This Privacy Policy describes how TopGChat ("we," "us," "our," or the "Company") collects, uses, processes, stores, shares, and protects personal information and data obtained from users ("you," "your," or "User") of our artificial intelligence chat platform and related services (collectively, the "Service"). This Privacy Policy applies to all users of the Service, whether registered account holders or anonymous visitors, and governs all interactions with our Platform, website, application programming interfaces, and any associated services or features.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy. This Privacy Policy is incorporated into and forms an integral part of our Terms and Conditions. If you do not agree with the practices described in this Privacy Policy, you must immediately discontinue use of the Service. Your continued use of the Service following any changes to this Privacy Policy constitutes your acceptance of such changes.
This Privacy Policy is designed to comply with applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (GDPR) of the European Union, the California Consumer Privacy Act (CCPA), and other relevant privacy legislation in jurisdictions where we operate or have users. We are committed to protecting your privacy and handling your personal information with transparency, integrity, and in accordance with applicable legal requirements.
We collect various types of information from and about users of our Service, which can be categorized into several distinct classes of data. The collection of this information is necessary for the provision of our Service, improvement of user experience, compliance with legal obligations, and protection of our legitimate business interests.
Account and Registration Information: When you create an account with TopGChat, we collect personal information that you voluntarily provide during the registration process. This includes your email address, which serves as your unique identifier and primary communication channel, and your password, which is stored in hashed and encrypted form using industry-standard cryptographic algorithms. We may also collect optional profile information such as your name, username preferences, or other identifying information you choose to provide. This information is necessary for account creation, authentication, security verification, password recovery, and communication regarding your account status, billing matters, and service updates.
User Content and Interaction Data: In the course of using our Service, you generate substantial amounts of content and interaction data. This includes all text prompts, questions, instructions, and messages you submit to AI models through our Platform; all files you upload for processing, including images, documents, PDFs, and other supported file formats; conversation histories comprising both your inputs and AI-generated responses; project names, descriptions, and custom system instructions you create; preferences and settings you configure within the Service; and metadata associated with your interactions such as timestamps, selected AI models, token counts, and feature usage. This content is essential for providing you with AI-powered responses, maintaining conversation continuity, enabling access to your historical interactions, and improving the quality and relevance of our Service.
Payment and Billing Information: When you purchase credits or make payments through our Service, we collect transaction-related information necessary for processing your purchase. While our payment processing is handled by Stripe, Inc., a certified PCI-DSS compliant third-party payment processor, we receive and store certain transaction information including the amount of credits purchased, transaction identifiers, payment method type (e.g., Visa ending in 1234), billing email address, transaction timestamps, and payment status confirmations. We do not directly collect, process, or store complete credit card numbers, CVV codes, or other sensitive payment credentials on our servers. All sensitive payment information is transmitted directly to and stored securely by Stripe in accordance with payment card industry data security standards.
Technical and Device Information: We automatically collect certain technical information about your device and how you interact with our Service. This includes your Internet Protocol (IP) address, which may be used to derive your approximate geographic location at the country or city level; browser type, version, and language settings; operating system and device type; screen resolution and display characteristics; referring website addresses and exit pages; clickstream data showing your navigation path through our Service; and unique device identifiers or browser fingerprints used for anonymous user tracking in our free tier. We also collect performance metrics such as page load times, server response times, error messages, and crash reports to monitor and improve Service reliability and performance.
Usage Analytics and Service Metrics: We collect comprehensive information about how you use our Service to understand usage patterns, optimize features, and improve user experience. This includes detailed records of feature utilization such as which AI models you select, frequency of different feature usage, session duration and frequency, total token consumption across different models, credit balance and expenditure patterns, project and conversation organization patterns, file upload frequencies and types, and patterns in your interaction with various Service components. This analytical data helps us understand user needs, identify popular features, detect potential issues, and make informed decisions about Service improvements and resource allocation.
