Privacy Policy

Quibbl · Drafted April 2026 · Effective date pending publication

1. Who this policy is for

Quibbl is a hosted website chat widget (the "Service") that businesses ("Site Owners") embed on their websites. People who chat with the widget on a Site Owner's website are "Visitors."

This policy describes how Quibbl handles data for both groups, in two distinct legal roles:

Site Owner data — Quibbl is the data controller. Account email, configuration, billing details, and authentication tokens are collected and processed by Quibbl to provide the Service.
Visitor data — Quibbl is a data processor acting on behalf of the Site Owner, who is the controller. When a Visitor types a message, Quibbl processes that message under the Site Owner's instructions to produce a chatbot response. Visitors should consult the privacy policy of the website they are visiting for the controller's contact details and lawful basis.

Contact: [email protected]

VERIFY: Your registered legal entity (LLC name, state of incorporation, registered office address) needs to be added here. Required by GDPR Art. 13(1)(a) for EU customers.

2. Data we collect from Site Owners

2.1 Account data

Email address (via Amazon Cognito sign-in)
Name (if provided in the Cognito user pool)
An internal Cognito user identifier (the "subject" or sub)

2.2 Configuration data

The chatbot's behavior is driven by structured fields you fill in: site name, allowed origins, brand name, tone, FAQ entries, pricing plans, hours, escalation rules, allowed topics, greeting, and similar prompt-driving content. We store these so the bot can quote them verbatim. They are visible to anyone who can authenticate to your account.

2.3 Billing data

When you subscribe, payment is processed by Stripe. Quibbl does not see your card number, CVV, or full payment instrument; Stripe does. Quibbl stores the Stripe customer identifier, subscription identifier, current subscription status (active, past_due, canceled, etc.), and the current period end date so the dashboard can show "Active, renews on…". Site Owner email is shared with Stripe to associate the account.

2.4 Operational data

Server logs (request paths, response codes, internal request IDs, timestamps) generated by our application servers and AWS infrastructure
Stripe webhook event records, retained for billing reconciliation
Error reports if a request fails

VERIFY: Confirm whether the BFF logs Site Owner IP addresses or User-Agent strings on dashboard requests. The current code base does not appear to log either explicitly, but ALB access logs (if enabled) would. State whichever is true.

3. Data we process about Visitors (on behalf of Site Owners)

When a Visitor opens the chat widget on a Site Owner's site, the following happens:

3.1 Browser-stored visitor identifier

The widget generates a random UUID and stores it in the Visitor's browser localStorage under the key sc_visitor. This identifier is sent on each chat request so the same browser sees a continuous conversation. It is functional storage required to operate the chat; it is not used for advertising, cross-site tracking, or analytics. Visitors can clear it by clearing site data for the embedding site.

3.2 Conversation messages

Visitor messages and the bot's responses are sent over HTTPS to Quibbl's API and forwarded to our agent runtime, which calls a language model provider to generate the response (see Section 4 — Sub-processors). Conversation turns are stored so the same Visitor sees their conversation when they return.

VERIFY: Once the DynamoDB-backed conversation store is wired in production (currently in-memory), state the actual retention. Today, the in-memory implementation means turns are lost on each pod restart; this is not durable storage and should be characterized truthfully until the table is in place.

3.3 Visitor metadata

The originating site (matched against the Site Owner's allowed origins)
The widget public key the request was made with
Timestamps and internal request identifiers

VERIFY: Confirm whether visitor IP addresses are logged. The Go BFF code does not appear to read X-Forwarded-For or RemoteAddr at the application layer, but ALB access logs may capture them. Disclose accurately.

3.4 Escalation records

When the bot escalates a conversation to a human, Quibbl records the reason, summary, urgency, conversation references, and a transcript URL. The full conversation transcript is delivered to the Site Owner via the configured channel (today: Slack; planned for general availability: email and a one-click web link).

VERIFY: The email and web-link escalation channels are not yet implemented in the code base as of this draft. Either ship those channels before this policy goes into effect, or describe only the channels that exist on the effective date.

3.5 What we do not collect from Visitors

No advertising cookies, no third-party trackers, no fingerprinting
No location data beyond what may appear in HTTP request metadata
No camera, microphone, or device sensor access
No marketing emails to Visitors

4. Sub-processors

Quibbl uses the following third parties to operate the Service. Each receives only the data necessary for its role, under contract.

