Chobit Privacy Policy
Effective date: 2026-05-26
Last updated: 2026-05-26
This Privacy Policy explains what personal data Chobit collects when you use the service, why we collect it, how long we keep it, and the rights you have over it.
If you use Chobit in local mode (self-hosted on your own hardware), this policy applies only to the cloud-managed services (tailnet control plane, push notifications, email delivery, billing). Your companion's chat, memory, and persona data stay on your machine and are not collected by the operator.
This policy applies to:
- The web application (signup, account, billing, top-ups).
- The mobile companion app on iOS and Android.
- The companion service (both hosted and local modes).
- All cloud-managed services (identity, tailnet, billing, push, email).
0. Our role: data processor
For all tenant data — chat messages, memory, persona, configuration, integration tokens — the user is the data controller and [OPERATOR_NAME] is the data processor. We process your data to run the service for you: receiving it from your devices, dispatching inference, returning results, and storing it on your behalf.
This classification applies in both hosted mode (operator's VPS) and local mode (your own GPU workstation). It is consistent with our Data Processing Addendum with our GPU compute provider (RunPod), which acts as a sub-processor.
The operator acts as a data controller for the following categories:
| Data | Purpose |
|---|---|
| Email address (account data) | Identify your account |
| IP addresses (transient logs) | Abuse prevention, debugging |
| Payment metadata (provider, amount, credits) | Bookkeeping, tax |
| Billing ledger entries | Reconciliation |
| Device public keys (Ed25519, X25519) | Authentication |
| Recovery codes (hashed) | Account recovery |
1. Who we are
The data processor for tenant data and controller for operational data is:
- [OPERATOR_NAME], established in [COUNTRY].
- Privacy contact: [PRIVACY_EMAIL].
For users in the EU/EEA or the UK, you may also contact our representative at the same address. For users in California, see Section 11 for your CCPA/CPRA-specific rights.
2. What data we collect, and why
We try to collect the minimum needed to run the service. The categories below are exhaustive for all modes.
2.1 Account data
| Data | Source | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Email address | You, at signup | Identify your account, send magic-link / one-time codes | Contract (Art. 6(1)(b)) |
| Account ID, deployment mode | Generated server-side | Route requests to your companion | Contract |
| Device public keys (Ed25519, X25519) | Your enrolled device | Per-device authentication and end-to-end encryption | Contract |
| Recovery codes (hashed) | Generated server-side, shown to you once | Account recovery if you lose your phone | Contract |
We do not ask for, store, or process your real name, date of birth, phone number, address, or any government-issued identifier as part of the core service.
2.2 Authentication and session data
| Data | Purpose | Legal basis |
|---|---|---|
| Login codes (short-lived, hashed) | Passwordless login flow | Contract |
| Session tokens | Authorize requests to your companion and your account | Contract |
| Private network access keys | Allow your devices to reach your companion privately | Contract |
| IP address (transient logs only) | Abuse prevention, debugging | Legitimate interests (Art. 6(1)(f)) |
2.3 Companion data (the things you tell your companion)
This is the data the product is built around. It lives on your companion's storage and is the most sensitive category we handle. In hosted mode it resides on the operator's VPS; in local mode it resides on your GPU workstation.
| Data | Purpose | Legal basis |
|---|---|---|
| Chat messages between you and your companion | Provide the conversational service | Contract |
| Long-term memory and notes the companion builds about you | Personalize replies over time | Contract |
| Persona / system prompt / configuration you set | Shape your companion's behavior | Contract |
| Third-party integration tokens you provide (e.g. Discord, Telegram) | Let your companion act on those platforms on your behalf | Contract |
How this data is protected, and what that does and does not mean.
Chat between the app and your companion is encrypted in transit with forward secrecy. Notifications that pass through our infrastructure carry only ciphertext, which we cannot read.
At rest, your companion stores your messages, memory, and configuration in readable form, because it has to read them to work. That storage sits on a volume encrypted with keys unique to your account. This protects your data if hardware is lost, stolen, or improperly accessed. It is not, however, zero-knowledge: we hold the technical ability to read companion data at rest. The service is not designed so that reading it is mathematically impossible for us.