Cookies and Tracking Technologies: We employ various tracking technologies including HTTP cookies, local storage, session storage, and similar technologies to enhance your experience and maintain Service functionality. Essential cookies are necessary for core Service operations including user authentication, session management, security features, and maintaining your logged-in state. Functional cookies remember your preferences, selected settings, and chosen AI models to provide a personalized experience. Analytical cookies help us understand how users interact with our Service by collecting aggregated usage statistics and performance metrics. We use both first-party cookies set by our domain and may use third-party cookies from analytics providers or other service partners. You can control cookie preferences through your browser settings, though disabling certain cookies may limit Service functionality.
Communications and Support Data: When you communicate with us through support channels, feedback forms, email correspondence, or other communication methods, we collect the content of your communications, associated metadata such as timestamps and communication channels used, support ticket information including issue descriptions and resolution histories, and any additional information you voluntarily provide in the context of seeking assistance or providing feedback. This information enables us to respond to your inquiries, resolve technical issues, improve our Service based on user feedback, and maintain records of our customer service interactions.
The information we collect serves multiple purposes, all of which are necessary for providing, maintaining, improving, and protecting our Service. We process your personal information based on various legal grounds including contractual necessity, legitimate business interests, legal compliance, and your explicit consent where required.
Service Provision and Core Functionality: The primary purpose for collecting and processing your information is to deliver the Service you have requested. We use your account information to authenticate your identity, maintain your user profile, and provide access to your personalized Service features. Your conversation content and uploaded files are transmitted to third-party AI providers (OpenAI, Anthropic, Google) to generate responses to your queries and process your requests. We store your conversation history to enable you to access previous interactions, maintain context across sessions, and organize your work into projects. We use your usage data to calculate credit consumption, track your account balance, and ensure accurate billing for the computational resources you consume. This processing is necessary for the performance of our contract with you and constitutes the fundamental basis upon which our Service operates.
Payment Processing and Financial Management: We use your payment and billing information to process credit purchases through our third-party payment processor Stripe, verify the success or failure of transactions, maintain accurate records of your purchase history for accounting and tax purposes, calculate and track your credit balance and expenditures, generate receipts and billing statements for your records, detect and prevent fraudulent transactions or payment abuse, and comply with financial record-keeping requirements under applicable laws and regulations. This processing is necessary both for contract performance and compliance with legal obligations related to financial transactions, tax reporting, and anti-money laundering regulations.
Service Improvement and Development: We analyze usage patterns, user behavior, and interaction data to understand how our Service is being used and identify opportunities for improvement. This includes analyzing which features are most valuable to users, identifying pain points or sources of confusion in the user interface, detecting bugs, errors, or performance issues that negatively impact user experience, evaluating the effectiveness of new features or changes we implement, optimizing our infrastructure and resource allocation to ensure reliable and efficient Service delivery, and informing our product development roadmap based on actual user needs and preferences. We may aggregate and anonymize data for statistical analysis and research purposes. This processing is based on our legitimate interest in improving our Service and ensuring we meet user needs effectively.
Communication and Customer Support: We use your contact information to communicate with you regarding your account, service status, and important updates. This includes sending transactional emails such as account verification messages, password reset links, payment confirmations, and credit balance notifications. We also use your information to respond to support requests, troubleshoot technical issues you encounter, and provide assistance with Service usage. With your consent where required, we may send you informational updates about new features, Service improvements, or changes to our Terms and Conditions or Privacy Policy. We maintain records of our communications with you for quality assurance, training purposes, and to ensure consistent and effective support. This processing is necessary for contract performance and based on our legitimate interest in maintaining effective customer relationships.
Security and Fraud Prevention: We process your information to protect the security and integrity of our Service and prevent abuse, fraud, or unauthorized access. This includes monitoring for suspicious account activity or unusual usage patterns that may indicate account compromise, detecting and preventing automated abuse such as bot traffic or credential stuffing attacks, verifying the authenticity of transactions and preventing payment fraud, enforcing our Terms and Conditions and Acceptable Use Policy, investigating potential violations of our policies or applicable laws, and implementing technical and organizational security measures to protect your data from unauthorized access, disclosure, or alteration. We may use IP addresses, device fingerprints, and behavioral analysis to identify and block malicious actors. This processing is based on our legitimate interest in maintaining a secure and trustworthy Service and may also be necessary for compliance with legal obligations.