Sub-processor	Role	Data shared	Region
Amazon Web Services (AWS)	Hosting, networking, database (DynamoDB), authentication (Cognito), TLS certificates (ACM), CDN (CloudFront), storage (S3)	All Site Owner and Visitor data is stored on AWS infrastructure	United States (us-east-1)
Ollama Inc.	Language model inference (Ollama Cloud API), used to generate the bot's responses	The Visitor's current message and the relevant conversation context, plus the system prompt rendered from the Site Owner's configuration	United States VERIFY
Stripe	Subscription billing and payment processing	Site Owner email, the Stripe customer/subscription identifiers, subscription metadata (site_id, plan_id), and payment-method details that the Site Owner enters directly into Stripe Checkout (Quibbl never sees those)	Global; Stripe operates from the United States and Ireland
Doppler & Stakater Reloader	Secret management; injects environment variables (API keys, signing secrets) into our application pods	No Site Owner or Visitor data; only Quibbl-controlled credentials	Doppler hosts in the United States VERIFY
GitHub (CI/CD only)	Source control and continuous deployment	Application source code only; no Site Owner or Visitor data	United States

VERIFY: Confirm Ollama Inc.'s data-processing terms, specifically (a) what region(s) their inference runs in, (b) their data-retention policy for prompts and responses, and (c) whether they offer a Data Processing Addendum (DPA) you have signed. Update this row accordingly. If Ollama logs prompts for any duration, that must be disclosed.

VERIFY: If any future channel (email handoff via SES, SendGrid, Postmark; SMS via Twilio; etc.) is introduced, add it to this table before the channel goes live.

VERIFY: Confirm a Data Processing Addendum is in place with each sub-processor in this table. AWS, Stripe, and GitHub all offer standard DPAs; sign and retain them.

5. The Visitor message lifecycle

This section describes exactly what happens when a Visitor types a message.

The widget script (loaded from Quibbl's hosting infrastructure) reads the Site Owner's public key from the page and the visitor identifier from localStorage.
The message is sent over HTTPS to Quibbl's API, with the public key and visitor identifier in request headers.
Quibbl validates that the request originated from one of the Site Owner's configured allowed origins and that the public key resolves to a registered site.
Quibbl forwards the message and the relevant conversation context to our agent runtime, which calls Ollama Cloud to generate a response.
The response streams back to the widget over a server-sent events connection.
The conversation turn is persisted so the Visitor sees continuity on next page load.

No portion of this flow involves advertising networks, analytics services, or third-party tracking. The only third party that sees the Visitor's message text is Ollama, which generates the response.

6. How we use data

Quibbl uses Site Owner and Visitor data only to:

Provide the Service (operate the chat widget, render responses, deliver escalations)
Process billing through Stripe
Maintain account access and authentication via Cognito
Detect and prevent abuse, fraud, and security incidents
Comply with legal obligations
Communicate with Site Owners about their account, the Service, or material changes to it

Quibbl does not:

Sell, rent, or share Site Owner or Visitor data with third parties for their own marketing
Use Visitor messages to train, fine-tune, or improve any AI model, ours or anyone else's
Run advertising or behavioral profiling
Build cross-site visitor profiles

VERIFY: Confirm with Ollama in writing that they do not train on inference inputs/outputs. If their default policy permits training and you have not opted out, that disclosure must change. (Many open-weight inference providers offer a no-train clause for paid plans — verify yours.)

7. Retention

Data	Retention
Site Owner account record	For the life of the account; deleted within 30 days of account closure VERIFY
Site configuration	For the life of the site; deleted within 30 days of site deletion VERIFY
Conversation turns	Retained while the Visitor identifier remains active VERIFY
Escalation records	Retained for the life of the site, for audit and reply-routing purposes
Stripe billing records	Retained as required by tax and accounting law (typically 7 years in the United States)
Server and access logs	30–90 days VERIFY
Visitor browser identifier (`sc_visitor` in localStorage)	Persists in the Visitor's own browser until they clear it

VERIFY: The retention values above are placeholders that match common SaaS practice. Set them to what your code actually does, and what your operations team will commit to enforcing. The conversation-turn retention in particular needs a concrete TTL once the DynamoDB store is in production.