What actually keeps that data private is a strict commitment backed by access controls, not a claim that access is impossible. Operator staff have no standing access to the systems that hold your companion's data. There is no "break-glass" or routine-diagnostics path into it. We will not access it for any reason without your express, case-specific consent (for example, if you ask us to help diagnose a problem with your account). We do not read chat or memory contents, and we never use them for any purpose other than running the service for you.
2.4 Billing data
We do not store your card number, bank details, or cryptocurrency wallet addresses. Payments are processed by external providers:
- A third-party payment processor for card / Apple Pay / Google Pay / SEPA payments. They send us a transaction ID and the settled EUR amount, and they retain payment instrument data themselves.
- A self-hosted crypto-payment server for cryptocurrency payments. It records an invoice ID and the settled EUR amount. Cryptocurrency payments are pseudonymous but recorded permanently on the relevant public blockchain. We do not link on-chain addresses back to your account, but we cannot prevent third parties from analyzing the chain.
What we store about a payment:
| Data | Purpose | Legal basis |
|---|---|---|
| Provider name, provider-side transaction ID | Reconciliation with the provider | Legal obligation (accounting) |
| Gross EUR amount (integer cents) and provider fee | Bookkeeping, tax | Legal obligation |
| Credits issued to your wallet | Run the service | Contract |
| Per-call debit ledger (credits plus the cost we paid the compute provider) | Bill you accurately | Contract |
2.5 Operational telemetry
We collect minimal server-side logs (request paths, status codes, error stack traces, timing). These logs may include IP address and account ID but are scrubbed of chat or memory content. They are retained for 30 days for incident response and then deleted.
We do not use third-party analytics SDKs in the mobile app and we do not place tracking cookies on the web app beyond what is strictly necessary for the session.
3. How your data flows
In hosted mode, every model inference call your companion makes is dispatched to an external GPU compute provider (RunPod). The data sent to that provider consists of the prompt and parameters needed to run that single inference, typically a recent conversation window, your persona text, and any retrieved memory chunks. Outputs are returned and forwarded to you over the tailnet.
In local mode, inference runs entirely on your GPU workstation. No inference data leaves your machine. The operator's cloud only handles email delivery, push notifications, and billing.
We have a data-processing arrangement with the GPU provider obliging them to process the data only to execute the inference and not to retain it beyond what is needed for that purpose. The models themselves are ours. Your conversations are never handed to an outside chatbot or generative service that could change, throttle, or retire your companion.
Other categories of recipient:
- Email provider: receives your email address and one-time codes so it can deliver login emails.
- Push providers (Apple and Google): receive opaque ciphertext push payloads addressed to your device tokens. They do not receive readable chat contents.
- Payment processors: see Section 2.4.
We do not sell, rent, or share personal data with advertisers, data brokers, or marketing platforms.
4. International transfers
Some of our processors (notably the GPU compute provider, the email provider, and the push providers) are located outside the EU/EEA, typically in the United States.
Where data is transferred outside the EU/EEA or the UK, we rely on the European Commission's Standard Contractual Clauses (and, where applicable, the UK Addendum) as the transfer mechanism, and we have performed transfer impact assessments. You can request a copy of the relevant SCC summary from [PRIVACY_EMAIL].
5. How long we keep your data
| Category | Retention |
|---|---|
| Account data, devices, recovery codes | Until you delete your account |
| Chat messages and companion memory | Until you delete them, or until 30 days after account closure, whichever comes first |
| Persona / configuration / integration tokens | Until you remove them, or 30 days after account closure |
| Authentication codes (login OTPs) | Minutes (single-use), then deleted |
| Session tokens | Hours to days, by token expiry |
| Operational logs | 30 days |
| Billing ledger entries and invoices | Retained for the period required by tax/accounting law in [COUNTRY] (typically 5 to 10 years), even after account closure |
When you delete your account, a 30-day grace period applies during which your data is suspended but recoverable on request. After that period the companion's databases and all reconstructable personal data are permanently purged, except for billing records that we are legally required to keep (see above) and minimal records of the deletion itself.
