Privacy Policy
Last updated: July 10, 2026
1. Introduction
TideReply ("we", "our", "us") operates an AI-powered customer support chatbot platform. TideReply is operated by Evorbi MB, company code 307850591, VAT LT100020298712, registered at A. Juozapavičiaus pr. 19A-50, LT-45252 Kaunas, Lithuania. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
We are committed to processing personal data lawfully, fairly, and transparently in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable data protection laws.
We act as a data controller for our business customers' account data and as a data processor for the end-user chat data that flows through our platform on behalf of our business customers. Our business customers are the data controllers for their end users' chat interactions.
For privacy-related inquiries, contact us at support@tidereply.com.
2. Data We Collect
Account Data
When you register for TideReply, we collect your email address, business name, and website URL. This information is necessary to create and manage your account.
Knowledge Content
You may provide knowledge content including website pages (via crawling), uploaded files (PDF, DOCX, Excel, CSV), and FAQ entries. This content is processed to power your AI chatbot's responses.
Chat Data
We collect messages exchanged between your website visitors and the AI chatbot (or human agents during live takeover), session identifiers, conversation metadata, and escalation details. This data is stored on a per-business basis with strict tenant isolation.
Usage & Analytics Data
We collect aggregate usage metrics such as message counts, response times, resolution rates, and escalation frequency. These are used to power your analytics dashboard.
Technical Data
When end users interact with the chat widget, we may collect IP addresses, browser type, device information, and referring page URLs for security, fraud prevention, and service improvement purposes.
Cookies
We use an essential authentication session cookie for logged-in business users. On our own website (not the embeddable widget), we use PostHog (EU-hosted) for product analytics, which stores a first-party analytics identifier, and we load advertising measurement tags via Google Tag Manager to measure our marketing campaigns. We also store campaign parameters (such as UTM tags and ad click IDs) in your browser's local storage to attribute sign-ups to campaigns. The embeddable chat widget does not set cookies on the host website.
3. How We Use Your Data
- To power your AI chatbot with accurate, knowledge-grounded responses.
- To provide analytics and insights through your admin dashboard.
- To send escalation notification emails when configured.
- To enable live human takeover of conversations.
- To improve and maintain the security of our service.
- To prevent fraud, abuse, and unauthorized access.
- To comply with legal obligations.
- To provide customer support when you contact us.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your data under the following legal bases:
- Performance of a contract: Processing necessary to provide our service to you, including account management, knowledge processing, and chatbot delivery.
- Legitimate interests: Service improvement, security, fraud prevention, and aggregate analytics, where these interests are not overridden by your data protection rights.
- Consent: Where you have given explicit consent for specific processing activities. You may withdraw consent at any time.
- Legal obligation: Processing necessary to comply with applicable laws and regulations.
5. Data Sharing & Third Parties
We share data only with the third-party subprocessors needed to deliver our service, and we do not sell your data to any third party. The complete, current list - with each provider's purpose, the data it processes, and its processing location - is maintained on our Subprocessors page.
Our subprocessors operate under data processing agreements (DPAs) and are contractually required to protect your data; any exceptions (such as optional, customer-enabled integrations) are noted on the Subprocessors page. Where a subprocessor processes data outside the EEA, the transfer is covered by an appropriate safeguard such as the Standard Contractual Clauses.
6. AI & Content Processing
When you add knowledge to TideReply, your content is split into smaller chunks and converted into mathematical vector embeddings using OpenAI's embedding model. These embeddings enable semantic search - they are numerical representations, not human-readable copies of your content.
When an end user sends a chat message, the message is embedded and matched against your knowledge base to find relevant context. This context, along with recent conversation history, is sent to Anthropic's Claude model to generate a response.
No cross-tenant data leakage: All queries are strictly filtered by your business ID, enforced at both the application layer and the database layer via row-level security (RLS). Your knowledge and conversations are never accessible to other businesses on the platform.
No training of third-party AI models:We do not use your knowledge base, your configuration, or your end users' conversations to train third-party AI models. The AI providers we use (Anthropic and OpenAI) process this data via their APIs under terms that prohibit training their models on API inputs and outputs.
