🔒 Privacy Policy

Controller: Robert Strecher / RSTCode, Hitzendorf, Styria, Austria
Email: kontakt@rstcode.at
Last Updated: March 2024 | Legal basis: GDPR Art. 13/14

    This Privacy Policy applies to the AI Chat Widget by RSTCode and the associated SaaS platform. It applies to business operators who embed the widget, as well as to end users (visitors of customer websites).
  

1. Controller

The controller pursuant to GDPR for the AI Chat Widget is:

Name: Robert Strecher
Company: RSTCode
Address: Hitzendorf, Styria, Austria
Email: kontakt@rstcode.at
Website: https://rstcode.at

Note for business customers: If you embed the widget on your website, you are the controller for the data processing of your visitors. RSTCode acts as data processor. Please enter into a Data Processing Agreement (DPA) with us.

2. What Data Is Processed?

2.1 Chat Metadata

When the widget is used, the following technical metadata is processed and stored on our EU server:

Data Category	Content	Purpose	Storage Location
Session ID	Anonymous, randomly generated identifier (not personally identifiable)	Linking messages within a chat session	EU server (ALL-INKL, Germany)
Timestamp	Date and time of chat request	Statistics, error analysis	EU server (ALL-INKL, Germany)
Client ID	Identifier of the embedding website	Assignment to correct customer account	EU server (ALL-INKL, Germany)

    Important: Chat content (the text of messages) is not stored by RSTCode. It is transmitted exclusively to Anthropic for AI processing (see 2.2) and is not persisted thereafter.
  

2.2 Message Content (Transfer to Anthropic)

The text of chat messages is transmitted to Anthropic PBC, San Francisco, USA for AI-powered responses. Anthropic operates the Claude AI API.

Processing purpose: AI-powered responses to user queries
Legal basis: Art. 6(1)(b) GDPR (performance of contract) or Art. 6(1)(f) GDPR (legitimate interest), along with Art. 46 GDPR (appropriate safeguards for third-country transfers)
Third-country transfer: USA – secured by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
Anthropic Privacy Policy: https://www.anthropic.com/legal/privacy

Note to end users: Please do not transmit sensitive personal data (e.g., passwords, credit card numbers, health information) through the chat widget, as this data is transferred to the USA for AI processing.

2.3 Uploaded Documents

When customers (operators) upload documents to enhance the AI agent's knowledge base, these are stored on our EU server and transmitted to Anthropic for AI processing. This data is subject to the concluded DPA.

2.4 Browser Session (No Tracking)

The widget uses exclusively the browser's sessionStorage for:

The anonymous session ID (for chat continuity within a browser tab)
The conversation history (only in the active tab, deleted when the tab is closed)
The GDPR notice status (whether the user has acknowledged the privacy notice)

No cookies are set, no tracking is performed, and no data is permanently stored in the browser.

3. Legal Bases for Processing

Processing Activity	Legal Basis
Provision of the SaaS platform to customers	Art. 6(1)(b) GDPR (performance of contract)
Chat metadata (statistics, error analysis)	Art. 6(1)(f) GDPR (legitimate interest: system optimization)
Transfer of chat content to Anthropic	Art. 6(1)(b) GDPR (performance of contract) in conjunction with Art. 46 GDPR (SCCs)

4. Data Processors

RSTCode works with the following data processors:

Provider	Function	Location	Privacy Policy
ALL-INKL.COM	Web hosting, data storage	Germany (EU)	all-inkl.com/info/datenschutz
Anthropic PBC	AI processing (Claude API)	USA (third country)	anthropic.com/legal/privacy

The transfer to Anthropic in the USA is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

5. Retention Periods

Chat metadata: Automatically deleted after a maximum of 90 days
Chat content: Not permanently stored by RSTCode; transfer to Anthropic is exclusively for live processing
Customer data (operators): For the duration of the contractual relationship, deleted within 30 days thereafter; statutory retention obligations (e.g., accounting records 7 years) remain unaffected
Browser sessionStorage: Automatically deleted when the browser tab is closed

6. Data Subject Rights

As a data subject, you have the following rights:

Access (Art. 15 GDPR): Information about what data we process about you
Rectification (Art. 16 GDPR): Correction of inaccurate data
Erasure (Art. 17 GDPR): Deletion of your data, unless statutory retention obligations apply
Restriction (Art. 18 GDPR): Restriction of processing your data
Data portability (Art. 20 GDPR): Receipt of your data in machine-readable format
Objection (Art. 21 GDPR): Objection to processing based on legitimate interests

To exercise your rights, please contact: kontakt@rstcode.at

We respond to requests within 30 days.

7. Right to Lodge a Complaint

You have the right to lodge a complaint with the competent data protection authority:

Austrian Data Protection Authority (DSB)
Barichgasse 40-42, 1030 Vienna, Austria
Website: https://dsb.gv.at
Email: dsb@dsb.gv.at

8. Data Security

RSTCode implements appropriate technical and organizational measures (TOMs) to protect your data:

Encrypted data transmission via HTTPS/TLS
Access restrictions to production systems
Regular security updates
Hosting exclusively on certified EU servers
No permanent storage of chat content

9. Changes to This Privacy Policy

RSTCode reserves the right to update this Privacy Policy when legal requirements or the services used change. The current version is always available at rstcode.at/ki-chat/legal/privacy-en.html.