— Privacy

YOUR DATA. yours.
only.

What we collect, why, what we will never do, and the rights you have under GDPR and CCPA. Last updated: 2026-05-14.

Last updated: 2026-05-14

What we collect

Four categories, nothing more.

Account info

Your email address and name when you sign up. We use this to identify your account and send you product emails.

Bot config

The settings you choose for your bot — its name, widget appearance, and the source URLs or PDFs you train it on. This is your content; we only process it to power your bot.

Usage

Aggregate metrics like token counts and response latency. Used to bill correctly, enforce plan limits, and improve performance. Not linked to individual conversation content.

Conversations

Messages sent to your bot by your site's visitors. Stored so you can review them in the dashboard. Retained for 90 days by default — you can configure this or delete on demand.

Payment metadata

Billing is handled by Dodo Payments (Merchant of Record). We receive confirmation of successful payment and your plan tier. We never see, store, or touch your card number.

Why we collect it

Three reasons, no more.

Run the service

We need your account info to authenticate you, your bot config to power your widget, and conversation data to show you what your visitors asked.

Bill correctly

Usage metrics tell us which plan you're on and whether you've hit a limit. We pass payment events to Dodo for subscription management.

Improve the product

Aggregate, anonymised performance data (latency, error rates) helps us make the service faster and more reliable. We do not use individual conversation content for this.

What we don't do

Hard lines we won't cross.

No AI training

We do not use your knowledge sources, bot configuration, or conversation logs to train or fine-tune any AI model — ours or anyone else's. Your content stays yours.

No selling

We do not sell your data to third parties. Full stop.

No cross-site tracking

We do not track your visitors across other websites or build advertising profiles. Our analytics tools (Plausible and PostHog) run cookieless, with session recording disabled, and are never used for advertising.

No unauthorised sharing

We do not share your data with anyone except the subprocessors listed below, and only to the extent required to run the service. We will share if required by law, and we will tell you if we legally can.

Cookies and analytics

Minimal. Purposeful. No ad tech.

Analytics

We use Plausible Analytics (cookieless, aggregated page-view counts, no personal data) and PostHog for product analytics, configured to keep nothing on your device (in-memory only — no cookies or local storage) with session recording disabled. Because neither sets cookies, no consent banner is required under the ePrivacy Directive; this processing relies on our legitimate interest and you can opt out at any time.

Session cookies

When you sign in, Supabase Auth sets a session cookie so you stay logged in. It is secure (HTTPS-only), HttpOnly (not accessible to JavaScript), and scoped to saavos.com. It expires when your session ends or you log out.

Subprocessors

Who touches your data and why.

Vercel

Hosting and edge compute. SOC 2 Type II certified. Processes all web traffic and runs our server-side code.

Supabase

Database, authentication, and file storage. SOC 2 Type II certified. All your account data and bot data lives here.

Anthropic

Large language model (Claude) for generating bot responses. Conversation content is sent to Anthropic's API to produce answers. Anthropic does not train its models on data sent through the API, and its API terms include GDPR-compliant data processing terms.

OpenAI

Embeddings only (text-embedding-3-small). Your source content is sent to OpenAI to convert into vector representations for search. OpenAI's API does not use your data to train models (opt-out is on by default via API).

Resend

Transactional email (account confirmation, notifications). We send your email address to Resend only when sending you a message.

Dodo Payments

Payment processing and subscription management. Merchant of Record — they handle tax and compliance. They receive your billing email and payment details. We only receive confirmation and plan status.

PostHog

Product analytics. Receives cookieless usage events (page views, feature clicks) so we can improve the product. Session recording is disabled and no identifiers are persisted on your device.

Your rights (GDPR / CCPA)

You can ask us anything about your data.

Access

You can ask us what data we hold about you. We'll send a full export within 30 days.

Deletion

You can ask us to delete your account and all associated data. We'll confirm deletion within 30 days and purge everything within another 30.

Export

You can request a machine-readable export of your data (account info, bot config, conversation logs) in JSON format.

Correction

If any information we hold about you is wrong, you can ask us to correct it.

Object & restrict

You can object to or ask us to restrict processing that relies on our legitimate interests (such as product analytics). Tell us and we'll stop.

California — Do Not Sell or Share

We do not sell or share your personal information, and have not in the past 12 months. California residents may exercise the access, deletion, and correction rights above free from discrimination.

How to reach us

Email founder@5minbot.com with the subject line “GDPR request” (or “CCPA request” for California residents). We aim to respond within 5 business days and complete requests within 30 days.

Data retention

We don't keep data longer than needed.

Account data

Kept until you delete your account. When you delete, we begin purging within 30 days.

Conversation logs

Retained for 90 days by default. You can configure a shorter window in your bot settings, or delete logs on demand from the dashboard.

Deleted data

Data marked for deletion is purged from all systems (including backups) within 30 days.

International transfers

EU data, US infrastructure.

Standard clauses

If you are based in the EU or EEA, your data may be processed in the United States by Vercel, Anthropic, and OpenAI. These transfers are covered by Standard Contractual Clauses (SCCs) as required under GDPR Chapter V. Supabase offers EU-region hosting if you need data residency.

Children

This service is not for under-13s.

Age limit

saavos is intended for business and developer use. We do not knowingly collect personal data from children under 13. If we discover we have, we will delete it immediately. Contact founder@5minbot.com if you have concerns.

Changes

We'll tell you when this changes.

Notification

Material changes to this policy will be announced by email to all active accounts and posted to our changelog. The “Last updated” date at the top always reflects the current version.

Contact

Questions? Just ask.

Email

founder@5minbot.com. We're a small team and we respond to every message.

Related