Privacy Policy
Last updated: October 2025
Company: COPPER HEART FACTORY SAS
Registered office: Bonne 74380, France
Contact: privacy@directsupport.ai
1. Introduction
This Privacy Policy describes how COPPER HEART FACTORY SAS ("we", "our", "us") collects, uses, and protects personal data in connection with the website directsupport.ai, the SaaS platform app.directsupport.ai, and any chat widgets powered by our technology (together, the "Service").
We comply with the EU General Data Protection Regulation (GDPR) and French data-protection law.
2. Data Controller and Processor Roles
For the directsupport.ai website and our SaaS platform (client accounts), we act as data controller.
For embedded chat widgets installed on our clients' websites, we act as a data processor; the site owner (our client) is the data controller responsible for informing end-users and managing their data rights.
3. Data We Collect
a. From visitors to directsupport.ai
- Technical and security logs (IP address, user agent, timestamps)
- Information you submit voluntarily (e.g., contact forms, waiting-list email)
- Chat messages sent through the chat widget on our own site
b. From SaaS clients (account holders)
- Account data (name, email, company information)
- Billing information (handled by Stripe)
- Authentication data and usage logs
c. From chat end-users (on client websites)
- Conversation content and metadata necessary to operate the chat
- No cookies or trackers are set by our widget beyond those required for functionality
4. Purposes and Legal Bases
| Purpose | Legal basis |
|---|---|
| Operating and securing the Service | Legitimate interest |
| Providing the chat functionality to end-users | Contract performance |
| Managing client accounts and billing | Contract performance |
| Sending service or launch notifications | Consent (waiting list) |
| Preventing repeated free-credit abuse | Legitimate interest |
| Complying with legal obligations (accounting, security) | Legal obligation |
5. Data Retention
| Data type | Retention period |
|---|---|
| Chat messages (end-users) | Deleted after 6 months of inactivity, or sooner if our client deletes their account or calls the deletion API |
| Logs (technical, security) | Up to 6 months, then automatically deleted |
| Client accounts | Deleted 30 days after being flagged for deletion; data erased or anonymized afterwards |
| Billing data (Stripe) | Retained as required by law (10 years under French law) |
| Waiting-list emails | Used once for launch notification then deleted |
| Hashed emails (anti-abuse) | Retained indefinitely in irreversible form for fraud prevention |
6. Sub-Processors and Partners
We use trusted service providers to deliver the Service:
| Partner | Purpose | Location / Policy |
|---|---|---|
| Stripe, Inc. | Payments and billing | USA – Standard Contractual Clauses, https://stripe.com/privacy |
| Amazon Web Services (AWS) | Hosting, email delivery | EU / USA – SCCs, https://aws.amazon.com/privacy/ |
| Google reCAPTCHA v3 | Bot detection and security | USA – SCCs, https://policies.google.com/privacy |
| Meta (WhatsApp Business API) | Client chat integration | USA – SCCs, https://www.whatsapp.com/legal/privacy-policy |
| OpenAI, L.L.C. | AI language model processing for chat responses | USA – SCCs, https://openai.com/privacy |
Use of these partners is necessary to provide and secure our services. Some data may be transferred outside the EEA under approved EU Standard Contractual Clauses ensuring adequate protection.
6.1. Large Language Model (LLM) Providers
To generate AI-based responses within the chat feature, we use one or more Large Language Model (LLM) providers, for example OpenAI, L.L.C. (USA) and other similar vendors.
Chat messages and related context are securely transmitted to these providers' APIs for processing and returned to produce AI-generated answers.
LLM providers process this data solely for the purpose of generating the requested output and are not permitted to use it for training their public models or for any marketing purposes.
All such providers operate under appropriate data-processing agreements and, where data may be transferred outside the European Economic Area, under EU Standard Contractual Clauses (SCCs) or other safeguards ensuring GDPR-level protection.
We transmit only the minimum information necessary to perform each operation, and no chat data is shared for advertising, profiling, or unrelated analytics.
7. Data Security
We implement appropriate technical and organizational measures, including:
- Encryption in transit (HTTPS, WSS)
- Strict access controls and authentication
- Logging and monitoring of infrastructure
- Automatic data-retention limits and deletion
8. User Rights (GDPR Articles 15–22)
You have the right to:
- Access your personal data
- Request correction or deletion
- Restrict or object to processing
- Receive a copy (data portability)
- Withdraw consent (where applicable)
To exercise your rights, contact privacy@directsupport.ai.
If we process data on behalf of a client (chat widget), please contact the relevant website owner directly.
You also have the right to lodge a complaint with the CNIL (www.cnil.fr).
For Client Data Controllers: When your customers request deletion of their chat data, you must use our API endpoint: PATCH /crud/s/message/cmd/delete_client with a JSON body containing: productId, clientUniqueId, and sharedSecret.
9. Cookies and Trackers
We do not use tracking or advertising cookies. Essential technical cookies may be set for session and security purposes only.
Security and Abuse Prevention (reCAPTCHA): Our chat feature uses security tools such as Google reCAPTCHA to protect against spam and automated abuse. These tools may place cookies or collect technical data (e.g., IP address, browser characteristics) solely to verify that a real human is using the chat. Because this functionality is essential to the security and operation of the Service, it is implemented without prior consent under the exemption for cookies strictly necessary for security purposes. Google’s processing is subject to its own Privacy Policy: https://policies.google.com/privacy.
10. International Data Transfers
Where data is transferred outside the European Economic Area, we rely on:
- European Commission adequacy decisions, or
- Standard Contractual Clauses (SCCs) with appropriate safeguards
11. Updates
- We may update this Privacy Policy to reflect legal or service changes
- Users will be notified of material updates via the Service or by email
12. Contact
For any questions or to exercise your rights:
COPPER HEART FACTORY SAS
Bonne 74380, France