You may delete individual chats, memories, devices, and integration tokens at any time from inside the product. Such deletions are effective immediately and are not subject to the 30-day grace period.
6. AI / model training
We do not use your chat content, memory, persona, integration data, or any other content you provide to the companion to train, fine-tune, evaluate, or otherwise improve any machine-learning model. Not ours, not a third party's. There is no opt-in toggle for this. It is simply not part of the service.
Our GPU compute provider acts as a data processor under a signed Data Processing Addendum and may only process the data we send them for the purposes we instruct, namely executing the inference call. Using that data to train, fine-tune, or evaluate any model is outside the instructed purposes and therefore not permitted.
If we ever wish to change this, for example to invite users to voluntarily contribute conversations to model training, we will do so through an explicit, separately granted opt-in, and we will update this policy.
7. Security
- All transport to public endpoints uses TLS. Internal links between components run over an authenticated private network.
- Chat between your device and your companion is encrypted in transit with forward secrecy, and notifications are encrypted too. At rest, companion data is stored on a volume encrypted with keys unique to your account (see Section 2.3).
- Authentication is passwordless: an email magic-link plus per-device cryptographic keys held in your device's secure enclave. A second enrolled device acts as a 2FA approver.
- Our authentication signing keys are rotated periodically.
- Operator staff have no standing access to the systems holding your companion's data. Access requires your express, case-specific consent and is logged.
No system is perfectly secure. If we become aware of a personal-data breach affecting you, we will notify you and the relevant supervisory authority as required by law.
8. Your rights
Subject to the laws that apply to you, you have the right to:
- Access: get a copy of the personal data we hold about you.
- Rectification: correct inaccurate data.
- Erasure ("right to be forgotten"): request deletion of your data, subject to legal retention obligations.
- Restriction: ask us to limit how we process your data.
- Portability: receive your data in a machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: where processing relies on consent, withdraw it at any time.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email [PRIVACY_EMAIL]. We will respond within 30 days (extendable by up to 60 days for complex requests, as permitted by GDPR Art. 12(3)).
Most of these actions can also be performed directly from inside the product: account deletion, individual chat/memory deletion, integration token removal, and data export are all available from the app's settings.
9. Adults only
The Service is exclusively for adults. You must be at least 18 years old, or older if the age of majority where you live is higher (for example 21 in some jurisdictions). The Service is not directed to minors, and we do not knowingly provide it to them or collect their personal data. If you believe a minor has created an account or given us personal data, contact [PRIVACY_EMAIL] so we can close the account and delete the data.
10. Cookies
The web application uses only strictly necessary cookies and local storage entries needed to keep you logged in and to remember billing-flow state. We do not use advertising, analytics, or cross-site tracking cookies. Because we use no non-essential cookies, no consent banner is shown.
11. California residents (CCPA / CPRA)
If you reside in California, the CCPA/CPRA gives you the following rights in addition to those in Section 8:
- Right to know what categories of personal information we collect, the sources, the business purpose, and the categories of third parties with whom we share it. All of this is described above.
- Right to delete your personal information, subject to legal exceptions (notably accounting records).
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing." We do not sell or share personal information as those terms are defined under CCPA/CPRA, and we have not done so in the preceding 12 months.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes beyond providing the service.
- Right to non-discrimination for exercising your rights.
To exercise these rights, email [PRIVACY_EMAIL]. You may also authorize an agent to make a request on your behalf, and we will ask for proof of authorization.
12. Changes to this policy
We will post any material changes to this policy at this URL and update the "Last updated" date at the top. For substantive changes, we will also notify you by email and inside the app at least 14 days before the changes take effect.
Continued use of the service after a change takes effect constitutes acceptance of the updated policy.
13. Contact
For any privacy question, request, or complaint:
[OPERATOR_NAME]
[COUNTRY]
[PRIVACY_EMAIL]