Privacy Policy

1. Scope of This Policy

1.1 What This Policy Covers

This Privacy Policy applies to personal data that Relaya collects directly from subscribers — individuals or organizations who create a Relaya account, configure a chat space, and use the Relaya admin panel. In this role, Relaya acts as a data controller: we determine why and how subscriber account data is collected and processed.

1.2 What This Policy Does Not Cover

This Privacy Policy does not apply to the personal data of end users — the individuals who participate in chat sessions through a Relaya widget embedded on a subscriber's platform. Relaya processes that data as a data processor on behalf of the subscriber, who is the data controller for their end users' data.

End users who have questions about how their personal data is handled should contact the operator of the chat space (the subscriber), not Relaya. The subscriber's own privacy policy governs their end users' rights. The DPA embedded in Relaya's Terms of Service sets out Relaya's processor obligations in full.

Relaya will assist subscribers in fulfilling data subject requests passed through from their end users. See Section 10.4 below.

2. Data We Collect About Subscribers

2.1 Subscriber Account Data

2.2 What Relaya Does Not Collect From Subscribers

• Payment card numbers or full payment details — all payment processing is handled by Paddle as Merchant of Record
• Phone numbers or physical mailing addresses
• Any data beyond what is necessary to provide the service

2.3 End-User Data Relaya Processes (Processor Disclosure)

Although end-user chat data is not covered by this Privacy Policy (see Section 1.2), we disclose the categories of data Relaya processes on subscribers' behalf for transparency and to support subscriber compliance:

IP address detail: End-user IP addresses are checked at two enforcement points — OTP login and WebSocket connection — against the IP ban list and, where applicable, a local geo-restriction database (MaxMind) to resolve a country code. The IP is not stored per message and is not used to build individual tracking profiles. Country-level geo-restriction checks use the IP to resolve a country code only; that resolution is not persisted.

3. How We Use Subscriber Data

3.1 Purposes and Legal Bases (GDPR)

3.2 How Subscriber Data Is Used

• To provide and operate the Relaya service — authentication, access control, tier enforcement
• To communicate about the account — trial expiry notices, subscription status changes, service announcements
• To enforce the Terms of Service
• To improve the service using de-identified and aggregated usage data

3.3 How Subscriber Data Is Not Used

• Not used to train machine learning or AI models
• Not sold or rented to third parties
• Not used for targeted advertising
• Not shared with third-party analytics vendors — Relaya does not use Google Analytics, Mixpanel, or similar external analytics services. Any internal usage analytics are de-identified and aggregated and do not leave Relaya's infrastructure.

4. Data Retention

4.1 Subscriber Account Data

4.2 End-User Chat Data (Processor Disclosure)

The default message retention period is 180 days, enforced by a nightly automated cleanup process. Messages that have been reported and are pending moderator review are excluded from automatic deletion. On subscriber termination, all subscriber and end-user data is permanently deleted within 30 days.

4.3 Subscriber Responsibility on Termination

After termination, subscriber data is retained for 30 days to allow data export. After that 30-day window, all data — including end-user messages — is permanently deleted. Subscribers are responsible for exporting any data they need before the retention window closes.

5. Data Sharing and Sub-Processors

5.1 Infrastructure Sub-Processors

Relaya uses the following sub-processors to deliver the service. All are disclosed here and in the DPA embedded in the Terms of Service:

5.2 No Advertising or External Analytics

Relaya does not use third-party advertising networks. Relaya does not share subscriber or end-user data with external analytics vendors. Any usage analytics Relaya collects for internal product improvement are de-identified and aggregated and do not leave Relaya's infrastructure.

5.3 Legal Disclosures

Relaya may disclose personal data when required by applicable law, a valid court order, or to protect the rights and safety of Relaya, its subscribers, or the public. Where permitted by law, Relaya will notify affected subscribers of any such disclosure.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of substantially all of Relaya's assets, subscriber data may be transferred to the acquiring party. Affected subscribers will be notified in advance, and the acquiring party will be required to honor equivalent privacy commitments — or subscribers will have the opportunity to terminate their accounts before the transfer takes effect.

6. International Data Transfers

Relaya's infrastructure is located in the United States (Linode/Akamai, Newark region). Subscribers and their end users located in the EU/EEA, United Kingdom, or other jurisdictions with data transfer restrictions should be aware that their data is processed in the United States.

Transfer mechanisms: The Data Processing Agreement embedded in Relaya's Terms of Service constitutes a written processor agreement as required by GDPR Article 28. For EU/EEA data subjects, Relaya relies on Standard Contractual Clauses (SCCs) or other appropriate transfer mechanisms as applicable. For UK data subjects, Relaya relies on the UK GDPR international data transfer framework.

Relaya uses commercially reasonable measures to ensure that any international data transfer is subject to appropriate safeguards consistent with applicable law.

