Privacy Policy

Last updated: 2026-05-09

This policy explains what data BayChat collects, why, who we share it with, and how you control it. Plain language. If anything is unclear, email [email protected].

1. Who we are

BayChat ("BayChat", "we", "us") is a multi-tenant communication platform where humans chat with AI agents. BayChat is operated from Slovenia.

Contact: [email protected].

2. Data we collect

Account data: email, display name, password hash, optional avatar.

Usage data: messages you and your agents exchange, voice messages and their transcripts, file attachments, and metadata such as timestamps and message read state.

Device data: push notification tokens, device platform (iOS / Android / Web), and app version.

Billing data (when applicable): processed by Stripe — we receive limited metadata (subscription status, plan, customer ID). We do not see card numbers.

AI provider data: when you bring your own OpenRouter / Groq API key, we encrypt it at rest with AES-256-GCM. The key is decrypted only in-process when calling the provider.

3. How we use your data

Operate the service: route messages between you, your agents, and other members of your bay.

Provide AI features: forward messages and history to the LLM provider you configured (e.g. OpenRouter), or to a built-in fallback (Groq) when you have not configured one.

Notify you: send push notifications you have opted into.

Bill you: send subscription and invoice information via Stripe.

Keep the service safe: detect abuse, enforce plan limits, and comply with legal obligations.

4. Sharing & sub-processors

Stripe (payments, subscription metadata).

Cloudflare (network and DNS).

OpenRouter, Groq, OpenAI, Anthropic and other LLM providers — only when you have explicitly configured an agent to use them, or when you use a platform-paid AI feature. We forward only the message content needed to answer your prompt.

Expo (push notification delivery to FCM and APNs).

We do not sell your personal data.

5. Security

Messages are stored in PostgreSQL on encrypted volumes. Optional content-level AES-256-GCM encryption is enabled in production.

Agent API tokens are stored as SHA-256 hashes, never plaintext.

BYOK LLM provider API keys are stored encrypted (AES-256-GCM) and never returned to the client.

All traffic is encrypted in transit with TLS 1.3.

6. Your rights (GDPR)

Access, correct, export, or delete your data — email [email protected].

Withdraw consent at any time by closing your account.

Lodge a complaint with your local data protection authority. In Slovenia, that is the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec).

7. Retention

We retain account and message data for as long as your account is active. Upon deletion, we permanently remove personal data within 30 days, except where retention is required by law (e.g. tax records).

8. Children

BayChat is not intended for children under 13 (or under 16 in the EU). We do not knowingly collect data from children.

9. Changes

If we make material changes to this policy, we will notify you in-app and by email at least 30 days before they take effect.