8. Security

All traffic in transit is encrypted (TLS 1.2+, AWS Application Load Balancer with ACM-managed certificates)
Data at rest in DynamoDB and S3 is encrypted using AWS-managed keys
Site Owner authentication uses Amazon Cognito with industry-standard JWT-based session tokens
Application secrets (API keys, signing secrets) are managed by Doppler and never committed to source control
Stripe webhook signatures are verified before any state change
The Service runs in an isolated AWS account dedicated to Quibbl infrastructure

If we become aware of a data breach affecting Site Owner or Visitor personal data, we will notify affected Site Owners (and, where required, supervisory authorities) within 72 hours of becoming aware, in line with GDPR Art. 33.

VERIFY: Confirm that DynamoDB encryption at rest is enabled (it is by default for AWS-owned and AWS-managed key tables; if you use customer-managed KMS keys, mention them). Confirm S3 buckets used by the Service have default encryption set.

9. Site Owner rights

As a Site Owner, you have the following rights regarding the data Quibbl holds about your account:

Access — request a copy of your account data and configurations
Correction — request correction of inaccurate account data
Deletion — request deletion of your account; we comply within 30 days, subject to retention obligations for billing records
Portability — receive your configuration and conversation data in a machine-readable format VERIFY
Object — object to specific processing of your data
Withdraw consent — cancel your subscription and delete your account at any time through the dashboard

Send requests to [email protected]. We will respond within 30 days.

VERIFY: Build the data-export feature before this clause goes into effect. "Receive your data in machine-readable format" is a GDPR Article 20 requirement and should not be promised in writing without an actual mechanism.

10. Visitor rights

If you are a Visitor who chatted with a widget powered by Quibbl, the Site Owner whose site you visited is the data controller for your conversation. To exercise rights regarding your conversation (access, deletion, etc.), contact the Site Owner first using the contact information on their website.

If you are unable to reach the Site Owner, or you have a concern that involves Quibbl directly (a security incident, abuse of the platform), you may contact us at [email protected] and we will assist within the bounds of our role as a data processor.

You can stop being identified by Quibbl on a particular site at any time by clearing site data for that site in your browser, which removes the sc_visitor identifier.

11. International transfers

Quibbl operates the Service from the United States (AWS region us-east-1). If you are in the European Economic Area, the United Kingdom, or Switzerland and your conversation is processed by the Service, your data is transferred to the United States. We rely on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism with our sub-processors, where available, and on the equivalent UK International Data Transfer Addendum for UK transfers.

VERIFY: Confirm SCCs are in place with AWS, Stripe, and Ollama. AWS and Stripe offer standardized SCC modules in their DPAs; Ollama may not yet, depending on their stage. If a sub-processor lacks an SCC mechanism, you may not lawfully transfer EEA personal data to them.

VERIFY: If you intend to serve EU customers at GA, consider whether an EU regional deployment is needed. Some EU buyers will not accept US-only processing regardless of SCCs in place.

12. California residents (CCPA / CPRA)

Quibbl does not sell personal information and has not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months.

California residents who are Site Owners may exercise the rights described in Section 9. California residents who are Visitors should contact the Site Owner whose site they visited; if Quibbl is contacted directly, we will route the request appropriately.

We honor Global Privacy Control (GPC) signals as a "do not sell or share" request, although as noted, we do not sell or share in any case.

13. Other US states

Residents of Colorado, Connecticut, Virginia, Utah, Oregon, Texas, Montana, and other US states with comprehensive privacy laws have rights similar to those in Section 9 and Section 10. Contact [email protected] to exercise them.

14. Children

The Service is not directed to children under 16, and Quibbl does not knowingly collect data from children under 16. Site Owners are responsible for ensuring that their use of the Service complies with COPPA and other child-protection laws applicable to their audience.

15. AI disclosure

The chat widget is powered by an artificial intelligence system, not a human. The widget identifies itself as such; Site Owners are responsible for any additional disclosure required by their jurisdiction (for example, California SB 1001).

16. Cookies and similar storage

The Service uses one piece of browser storage on a Visitor's device: a UUID stored in localStorage under the key sc_visitor, used solely to thread the Visitor's conversation. The Service does not use marketing cookies, analytics cookies, or third-party trackers. Quibbl's marketing website (quibbl.io) may use additional functional cookies; see the cookie notice on that site.

17. Changes

We will notify Site Owners of material changes to this policy by email or through the dashboard at least 30 days before the changes take effect. The current version is always posted at quibbl.io/privacy.

18. Contact

Privacy questions and rights requests: [email protected]
General contact: [email protected]
Legal entity: VERIFY — insert registered entity name and address

VERIFY: If you appoint an EU representative under GDPR Art. 27 (required if you offer the Service to EU data subjects without an EU establishment), add their name, address, and contact details here.