Privacy Policy

Effective date: 21 May 2026

This policy explains how Assistify collects and uses personal data. Assistify is a B2B SaaS product: an embeddable AI customer-support chat widget. The in-product AI agent is named Aiva.

This policy covers the personal data we handle as a data controller. That includes data about the businesses that use Assistify (our merchants), the people at those businesses, and visitors to our marketing website at assistify.chat. It does not cover the data we process on behalf of our merchants when their website visitors use the chat. For that, see the section "Controller and processor: which is which" below.

Who we are and how to contact us

Assistify is operated by NATIV STUDIO OÜ, a company registered under number 17290338, with its registered address at Järvevana tee 9, Kesklinna linnaosa, 11314 Tallinn, Estonia.

For any question about this policy or about how we use your personal data, contact us at [email protected].

Data protection officer: we have not appointed a data protection officer, as we are not required to under Article 37 of the GDPR. Privacy questions are handled by the contact above.

Controller and processor: which is which

Data protection law distinguishes between a controller (the party that decides why and how personal data is used) and a processor (the party that handles data on a controller's instructions).

Assistify as a controller. For our own merchant accounts, billing, product-usage data, and marketing-website visitors, Assistify decides why and how the data is used. This policy explains those activities.

Assistify as a processor. When a merchant installs our chat widget on their website, the merchant is the controller of their website visitors' data. Assistify acts as the processor: we provide the chat technology and handle visitor data only on the merchant's instructions. Those activities are governed by our Data Processing Agreement (DPA) with each merchant. Website visitors should read the Chat Privacy Notice, which explains the chat in plain language.

What data we collect as a controller

Merchant account data. When someone creates or manages an Assistify account, we collect: the merchant business name, the work email of the account user, job title, a hashed password, a two-factor authentication secret, OAuth tokens for integrations the merchant connects, and a Stripe customer reference and plan.

Billing data. We collect the information needed to manage a paid subscription. Card payments are processed by Stripe; Stripe handles card details and we do not store full card numbers.

Product-usage data. As merchants use the dashboard and the product, we collect usage and diagnostic information so we can operate, secure, and improve the service. This includes application and platform logs and error reports. Our product analytics are aggregated and computed in-house on our own EU infrastructure; we do not embed any third-party analytics SDK.

Marketing-website visitors. When someone visits assistify.chat, we collect limited information through our website, such as pages viewed and basic device and connection data. See the "Cookies on the marketing site" section below.

Why we use this data and our lawful basis

We rely on the following lawful bases under the GDPR.

  • Contract (Article 6(1)(b)). To create and manage merchant accounts, provide the service, and handle billing and subscriptions.
  • Legal obligation (Article 6(1)(c)). To keep accounting and tax records and to meet other legal requirements.
  • Legitimate interests (Article 6(1)(f)). To operate and secure the service, prevent fraud and abuse, monitor and fix errors, and produce aggregated analytics that help us understand and improve the product. We have weighed these interests against your rights and freedoms. You can object to processing based on legitimate interests (see "Your rights" below).
  • Consent (Article 6(1)(a)). For any non-essential cookies on our marketing site and for any optional marketing communications. You can withdraw consent at any time.

We do not use identifiable conversation data to train AI models.

Who we share data with

We use a small set of trusted service providers (sub-processors) to run Assistify. Each one handles data only on our instructions and under a contract that requires appropriate protection. They fall into these categories:

  • AI language-model providers, located in the EU and the United States, which generate Aiva's automated chat replies. They do not train their models on the data.
  • Payment processing, used only for merchant subscriptions; it does not receive website-visitor chat data.
  • Transactional email delivery, used to send account and notification emails.
  • Error monitoring, used to detect and diagnose technical faults.

Each merchant receives the current, named sub-processor list that applies to their website visitors' data as part of the Data Processing Agreement.

Uploaded chat files are stored in AnewVision Cloud, which is Assistify's own EU-hosted storage operated by the same legal entity as Assistify. It is not a third-party sub-processor.

We may also disclose data where required by law, to enforce our terms, or to protect the rights, safety, and security of Assistify, our merchants, or others. If our business is reorganised, merged, or sold, personal data may be transferred as part of that transaction, subject to this policy.

This section covers our own controller activities. When a merchant connects their own e-commerce platforms or notification channels to the widget, data may flow to services the merchant chooses. That is the merchant's decision as controller and is described in the Chat Privacy Notice and the DPA.

International transfers

All production processing operated by Assistify, and our primary PostgreSQL database, are hosted in the EU.

Some of our service providers, including the AI language-model providers that power Aiva, are located outside the EU, for example in the United States. Where personal data is transferred outside the EU or the EEA, we rely on appropriate safeguards: the EU-US Data Privacy Framework where the provider is certified, and otherwise the European Commission's Standard Contractual Clauses together with a transfer impact assessment. You can ask us for more detail, including the specific provider concerned, using the contact above.

How long we keep data

We keep merchant account data for the life of the contract. When the contract ends, we delete the account data, except for records we must keep to meet legal obligations such as accounting and tax, which we retain for the period required by law.

We keep application and platform logs for 90 days. We keep security audit logs for 365 days.

Retention periods for website-visitor chat data (for example conversations, messages, and uploaded files) are set out in the Chat Privacy Notice and the DPA. Auto-deletion runs daily.

How we protect data

We use technical and organisational measures designed to protect personal data, including encryption in transit, encryption at rest, hashed passwords, two-factor authentication for accounts, access controls, error monitoring, security audit logging, and EU-based hosting. No system is perfectly secure, but we work to keep our measures appropriate to the risk.

Your rights

If you are in the EU or the EEA, you have the following rights over your personal data, under Articles 15 to 22 of the GDPR:

  • access to your data;
  • correction of inaccurate or incomplete data;
  • erasure of your data in certain circumstances;
  • restriction of processing in certain circumstances;
  • data portability for data you provided to us, where processing is based on consent or contract;
  • objection to processing based on legitimate interests, and to direct marketing at any time;
  • the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects, where that applies;
  • the right to withdraw consent at any time, where we rely on consent.

To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month. We may extend this where the law allows, and we will tell you if we do.

If you are a website visitor who used a merchant's chat, the merchant is the controller of that data. Please exercise your rights with the merchant whose website you were using. Assistify gives merchants self-service tools and assists them with these requests, and we also publish a fallback contact in the Chat Privacy Notice.

Cookies on the marketing site

Our marketing website at assistify.chat uses strictly necessary cookies to function. We do not embed third-party analytics on the marketing site; any non-essential cookie would be set only with your consent. The Assistify chat widget itself has its own cookie and storage notice; see the Cookie and Storage Notice for the full details, including the cookies and storage items used inside the widget.

Your right to complain

If you have a concern about how we handle your personal data, please contact us first so we can try to resolve it. You also have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority is the Estonian data protection authority, the Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia (www.aki.ee). You may also complain to the supervisory authority in the EU or EEA country where you live or work.

Governing law

This policy and any dispute relating to it are governed by Estonian law, and the courts of Tallinn, Estonia have jurisdiction, without affecting any mandatory consumer protection rules of your country of residence.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the effective date above and, where appropriate, notify merchants. Please review this policy periodically.