Privacy policy under the GDPR

Last update: May 2026

Controller

The data controller within the meaning of the GDPR is the person named in the Imprint.

Martin Janda · Am Weißen Berg 5 · 61476 Kronberg · info@trustchat.de

Purposes of processing

TrustChat is a platform for operating website chatbots. Processing serves authentication, configuration and operation of the bots, the chat functionality itself, and protecting the platform from abuse.

Legal bases

Art. 6 (1) (b) GDPR (contract performance) for providing the platform and chats; Art. 6 (1) (c) GDPR (legal obligation) for retention duties; Art. 6 (1) (f) GDPR (legitimate interest) for security logs, rate limiting and abuse protection.

Processors and third-party services

  • OpenAI L.L.C., USA — processes chat content to generate answers. Third-country transfer secured by EU Standard Contractual Clauses. Purpose: chat functionality, embeddings.
  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany — hosts the platform.
  • Keycloak (operated in-house) — identity and access management for tenant owners.

Cookies in use

  • OAuth2 session cookie (Keycloak): required for sign-in to the admin UI. Lifetime: until logout / session end.
  • tc-theme: stores the chosen UI variant (light/dark). Lifetime: 1 year.
  • tc-locale: stores the chosen language. Lifetime: 1 year.
  • XSRF-TOKEN: protects admin actions against cross-site request forgery. Lifetime: until session end.

Retention

Configuration data (tenants, bots, sources) is stored as long as the account is active. Chat histories and leads are deleted automatically after 12 months unless a longer statutory retention applies. Security logs are kept for 30 days.

Your rights

You have the right to access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), objection (Art. 21) and data portability (Art. 20). Send requests to the email address given in the Imprint. You also have the right to complain to a supervisory authority; the competent authority in Hesse is the Hessian Commissioner for Data Protection and Freedom of Information (HBDI).

Notice for website visitors (public widget)

When you chat through the TrustChat widget on a third-party website, your input is transferred to the LLM provider configured by the website operator (OpenAI in the USA for the MVP). The website operator, not TrustChat, is responsible for that website. The notice is shown in the chat window before you send your first message.