Privacy Policy for Taros

1. Introduction

Taros ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy outlines our practices regarding data collection, usage, and security when you use our AI-powered customer support platform.

When you create an account, subscribe, or configure settings, Taros acts as the Data Controller of your account information. When your customers interact with the Taros chat widget, Taros acts as a Data Processor. We process this chat data solely on your behalf and in accordance with your instructions.

If you use Taros through a certified partner or reseller, the partner may act as the primary subscriber and administrator. In such cases, Taros remains the Data Processor for end-user chat data, and the subscriber or partner remains responsible as Data Controller toward end-users.

If you are an end-user interacting with a Taros-powered chat widget on a third-party website, your use of that widget is also subject to the privacy policy of the website operator. We encourage you to review their privacy policy for information on how they handle your data.

2. Information We Collect

To provide and improve our services, we collect data across the following categories.

When you register for an account, we collect personal identifiers necessary to establish your identity, such as your name, email address, and profile preferences. If you choose to sign in using third-party providers (e.g., Google, Microsoft, or GitHub), we receive basic profile information and authentication tokens as permitted by your privacy settings with those services.

To maintain platform security and analyze performance, our systems automatically collect technical information when you access our services. This includes your hashed or anonymized IP address, browser type, device characteristics, timezone settings, and session timestamps. We also track interaction metrics, such as reliability scores and session duration, to monitor the health of our AI systems.

We process the data you explicitly provide to configure your AI agents. This includes the organization details, billing information, and member roles necessary to manage your team. Crucially, this includes the training materials you upload, such as PDF documents, text files, website URLs for crawling, and manual Q&A pairs—which are used strictly to generate the knowledge base for your specific organization.

We process the content of conversations exchanged through our chat widget, including user messages and bot responses. We do not associate chat sessions with persistent user profiles or identities unless the user explicitly provides contact details (e.g., via a lead capture form).

If you apply for a position with us, we collect the professional information you provide, including your name, contact details, CV/Resume, and references, solely for the purpose of evaluating your application.

3. AI Data Usage & Isolation

We prioritize the confidentiality of your business data.

All training data (documents, URLs) is processed and stored in isolated environments strictly to generate responses for your specific organization. This includes storing compressed text in secure cloud storage and vector embeddings in dedicated vector databases. We do not use your data to train AI models for other customers. We do not permit our third-party AI providers to use your data to train their general foundational models.

Our AI chatbot provides information and support based on your knowledge base.

4. How We Use Your Information

We process your data for the following purposes: to operate the platform, authenticate users, and manage chat sessions; to refine the specific bot assigned to your organization; to detect abuse, rate-limit requests, and secure user accounts; to analyze usage trends and improve system performance; and to fulfill legal obligations, including accounting and tax laws.

If you are in the EEA, we process data based on contract (to provide the services you signed up for), legitimate interests (for security, analytics, and recruitment), legal obligation (for tax and bookkeeping compliance), and consent (where you have explicitly agreed, such as for marketing or CV retention).

We may use aggregated and anonymized data for analytical purposes, benchmarking, and marketing.

With your consent, we may send you marketing communications about new features, updates, or offers related to our services. You will only receive marketing emails if you have explicitly opted in to receive them. You can withdraw your consent at any time by clicking the unsubscribe link in any email or by contacting us at [email protected]. Withdrawing consent will not affect transactional emails related to your account, such as billing confirmations or security notifications.

5. Data Sharing and Third-Party Service Providers

We do not sell your data. We share data only with trusted third-party vendors ("sub-processors") essential for providing our services. All vendors are vetted for security and operate under Data Processing Agreements (DPAs).

We utilize industry-leading cloud providers to host our databases, vector indexes, and application servers. Primary data storage is located within the European Union.

We transmit text data to third-party AI providers (currently including, but not limited to, OpenAI, Anthropic and Mistral) solely for the purpose of generating embeddings and responses. We enforce strict privacy settings to prevent external model training.