Legal Compliance and Protection of Rights: We may use and disclose your information as necessary to comply with applicable laws, regulations, legal processes, or governmental requests. This includes responding to subpoenas, court orders, or other legal demands; cooperating with law enforcement investigations; complying with tax reporting and record-keeping obligations; enforcing our Terms and Conditions and other policies; establishing, exercising, or defending legal claims; protecting our rights, property, or safety and those of our users or the public; and preventing or investigating potential illegal activities or violations of our policies. This processing is necessary for compliance with legal obligations and based on our legitimate interest in protecting our legal rights and those of others.
We share your information with third parties only in specific circumstances and subject to appropriate safeguards to protect your privacy. We do not sell your personal information to third parties for their marketing purposes. The categories of recipients with whom we share your information include the following.
Third-Party AI Providers: The core functionality of our Service requires transmitting your prompts, uploaded files, and other user content to third-party artificial intelligence providers including OpenAI, L.L.C., Anthropic PBC, and Google LLC. When you submit a query or request to an AI model, your input is transmitted to the respective provider's servers for processing, and the generated response is returned to us and displayed to you. These AI providers process your content according to their own privacy policies and terms of service, which we encourage you to review. OpenAI's privacy practices are governed by their Privacy Policy available at their website; Anthropic's data handling is governed by their Privacy Policy and Commercial Terms; and Google's use of data is governed by their Privacy Policy and Cloud Data Processing terms. We transmit only the information necessary to fulfill your request, which typically includes your prompt text, any uploaded files or images, conversation context where relevant for multi-turn conversations, and technical parameters such as selected model variants and generation settings. We do not control how these third-party AI providers use, store, or process the data we transmit to them, and we disclaim responsibility for their data handling practices.
Payment Processors: We utilize Stripe, Inc. as our third-party payment processor to handle all financial transactions, credit card processing, and payment-related operations. When you purchase credits, your payment information is transmitted directly to Stripe using secure, encrypted connections. Stripe collects and processes your payment card information, billing address, and other payment-related details in accordance with their Privacy Policy and as a Level 1 PCI-DSS certified service provider. We receive confirmation of successful payments and limited transaction information from Stripe but do not receive or store your complete payment card details. Stripe may use your information to process transactions, prevent fraud, comply with legal obligations, and for other purposes described in their privacy documentation.
Infrastructure and Hosting Providers: Our Service is built on infrastructure provided by third-party cloud computing and hosting services. We utilize PostgreSQL database services provided by Neon for storing user accounts, conversation histories, project data, and other Service information. These infrastructure providers have access to information stored on their systems solely for the purpose of providing hosting and infrastructure services to us and are contractually obligated to maintain the confidentiality and security of such information. We implement appropriate technical and contractual safeguards to ensure these providers handle your data securely and in accordance with our instructions and applicable data protection laws.
Email Service Providers: We utilize Resend as our email delivery service provider to send transactional emails, password reset messages, account notifications, and other Service-related communications. These service providers process your email address and the content of messages we send to you solely for the purpose of facilitating email delivery on our behalf. They are contractually prohibited from using your email address for their own marketing purposes or from sharing it with other third parties.
Analytics and Service Optimization: We may use analytics services to better understand how users interact with our Service, identify usage patterns, and improve Service performance. These services may collect technical information such as IP addresses, browser types, page views, and interaction patterns. Any analytics providers we engage are required to handle data in accordance with their privacy policies and applicable data protection regulations. Where possible, we implement measures to anonymize or pseudonymize data before sharing it with analytics providers.
Legal and Regulatory Authorities: We may disclose your information to law enforcement agencies, regulatory bodies, courts, or other governmental authorities when required by law or when we believe in good faith that such disclosure is necessary to comply with legal obligations, respond to valid legal processes such as subpoenas or court orders, protect our rights or property, investigate potential fraud or security incidents, enforce our Terms and Conditions, or protect the safety and security of our users or the public. In such cases, we will disclose only the minimum information necessary to fulfill the legal requirement, and we will notify you of such disclosure where legally permitted and practically feasible.
