Privacy Policy
Last Updated: April 7, 2026
1. Who We Are
This Privacy Policy explains how TheRackey OÜ (“Chasivo”, “we”, “us”, “our”), a company registered in the Republic of Estonia (registry code: 16903336), collects, uses, stores, and protects personal data in connection with:
- Our marketing website at chasivo.com
- Our application at app.chasivo.com (the “Service”)
Registered Office: TheRackey OÜ, Nelgi 30, 11213 Tallinn, Estonia
Contact:
- General: hey@chasivo.com
- Privacy and data requests: privacy@chasivo.com
- Legal matters: legal@chasivo.com
- Security incidents: security@chasivo.com
We act as a data controller when we process your personal data for our own purposes (account management, billing, analytics, marketing). We act as a data processor when we process data you upload about your customers on your behalf. The distinction matters — see Section 7.
2. What Data We Collect
2.1 Data You Provide Directly
| Data Category | Examples | When Collected |
|---|---|---|
| Account data | Name, email address, business name | Registration, profile settings |
| Billing data | Name, email, billing address, plan selection | Subscription signup (card numbers are handled by Stripe — we never see or store them) |
| Business data | Company name, address, industry, logo, currency preference | Onboarding, settings |
| Contact data | Phone number (optional), additional contact details | Account settings, marketing forms |
| Invoice data | Invoice numbers, amounts, due dates, line items, payment terms, tax details | Invoice creation |
| Customer records | Your customers’ names, email addresses, phone numbers, company names, contact roles, notes | Customer management |
| Payment records | Payment amounts, dates, methods, promise-to-pay commitments | Payment tracking |
| Communication content | Email subject lines, email bodies, attachments, notes | Inbox, email integration |
| Settings and preferences | AI tone preference, chasing mode, email signature, notification preferences | Settings configuration |
2.2 Data We Generate
| Data Category | Description | How Generated |
|---|---|---|
| AI risk scores | Numerical score (0-100) predicting likelihood of late payment per invoice | AI analysis of payment history |
| AI customer profiles | Behavioral analysis including average days late, preferred pay day, warmth score, reliability score | AI analysis of customer payment patterns |
| AI-drafted emails | Follow-up email drafts generated for your review | AI processing of invoice and customer context |
| AI intent classifications | Categorization of inbound messages (payment confirmation, dispute, question, etc.) | AI analysis of message content |
| Analytics and metrics | DSO, ADD, CEI, aging reports, cash flow forecasts | Statistical calculation from your invoice and payment data |
2.3 Data Collected Automatically
| Data Category | Examples | Purpose |
|---|---|---|
| Device and browser data | IP address, browser type, operating system, screen resolution | Security, analytics, debugging |
| Usage data | Pages visited, features used, session duration, timestamps | Product improvement, analytics |
| Geolocation data | Approximate location derived from IP address | Regional compliance, analytics |
2.4 Data from Gmail Integration
When you connect your Gmail account, we access the following via OAuth (you can revoke access at any time from Settings):
| Data | OAuth Scope | Purpose |
|---|---|---|
| Email address | Profile | Account identification |
| Email messages (subject, body, headers, metadata) | gmail.readonly | Syncing customer conversations into your Chasivo inbox |
| Send capability | gmail.send | Sending invoices and follow-up emails from your email address |
| Authentication tokens | OAuth2 | Maintaining the connection securely |
What we store: Email address, authentication tokens (encrypted in Supabase Vault), message metadata, email subject lines, and email bodies for synced conversations relevant to your customers. Email message bodies are encrypted at rest using AES-256 symmetric encryption (pgcrypto). Messages are decrypted only inside the application, for the authenticated owner of the connected mailbox; the sole exception is the audited staff access described below.
What we do NOT do:
- We do not use your email data to serve advertisements
- We do not share your email data with third parties except the service providers listed in Section 5
- We do not allow Chasivo staff to read your emails unless required for security investigation, abuse prevention, or legal compliance. All admin access to user data is recorded in an immutable audit log
- We do not use your email data to train AI models
Disconnecting: When you disconnect your email account, we stop syncing new emails and revoke your OAuth tokens at Google. Previously synced messages remain in your Chasivo inbox (encrypted at rest). To delete synced messages, you may delete your account or contact privacy@chasivo.com.
Google API Compliance: Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
3. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing the Service | Account, invoice, customer, payment, communication data | Performance of contract (Art. 6(1)(b)) |
| AI features (risk scoring, profiling, email drafting, intent classification, dispute resolution) | Invoice data, customer records, payment history, communication content (sanitized — see Section 4) | Performance of contract (Art. 6(1)(b)) — AI features are part of the Service you subscribed to |
| Automated chasing (Autopilot mode) | Invoice data, customer records, AI-generated drafts | Performance of contract (Art. 6(1)(b)) + your explicit configuration enabling Autopilot |
| Billing and subscription management | Billing data, plan selection | Performance of contract (Art. 6(1)(b)) |
| Email integration | Email content, OAuth tokens | Performance of contract (Art. 6(1)(b)) + your explicit authorization via OAuth |
| Security and fraud prevention | IP address, device data, usage patterns | Legitimate interest (Art. 6(1)(f)) — protecting the Service and users |
| Analytics and product improvement | Usage data, aggregated and anonymized feature usage | Legitimate interest (Art. 6(1)(f)) — improving the Service |
| Legal compliance | Billing records, invoice data, account data | Legal obligation (Art. 6(1)(c)) — tax and accounting requirements |
| Marketing communications | Email address, name | Consent (Art. 6(1)(a)) — you can unsubscribe at any time |
| Customer support | Account data, communication content | Performance of contract (Art. 6(1)(b)) |
4. How We Use AI
Chasivo uses artificial intelligence to help you manage accounts receivable. This section explains what AI does, how it works, and your rights.
4.1 AI Features
| Feature | What It Does | AI Model |
|---|---|---|
| Customer profiling | Analyzes payment history to identify patterns (average days late, preferred pay day, warmth score) | Claude Haiku 4.5 (Anthropic) |
| Risk prediction | Scores invoices 0-100 for likelihood of late payment with specific signals and recommended actions | Claude Haiku 4.5 (Anthropic) |
| Email drafting | Generates personalized follow-up email drafts matching your tone and escalation level | Claude Haiku 4.5 (Anthropic) |
| Intent classification | Categorizes inbound messages (payment confirmation, dispute, question, delay notification) | Claude Haiku 4.5 (Anthropic) |
| Dispute resolution | Suggests resolution approaches for payment disputes based on context | Claude Sonnet 4.6 (Anthropic) |
| AI chat assistant | Answers questions about your account data and provides guidance | Gemini 2.5 Flash-Lite (Google) |
4.2 Data Sanitization
Before sending any data to AI models, we strip personally identifiable information using our sanitizeForAI() function. Email addresses, phone numbers, and other PII are removed before processing. AI model outputs are validated using validateAIOutput() before being stored or displayed.
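The paragraph above describes two controls: strip identifiers before text reaches a model, and validate what comes back before it is stored or shown. A regex-only pass catches values with a recognisable shape (email addresses, phone numbers) but not a customer's name inside a free-text note, so the practical pattern is to replace values already known from the customer record first, then run the shape detectors, and keep the placeholder map inside the application. The TypeScript below is an added illustration of that pattern written for this page; it is not Chasivo's sanitizeForAI() or validateAIOutput(), and the function names, placeholder format, detector patterns and sample data are assumptions.

```typescript
// Illustrative "sanitize before the model, validate after" pipeline for an
// accounts-receivable assistant. Added example: NOT Chasivo's
// sanitizeForAI()/validateAIOutput(). Function names, the [KIND_n] placeholder
// format and the detector patterns are assumptions made for this illustration.

export interface Sanitized {
  text: string;              // prompt-safe text with typed placeholders
  map: Map<string, string>;  // placeholder -> original value; never leaves the app
}

export interface Validation {
  ok: boolean;
  problems: string[];
}

// Shape-based detectors. A regex finds formats, not meaning, which is why the
// known-value pass below is needed for names and company names in free text.
const DETECTORS: Array<[string, RegExp]> = [
  ["EMAIL", /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi],
  ["IBAN", /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b/g],
  ["PHONE", /\+\d{1,3}(?:[ .-]?\d){6,12}\b|\b\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}\b/g],
];

const PLACEHOLDER = /\[[A-Z]+_\d+\]/g;

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Pass 1 replaces identifiers known from the customer record (keys are the
// upper-case placeholder kinds), longest value first so "Kask Consulting OÜ" is
// consumed before any shorter overlapping value. Pass 2 runs the shape
// detectors. Repeated values reuse one placeholder so the model can still see
// that two mentions refer to the same entity.
export function sanitizeForModel(text: string, known: Record<string, string> = {}): Sanitized {
  const map = new Map<string, string>();
  const seen = new Map<string, string>();
  const counters: Record<string, number> = {};
  const placeholderFor = (kind: string, value: string): string => {
    const key = kind + "\u0000" + value;
    const existing = seen.get(key);
    if (existing !== undefined) return existing;
    counters[kind] = (counters[kind] ?? 0) + 1;
    const ph = `[${kind}_${counters[kind]}]`;
    seen.set(key, ph);
    map.set(ph, value);
    return ph;
  };

  let out = text;
  const kinds = Object.keys(known)
    .filter((k) => known[k].trim().length > 0)
    .sort((a, b) => known[b].length - known[a].length);
  for (const kind of kinds) {
    const value = known[kind];
    out = out.replace(new RegExp(escapeRegExp(value), "gi"), () => placeholderFor(kind, value));
  }
  for (const [kind, re] of DETECTORS) {
    out = out.replace(re, (m: string) => placeholderFor(kind, m));
  }
  return { text: out, map };
}

// The model's reply is checked before it is stored or shown: no placeholders
// it invented, no raw identifiers it was never given, no links, bounded length.
export function validateModelOutput(output: string, map: Map<string, string>, maxLen = 4000): Validation {
  const problems: string[] = [];
  if (output.length > maxLen) problems.push(`output longer than ${maxLen} characters`);
  for (const ph of output.match(PLACEHOLDER) ?? []) {
    if (!map.has(ph)) problems.push(`unknown placeholder ${ph}`);
  }
  for (const [kind, re] of DETECTORS) {
    const hits = output.match(re);
    if (hits) problems.push(`raw ${kind} value in output (${hits.length})`);
  }
  if (/https?:\/\//i.test(output)) problems.push("output contains a URL");
  return { ok: problems.length === 0, problems };
}

// Only after validation are placeholders swapped back, inside the application.
export function restorePlaceholders(output: string, map: Map<string, string>): string {
  let out = output;
  map.forEach((value, ph) => {
    out = out.split(ph).join(value);
  });
  return out;
}

// Constructed sample note and customer record (not real data).
export const SAMPLE_NOTE =
  "Spoke with Maria Kask (maria.kask@example.com, +372 5123 4567) at Kask Consulting OÜ " +
  "about INV-2026-0042 for 1,250.00 EUR due 2026-04-30. She promised to pay by Friday.";
export const SAMPLE_KNOWN = { CUSTOMER: "Maria Kask", COMPANY: "Kask Consulting OÜ" };

// Stand-alone run: sanitize, stand in for a model reply, validate, restore.
export function demo(): { sanitized: string; validation: Validation; restored: string } {
  const s = sanitizeForModel(SAMPLE_NOTE, SAMPLE_KNOWN);
  const draft = "Hi [CUSTOMER_1], a reminder that INV-2026-0042 (1,250.00 EUR) for [COMPANY_1] is due on 2026-04-30.";
  return { sanitized: s.text, validation: validateModelOutput(draft, s.map), restored: restorePlaceholders(draft, s.map) };
}

console.log(demo());
```

The check a practitioner would add in practice is to review the placeholder map on a sample of real notes: shape detectors produce false positives on invoice numbers or bank references that happen to look like phone numbers, and false negatives on identifiers in unexpected formats, so the map shows exactly what would have left the application and what would not.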
4.3 AI Providers Do Not Train on Your Data
Neither Anthropic nor Google uses your data to train its AI models. This is contractually guaranteed in our agreements with both providers.
4.4 Human Oversight
You control how AI operates on your account:
- Manual mode — no data is sent to AI models and no AI-generated content is produced. You compose all communications yourself; analysis is limited to the statistical metrics described in Section 2.2.
- Copilot mode — AI drafts content; you review and approve before anything is sent.
- Autopilot mode — AI sends follow-up communications automatically based on your configured rules. You accept full responsibility for auto-sent communications.
You can switch modes at any time in Settings.
4.5 AI on the Free Plan
The free plan does not include AI features. No data is sent to AI models on the free plan. AI features require Solo plan or above.
4.6 Limitations
AI-generated content is provided as suggestions only. It may contain errors or inaccuracies. AI outputs are not legal, financial, or medical advice. You are responsible for reviewing and approving all AI-generated content before acting on it.
4.7 EU AI Act Classification
Chasivo’s AI features are classified as limited risk under the EU AI Act (Regulation 2024/1689). We are not a credit scoring service — our risk scores are advisory tools for accounts receivable management, not determinative of any person’s creditworthiness or access to financial services. We comply with the transparency obligations under Article 50 by clearly labeling all AI-generated content within the Service (“AI Draft”, “AI Profile”, “AI Risk Score”, etc.).
5. Service Providers (Subprocessors)
We share personal data with the following service providers, all of whom are contractually bound to process data only on our instructions:
5.1 Infrastructure
| Provider | Location | Purpose | Data Processed | Transfer Mechanism |
|---|---|---|---|---|
| Supabase Inc | United States (AWS us-east-1) | Database hosting, authentication, real-time | All customer data, account data, encrypted OAuth tokens | EU-US Data Privacy Framework |
| Railway Corp | United States | Application hosting | Application data in transit | Standard Contractual Clauses |
| Hostinger | Lithuania / Netherlands (EU) | Website hosting (chasivo.com) | Website visitor data | No transfer required (EU-based) |
5.2 AI Providers
| Provider | Location | Purpose | Data Processed | Transfer Mechanism |
|---|---|---|---|---|
| Anthropic PBC | United States | AI text generation (risk scoring, profiling, email drafting, intent classification, dispute resolution) | Sanitized invoice and customer data (PII removed via sanitizeForAI()) | Standard Contractual Clauses |
| Google LLC | United States | AI chat assistant, Gmail integration, Google Fonts | Chat queries (sanitized), email data (via OAuth), IP address (Fonts) | EU-US Data Privacy Framework |
5.3 Payments
| Provider | Location | Purpose | Data Processed | Transfer Mechanism |
|---|---|---|---|---|
| Stripe Inc | United States | Subscription billing, payment processing | Name, email, billing address, plan selection (Stripe handles card numbers directly — we never see them) | EU-US Data Privacy Framework |
5.4 Communications
| Provider | Location | Purpose | Data Processed | Transfer Mechanism |
|---|---|---|---|---|
| Resend Inc | United States | Transactional email delivery (welcome emails, invoice notifications, password resets) | Email address, name, email content | Standard Contractual Clauses |
5.5 Monitoring
| Provider | Location | Purpose | Data Processed | Transfer Mechanism |
|---|---|---|---|---|
| Sentry (Functional Software Inc) | United States | Error monitoring and performance tracking | IP address, browser data, error stack traces | EU-US Data Privacy Framework |
5.6 Subprocessor Changes
We will notify you at least 30 days before adding a new subprocessor. You may object within that period. If we cannot address your objection, you may terminate your account. Details are in our Data Processing Agreement.
6. Cookies and Tracking
6.1 Marketing Website (chasivo.com)
| Cookie | Category | Purpose | Duration |
|---|---|---|---|
| wordpress_test_cookie | Functional | WordPress login functionality | Session |
| wordpress_logged_in_* | Functional | WordPress authentication | Session |
| wp-settings-* | Functional | WordPress admin preferences | 1 year |
| _lscache_vary | Functional | LiteSpeed Cache | Session |
| _ga | Analytics | Google Analytics — page views, traffic sources | 2 years |
| _ga_* | Analytics | Google Analytics — session tracking | 1 year |
| cmplz_functional | Functional | Complianz — stores your cookie consent choice | 1 year |
| cmplz_statistics | Functional | Complianz — stores your analytics consent choice | 1 year |
| cmplz_marketing | Functional | Complianz — stores your marketing consent choice | 1 year |
Analytics cookies (Google Analytics) are only set after you consent via the cookie banner. You can withdraw consent at any time using the “Manage Consent” option in the cookie banner.
6.2 Application (app.chasivo.com)
| Cookie / Storage | Category | Purpose | Duration |
|---|---|---|---|
| Supabase auth tokens | Essential | Authentication and session management | Session / refresh token duration |
| Local storage preferences | Essential | UI state, sidebar collapse, theme preferences | Persistent |
Application cookies are essential — they are required for the Service to function and do not require consent.
6.3 Managing Cookies
You can control cookies through:
- The Complianz cookie consent banner on chasivo.com
- Your browser settings (instructions: Chrome, Firefox, Safari)
- For US residents: the Opt-out Preferences page
7. Third-Party Data Subjects (Your Customers)
When you use Chasivo, you upload data about your customers (the people you invoice). These individuals are third-party data subjects — they have rights under data protection law even though they are not Chasivo users.
7.1 Roles
- You are the data controller for your customers’ data. You decide what data to upload and how to use the Service.
- Chasivo is the data processor. We process your customers’ data only on your instructions and in accordance with our Data Processing Agreement.
7.2 Your Responsibilities
As the data controller, you are responsible for:
- Having a lawful basis to process your customers’ personal data
- Informing your customers that you use a third-party service (Chasivo) to manage invoices and communications
- Responding to data subject access, deletion, or correction requests from your customers
- Ensuring that automated chasing (Autopilot mode) complies with applicable laws in your jurisdiction
7.3 How We Process Your Customers’ Data
We process your customers’ data to:
- Store and display invoice and payment records
- Send follow-up emails on your behalf (from your email address)
- Generate AI risk scores and customer profiles (data is sanitized before AI processing)
- Track payment promises and communication history
- Generate reports and analytics for your account
We do not:
- Contact your customers directly or independently
- Share your customers’ data with other Chasivo users
- Use your customers’ data for our own marketing
- Make automated decisions that produce legal effects on your customers (risk scores are advisory tools for you, not determinations of your customers’ rights)
7.4 Data Subject Requests
If one of your customers contacts us directly (privacy@chasivo.com) to exercise their data protection rights, we will notify you promptly and assist you in fulfilling the request.
8. International Data Transfers
We are based in Estonia (EU). Some of our service providers are located in the United States. When personal data is transferred outside the EEA, we rely on:
- EU-US Data Privacy Framework — for providers certified under the DPF (Supabase, Stripe, Google, Sentry)
- Standard Contractual Clauses (SCCs) — for providers not certified under the DPF (Anthropic, Resend, Railway)
- UK International Data Transfer Addendum — for transfers from the UK, we use the UK Addendum to the EU SCCs where applicable
Hostinger (our website host) is EU-based and does not require international transfer mechanisms.
9. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account and profile data | Duration of service + 90 days after deletion | Account recovery window |
| Invoice and payment records | 7 years after creation | Legal and tax obligations (Estonian Taxation Act, EU VAT Directive) |
| Email communications (encrypted at rest) | Duration of service + 90 days after deletion | Account recovery window |
| AI-generated content and logs | Duration of service + 90 days after deletion | Account recovery window |
| Billing records | 7 years | Legal and tax obligations |
| Analytics and usage data | 26 months | Product improvement |
| Website cookies (analytics) | Up to 2 years | As specified per cookie |
9.1 Account Deletion
When you delete your account:
- Your data enters a 90-day soft-delete period during which it can be recovered if you change your mind.
- After 90 days, your data is permanently and irreversibly deleted from our systems.
- Exception: invoice and billing records required for legal/tax compliance are retained for 7 years, then deleted.
9.2 Inactive Accounts
Accounts with no login or API activity for more than 24 months may be terminated after notice.
10. Data Security
We implement the following technical and organizational measures:
- Encryption in transit: TLS 1.2+ on all connections
- Encryption at rest: AES-256 encryption for stored data. Email message bodies are additionally encrypted field-by-field using pgcrypto symmetric encryption (AES-256), with the encryption key held separately from the encrypted data
- Multi-tenant isolation: Row-Level Security (RLS) on all database tables — users can only access their own data
- OAuth token security: Encrypted storage in Supabase Vault. Tokens are revoked at the provider (Google) when you disconnect
- Access control: Role-based access, principle of least privilege
- Admin audit logging: All administrative access to user data is recorded in an immutable audit trail, including who accessed what, when, and why
- AI data sanitization: PII stripped before AI processing (sanitizeForAI()), outputs validated (validateAIOutput())
- API security: Rate limiting (Upstash Redis), CORS allowlist, request body size limits, Zod input validation on all API routes
- Security headers: Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Permissions-Policy
- XSS protection: DOMPurify sanitization on user-generated content
- Authentication: Supabase Auth with magic links and Google OAuth
- Monitoring: Sentry error tracking, audit logging for sensitive operations
- RLS testing: Automated cross-tenant security testing
11. Your Rights By Region
11.1 European Economic Area and Switzerland (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data and receive a copy
- Rectify inaccurate or incomplete data
- Erase your personal data (“right to be forgotten”)
- Restrict processing in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time for consent-based processing
- Not be subject to solely automated decision-making that produces legal effects (see Section 4 — our AI features are advisory tools, not automated decisions producing legal effects)
Supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Address: Tatari 39, 10134 Tallinn, Estonia
Website: www.aki.ee
11.2 United Kingdom (UK GDPR)
You have the same rights as listed in Section 11.1 under the UK General Data Protection Regulation.
Supervisory authority: Information Commissioner’s Office (ICO)
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
Website: www.ico.org.uk
11.3 United States
California (CCPA/CPRA): If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Opt out of the sale or sharing of personal information (we do not sell or share personal information)
- Non-discrimination for exercising your privacy rights
We have not sold consumers’ personal information in the preceding 12 months.
Do Not Track: Our website responds to Do Not Track (DNT) browser signals. If you enable DNT, we will not track your browsing behavior on chasivo.com.
To exercise your rights, use our Opt-out Preferences page or contact privacy@chasivo.com.
11.4 Australia (Privacy Act)
Under the Australian Privacy Principles (APPs), you have the right to:
- Access personal information we hold about you (APP 12)
- Correct inaccurate, out-of-date, or incomplete information (APP 13)
- Complain about a breach of the APPs
We take reasonable steps to ensure that personal information disclosed to overseas recipients (Section 5) is protected in accordance with the APPs (APP 8).
Supervisory authority: Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
11.5 Canada (PIPEDA)
Under the Personal Information Protection and Electronic Documents Act, you have the right to:
- Access your personal information
- Correct inaccurate information
- Withdraw consent for non-essential processing
- Challenge compliance with PIPEDA’s ten fair information principles
We will respond to access, correction, and deletion requests within 30 days.
Supervisory authority: Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
11.6 Brazil (LGPD)
Under the Lei Geral de Proteção de Dados, you have the right to:
- Confirm the existence of processing
- Access your data
- Correct incomplete, inaccurate, or outdated data
- Anonymize, block, or delete unnecessary or excessive data
- Data portability
- Delete personal data processed with your consent
- Information about public and private entities with which we share data
- Revoke consent
Supervisory authority: Autoridade Nacional de Proteção de Dados (ANPD)
Address: Esplanada dos Ministérios, Bloco C, Brasília, DF, Brazil
Website: www.gov.br/anpd
11.7 South Africa (POPIA)
Under the Protection of Personal Information Act, you have the right to:
- Access your personal information
- Correct or delete inaccurate, irrelevant, or excessive information
- Object to the processing of your personal information
- Submit a complaint to the Information Regulator
Supervisory authority: Information Regulator South Africa
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: complaints.IR@justice.gov.za
11.8 Other Jurisdictions
If you are located in a jurisdiction not specifically addressed above, we process your data in accordance with the standards described in this Privacy Policy, which are based on the EU General Data Protection Regulation and apply to all users regardless of location.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- We will notify affected users without undue delay if the breach is likely to result in a high risk
- Breach notifications will include: nature of the breach, data affected, likely consequences, and measures taken
Report suspected security incidents to: security@chasivo.com
13. Children
Chasivo is a business-to-business service. It is not designed for or directed at individuals under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, contact privacy@chasivo.com and we will delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will notify you via email or in-app notification at least 30 days before the changes take effect
- We will update the “Last Updated” date at the top of this page
- Your continued use of the Service after the effective date constitutes acceptance
Previous versions of this policy are available upon request.
15. Related Documents
16. Contact and Data Requests
For questions about this Privacy Policy or to exercise your data protection rights:
TheRackey OÜ
Nelgi 30, 11213 Tallinn, Estonia
Registry code: 16903336
Email: privacy@chasivo.com
Website: https://chasivo.com
You may also submit a data request using the form at chasivo.com/privacy to:
- Request access to your processed data
- Request deletion of your data
- Request an export of your data
We will respond to all data requests within 30 days.
This Privacy Policy was last updated on April 7, 2026.