1. Introduction
Gehtsoft USA LLC ("Gehtsoft," "we," "us") operates the Form Assistant service. This Privacy Policy describes how we collect, use, store, and protect personal data when you use our Service, including the embeddable chat widget, API, organizer dashboard, and participant interfaces.
2. Data We Collect
2.1 Chat Widget Users (Form Assistance)
When you use the Form Assistant chat widget on a client's website, we collect:
| Data | Purpose | Storage Duration |
|---|---|---|
| Your chat messages (questions you type) | To generate AI responses | Per tenant retention policy (default: indefinite) |
| AI responses to your messages | Conversation history | Same as above |
| Field label you selected on the form | To provide field-specific guidance | Same as above |
| Field value you entered in the form | Context-aware AI guidance | Not stored. Used transiently for the current request only. |
| Session identifier (random UUID) | Conversation continuity | Stored in browser localStorage until cleared. On server per retention policy. |
| IP address | Rate limiting and abuse prevention | In-memory only (24-hour TTL). Not permanently stored for widget users. |
Important: If you type personal information (such as your name, SSN, or address) directly into a chat message, that information will be stored as part of the chat transcript. We recommend asking general questions rather than including personal data in your messages.
2.2 Webinar/Meeting Participants
| Data | Purpose | Storage Duration |
|---|---|---|
| Email address | Identity verification | Until deletion/anonymization request |
| Chat messages | Webinar interaction | Per meeting history setting |
| Display name | Chat identification | Same as above |
| Consent timestamp | GDPR compliance | Indefinite (legal requirement) |
2.3 Organizer and Admin Accounts
| Data | Purpose | Storage Duration |
|---|---|---|
| Username, email, display name | Authentication and profile | Until account deletion |
| Password | Authentication (stored as BCrypt hash) | Until account deletion |
| IP address | Audit trail for security | Indefinite |
2.4 Data We Do NOT Collect
- Browser fingerprints or device identifiers
- Location data (beyond IP-derived)
- Cookies for tracking or advertising
- No analytics, advertising, or tracking SDKs are used
3. How We Use Your Data
We use collected data for:
- Providing the Service — Processing chat questions, generating AI responses, maintaining conversation context
- Security — Rate limiting, abuse prevention, authentication, audit logging
- Service Improvement — Aggregate usage statistics (token consumption, request counts) per tenant
- Communication — Email verification and webinar notifications
- Legal Compliance — GDPR consent tracking, audit trail, data export/deletion
We do not use your data for advertising, marketing profiling, selling to third parties, or training AI models.
4. Third-Party Data Sharing
4.1 OpenAI (AI Processing)
To generate AI responses, we send your chat question, the form field name and current field value, conversation history, and system prompt to OpenAI's API. OpenAI processes this data under their API data usage policy. As of the effective date, OpenAI does not use API data to train their models.
4.2 Google Fonts (Landing Page Only)
Our landing page loads fonts from Google Fonts CDN. This is a standard font delivery service and does not involve sharing user data with Google.
4.3 No Other Third Parties
We do not share data with advertising networks, data brokers, analytics providers, social media platforms, or any other third parties.
5. Cookies and Local Storage
| Type | Name | Purpose | Duration |
|---|---|---|---|
| localStorage | chat-session-id |
Chat session continuity | Until browser data cleared |
| localStorage | demo-consent-accepted |
Remember consent for demo | Until browser data cleared |
| HttpOnly Cookie | admin_refresh_token |
Organizer authentication | 7 days |
| HttpOnly Cookie | participant_refresh_token |
Participant authentication | 7 days |
We do not use tracking cookies, advertising cookies, or any third-party cookies.
6. Data Security
We implement the following security measures:
- Encryption in transit — All communications use HTTPS/TLS
- Password hashing — BCrypt with salt
- API key authentication — Per-tenant data isolation
- Input sanitization — Protection against injection attacks
- Rate limiting — Per-IP and per-session limits
- HttpOnly/Secure cookies — Prevent XSS cookie theft
- Audit logging — All security-relevant actions recorded
7. Data Retention and Deletion
- Chat transcripts: Retained per tenant configuration. Automatic cleanup available (configurable retention period, default 180 days when enabled).
- Meeting data: Per-meeting history lifetime setting plus global retention policy.
- User accounts: Retained until deletion request.
- Audit logs: Retained indefinitely for security and compliance.
8. Your Rights (GDPR and Applicable Law)
If you are located in the European Economic Area, United Kingdom, or a jurisdiction with similar data protection laws, you have the right to:
- Access — Request a copy of your personal data
- Rectification — Request correction of inaccurate data
- Erasure — Request deletion of your personal data ("right to be forgotten")
- Data Portability — Receive your data in a structured, machine-readable format
- Restriction — Request restriction of processing
- Objection — Object to processing of your personal data
- Withdraw Consent — Withdraw consent at any time without affecting prior processing
For organizers/admins: Use the data management features in your account settings (self-service data export and account deletion).
For webinar participants: Contact the webinar organizer or email us at the address below.
For chat widget users: Chat transcripts are associated with a random session ID, not your identity. To delete your chat history, contact the website operator or email us with your session ID.
9. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.
10. International Data Transfers
The Service is operated from the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place for such transfers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Policy Version" and "Last Updated" date at the top of this document will be updated. Material changes will be communicated through the Service or via email to registered users.
12. Contact
For privacy-related inquiries, data access requests, or complaints:
Gehtsoft USA LLC
Email: contact@gehtsoftusa.com