Privacy Policy
Last updated: 2026-06-06
This policy explains how Scalebloom LLC ("Chatporch", “we”, “us”) handles personal information across:
- The marketing site at chatporch.com.
- The dashboard at app.chatporch.com, where customers sign in to configure their chat widget.
- The embeddable chat widget loaded from embed.chatporch.com onto customer websites, and the chat API that powers it.
We have two distinct groups of users:
- Customers — businesses that sign up for Chatporch to add a chat widget to their website.
- Visitors — end users who interact with the chat widget on a customer’s website.
For chat content created by visitors, the customer (the website operating the widget) is the controller of that data and Chatporch is the processor. Our Data Processing Addendum governs that relationship. For account data created by customers themselves, Chatporch is the controller.
1. Information we collect
1.1 From customers (account holders)
When you sign up for or use the Chatporch dashboard, we collect:
- Account identity — your email address (required), your name, and a profile image if you sign in with Google.
- Authentication data — session tokens, the IP address and user-agent of devices you sign in from, and, if you use Google sign-in, an OAuth identifier and tokens issued by Google.
- Site configuration — the content you create to configure your widget (business description, instructions, knowledge, branding, and similar settings).
- Audit log entries — a record of who changed your site configuration and when.
- Support and communications — anything you send us by email or through forms.
1.2 From visitors using the chat widget
When a visitor opens the chat widget on a customer’s site, we collect and process:
- Chat messages — the text the visitor types and the assistant’s reply.
- A conversation identifier — a randomly generated identifier created in the visitor’s browser and stored in
sessionStorage(it clears when the browser tab closes). - Page context sent for AI grounding — the URL and title of the page where the widget is open, used as context for the AI’s reply but not stored separately from the conversation log.
- Approximate location — the visitor’s country code, derived from network geo data attached by our edge provider. We do not store city, region, latitude, or longitude.
- IP address — used in memory for rate limiting and abuse prevention. We do not store the raw IP in our database. We store only a one-way hashed identifier scoped per customer site, so the same visitor cannot be linked across different customers’ sites.
- Standard request metadata — timing of the request, used for short-lived rate-limit accounting at our edge.
We do not collect names, email addresses, phone numbers, or other contact details from visitors unless the visitor types them into a chat message. Visitors sometimes share personal details in conversation with the widget; that content is treated under retention rules described in section 4.
1.3 From visitors to the marketing site
When you visit chatporch.com:
- Our hosting provider (Netlify) records standard server logs, including IP address, user-agent, and the page requested. We do not currently run analytics scripts on the marketing site. If we add them, we will list them in our Cookie Policy.
- If you submit the contact form, we receive the content of the form and process your inquiry.
2. How we use information
We use the information above to:
- Provide, operate, and improve the Chatporch service.
- Generate AI chat replies for visitors of customer sites.
- Authenticate customers and protect their accounts.
- Enforce rate limits and prevent abuse.
- Send transactional and account-related emails (for example, magic-link sign-in emails).
- Respond to support inquiries.
- Comply with legal obligations and enforce our Terms of Service.
We do not sell personal information and we do not use chat content to train AI models. The AI replies are generated by our model provider (see section 3) using prompts we send for each individual request; that provider, consistent with its then-current API terms, does not use API content to train its models.
3. Service providers (subprocessors)
We rely on the following processors to operate the service:
| Provider | Purpose | Data involved | Region |
|---|---|---|---|
| Cloudflare | Hosting (Workers), edge KV (rate limiting), CDN, DNS | All request data in transit; coarse geo and IP for rate limiting and routing | Global edge |
| Turso | Primary database for accounts, site configuration, conversation logs | All persistently stored data | United States |
| Anthropic | Large-language-model inference for chat replies | Chat messages and the configured system prompt (per request) | United States |
| Mailgun | Transactional email (magic-link sign-in, account notifications) | Recipient email address and message content | United States |
| OAuth sign-in (optional) | Profile email, name, image | United States / Global | |
| Netlify | Hosting for the chatporch.com marketing site | Standard request logs | United States / Global |
| GitHub | Source-code hosting and deploy pipeline | No customer or visitor personal data is sent to GitHub in normal operation | United States / Global |
Each provider acts under a written data-processing agreement with us. We update this list when subprocessors change; customers can subscribe to changes by emailing us at the address in section 11.
