This page provides information about our GDPR compliance practices. It is not legal advice. For specific legal questions, please consult with a qualified legal professional.
What is GDPR?
The General Data Protection Regulation (GDPR) is the EU's data protection law that gives individuals control over their personal data. It applies to any organization processing personal data of EU residents, regardless of where the organization is based.
As an AI chatbot platform, BubblaV processes personal data including website content you provide and conversations between your visitors and the chatbot. We take our GDPR obligations seriously.
Your Role, Our Role
You: Data Controller
As our customer, you determine the purposes and means of processing personal data collected through your chatbot. You're responsible for:
- Obtaining consent from your website visitors
- Your own privacy policy disclosures
- Responding to data subject requests from your visitors
BubblaV: Data Processor
We process personal data on your behalf according to your instructions. Our responsibilities include:
- Processing data only per your instructions
- Implementing security measures
- Assisting with data subject requests
How We Comply
We've implemented the following measures to ensure GDPR compliance:
- Lawful basis for all processing (contract performance, legitimate interest)
- Data minimization - we only collect what's necessary for the service
- Storage limitation - defined retention periods with automatic cleanup
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Access controls with role-based permissions
- Regular security assessments and vulnerability scanning
- Documented incident response procedures
- Data subject rights facilitation within 30 days
AI & Your Data
Your Data is NOT Used for AI Training
We want to be absolutely clear: your website content and conversation data are never used to train AI models.
BubblaV uses Retrieval-Augmented Generation (RAG). This means your content is stored in a vector database for retrieval during conversations - it does not modify or improve the underlying AI model weights.
Our AI providers (e.g., Google Gemini) have committed that customer data processed through their API is not used for model training.
Sub-Processors
We use the following third-party services to provide our platform:
| Provider | Purpose | Location | Certification |
|---|---|---|---|
| AI Model Providers | Foundation models for response generation (currently Google Gemini via Vercel Gateway) | United States | ISO 27001, SOC 2 |
| Supabase | Database, authentication, vector storage | Europe | SOC 2 Type 2 |
| Vercel | Application hosting and edge functions | Europe | SOC 2 Type 2 |
| Stripe | Payment processing and subscription management | United States | PCI-DSS Level 1 |
International Data Transfers
Our data storage and application hosting are both located in the Europe region, ensuring that your core data remains within the European Union.
Some of our sub-processors (AI Model Providers, Stripe) are located in the United States. For any EU-to-US data transfers that may occur, we rely on:
- Standard Contractual Clauses (SCCs) - EU-approved contract terms for international transfers
- Supplementary measures - Encryption and access controls as additional safeguards
Our providers (Supabase, Vercel, Stripe, AI Model Providers) maintain their own GDPR compliance programs and DPAs.
Data Processing Agreement (DPA)
We offer a Data Processing Agreement (DPA) to customers who need formal documentation of our processing relationship under GDPR Article 28.
Our DPA covers:
- Subject matter, duration, nature and purpose of processing
- Types of personal data and categories of data subjects
- Technical and organizational security measures
- Sub-processor authorization and notification procedures
- Data subject rights assistance
- Data return and deletion obligations
Standard Agreement Only
To keep our service affordable and efficient for everyone, we do not sign custom Data Processing Agreements or non-disclosure agreements manually. We have invested significant legal resources to create a balanced, standard DPA that complies with GDPR and protects both parties.
To request a DPA: Contact us at support@bubblav.com or through our contact form.
Chat Widget Privacy
No Tracking Cookies
The BubblaV chat widget is designed with privacy in mind. We use LocalStorage to store chat history locally on the visitor's device.
- No third-party tracking cookies
- No cross-site tracking
- Chat history stays on the user's device until cleared
GDPR Clause for Your Privacy Policy
If you use BubblaV on your website, you should inform your visitors. You can use this template snippet in your own Privacy Policy:
We use BubblaV to provide customer support via chat on our website. BubblaV processes data (such as chat messages and contact information you provide) on our behalf. Data is stored and processed in the Europe region, ensuring enhanced GDPR compliance. Some AI processing may occur in the United States, in which case GDPR standard contractual clauses apply. BubblaV does not use your conversation data to train their AI models.
Your Data Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of Access: Request a copy of your personal data we hold
- Right to Rectification: Request correction of inaccurate personal data
- Right to Erasure: Request deletion of your personal data ('right to be forgotten')
- Right to Restriction: Request limitation of processing in certain circumstances
- Right to Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
To exercise your rights: Contact us at support@bubblav.com. We will respond within 30 days.
Governing Law
BubblaV is operated under Swedish law. Any disputes relating to data protection will be subject to the jurisdiction of Swedish courts and the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