Business Transfers and Corporate Transactions: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity or successor organization as part of the business transition. In such circumstances, we will provide notice before your personal information is transferred and becomes subject to a different privacy policy. We will require any successor entity to honor the commitments made in this Privacy Policy unless you explicitly consent to changes.
Aggregated and De-identified Data: We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you with third parties for research, marketing, analytics, or other purposes. This may include statistical data about Service usage patterns, model preferences, feature adoption rates, or other insights derived from user behavior. Such aggregated data does not contain personal identifiers and cannot be traced back to individual users.
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with our legal obligations, resolve disputes, enforce our agreements, and protect our legitimate business interests. The specific retention periods vary depending on the type of information and the purpose for which it is processed.
Account Information: We retain your account information, including your email address, hashed password, and account settings, for as long as your account remains active. If you request deletion of your account, we will deactivate your account and delete or anonymize your personal information within a reasonable timeframe, typically within thirty (30) days of your deletion request, except where we are required or permitted to retain certain information by law. We may retain limited information such as email address in hashed form or transaction records for legitimate business purposes including fraud prevention, legal compliance, and financial record-keeping requirements.
Conversation History and User Content: Your conversation histories, projects, uploaded files, and other user-generated content are stored indefinitely while your account remains active to enable you to access your historical interactions and maintain continuity across sessions. Upon account deletion, we will delete your conversation history and user content from our primary production systems. However, we may retain copies in backup systems for a limited period, typically up to ninety (90) days, to protect against accidental data loss and ensure system integrity. After this backup retention period, all copies are permanently deleted. Please note that content you transmitted to third-party AI providers may be retained by those providers according to their own retention policies, over which we have no control.
Payment and Transaction Records: We retain payment and transaction information for as long as necessary for accounting, audit, tax compliance, and legal purposes. This typically includes retention for a minimum of seven (7) years from the date of the transaction in accordance with standard accounting practices and legal requirements. This information may include transaction amounts, dates, payment method types, and transaction identifiers, but does not include complete payment card numbers or sensitive payment credentials.
Technical and Analytics Data: Technical information such as IP addresses, device identifiers, and usage analytics may be retained for varying periods depending on the specific purpose. Server logs containing IP addresses are typically retained for thirty (30) to ninety (90) days for security monitoring and troubleshooting purposes. Aggregated and anonymized analytics data that cannot be linked to individual users may be retained indefinitely for research and Service improvement purposes.
Data Storage Location and Security: Your personal information is stored on secure servers located in data centers operated by our infrastructure providers. While we strive to use service providers with robust security practices and geographically distributed infrastructure for reliability, we cannot guarantee the specific physical location of data at any given time due to the distributed nature of cloud computing. We implement encryption for data in transit using Transport Layer Security (TLS) protocols and encryption for sensitive data at rest. Access to personal information is restricted to authorized personnel who require such access to perform their job functions and are bound by confidentiality obligations.
Depending on your jurisdiction and applicable privacy laws, you may have certain rights regarding your personal information. We are committed to facilitating the exercise of these rights in accordance with applicable legal requirements.
Right of Access and Data Portability: You have the right to request access to the personal information we hold about you and to receive a copy of such information in a structured, commonly used, and machine-readable format where technically feasible. You can access much of your personal information directly through your account settings and conversation history within the Service. For additional information not readily accessible through your account, you may submit a request to us through our support channels, and we will provide the requested information within a reasonable timeframe, subject to verification of your identity and any limitations imposed by law.
Right to Correction and Update: You have the right to request correction of inaccurate or incomplete personal information we hold about you. You can update many aspects of your account information directly through your account settings. For information you cannot update yourself, you may contact us with a correction request, and we will make reasonable efforts to update the information promptly upon verification of the accuracy of the correction.
