1. Introduction
KDVR GARMS SRL, operating as Relio ("we," "our," or "us"), is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, process, store, share, and protect information when you use the Relio platform ("Service"), visit our website at https://relio.chat, or interact with our embeddable chat widget ("Widget").
This Privacy Policy applies to:
- Customers: Individuals or businesses that create accounts on Relio and use our services to deploy AI chat assistants on their websites.
- End Users (Visitors): Individuals who interact with the Relio chat widget embedded on a Customer's website.
- Website Visitors: Individuals who browse the Relio marketing website at https://relio.chat.
This Privacy Policy should be read alongside our Terms of Service and Cookie Policy. By using our Service, you acknowledge that you have read and understood this Privacy Policy.
2. Who We Are (Data Controller)
The data controller for your personal data is:
- Company: KDVR GARMS SRL
- Address: Marin Constantin 1
- Email: [email protected]
- Website: https://relio.chat
For data protection inquiries, please contact us at [email protected] with "Privacy" in the subject line.
3. Information We Collect
3.1. Information You Provide Directly (Customer Data)
- Account Information: Name, email address, password (hashed), company name, and profile details when you create an account.
- Store Information: Website domain, store platform (Shopify, WooCommerce, etc.), import method selection, and store configuration details.
- Product Data: Product titles, descriptions, images, prices, stock status, categories, attributes, and manufacturer information uploaded or imported to the Platform.
- Knowledge Base Content: URLs, PDF documents, and text content added to the knowledge base to train the AI assistant.
- Chatbot Configuration: Bot name, personality tone, avatar image, greeting messages, color preferences, quick action buttons, and other design settings.
- Billing Information: Payment method details are processed and stored exclusively by Stripe. We only store your Stripe customer ID, subscription ID, and Plan type — we never store credit card numbers, CVVs, or complete payment credentials.
- Communications: Content of emails, support requests, contact form submissions, and any other communications you send to us.
- Team Member Information: Names, email addresses, roles, and access permissions for team members you invite to your account.
3.2. Information Collected Automatically
- Usage Data: Pages visited within the admin dashboard, features used, configuration changes, product imports, and other interactions with the Platform.
- Device & Browser Information: Browser type and version, operating system, screen resolution, device type, and language preferences.
- Log Data: Server logs including IP address, access timestamps, referring URLs, and error logs.
- Session Data: Session identifiers, authentication tokens, and CSRF tokens used for security purposes.
3.3. Conversation Data (End User Interactions)
When End Users interact with the Relio chat widget on a Customer's website, we collect:
- Chat Messages: The full text of messages exchanged between the End User and the AI assistant.
- Visitor Hash: A one-way SHA-256 hash of the End User's IP address and User-Agent string. We never store the original IP address — only the irreversible hash is retained for session identification and analytics.
- Interaction Metadata: Timestamps, products recommended, products clicked, conversation duration, confidence scores, and the number of messages exchanged.
- Lead Information: If the End User voluntarily submits information through a lead capture form (name, email, phone number, order details), this data is collected and stored as part of the lead record.
- Click Data: Product link clicks within the chat widget, including the product clicked, timestamp, and referral information.
- Sales Attribution Data: For Shopify and WooCommerce integrations, purchase data associated with chat interactions for revenue attribution purposes.
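The Visitor Hash described above is a pseudonymisation step, and the following Python example is added here to illustrate it; it is not Relio's code and the policy does not state how Relio constructs the hash beyond "SHA-256 of IP and User-Agent". The plain function reproduces that construction. The keyed variant, with a server-side secret ("pepper") and a daily scope, is an assumption added to show the point a practitioner would check: an unkeyed hash is deterministic, so anyone who already holds a visitor's IP and browser string can recompute it, whereas an HMAC with a secret that never leaves the server cannot be recomputed without that secret. The IP, User-Agent and pepper values are constructed for the example.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample values (documentation IP range, made-up browser string);
# they are not data from any real visitor.
SAMPLE_IP = "203.0.113.42"
SAMPLE_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"

# Assumption: a server-side secret loaded from configuration and never sent to
# the browser. A fixed byte string is used here only so the example runs offline.
EXAMPLE_PEPPER = b"replace-with-a-random-32-byte-secret-from-the-environment"


def plain_visitor_hash(ip: str, user_agent: str) -> str:
    """Unkeyed SHA-256 over IP + User-Agent, the construction the policy names.

    The digest is deterministic: the same IP and User-Agent always give the
    same value, so anyone who knows both inputs can recompute it. It hides the
    raw IP in storage but does not, on its own, stop re-identification by a
    party that already holds the inputs.
    """
    material = f"{ip}|{user_agent}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def keyed_visitor_hash(ip: str, user_agent: str, pepper: bytes, day: str) -> str:
    """HMAC-SHA256 over IP + User-Agent with a secret key and a daily scope (assumption).

    `day` is an ISO date string such as "2024-05-01". Without the pepper the
    value cannot be recomputed from IP + User-Agent alone, and including the
    date gives the same visitor a fresh identifier each day, so records cannot
    be linked across days even by someone holding the pepper and the inputs
    for one day only.
    """
    material = f"{day}|{ip}|{user_agent}".encode("utf-8")
    return hmac.new(pepper, material, hashlib.sha256).hexdigest()


def same_visitor(candidate: str, stored: str) -> bool:
    """Constant-time comparison of two identifiers (avoids a timing side channel)."""
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    today = date.today().isoformat()
    print("plain :", plain_visitor_hash(SAMPLE_IP, SAMPLE_UA))
    print("keyed :", keyed_visitor_hash(SAMPLE_IP, SAMPLE_UA, EXAMPLE_PEPPER, today))
```

Both functions return a 64-character hex digest that can be stored in place of the raw IP address. The keyed form changes when either the pepper or the day changes, which is the property that makes it a short-lived pseudonym rather than a stable fingerprint.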
3.4. Cookies & Local Storage
We use cookies and browser local storage as described in our Cookie Policy. The Widget uses localStorage to persist conversation state across page navigations within the same browsing session.
4. How We Use Your Information
4.1. Service Delivery
- Providing, operating, and maintaining the Relio platform and all its features.
- Processing product data through our semantic AI pipeline (normalization, embedding generation, vector indexing) to enable intelligent product recommendations.
- Generating AI-powered conversational responses using large language models.
- Delivering real-time chat functionality, live chat handoff, and messenger features.
- Processing payments and managing subscriptions through Stripe.
- Authenticating users and managing account access through Auth0.
4.2. Analytics & Insights
- Generating analytics dashboards showing conversations, clicks, conversion rates, revenue attribution, and usage metrics.
- Identifying top recommended products, top clicked products, peak usage hours, and other performance metrics.
- Providing confidence distribution analysis for AI response quality monitoring.
4.3. Service Improvement
- Analyzing anonymized usage patterns to improve platform features and user experience.
- Monitoring AI response quality and safety guardrail effectiveness.
- Debugging errors, diagnosing technical issues, and optimizing performance.
- Developing new features based on aggregated usage insights.
4.4. Communications
- Sending essential service notifications (plan changes, billing alerts, security notices, terms updates).
- Responding to support requests and inquiries.
- Sending lead notifications to Customers when leads are captured through the Widget.
- Sending usage alerts when approaching plan limits.
4.5. Security & Fraud Prevention
- Rate limiting and spam detection to prevent abuse of the chat system.
- Monitoring for unauthorized access, suspicious activity, and security threats.
- Maintaining audit logs for administrative actions.
5. Legal Basis for Processing (GDPR)
For individuals in the European Economic Area (EEA) and other jurisdictions where GDPR applies, we process personal data based on the following legal bases:
- Contract Performance (Article 6(1)(b)): Processing necessary to perform our contract with you (the Terms of Service), including account management, service delivery, billing, and support.
- Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, including service improvement, security, fraud prevention, and analytics — provided these interests are not overridden by your data protection rights.
- Consent (Article 6(1)(a)): Where we rely on your consent for specific processing activities (e.g., optional marketing communications, non-essential cookies), you have the right to withdraw consent at any time.
- Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations, including tax reporting, regulatory requirements, and responding to lawful requests from authorities.
6. Data Sharing & Third-Party Processors
We do not sell your personal data. We share data only with third-party service providers who assist us in operating the Platform, and only to the extent necessary to provide our services:
- OpenAI — Processes chat messages and product data to generate AI responses and vector embeddings. Subject to OpenAI's Terms of Use and data processing policies.
- Stripe — Processes payment transactions, subscription management, and billing. Subject to Stripe's Privacy Policy. Your payment card details are stored exclusively by Stripe.
- Auth0 — Provides authentication and identity management services. Subject to Auth0's Privacy Policy.
- Hetzner — Provides server hosting infrastructure located in Germany/Finland (EU). Subject to Hetzner's data processing agreement.
- Shopify / WooCommerce — When Customers integrate these platforms, product and order data flows between the Customer's store and Relio through their respective APIs.
We may also disclose personal data if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to: (a) comply with legal obligations; (b) protect our rights or property; (c) prevent fraud or other illegal activities; or (d) protect the personal safety of users or the public.
7. International Data Transfers
Our primary servers are located within the European Union (Germany/Finland). However, some of our third-party service providers (including OpenAI and Stripe) may process data in the United States or other countries outside the EEA. When personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Reliance on adequacy decisions where applicable.
- Contractual data processing agreements with all sub-processors.
8. Data Retention
- Account Data: Retained for as long as your account is active, plus 30 days after account deletion to allow for data recovery.
- Product Data: Retained for as long as your account is active. Deleted within 30 days of account termination.
- Conversation Data: Individual conversations expire after 24 hours for active session purposes. Historical conversation records are retained according to your plan and for analytics purposes for the duration of your subscription.
- Lead Data: Retained for the duration of your subscription. You can delete individual leads at any time through the dashboard.
- Billing Records: Retained as required by applicable tax and accounting laws (typically 5-10 years depending on jurisdiction).
- Server Logs: Retained for up to 90 days for security and debugging purposes.
- Visitor Hashes: Retained as part of conversation records. Since hashes are irreversible, they cannot be traced back to individual IP addresses.
9. Data Security
We implement comprehensive security measures to protect personal data:
- TLS encryption for all data in transit.
- Passwords hashed with bcrypt (never stored in plaintext).
- PDO prepared statements for all database operations (SQL injection prevention).
- CORS validation and CSRF protection for all API and admin endpoints.
- Session security with secure cookie attributes.
- Environment variable protection for all secrets and credentials.
- Production error suppression to prevent information leakage.
- Privacy-first visitor tracking using irreversible SHA-256 hashing.
Despite these measures, no method of transmission or storage is 100% secure. If you become aware of any security breach, please contact us immediately at [email protected].
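The list above names PDO prepared statements as the SQL injection control. The following Python example is added here to show what that control does and is not Relio's code; it uses Python's sqlite3 module and an in-memory table because the verifier can run it, but the principle is the same as PHP's PDO `prepare()`/`execute()` with bound parameters. The table, rows and lookup inputs are constructed for the example. The first lookup builds the query by string concatenation, so a value containing a quote changes the query's structure; the second passes the values as bound parameters, so they are treated as data whatever they contain.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed lead records (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE leads (id INTEGER PRIMARY KEY, email TEXT NOT NULL, store_id INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO leads (email, store_id) VALUES (?, ?)",
        [
            ("alice@example.com", 1),
            ("bob@example.com", 1),
            ("carol@example.com", 2),
        ],
    )
    conn.commit()
    return conn


def find_leads_concatenated(conn: sqlite3.Connection, store_id: int, email: str) -> list:
    """Vulnerable form: user input is spliced into the SQL text.

    A value such as  ' OR '1'='1  turns the WHERE clause into
    (store_id = 1 AND email = '') OR '1'='1', which matches every row,
    including leads belonging to other stores.
    """
    sql = f"SELECT email FROM leads WHERE store_id = {store_id} AND email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def find_leads_prepared(conn: sqlite3.Connection, store_id: int, email: str) -> list:
    """Hardened form: the SQL text is fixed and values are bound as parameters.

    The driver sends the query structure and the values separately, so the
    quote characters in a hostile input are compared literally against the
    email column and never alter the query. This is the behaviour PDO
    prepared statements give in PHP.
    """
    sql = "SELECT email FROM leads WHERE store_id = ? AND email = ?"
    return [row[0] for row in conn.execute(sql, (store_id, email))]


if __name__ == "__main__":
    db = build_demo_db()
    hostile = "' OR '1'='1"
    print("concatenated:", find_leads_concatenated(db, 1, hostile))  # leaks all rows
    print("prepared    :", find_leads_prepared(db, 1, hostile))      # no match
    print("prepared ok :", find_leads_prepared(db, 1, "bob@example.com"))
```

Both functions behave identically for ordinary input; they differ only when the input contains SQL syntax, which is exactly the case the control exists for. Bound parameters also handle legitimate apostrophes (for example in an e-mail local part) that would make the concatenated query fail with a syntax error.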
10. Your Rights Under GDPR
If you are located in the EEA or another jurisdiction with applicable data protection laws, you have the following rights:
- Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you.
- Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure (Article 17): You have the right to request deletion of your personal data, subject to certain legal exceptions.
- Right to Restrict Processing (Article 18): You have the right to request restriction of processing in certain circumstances.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: You have the right to file a complaint with a supervisory authority (in Romania: ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal).
To exercise any of these rights, please contact us at [email protected] with "Privacy Request" in the subject line. We will respond to your request within 30 days (or as required by applicable law).
11. End User (Visitor) Privacy
This section specifically addresses the privacy of End Users who interact with the Relio chat widget on Customer websites.
11.1. Data Processing Role
When End Users interact with the Widget, Relio acts as a Data Processor on behalf of the Customer (who is the Data Controller). The Customer is responsible for ensuring compliance with applicable privacy laws regarding their End Users, including obtaining any necessary consents and providing appropriate privacy disclosures.
11.2. What We Collect from End Users
- Chat messages and conversation history (retained for the conversation session, up to 24 hours).
- A one-way hash of IP + User-Agent (never the raw IP address).
- Voluntarily submitted lead information (name, email, phone) if the End User fills out a lead form.
- Click data on product recommendations.
- Browser localStorage data for session persistence (stays on the End User's device).
11.3. What We Do NOT Collect from End Users
- We do NOT store raw IP addresses.
- We do NOT use advertising cookies or tracking pixels in the Widget.
- We do NOT build cross-site profiles of End Users.
- We do NOT sell End User data to third parties.
- We do NOT use End User conversation data for AI model training purposes. Conversations are processed by AI models in real-time but are not used to train or fine-tune the models.
11.4. Customer Responsibility
Customers who deploy the Relio Widget are responsible for:
- Including the Widget's data processing in their own website privacy policy.
- Obtaining any legally required consent from End Users before collecting personal data through the Widget (including lead capture forms).
- Configuring the Widget's Terms & Conditions checkbox feature (available in the Features settings) if required by applicable law.
- Responding to End User data access, deletion, or rectification requests related to data collected through the Widget.
12. AI & Automated Decision-Making
The Platform uses artificial intelligence and automated processing to:
- Generate conversational responses to End User queries.
- Classify user intent (chat, search, lead capture).
- Perform semantic search to find relevant products.
- Apply Owner Bias weighting to product recommendations.
- Detect spam and enforce rate limits.
- Generate content through the Content Studio.
These automated processes do not produce decisions with significant legal or similarly significant effects on individuals. Product recommendations are informational in nature and do not constitute binding offers, medical advice, or professional guidance. Under Article 22 of the GDPR, you have the right not to be subject to decisions based solely on automated processing that produce legal effects concerning you. If you believe any automated decision has significantly affected you, please contact us at [email protected].
13. Cookies & Tracking Technologies
We use cookies and similar technologies as follows:
- Essential Cookies: Required for authentication, session management, and CSRF protection in the admin dashboard. These cannot be disabled.
- Widget localStorage: The chat widget uses browser localStorage to persist conversation state. This data remains on the End User's device and is not transmitted to our servers except as part of normal chat API requests.
- Analytics: We may use analytics tools to understand how visitors interact with our marketing website.
For detailed information about the cookies we use, please see our Cookie Policy.
14. Children's Privacy
The Relio platform is designed for business use and is not directed at individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, please contact us immediately at [email protected], and we will take steps to delete such data promptly.
Customers are responsible for ensuring that their deployment of the Widget complies with applicable child protection laws, including COPPA (Children's Online Privacy Protection Act) if operating in the United States.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or service offerings. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- We will notify Customers via email to the address associated with their Account.
- For significant changes affecting End User data processing, we will provide at least 30 days' notice before the changes take effect.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
16. Contact & Data Protection
For any privacy-related questions, data protection requests, or concerns, please contact us at:
For data protection complaints, you may also contact the Romanian Data Protection Authority (ANSPDCP) at www.dataprotection.ro.