You have the right to access, correct, delete, and export your personal data at any time. You can withdraw consent and object to processing. To exercise any right, email privacy@nocta.chat. We respond within 30 days. You may also lodge a complaint with ANSPDCP (anspdcp.ro) or any EU supervisory authority.
Data Controller
Rauta ER PFA
Bucharest, Romania, European Union
Email: privacy@nocta.chat
Website: https://nocta.chat
This policy applies to: (i) visitors to nocta.chat; (ii) registered clients using the nocta.chat platform; (iii) end users who interact with AI chatbots powered by nocta.chat embedded on third-party websites. For end users of embedded chatbots, the client (website operator) is the primary data controller for the conversation data; nocta.chat acts as a data processor on behalf of that client.
Data We Collect
- IP address (anonymised after 24h)
- Browser type and operating system
- Pages visited, referrer URL, time on site
- Cookie consent preferences
- Contact form submissions: name, company, email, phone, message
- Company name, contact name, email address, phone number
- Billing information (processed by Stripe — we do not store card data)
- VAT number and billing address
- Platform usage data (conversations, tokens, leads captured)
- Knowledge base content uploaded to the platform
- Support communications
- Session ID (UUID, not linked to a real identity by default)
- Chat messages sent to and received from the AI
- Lead data voluntarily submitted: name, email, phone, company
- Browser metadata (user-agent) for rate limiting
- IP address (for rate limiting — not stored long-term)
- We do not collect biometric data
- We do not collect special categories of data (health, religion, political views) — clients must not instruct us to do so
- We do not track users across websites (no cross-site tracking)
- We do not sell personal data to third parties
- We do not use chat data to train AI models
Legal Basis for Processing (GDPR Art. 6)
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Operating the chatbot service for clients | Performance of a contract | Art. 6(1)(b) |
| Sending invoices and billing communications | Legal obligation | Art. 6(1)(c) |
| Lead capture (end user data submitted voluntarily) | Legitimate interest of the client | Art. 6(1)(f) |
| Analytics cookies (with consent) | Consent | Art. 6(1)(a) |
| Marketing communications to clients | Legitimate interest / Consent | Art. 6(1)(a) / 6(1)(f) |
| Security, fraud prevention, rate limiting | Legitimate interest | Art. 6(1)(f) |
| Compliance with accounting and tax law | Legal obligation | Art. 6(1)(c) |
Purposes of Processing
- Service delivery: providing the AI chatbot platform, processing chat messages through AI providers, managing knowledge bases, capturing and routing leads, and handling support tickets.
- Billing: processing subscription payments via Stripe, issuing invoices, managing plan upgrades and downgrades, and handling cancellations and refunds.
- Product improvement: aggregated, anonymised analytics to improve platform performance, identify bugs, and develop new features. Individual chat content is never used for model training.
- Security: rate limiting (30 req/min per IP), fraud detection, preventing abuse of the AI API, and protecting the integrity of the platform and client data.
- Communications: responding to support queries, sending product updates (with an opt-out option), notifying clients of platform changes, and sending required legal notices.
- Legal compliance: complying with Romanian tax law and EU GDPR obligations, responding to lawful data access requests from competent authorities, and maintaining audit trails.
Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Chat session messages | 30 days (auto-purged by system) | Operational necessity |
| Lead data (captured by chatbot) | Until deleted by client or account termination | Client's legitimate interest |
| Client account data | Duration of subscription + 12 months | Contract / legal obligation |
| Billing records and invoices | 10 years | Romanian Fiscal Code Art. 25 |
| Support communications | 3 years | Legitimate interest |
| Cookie consent logs | 13 months | GDPR Art. 7(1) accountability |
| Server logs (IP + request) | 7 days (rolling) | Security / legitimate interest |
| Knowledge base content | Until deleted by client or account termination | Contract |
An hourly platform job permanently deletes chat sessions and messages older than 30 days. This is a built-in privacy-by-design control that cannot be overridden by clients or by nocta.chat staff.
Third-Party Processors
Chat messages are processed by third-party AI providers (Anthropic and/or OpenAI) to generate responses. By using a nocta.chat-powered chatbot, end users' messages are transmitted to these providers under their respective data processing agreements. Clients must disclose this in their own privacy policy when embedding the widget.
Anthropic: Claude AI models process chat messages to generate responses. Data is processed under Anthropic's Data Processing Agreement, with no training on customer data. Data center: USA (with EU SCCs in place). See Anthropic's Privacy Policy for details.
