Your data. Your rules.

Your email address and name when you sign up. We use this to identify your account and send you product emails.

The settings you choose for your bot — its name, widget appearance, and the source URLs or PDFs you train it on. This is your content; we only process it to power your bot.

Aggregate metrics like token counts and response latency. Used to bill correctly, enforce plan limits, and improve performance. Not linked to individual conversation content.

Messages sent to your bot by your site's visitors. Stored so you can review them in the dashboard. Retained for 90 days by default — you can configure this or delete on demand.

Billing is handled by Dodo Payments (Merchant of Record). We receive confirmation of successful payment and your plan tier. We never see, store, or touch your card number.

We need your account info to authenticate you, your bot config to power your widget, and conversation data to show you what your visitors asked.

Usage metrics tell us which plan you're on and whether you've hit a limit. We pass payment events to Dodo for subscription management.

Aggregate, anonymised performance data (latency, error rates) helps us make the service faster and more reliable. We do not use individual conversation content for this.

We do not use your knowledge sources, bot configuration, or conversation logs to train or fine-tune any AI model — ours or anyone else's. Your content stays yours.

We do not sell your data to third parties. Full stop.

We do not track your visitors across other websites or build advertising profiles. Our analytics tool (Plausible) is cookieless and does not collect personal data.

We do not share your data with anyone except the subprocessors listed below, and only to the extent required to run the service. We will share if required by law, and we will tell you if we legally can.

We use Plausible Analytics, which is cookieless and collects no personal data. Page view counts are aggregated only. No consent banner required under GDPR.

When you sign in, Supabase Auth sets a session cookie so you stay logged in. It is secure (HTTPS-only), HttpOnly (not accessible to JavaScript), and scoped to saavos.com. It expires when your session ends or you log out.

Hosting and edge compute. SOC 2 Type II certified. Processes all web traffic and runs our server-side code.

Database, authentication, and file storage. SOC 2 Type II certified. All your account data and bot data lives here.

Large language model (Claude) for generating bot responses. Conversation content is sent to Anthropic's API to produce answers. Business Associate Agreement (BAA) available on request. Anthropic's API terms include GDPR-compliant data processing terms.

Embeddings only (text-embedding-3-small). Your source content is sent to OpenAI to convert into vector representations for search. OpenAI's API does not use your data to train models (opt-out is on by default via API).

Transactional email (account confirmation, notifications). We send your email address to Resend only when sending you a message.

Payment processing and subscription management. Merchant of Record — they handle tax and compliance. They receive your billing email and payment details. We only receive confirmation and plan status.

You can ask us what data we hold about you. We'll send a full export within 30 days.

You can ask us to delete your account and all associated data. We'll confirm deletion within 30 days and purge everything within another 30.

You can request a machine-readable export of your data (account info, bot config, conversation logs) in JSON format.

If any information we hold about you is wrong, you can ask us to correct it.

Email founder@5minbot.com with the subject line “GDPR request” (or “CCPA request” for California residents). We aim to respond within 5 business days and complete requests within 30 days.

Kept until you delete your account. When you delete, we begin purging within 30 days.

Retained for 90 days by default. You can configure a shorter window in your bot settings, or delete logs on demand from the dashboard.

Data marked for deletion is purged from all systems (including backups) within 30 days.

If you are based in the EU or EEA, your data may be processed in the United States by Vercel, Anthropic, and OpenAI. These transfers are covered by Standard Contractual Clauses (SCCs) as required under GDPR Chapter V. Supabase offers EU-region hosting if you need data residency.

saavos is intended for business and developer use. We do not knowingly collect personal data from children under 13. If we discover we have, we will delete it immediately. Contact founder@5minbot.com if you have concerns.

Material changes to this policy will be announced by email to all active accounts and posted to our changelog. The “Last updated” date at the top always reflects the current version.

founder@5minbot.com. We're a small team and we respond to every message.