UK GDPR & DPA 2018

Privacy Policy

Last updated: 28 May 2026

Introduction

This Privacy Policy explains how Comxbot ("we", "us", "our") collects, uses, shares and protects personal data when you use the Comxbot platform, our website, embedded chat widgets and related services (the "Services"). It is written for compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data controller

Comxbot is the data controller for personal data we collect about account holders and workspace members. When you deploy an assistant to your own website or channels, you (the customer organisation, e.g. an FE college) are the controller for the visitor and learner data processed through that assistant, and we act as your processor under a data processing agreement.

Contact: dpo@comxbot.com

What data we collect

  • Account information, name, email address and authentication identifiers, collected through Clerk when you sign up.
  • Workspace data, organisation name, assistant configuration, prompts, knowledge sources, branding settings and member roles.
  • Conversation data, visitor messages, AI responses, citations, intent classifications, handoff context and session metadata.
  • Usage analytics, aggregated platform usage, outcome metrics, latency, error rates and page navigation where consent has been given.
  • Technical data, IP addresses (hashed for demo bots and public widgets where possible), user-agent strings, device type and timestamps.
  • Billing data, handled by Stripe; we receive only the minimum needed to operate your subscription.

Lawful basis for processing

  • Contract (Art. 6(1)(b)), providing the Services you have signed up for, including authentication, workspace management and billing.
  • Legitimate interests (Art. 6(1)(f)), securing our infrastructure, preventing fraud and abuse, improving the platform, and product analytics where consent is not required.
  • Consent (Art. 6(1)(a)), optional analytics and marketing cookies and any direct marketing communications.
  • Legal obligation (Art. 6(1)(c)), keeping financial records, responding to lawful requests and meeting UK regulatory duties.

How long we keep it

We keep personal data only for as long as it is needed for the purposes set out in this policy or as required by law. Workspace owners can configure their own retention windows under Settings → Data retention. Default retention is:

  • Conversation transcripts: 90 days (configurable).
  • Session and audit logs: 180 days (configurable).
  • Account data: for the lifetime of the account, plus 30 days after closure.
  • Billing records: 7 years (UK accounting requirement).

Who we share data with

We use a small number of trusted sub-processors to deliver the Services. Each is bound by contractual safeguards and only processes data for the purposes we instruct.

  • Clerk (United States) — authentication and organisation management.
  • Stripe (United Kingdom / Ireland) — subscription billing and payment processing.
  • Resend (United States) — transactional email delivery.
  • OpenAI, Anthropic and Google — AI model providers for assistant responses. Customers may use their own API keys (BYOK) so prompts and responses can be routed through their own provider account.
  • Supabase (European Union) — primary database hosting.

We do not sell personal data and we do not share it for third-party advertising purposes.

Your rights under UK GDPR

You have the right to:

  • Access — obtain a copy of your personal data.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data ("right to be forgotten").
  • Portability — receive your data in a structured, commonly used format.
  • Restriction — limit how we process your data.
  • Objection — object to processing based on legitimate interests or direct marketing.
  • Complain — lodge a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/.

Making a data subject request

You can exercise any of these rights by emailing dpo@comxbot.com or using our in-app data subject request form. We aim to respond within one calendar month. We may need to verify your identity before fulfilling a request.

International transfers

Most data is stored in the United Kingdom and the European Union. Some sub-processors (notably Clerk, Resend and AI model providers) process data in the United States. Where this happens we rely on the UK Addendum to the EU Standard Contractual Clauses (SCCs) and equivalent safeguards approved under the UK GDPR.

Cookies

We use cookies to keep you signed in, secure the site and (with your consent) measure how the platform is used. See our cookie policy for the full list and how to manage them.

Children's data

Comxbot is designed for use by FE colleges and similar institutions whose learners may be 16 years of age and above. Where assistants are deployed to under-18 learners, additional safeguards apply: data minimisation by default, no behavioural advertising, no profiling for decisions with legal effects, and age-appropriate language. Where consent is required from a child under 13, we require parental consent in line with UK GDPR Article 8 and the ICO's Age Appropriate Design Code.

Security

We use industry-standard technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+) and at rest, role-based access controls, audit logging, rate limiting, automatic PII redaction in logs, and regular security reviews.

Changes to this policy

We may update this policy from time to time. Material changes will be notified by email or via an in-product notice. The "last updated" date at the top of this page indicates when it was most recently changed.

Contact us

Data Protection Officer: dpo@comxbot.com

Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. ico.org.uk · Helpline: 0303 123 1113.