Scope & who we are

This Privacy Policy applies to personal data processed by Codex Labs Corp (“Chatter Genius,” “we,” “us,” or “our”) when you visit the Website or use the Platform to power AI-assisted conversations over phone, SMS, and email. For Website visitors, we act as a controller. For Platform customers, we generally act as a processor/service provider handling data on our customers' instructions. In some cases (e.g., billing and account administration), we act as an independent controller.

Key definitions

  • Personal data: information that identifies or relates to an identified or identifiable individual.
  • Customer data: conversation content, logs, and metadata that our customers send to or generate within the Platform.
  • Processor / service provider: we process Customer data on a customer's documented instructions to deliver the services.

Information we collect

Data we process depends on your relationship with us and how you use the Website and Platform:

  • Website usage data (with consent where required): page views, referring URLs, approximate geolocation (country/region), device/browser attributes, and events to help us improve content and navigation. See our Cookie Settings.
  • Contact and marketing data: information you submit via forms (name, business email, company, role, message), demo requests, and preferences (opt-in/opt-out).
  • Account & authentication data (Platform): names, work emails, roles, tenant/organization, hashed credentials or SSO identifiers, session tokens, and logs required to operate secure sessions.
  • Communication & conversation data (Platform, customer-directed): phone calls, SMS/MMS, and emails handled by the Platform; media and transcripts; model prompts/responses; and associated metadata (timestamps, numbers/addresses, routing, usage). Customers control the substance, retention, and purpose of this data.
  • Usage & billing data: subscription plan, seats, included/overage usage (minutes/messages/emails), invoice details, and payment confirmations from our payment processor.
  • Support data: information you provide to our support team, including attachments or diagnostic logs you choose to share.
  • Vendor & integration data (optional): configuration details for third-party providers (e.g., model vendors, telephony or email providers) if you choose to connect them (BYOV).
  • Sources: directly from you or your organization; automatically via the Website/Platform; from service providers (e.g., analytics, payment processing); and from publicly available business sources.

How we use information

  • Provide the Website and Platform: authenticate users, route and execute conversations, apply policy guardrails and hand-off rules, and deliver analytics (e.g., intent, sentiment, and conversions).
  • Secure and maintain services: fraud and abuse monitoring, incident detection, debugging, service quality, and continuity.
  • Compliance & governance: audit trails, redaction, approval workflows, and reporting configured by customers to help meet internal and regulatory requirements.
  • Improve and develop: aggregate/de-identify trends, evaluate performance, and enhance features (for example, model calibration and analytics quality). We do not use identifiable Customer conversation content to train foundation models without the customer's instruction.
  • Communicate: respond to inquiries; send service, security, and transactional notices; and, with consent where required, send marketing communications (you may opt out at any time).
  • Billing and account administration: record usage, detect overages, and issue invoices.
  • Legal: comply with law, enforce agreements, and protect rights, safety, and integrity of our users and services.

Legal bases

We rely on: (i) contract necessity to provide the Platform and fulfill our agreements; (ii) legitimate interests to secure, maintain, and improve services (balanced against your interests and rights); (iii) consent for optional analytics/marketing cookies and communications; and (iv) legal obligations for recordkeeping and compliance.

AI processing specifics

  • Real-time guardrails: policy checks (e.g., MNPI, PII patterns, toxicity thresholds) and optional redaction run during conversations to help prevent policy violations.
  • Human hand-off: customers can configure rules to transfer to human agents, route to inboxes/queues, or schedule callbacks with context.
  • Model providers: customers may use platform-managed defaults or connect preferred vendors (e.g., Azure OpenAI, Google) subject to those providers' terms. Where a customer chooses BYOV, that provider acts as the customer's vendor, and the customer is responsible for its configuration and notices.
  • Training: we do not use identifiable Customer conversation content to train third-party foundation models. We may use de-identified or aggregated data to improve service operations, analytics accuracy, reliability, and security.
  • Automated decision-making: our Platform may route or prioritize interactions automatically (e.g., escalation based on policy triggers). These automations support customer workflows and are not intended to produce legal or similarly significant effects on individuals without human oversight.

