Last updated: 2026-05-14
What we collect
Four categories, nothing more.
Account info
Your email address and name when you sign up. We use this to identify your account and send you product emails.
Bot config
The settings you choose for your bot — its name, widget appearance, and the source URLs or PDFs you train it on. This is your content; we only process it to power your bot.
Usage
Aggregate metrics like token counts and response latency. Used to bill correctly, enforce plan limits, and improve performance. Not linked to individual conversation content.
Conversations
Messages sent to your bot by your site's visitors. Stored so you can review them in the dashboard. Retained for 90 days by default — you can configure this or delete on demand.
Payment metadata
Billing is handled by Dodo Payments (Merchant of Record). We receive confirmation of successful payment and your plan tier. We never see, store, or touch your card number.
Why we collect it
Three reasons, no more.
Run the service
We need your account info to authenticate you, your bot config to power your widget, and conversation data to show you what your visitors asked.
Bill correctly
Usage metrics tell us which plan you're on and whether you've hit a limit. We pass payment events to Dodo for subscription management.
Improve the product
Aggregate, anonymised performance data (latency, error rates) helps us make the service faster and more reliable. We do not use individual conversation content for this.
What we don't do
Hard lines we won't cross.
No AI training
We do not use your knowledge sources, bot configuration, or conversation logs to train or fine-tune any AI model — ours or anyone else's. Your content stays yours.
No selling
We do not sell your data to third parties. Full stop.
No cross-site tracking
We do not track your visitors across other websites or build advertising profiles. Our analytics tools (Plausible and PostHog) run cookieless, with session recording disabled, and are never used for advertising.
No unauthorised sharing
We do not share your data with anyone except the subprocessors listed below, and only to the extent required to run the service. We will share if required by law, and we will tell you if we legally can.
Cookies and analytics
Minimal. Purposeful. No ad tech.
Analytics
We use Plausible Analytics (cookieless, aggregated page-view counts, no personal data) and PostHog for product analytics, configured to keep nothing on your device (in-memory only — no cookies or local storage) with session recording disabled. Because neither sets cookies, no consent banner is required under the ePrivacy Directive; this processing relies on our legitimate interest and you can opt out at any time.
Session cookies
When you sign in, Supabase Auth sets a session cookie so you stay logged in. It is secure (HTTPS-only), HttpOnly (not accessible to JavaScript), and scoped to saavos.com. It expires when your session ends or you log out.
Subprocessors
Who touches your data and why.
Vercel
Hosting and edge compute. SOC 2 Type II certified. Processes all web traffic and runs our server-side code.
Supabase
Database, authentication, and file storage. SOC 2 Type II certified. All your account data and bot data lives here.
Anthropic
Large language model (Claude) for generating bot responses. Conversation content is sent to Anthropic's API to produce answers. Anthropic does not train its models on data sent through the API, and its API terms include GDPR-compliant data processing terms.
OpenAI
Embeddings only (text-embedding-3-small). Your source content is sent to OpenAI to convert into vector representations for search. OpenAI's API does not use your data to train models (opt-out is on by default via API).
Resend
Transactional email (account confirmation, notifications). We send your email address to Resend only when sending you a message.
Dodo Payments
Payment processing and subscription management. Merchant of Record — they handle tax and compliance. They receive your billing email and payment details. We only receive confirmation and plan status.
PostHog
Product analytics. Receives cookieless usage events (page views, feature clicks) so we can improve the product. Session recording is disabled and no identifiers are persisted on your device.
Your rights (GDPR / CCPA)
You can ask us anything about your data.
Access
You can ask us what data we hold about you. We'll send a full export within 30 days.
Deletion
You can ask us to delete your account and all associated data. We'll confirm deletion within 30 days and purge everything within another 30.
Export
You can request a machine-readable export of your data (account info, bot config, conversation logs) in JSON format.
Correction
If any information we hold about you is wrong, you can ask us to correct it.
Object & restrict
You can object to or ask us to restrict processing that relies on our legitimate interests (such as product analytics). Tell us and we'll stop.
California — Do Not Sell or Share
We do not sell or share your personal information, and have not in the past 12 months. California residents may exercise the access, deletion, and correction rights above free from discrimination.
How to reach us
Email founder@5minbot.com with the subject line “GDPR request” (or “CCPA request” for California residents). We aim to respond within 5 business days and complete requests within 30 days.
Data retention
We don't keep data longer than needed.
Account data
Kept until you delete your account. When you delete, we begin purging within 30 days.
Conversation logs
Retained for 90 days by default. You can configure a shorter window in your bot settings, or delete logs on demand from the dashboard.
Deleted data
Data marked for deletion is purged from all systems (including backups) within 30 days.
International transfers
EU data, US infrastructure.
Standard clauses
If you are based in the EU or EEA, your data may be processed in the United States by Vercel, Anthropic, and OpenAI. These transfers are covered by Standard Contractual Clauses (SCCs) as required under GDPR Chapter V. Supabase offers EU-region hosting if you need data residency.
Children
This service is not for under-13s.
Age limit
saavos is intended for business and developer use. We do not knowingly collect personal data from children under 13. If we discover we have, we will delete it immediately. Contact founder@5minbot.com if you have concerns.
Changes
We'll tell you when this changes.
Notification
Material changes to this policy will be announced by email to all active accounts and posted to our changelog. The “Last updated” date at the top always reflects the current version.
Contact
Questions? Just ask.
founder@5minbot.com. We're a small team and we respond to every message.