending transactional emails (notifications, invoices) | France (EU) |
| Stripe Payments Europe Ltd | Payment processing and billing | Ireland (EU) — global infrastructure |
| OpenAI Ireland Ltd | Language models (LLM) — Managed plan customers only | Ireland (EU), with possible sub-processing in the United States |
| Google Ireland Ltd | reCAPTCHA / Gemini — bot protection and alternative LLM | Ireland (EU), with possible sub-processing in the United States |
6. Transfers outside the European Union
Although our main sub-processors have their contracting entities within the European Union, OpenAI and Google may technically process certain requests on infrastructure located in the United States.
These transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) and, for OpenAI and Google, by their certification under the EU–US Data Privacy Framework (DPF). No data is transferred to a third country that does not provide an adequate level of protection.
Content sent to OpenAI via API calls is not used to train their models, in accordance with their current API terms of service.
7. Data retention
- Customer account and configurations: for the duration of the subscription, plus 30 days after cancellation to allow data export.
- Conversations and collected leads: for the duration of the subscription, plus 30 days after cancellation.
- Invoices and accounting data: 7 years (Belgian statutory requirement).
- Technical logs: maximum 90 days.
Once the above periods expire, data is permanently deleted. At any time during the subscription, the customer can export their conversations and leads from their WordPress dashboard.
8. Cookies
The chatbot widget sets a single strictly necessary technical cookie:
cf_session: an anonymous session identifier that allows the visitor to resume their conversation if they reload the page. Duration: 30 days. No tracking, no sharing.
Chatbot Flow does not set any advertising, third-party analytics or remarketing cookies.
9. Your GDPR rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights:
- Access: obtain a copy of data relating to you
- Rectification: correct inaccurate data
- Erasure: request deletion of your data
- Restriction: temporarily limit processing
- Portability: retrieve your data in a structured format (CSV/JSON)
- Objection: object to processing based on legitimate interest
- Withdrawal of consent at any time where consent is the legal basis
To exercise these rights, write to gdpr@chatbot-flow.com. We respond within a maximum of one month, in accordance with GDPR Article 12.3.
10. Complaint to a supervisory authority
If you believe that our processing of your data does not comply with the GDPR, you have the right to lodge a complaint with the Data Protection Authority (APD) in Belgium:
Autorité de protection des données (Data Protection Authority)
Rue de la Presse 35, 1000 Brussels, Belgium
contact@apd-gba.be — www.autoriteprotectiondonnees.be
You may also contact the supervisory authority of your country of residence if you reside in another EU Member State.
11. Security
We implement reasonable technical and organisational measures to protect your data: TLS encryption for all communications, SHA-256 hashing for API keys, HMAC signatures on webhooks, logical isolation per customer, secrets separation, infrastructure hardening, logging and regular security reviews.
12. Changes to this policy
We may update this policy from time to time. Any material change will be notified to customers by email at least 15 days before it takes effect. The date at the top of this page reflects the most recent update.