Right to Deletion and Erasure: You have the right to request deletion of your personal information, subject to certain exceptions where we are required or permitted to retain information by law. You can request account deletion through our support channels. Upon receiving a valid deletion request, we will deactivate your account and delete your personal information from our active systems within thirty (30) days, except for information we are required to retain for legal, accounting, or security purposes. Please note that deletion of your account is permanent and irreversible, and you will lose access to all conversation history, projects, and any remaining credit balance. We cannot delete information that has been transmitted to third-party AI providers, as such information is subject to those providers' retention policies.
Right to Restriction and Objection: In certain circumstances, you may have the right to request restriction of processing of your personal information or to object to certain types of processing. If you wish to restrict or object to processing, please contact us with details of your request, and we will evaluate it in accordance with applicable legal requirements. Please note that restricting certain types of processing may limit or prevent our ability to provide the Service to you.
Right to Withdraw Consent: Where we process your personal information based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You can manage your communication preferences and withdraw consent for non-essential communications through your account settings.
California Privacy Rights: If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA). You have the right to know what personal information we collect, use, disclose, and sell; the right to request deletion of your personal information; the right to opt-out of the sale of personal information (though we do not sell personal information); and the right to non-discrimination for exercising your CCPA rights. California residents may exercise these rights by contacting us through our designated methods. We will not discriminate against you for exercising any of your CCPA rights.
European Union and UK Privacy Rights: If you are located in the European Economic Area or United Kingdom, you have rights under the General Data Protection Regulation (GDPR) and UK GDPR. In addition to the rights described above, you have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates applicable data protection laws. You also have rights related to automated decision-making and profiling, though we do not engage in automated decision-making that produces legal effects or similarly significant effects on individuals.
Exercising Your Rights: To exercise any of the privacy rights described in this section, please contact us through the support channels available on our Service. We will respond to your request within the timeframe required by applicable law, typically within thirty (30) days. We may require verification of your identity before processing your request to protect against unauthorized access to your personal information. In some cases, we may be unable to fulfill your request due to legal obligations, legitimate business needs, or technical limitations, in which case we will explain the reasons for our inability to comply.
We implement comprehensive technical, administrative, and physical security measures designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction. Our security program is based on industry best practices and is regularly reviewed and updated to address emerging threats and vulnerabilities.
Technical Security Controls: We employ multiple layers of technical security controls to protect your information. All data transmitted between your browser or application and our servers is encrypted using Transport Layer Security (TLS) protocol version 1.2 or higher, ensuring that information in transit cannot be intercepted or read by unauthorized parties. Passwords are never stored in plain text; instead, we use bcrypt, a cryptographic hashing algorithm specifically designed for secure password storage, with appropriate salt and computational cost factors to resist brute-force attacks. We implement secure session management using cryptographically secure tokens with appropriate expiration and renewal mechanisms. Our infrastructure employs firewalls, intrusion detection systems, and other network security controls to prevent unauthorized access to our systems. We conduct regular security assessments, vulnerability scans, and penetration testing to identify and remediate potential security weaknesses.
Access Controls and Authentication: Access to personal information stored in our systems is restricted on a need-to-know basis and limited to authorized employees, contractors, and service providers who require such access to perform their job functions. All personnel with access to personal information are bound by confidentiality obligations and receive training on data protection and security best practices. We implement role-based access controls, multi-factor authentication for administrative access, and detailed audit logging of access to sensitive information to detect and investigate potential unauthorized access.
Infrastructure Security: We utilize reputable cloud infrastructure providers that maintain robust physical and logical security controls for their data centers and systems. These providers undergo regular independent security audits and maintain compliance with industry standards such as SOC 2, ISO 27001, and other relevant security frameworks. While we carefully select service providers with strong security practices, we cannot guarantee absolute security, as no method of transmission over the Internet or method of electronic storage is completely invulnerable to attack.
Incident Response and Breach Notification: We maintain an incident response plan to address potential security incidents or data breaches. In the event of a data breach that compromises your personal information, we will assess the nature and scope of the breach, take immediate steps to contain and remediate the incident, and provide notification to affected users and relevant authorities as required by applicable data breach notification laws. Notification will include information about the nature of the breach, the types of information involved, steps we are taking to address the breach, and recommendations for protecting yourself from potential harm.