OpenAI: GPT-4o Mini is used as an automatic fallback if Anthropic is unavailable. The same message data is transmitted. No training on customer data per the enterprise agreement. Data center: USA (EU SCCs). See OpenAI's Privacy Policy for details.
Stripe: All payment card data is processed exclusively by Stripe. nocta.chat never stores card numbers or CVVs. Stripe is PCI-DSS Level 1 certified. Data center: EU and USA. See Stripe's Privacy Policy for details.
The platform is hosted on EU-based VPS infrastructure. All PostgreSQL data, session data, and knowledge bases are stored within the European Union. No data is exported outside the EU for storage purposes.
International Data Transfers
Chat messages are transmitted to the USA for AI processing. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914/EU. Anthropic and OpenAI are both participants in the EU-U.S. Data Privacy Framework. Data is used solely for response generation and is not retained by the providers beyond their standard retention period (typically 30 days or less).
All other personal data (client accounts, leads, knowledge bases, billing records) is stored exclusively within the European Union. nocta.chat does not transfer data to any other third countries beyond the AI processing described above.
Your Rights (GDPR Art. 15–22)
You can request a copy of all personal data we hold about you, including the categories of data, purposes, retention periods, and any third parties it has been shared with.
You can request correction of any inaccurate or incomplete personal data we hold about you. Clients can update most data directly via the tenant portal.
You can request deletion of your personal data ("right to be forgotten") where there is no overriding legal basis for continued processing. We will comply within 30 days subject to legal retention requirements (e.g., billing records).
You can request your personal data in a structured, machine-readable format (JSON/CSV). This applies to data you provided to us that is processed by automated means on the basis of consent or contract.
You can object to processing based on legitimate interest, including direct marketing. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
You can request that we restrict processing of your data while a dispute is resolved — for example, if you contest the accuracy of data or have objected to processing.
Email privacy@nocta.chat with the subject line "GDPR Rights Request" and the right you wish to exercise. We will respond within 30 calendar days. We may ask you to verify your identity before processing the request. There is no charge for exercising your rights. If you are unsatisfied with our response, you have the right to lodge a complaint with the ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) at anspdcp.ro, or any EU supervisory authority in your country of residence.
Security Measures
All data transmitted between your browser and nocta.chat is encrypted using TLS 1.2/1.3. HTTPS is enforced on all endpoints. TLS certificates are issued and renewed via Let's Encrypt.
The PostgreSQL database is hosted on encrypted VPS volumes, and backups are encrypted. API keys and credentials are supplied as environment variables and are never committed to source code.
Admin and tenant portal access is protected by long, randomly generated API keys. Keys are checked using a constant-time comparison so that response timing does not leak information about the key. Rate limiting (30 req/min per IP) limits brute-force attempts and abuse.
We collect only data necessary for the stated purpose. Chat sessions are automatically purged after 30 days. IP addresses are used for rate limiting only and not stored long-term.
In the event of a personal data breach, we will notify affected clients and the ANSPDCP within 72 hours of becoming aware, as required by GDPR Art. 33–34.
We only use sub-processors (Anthropic, OpenAI, Stripe) that maintain enterprise-grade security programs including SOC 2 Type II certification and GDPR Data Processing Agreements.
Children's Privacy
The nocta.chat platform is intended for business use and is not directed at persons under the age of 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal data through a nocta.chat-powered chatbot, please contact privacy@nocta.chat and we will take appropriate action, including immediate deletion. Clients operating in sectors with child users (e.g., educational platforms) must implement age verification and parental consent mechanisms independently.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will: (i) update the "Effective date" at the top of this page; (ii) notify registered clients by email at least 14 days before the change takes effect; (iii) where required by law, seek renewed consent. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
- v2.0 — 1 March 2026 — Added Stripe billing section, tenant portal data, cookie consent details
- v1.0 — 1 January 2026 — Initial publication
Contact & DPO
Email: privacy@nocta.chat
Response time: Within 30 calendar days
For urgent matters: legal@nocta.chat
Operator: Rauta ER PFA, Bucharest, Romania, EU
ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
www.anspdcp.ro
B-dul G-ral. Gheorghe Magheru 28–30, Sector 1, Bucharest
You have the right to lodge a complaint with any EU supervisory authority in your country of residence.
Document: Privacy Policy v2.0 · Effective: 1 March 2026 · Next review: 1 September 2026 · Governing law: GDPR (Reg. 2016/679) + Romanian Law 506/2004 · Controller: Rauta ER PFA, Romania, EU