Privacy Policy

Last updated: March 19, 2026

1. Introduction

Qallie SAS ("Qallie", "we", "our", or "us") is committed to protecting the privacy and personal data of our users, their customers, and website visitors. This Privacy Policy explains how we collect, use, store, and share your information when you use the Qallie platform, our website at qallie.com, or interact with a Qallie-powered chat widget.

Qallie acts as a data processor on behalf of businesses that use our platform (the "data controllers"). When you interact with a chat widget on a business's website, that business determines how your data is used. This policy covers our own data practices.

By using our services, you agree to the practices described in this policy. If you do not agree, please do not use our services.

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Data

When you create an account: name, email address, business name, business type, and billing information. This data is necessary to provide our services.

2.2 Chat & Conversation Data

Messages exchanged between guests and the AI assistant or business managers. This includes text messages, voice transcriptions, and metadata such as timestamps and language preferences.

2.3 Usage Data

Information about how you use the platform: pages visited, features used, AI token consumption, login times, and device/browser information.

2.4 Widget Visitor Data

When a visitor interacts with a Qallie widget: IP address (anonymized after 30 days), browser type, language preference, and conversation content. We do not use tracking cookies in the widget by default.

2.5 Payment Data

Payment processing is handled by Stripe and PayPal. We do not store full credit card numbers. We retain transaction IDs, amounts, and billing addresses for invoicing purposes.

3. How We Use Your Data

We process personal data for the following purposes:

  • Service delivery — Operating the platform, processing AI conversations, managing reservations, and delivering chat functionality.
  • Account management — User authentication, billing, subscription management, and customer support.
  • Service improvement — Analyzing usage patterns to improve our AI, fix bugs, and develop new features. We use aggregated, anonymized data for this purpose.
  • Communication — Sending transactional emails (invoices, trial reminders, security alerts). We never send marketing emails without explicit opt-in consent.
  • Legal compliance — Fulfilling our obligations under GDPR, tax regulations, and applicable laws.

Legal basis for processing (GDPR Art. 6): contract performance (Art. 6(1)(b)), legitimate interest (Art. 6(1)(f)), legal obligation (Art. 6(1)(c)), and consent where applicable (Art. 6(1)(a)).

4. Data Retention

We retain your data only as long as necessary for the purposes described above:

  • Account data — Retained for the duration of your account, plus 30 days after a deletion request (grace period).
  • Conversation data — Retained for 12 months, then automatically deleted unless the business configures a shorter period.
  • Usage & analytics data — Retained in anonymized form for up to 24 months.
  • Billing data — Retained for 7 years as required by EU tax regulations.
  • Widget visitor IP addresses — Anonymized after 30 days.

When you delete your account, we initiate a 30-day grace period during which you can cancel the deletion. After 30 days, all personal data is permanently and irreversibly deleted, including conversation history, uploaded files, and media.

5. Third Parties & Sub-processors

We share data with the following categories of third-party service providers, all of which are GDPR-compliant:

  • AI providers — OpenAI and Anthropic process conversation text to generate AI responses. Conversations are sent via API and are not used to train their models.
  • Voice processing — OpenAI Whisper (speech-to-text) and OpenAI TTS / ElevenLabs (text-to-speech) for voice mode features.
  • Payment processing — Stripe and PayPal handle payment transactions.
  • Email delivery — Resend delivers transactional emails on our behalf.
  • Cloud infrastructure — Our servers are hosted in EU data centers. File storage uses S3-compatible object storage within the EU.

We do not sell, rent, or trade your personal data to third parties. We do not share data with advertising networks or data brokers.

6. Your Rights (GDPR Art. 15–22)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15) — Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18) — Request that we limit how we process your data.
  • Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format (JSON/ZIP).
  • Right to object (Art. 21) — Object to processing based on legitimate interest.
  • Right not to be subject to automated decisions (Art. 22) — Our AI provides assistance, not automated decision-making with legal effects.

To exercise any of these rights, use the data export and account deletion features in your account settings, or contact our Data Protection Officer at [email protected]. We will respond within 30 days.

7. Cookies

Our website uses the following cookies:

  • Essential cookies — Required for the platform to function (authentication, session management, CSRF protection). These cannot be disabled.
  • Analytics cookies — Used to understand how visitors use our website. These are only set with your explicit consent.

The Qallie chat widget does not set tracking cookies. When a business enables the widget, a cookie consent banner is displayed to visitors, and chat functionality works identically regardless of whether cookies are accepted or declined.

You can manage your cookie preferences at any time through the cookie settings on our website or through your browser settings.

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Access to personal data is restricted to authorized personnel on a need-to-know basis.
  • We conduct regular security assessments and vulnerability testing.
  • Multi-tenant isolation ensures that each business's data is strictly separated.
  • API authentication uses secure, revocable tokens.

9. International Data Transfers

Your data is stored and processed within the European Union. When data is processed by sub-processors outside the EU (e.g., OpenAI in the USA), we ensure adequate protection through:

  • EU Standard Contractual Clauses (SCCs)
  • Data Processing Agreements (DPAs) with all sub-processors
  • Verification that sub-processors maintain appropriate security certifications

10. Children's Privacy

Qallie is a business-to-business service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify registered users of material changes via email at least 30 days before they take effect. The "Last updated" date at the top of this page indicates the most recent revision.

12. Contact & Data Protection Officer

If you have questions about this Privacy Policy or wish to exercise your rights, please contact:

Qallie SAS
[Registered address placeholder]
Email: [email protected]

You also have the right to lodge a complaint with your local data protection supervisory authority (e.g., CNIL in France, BfDI in Germany, AEPD in Spain).