Your Role in Security: While we implement substantial security measures, the security of your account also depends on your own practices. You are responsible for maintaining the confidentiality of your password, choosing a strong and unique password that is not used for other services, enabling any available security features such as two-factor authentication if offered, logging out of your account when using shared or public computers, and promptly notifying us of any suspected unauthorized access to your account. We will never ask for your password via email or other unsolicited communications, and you should be cautious of phishing attempts that impersonate our Service.
Our Service integrates with and may contain links to third-party websites, applications, services, and AI providers that are not owned or controlled by TopGChat. This Privacy Policy applies only to information collected by our Service and does not apply to the practices of third parties that we do not own or control.
When you interact with third-party AI providers through our Service (OpenAI, Anthropic, Google), your content is transmitted to and processed by those providers according to their respective privacy policies and terms of service. We encourage you to carefully review the privacy policies and data handling practices of these AI providers, as they may collect, use, store, and share your information in ways that differ from our practices. We are not responsible for the privacy practices, data security, or content of these third-party services.
Similarly, when you make payments through Stripe, your payment information is collected and processed by Stripe according to their Privacy Policy. Any links to external websites or resources provided within our Service are for your convenience and information only. We do not endorse and are not responsible for the content, privacy practices, or availability of such external sites. Your interaction with any third-party service is governed by the privacy policy and terms of that third party.
Our Service is not intended for use by individuals under the age of eighteen (18) years, or under the age of majority in their jurisdiction, whichever is higher. We do not knowingly collect personal information from children under 18. If you are under 18 years of age, you are not permitted to use the Service or provide any personal information to us.
If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take immediate steps to delete such information from our systems. If you believe we might have collected information from a child under 18, please contact us immediately through our support channels so that we can investigate and take appropriate action.
Parents and legal guardians are responsible for monitoring their children's Internet usage and ensuring that minors do not access services for which they are not eligible. We recommend that parents use parental control tools and educate children about safe online practices and the importance of not sharing personal information without permission.
TopGChat operates globally and may transfer, store, and process your personal information in countries other than your country of residence. These countries may have data protection laws that differ from the laws of your jurisdiction and may not provide the same level of protection for personal information.
When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection by the European Commission or other relevant authorities, we implement appropriate safeguards to protect your information. These safeguards may include Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms.
By using our Service, you acknowledge and consent to the transfer of your personal information to countries outside of your country of residence, including to the United States and other countries where our service providers operate. We take reasonable steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it.
We reserve the right to modify, amend, or update this Privacy Policy at any time to reflect changes in our practices, legal requirements, or Service offerings. When we make changes to this Privacy Policy, we will update the "Last updated" date at the top of this page and post the revised Privacy Policy on our Service.
For material changes that substantially affect your privacy rights or how we collect, use, or share your personal information, we will provide additional notice to you. This may include displaying a prominent notice on our Service, sending an email notification to the address associated with your account, or requiring you to affirmatively acknowledge the changes before continuing to use the Service. We will provide such notice at least thirty (30) days before the material changes take effect.
Your continued use of the Service after the effective date of any changes to this Privacy Policy constitutes your acceptance of such changes. If you do not agree to the modified Privacy Policy, you must discontinue use of the Service. We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your personal information.
If you have any questions, concerns, or complaints regarding this Privacy Policy, our data handling practices, or the exercise of your privacy rights, please contact us through the support channels available on our Service. We are committed to addressing your privacy concerns and will make reasonable efforts to respond to your inquiries within thirty (30) days.
For specific privacy-related requests such as data access, correction, or deletion requests, please use our designated privacy request channels to ensure your request is routed to the appropriate personnel. We may require verification of your identity before processing your request to protect against unauthorized access to your personal information.
If you are located in the European Economic Area, United Kingdom, or Switzerland and are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with your local data protection authority or supervisory authority. We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority, and we encourage you to contact us first.