7. Cookies and Session Technology

7.1 What Relaya Uses

7.2 What Relaya Does Not Use

• Advertising cookies or third-party tracking pixels
• Analytics cookies from external vendors (Google Analytics, Mixpanel, or similar)
• Browser fingerprinting technologies

7.3 Third-Party Iframe Context

When the Relaya chat widget is deployed as an embedded iframe on a subscriber's website, the browser may classify Relaya's session cookie as a third-party cookie and prompt the end user to grant storage access (per the browser's Storage Access API). This is a one-time prompt per browser/site combination. Subscribers should disclose this behavior to their end users in their own privacy notices.

8. Security

Relaya uses commercially reasonable technical and organizational measures to protect subscriber and end-user data:

• Encryption in transit: All data transmitted between clients and the Relaya server is encrypted via TLS. Certificates are automatically renewed under *.relaya.chat.
• Session security: Session cookies are configured httpOnly: true, secure: true, sameSite: 'none' — not accessible to JavaScript.
• No passwords stored: Authentication uses one-time codes (OTP). No passwords are stored by Relaya.
• Data isolation: Each subscriber's data is logically isolated by space identifier. No subscriber can access another subscriber's space data.
• Database protection: The PostgreSQL database is not internet-exposed; it runs on a private Docker network accessible only to authorized server processes.
• Encrypted backups: Database backups are encrypted and stored on Backblaze B2 via restic.

Breach notification: In the event of a confirmed personal data breach, Relaya will notify affected subscribers within 72 hours of confirmation, consistent with GDPR Article 33. Subscribers are then responsible for notifying their supervisory authority and affected end users as required by applicable law.

No system is completely secure. Relaya uses commercially reasonable measures but cannot guarantee absolute security against all threats.

9. Your Privacy Rights

9.1 Rights for All Subscribers

All subscribers have the right to:

• Access a copy of the personal data Relaya holds about them
• Correct inaccurate data (such as updating a registered email address)
• Delete their account and associated data (subject to the 30-day post-termination retention window)
• Export their data before account termination

To exercise these rights, contact Relaya at hello@relaya.chat.

9.2 Additional GDPR Rights (EU/EEA/UK Subscribers)

Subscribers in the EU, EEA, and United Kingdom have the following additional rights under the GDPR and UK GDPR:

• Restriction of processing — request that Relaya pause processing while a dispute is resolved
• Object to processing — object to processing based on legitimate interests
• Data portability — receive your data in a structured, machine-readable format
• Withdraw consent — where processing is consent-based (e.g., marketing communications)
• Lodge a complaint with your national supervisory authority (e.g., the ICO in the UK, the CNIL in France)

Response timeframe: Relaya will respond to rights requests within 30 days. For complex requests, Relaya may extend this period by up to 60 additional days with prior notice explaining the reason.

9.3 CCPA Rights (California Residents)

California residents have the right to:

• Know what personal information Relaya has collected, used, or disclosed in the past 12 months
• Request deletion of their personal information (subject to legal retention exceptions)
• Opt out of the sale of personal information — Relaya does not sell personal information
• Non-discrimination for exercising CCPA rights

9.4 End-User Rights (Processor Context)

End users (participants in a Relaya chat space) should direct privacy rights requests — including deletion, access, or correction requests — to the subscriber who operates the chat space, not to Relaya directly. Relaya acts as a data processor for end-user data and will assist subscribers in fulfilling such requests. Subscribers may submit deletion or data access requests on behalf of their end users to hello@relaya.chat. Relaya will respond within 30 days.

10. Children's Data

The Relaya service is not directed to children and may not be used by persons under 13 years of age.

• COPPA (US): Relaya does not knowingly collect personal information from children under 13. If Relaya becomes aware that data from a child under 13 has been collected, it will delete that data promptly.
• GDPR (EU/EEA): The minimum age for processing consent is 16 in most EU member states (or lower where permitted by national law, but no lower than 13). Relaya does not knowingly process data from children below the applicable minimum age.
• Subscriber responsibility: Subscribers are responsible for age compliance on their own platforms. Relaya's Terms of Service prohibits deploying the service for use by children under 13.
• Notification: If a subscriber or any party notifies Relaya that a minor's data has been collected through the service, Relaya will delete that data. Contact hello@relaya.chat.

11. Changes to This Policy

• Material changes: Relaya will provide at least 30 days advance notice by email to registered subscribers before material changes to this Privacy Policy take effect.
• Minor changes: Non-material clarifications may be made without advance notice. The “effective date” at the top of this page will be updated.
• Legal compliance changes: Changes required by applicable law may take effect immediately, with notice provided as soon as practicable.
• Continued use: Continued use of the Relaya service after the notice period for a material change constitutes acceptance of the updated Privacy Policy.

12. Contact

For privacy-related questions, rights requests, or to report a concern about how Relaya handles personal data, contact us at:

JAB Ventures, Inc. d/b/a Relaya
Email: hello@relaya.chat

Relaya will respond to all privacy inquiries within 30 days.