Privacy Policy
Last updated: April 8, 2026
1. Introduction
Greetler ("we," "us," or "our") provides an AI-powered chat concierge service for service businesses, including law firms, dental practices, cosmetic surgery practices, home services companies, real estate agencies, and similar businesses (collectively, "Firms"). This Privacy Policy explains how we collect, use, disclose, and safeguard information from Firms that subscribe to our service, visitors to our website (greetler.com), and users of our portal (app.greetler.com).
For information about how we handle data from website visitors who interact with the chat widget on Firm websites, please see our Widget Privacy Notice.
2. Information We Collect from Firms
Account Information:
- Email address and name provided during signup
- Website URL for your business
- Portal settings and configuration preferences (tone, custom instructions, FAQ overrides)
Website Content:
- Publicly available content from your business's website (crawled during onboarding to build the AI knowledge base)
Billing Information:
- Billing is handled by Paddle (UK). We do not store or have access to payment card details.
Automatically Collected:
- Server logs (IP address, browser type, request timestamps) — retained for up to 30 days
- Portal usage data (pages visited, features used)
3. How We Use Firm Information
- To provide, maintain, and improve the Service
- To build and maintain the AI knowledge base from your website content
- To send transactional emails (portal links, lead notifications, weekly reports)
- To produce aggregated analytics for your portal dashboard
- To process billing through our payment provider
- To detect and prevent abuse, fraud, or security incidents
- To communicate about your account, service changes, or support requests
4. Greetler as a Data Processor
When Firms use Greetler on their websites, Firms are the data controller for the personal data of their website visitors (chat messages, contact information from lead forms, etc.). Greetler acts as a data processor on behalf of the Firm.
We process visitor data solely to provide the Service to the Firm — including generating AI responses, capturing leads, and producing analytics. We do not use visitor data for our own marketing or any purpose unrelated to providing the Service.
For Firms that require a formal data processing agreement, our Data Processing Addendum (DPA) is available and incorporated by reference into our Terms of Service.
5. AI Processing and Sub-processors
Firm website content and visitor chat messages are processed by third-party AI models to generate responses. Under OpenAI's API data usage policy, API inputs and outputs are not used to train their models. We do not use any data to train AI models ourselves.
Sub-processors:
| Provider | Location | Purpose |
|---|---|---|
| OpenAI | USA | AI response generation, embeddings |
| Paddle | UK | Payment processing |
| Vultr | USA | Cloud hosting, data storage |
| Zoho | EU | Transactional email delivery |
| PostHog | USA | Product analytics (identified Firm users only) |
We will notify Firms before adding new sub-processors that handle personal data.
6. Data Sharing
We do not sell personal information. We share Firm data only with:
- Sub-processors: As listed above, solely to provide the Service
- As required by law: In response to valid legal process, court orders, or government requests
7. International Data Transfers
Our servers are located in the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. For EU/EEA Firms, transfers are conducted in compliance with applicable data protection laws, including the use of Standard Contractual Clauses (SCCs) where required. Our DPA includes SCCs as an appendix.
8. Data Retention
- Account data: Retained while your account is active
- Visitor conversations and leads: Retained while your account is active; you may export or delete at any time
- Server logs: Retained for up to 30 days
- Post-termination: All data deleted within 30 days of account termination
9. Security
We implement industry-standard measures to protect data:
- TLS encryption for all data in transit
- JWT-based authentication with short-lived access tokens
- Secure httpOnly cookies for session management
- Per-firm data isolation in database queries
- Rate limiting and abuse detection
No method of transmission or storage is 100% secure. We cannot guarantee absolute security.
10. Data Breach Notification
In the event of a data breach affecting personal data, we will:
- Notify affected Firms within 72 hours of becoming aware of the breach
- Provide details about the nature of the breach, data affected, and steps taken
- Notify relevant supervisory authorities as required by applicable law
- Cooperate with Firms in fulfilling their own notification obligations to visitors
11. Cookies and Tracking
Our portal (app.greetler.com) uses essential cookies for authentication. We do not use advertising cookies on any of our properties.
Product analytics (PostHog): The marketing site (greetler.com) and the portal (app.greetler.com) use PostHog to understand how Firms discover and use the Service. PostHog is configured in identified-only mode, which means we do not create profiles for anonymous visitors — a profile is only created once a Firm signs up and is associated with their account. PostHog uses cookies on these properties solely for product analytics. The embeddable chat widget that runs on Firm websites does not load PostHog and does not use cookies (see Widget Privacy Notice).
12. Your Rights
All Firms: You may access, correct, export, or delete your data at any time through the portal or by contacting us.
EU/EEA Firms (GDPR): Our legal basis for processing your data is performance of a contract (our Terms of Service). You have the rights of access, rectification, erasure, data portability, and restriction of processing, and the right to lodge a complaint with your local data protection authority.
California Firms (CCPA/CPRA): You have the right to know what personal information we collect and how it is used, to request deletion, and to opt out of the sale of personal information. We do not sell personal information.
To exercise any rights, contact us at privacy@greetler.com. We will respond within 30 days.
13. Children's Privacy
The Service is not directed to children under 13 (or under 16 in the EU/EEA). We do not knowingly collect personal information from children.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Firms of material changes via email at least 30 days before they take effect. The "Last updated" date at the top indicates when the policy was last revised.
15. Contact Us
For questions about this Privacy Policy or to exercise your data rights:
Email: privacy@greetler.com
Related Documents
- Widget Privacy Notice — For website visitors who chat with the widget
- Terms of Service — Governs use of the Greetler service
- Data Processing Addendum — GDPR data processing terms