4. Retention
| Data | How long we keep it |
|---|---|
| Chat conversations and individual messages | 90 days from the last message, then deleted by an automated sweep |
| Hashed IP identifier attached to a conversation | Same 90 days, deleted with the conversation |
| Raw visitor IP address | Not stored in our database; held in memory only for the duration of a request and as a short-lived rate-limit counter at our edge |
| Customer account record | For the life of the account, plus a reasonable period after closure to handle wind-down (invoicing, disputes, legal hold), after which it is deleted or anonymized |
| Authentication sessions | Until the session expires or the customer signs out |
| Audit log of configuration changes | For the life of the customer’s site, so customers can review their own change history |
| Marketing site contact-form submissions | For as long as reasonably needed to respond to and follow up on your inquiry |
Customers can delete individual conversations or wipe an entire site’s conversation log at any time from the dashboard. Customers can request account deletion at any time using the contact details in section 11.
5. Sharing information
We share personal information only as follows:
- With subprocessors listed in section 3, strictly to provide the service.
- With the customer (site operator) for visitor data tied to that customer’s chat widget. Visitors should be aware that the website running the widget can see the conversations they have with it.
- For legal reasons — to comply with a valid legal request, to enforce our Terms of Service, or to protect the rights, property, or safety of Chatporch, our users, or others.
- In a business transfer — if Chatporch or Scalebloom is involved in a merger, acquisition, or sale of assets, customer and account data may transfer to the successor, subject to this policy.
We do not sell personal information and we do not share it for cross-context behavioral advertising.
6. AI processing
Chat replies are generated by our model provider (see section 3). For each request, we send:
- The system prompt assembled from the customer’s site configuration.
- The full message history for that conversation, up to a cap.
- The page URL and title where the widget is open (for grounding).
- Approximate visitor country attached by our edge provider.
Our model provider processes this data to generate a response and, consistent with its then-current API terms, does not use API content to train its models. We do not store the assembled system prompt or the AI response separately from the conversation log described in section 4.
7. Cookies and similar technologies
Details are in our Cookie Policy. In short:
- The embed widget uses
sessionStorage, not cookies. Nothing about the embed sets a cookie or tracks visitors across sites. - The dashboard uses a session cookie to keep you signed in.
- The marketing site does not currently set cookies.
8. Your rights
Depending on where you live, you have rights to access, correct, delete, port, or restrict our processing of your personal information, and to object to certain uses. Specifically:
- EU / UK / EEA (GDPR): rights of access, rectification, erasure, restriction, portability, and objection; the right to lodge a complaint with your data protection authority; and the right to withdraw consent.
- California (CCPA / CPRA): rights to know, delete, correct, and limit use of sensitive personal information, and to opt out of “sale” or “share” (we do neither). We do not discriminate against you for exercising these rights.
To exercise any right, contact us at [email protected]. We will verify your request and respond within the timelines required by applicable law.
For visitors of customer sites: if you want to access or delete chat content tied to a specific customer’s widget, contact that customer first — they are the controller. We will assist them in fulfilling your request.
9. International data transfers
We are based in the United States and our primary infrastructure is in the United States. If you access Chatporch from outside the United States, your data will be transferred to and processed in the United States and other countries where our subprocessors operate. For transfers from the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses and equivalent UK/Swiss transfer mechanisms with our subprocessors.
10. Security and children
We use industry-standard practices to protect personal information, including encryption in transit, scoped credentials, and minimization of persisted visitor identifiers. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
Chatporch is not directed to children under 16, and we do not knowingly collect personal information from children under 16. Customers using the widget on sites directed to children must comply with applicable children’s privacy laws (including COPPA for US-based sites directed to children under 13).
11. Contact
Questions, requests, or complaints: [email protected].
Scalebloom LLCCharlotte, NC, United States
12. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date at the top and, for customers, notify the email address on file. Continued use of Chatporch after an update constitutes acceptance of the revised policy.