Sharing & disclosure

We do not sell personal data and we do not share personal data for cross-context behavioral advertising. We may disclose data to:

  • Service providers / processors under contracts requiring confidentiality and appropriate safeguards (e.g., hosting, storage, analytics configured by us, email delivery, payment processing, support tooling).
  • Customer-designated vendors (e.g., model providers, telephony, or email systems) when a customer connects them (BYOV). In such cases, the customer controls the integration and is responsible for related disclosures.
  • Professional advisors (legal, accounting) under duty of confidentiality.
  • Legal and safety: where required by law or to protect rights, safety, and the integrity of our services. We assess requests and object where appropriate.
  • Corporate transactions: in connection with mergers, acquisitions, or asset transfers, subject to continued protections and notice where required.

Security

We implement technical and organizational measures designed to protect personal data, including encryption in transit, role-based access controls (RBAC), audit trails, environment segregation, rate limiting, least-privilege access, and continuous monitoring. No system is perfectly secure; we maintain incident response processes and will notify customers and/or individuals as required by law and contracts.

Retention

We retain personal data for as long as necessary to provide the services, comply with legal obligations, resolve disputes, and enforce our agreements. Customers can configure retention for conversation data and can request deletion or export at the tenant level. When retention ends, we delete or de-identify data according to our policies unless a longer period is required by law or to establish, exercise, or defend legal claims.

International data transfers

We may process data in countries other than where it was collected. Where required, we use appropriate safeguards (e.g., standard contractual clauses) and conduct transfer risk assessments for international transfers, including for sub-processors. Optional cookies or BYOV integrations involving international transfers will only be set/used with appropriate notices and, where required, your consent.

Your privacy rights

Depending on your location (e.g., EEA/UK GDPR, Switzerland, California (CPRA), Virginia, Colorado, Connecticut, and other jurisdictions), you may have rights to:

  • Access, correct, or delete your personal data;
  • Receive a portable copy of certain information;
  • Object to or restrict certain processing, including processing based on legitimate interests;
  • Withdraw consent for optional processing (e.g., analytics/marketing) at any time;
  • Opt out of sale/sharing for targeted advertising (we do not sell or share personal data as defined by CPRA);
  • Appeal a decision if we decline to act on your request (where applicable).

To exercise rights, email privacy@chattergenius.ai. We may verify your identity before responding. You may also authorize an agent where permitted by law. If you believe we have not addressed your concern, you may lodge a complaint with your data protection authority.

Website cookies & similar technologies

Our Website uses essential cookies and, with consent where required, functional or analytics cookies. You can change preferences anytime via our Cookie Settings. For Platform sessions, strictly necessary cookies may be required to keep you signed in and secure.

Children

Our Website and Platform are designed for business use and are not directed to children. We do not knowingly collect personal data from children under the age specified by applicable law (e.g., 13 or 16).

Third-party links

The Website may contain links to third-party sites or services. Their privacy practices are governed by their own policies. We encourage you to review them.

Changes to this Policy

We may update this Privacy Policy to reflect technical, legal, or business changes. The “Effective date” above indicates the latest revision. Material changes will be highlighted on this page and/or communicated by other reasonable means.

Contact us

For questions about this Policy or our privacy practices, contact: privacy@chattergenius.ai. If you are a user whose data is processed under a customer's account, please also contact your organization's administrator, who controls the Platform configuration and most processing instructions.

Jurisdiction-specific notices

California (CPRA): We do not sell or share personal data for cross-context behavioral advertising. We use service providers and contractors under written contracts. You may exercise rights listed above by contacting us at the address provided.

EEA/UK/Switzerland: When we act as a processor, our customer is the controller responsible for providing the primary privacy notice to end users and for honoring rights requests related to Customer data. We support customers in fulfilling those requests under our agreements. When we act as an independent controller (e.g., billing, Website analytics), we respond directly to rights requests.