No automated decision-making: The service does not make automated decisions producing legal or similarly significant effects about individuals within the meaning of Article 22 GDPR.
7. E-commerce Platform Integrations
When you connect TideReply to an e-commerce platform such as Shopify, we access your store's catalog data - products, collections, pages, and policies - so the AI can answer customer questions grounded in your own store content.
For order-status lookups, we process the order number and the email address a customer provides in the chat, and verify them against your store before returning any order or fulfillment information. This is used solely to confirm the customer's identity and return the status of their own order; customer names and shipping addresses are not exposed through the chat. We process this store and order data on your behalf as your data processor, subject to the retention and deletion terms in this policy.
8. Data Retention
- Active accounts: Your data is retained for as long as your account remains active and the service is in use.
- Account deletion: When you delete your account, all associated data (knowledge sources, embeddings, conversations, messages) is permanently removed within 30 days.
- Conversations: Conversation data is retained according to your business settings. You may delete individual conversations or all conversation data from your dashboard at any time.
9. Your Rights (GDPR)
If you are located in the EEA, you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate personal data.
- Erasure: Request deletion of your personal data.
- Portability: Request a machine-readable copy of your data.
- Restriction: Request that we limit processing of your data.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time.
- Lodge a complaint:You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, vdai.lrv.lt). You may also complain to the authority in your country of residence.
To exercise any of these rights, contact us at support@tidereply.com. We will respond within 30 days; complex requests may take up to two further months, in which case we will tell you. We may need to verify your identity before acting on a request.
10. Rights of US Residents (CCPA/CPRA and State Laws)
If you are a California resident, you have the right, subject to certain exceptions, to:
- Know what categories of personal information we collect, the sources, the purposes, and the categories of third parties we share it with.
- Access the specific pieces of personal information we hold about you.
- Delete your personal information.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information. We do not sell personal information for money. We may "share" limited identifiers (such as ad click IDs and page views on our own website) with advertising and analytics partners to measure our campaigns; you can opt out by emailing us or by blocking advertising cookies in your browser.
- Limit the use of sensitive personal information. We do not intentionally collect sensitive personal information.
- Non-discrimination for exercising any of these rights.
To exercise these rights, email support@tidereply.com with the subject line "California Privacy Request". We may verify your identity through your account email. Authorized agents must provide signed permission from the consumer. Residents of other US states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, and Texas) may have similar rights and can exercise them the same way.
11. Data Security
We implement industry-standard security measures to protect your data, including:
- TLS encryption for all data in transit.
- Encryption at rest for stored data.
- Row-level security (RLS) for complete tenant isolation at the database level.
- Data processing agreements (DPAs) with all sub-processors.
- Regular security reviews and access controls.
12. International Data Transfers
Our sub-processors may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data in accordance with GDPR requirements.
13. Cookies
We set an authentication session cookie for logged-in business users. This cookie is essential for the service to function.
On our marketing website and dashboard we use PostHog (EU-hosted) for product analytics, which stores a first-party identifier so we can understand product usage across visits. We load advertising measurement tags via Google Tag Manager to measure our marketing campaigns, and we keep campaign attribution parameters (UTM tags, ad click IDs) in your browser's local storage. You can clear this data at any time by clearing site data in your browser, and most browsers let you block third-party tags entirely.
The embeddable chat widget does not set any cookies on the host website. Session identifiers for chat conversations are stored in the widget's iframe context and do not affect the host site's cookie environment.
14. Children's Privacy
TideReply is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the admin dashboard. Your continued use of the service after such notification constitutes acceptance of the updated policy.
16. Contact
If you have any questions about this Privacy Policy or our data practices, contact us at support@tidereply.com.
Evorbi MB · company code 307850591 · VAT LT100020298712 · A. Juozapavičiaus pr. 19A-50, LT-45252 Kaunas, Lithuania
Where we send marketing emails, we do so with your prior consent where required by law, and every marketing email contains an unsubscribe link. Service announcements (security, billing, availability) are sent as part of operating your account.