We use third-party services to securely store uploaded files and deliver content globally via CDNs. We use external tools for CAPTCHA verification, error tracking, and system health monitoring. We use internal communication platforms to notify our support team of new inquiries.

We use analytics tools, such as datafa.st, to understand how users interact with our platform and to improve our services. These tools collect anonymized usage data and do not track individual users across websites.

We use third-party payment processors, including Stripe and Polar.sh, to handle billing and payment transactions. These processors collect and process your payment information, such as credit card details, directly. We do not store your full payment card information on our servers. The payment processor used may vary depending on your location.

6. Data Retention

We retain data only as long as necessary.

• Chat logs are retained for 90 days by default (configurable), after which they are permanently deleted or anonymized.
• Credit transaction records are retained for 60 days, after which they are permanently deleted.
• Active accounts are retained while the account is active.
• Financial records are retained for 5 years plus the current financial year, in accordance with the Danish Bookkeeping Act (Bogføringsloven).
• Job applications are deleted immediately upon rejection unless consent is given for future consideration.

You may request full account deletion at any time. Upon termination or deletion of your account, Taros will retain your data for a period of 90 days, after which it will be permanently deleted, except for data we are legally required to retain (e.g., billing records).

7. Data Security

We implement robust technical and organizational measures to protect your data.

• All data is encrypted in transit (TLS/HTTPS) and sensitive fields are hashed or encrypted at rest.
• We enforce strict role-based access control for internal staff.
• We implement measures to prevent XSS and injection attacks.
• IP addresses and device fingerprints are hashed where possible.

8. Cookies and Local Storage

We utilize browser storage technologies to maintain chat sessions and preserve user preferences. We use analytics tools, to collect anonymized usage data and improve our services. We do not use third-party tracking cookies for advertising purposes. We do not currently respond to Do Not Track (DNT) browser signals.

9. Your Rights

Depending on your location (including the EEA/EU and the United Kingdom), you have rights regarding your personal data, such as access, correction, and deletion. For UK residents, we process your data in accordance with the UK General Data Protection Regulation (UK GDPR).

As a subscriber, you can access, update, or delete your account information directly within the Taros dashboard or by contacting [email protected].

Taros processes chat data on behalf of our subscribers. Because we do not require end-users to create accounts or verify their identity, we are generally unable to link specific chat logs to a specific individual. Since we cannot verify your identity within our system, we may be unable to fulfill specific requests to access or delete chat history. However, to ensure your privacy, all chat logs are automatically deleted or permanently anonymized 90 days after the conversation ends.

If you believe our processing infringes data protection laws, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at www.datatilsynet.dk. UK residents may also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. California Privacy Rights

If you are a California resident, you have certain rights under the California Consumer Privacy Act (CCPA), including the right to request access to your personal information, request deletion of your personal information, and opt out of the sale of your personal information. Taros does not sell personal information. To exercise your rights, please contact us at [email protected].

11. Data Location & International Transfers

Our primary infrastructure is located within the European Union, to ensure data sovereignty and compliance with European data protection standards.

We use third-party service providers to deliver our services, some of which are headquartered outside the European Union. Where personal data is transferred to countries outside the EU/EEA, we ensure appropriate safeguards are in place in accordance with GDPR Article 46, including Standard Contractual Clauses (SCCs) approved by the European Commission and Data Processing Agreements (DPAs) with all sub-processors.

For a current list of our sub-processors, please contact us at [email protected].

12. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us to have it removed.

13. Governing Law

This Privacy Policy shall be governed by the laws of Denmark. Any disputes shall be subject to the exclusive jurisdiction of the Danish courts.

14. Changes to This Policy

We may update this policy periodically. We will notify you of significant changes by updating the "Last updated" date above.

15. Contact Us

If you have questions about this Privacy Policy, please contact us at [email protected] or through the contact form available on our website.