Last Updated: June 18, 2025
Bitte.ai is a conversational AI platform. Bitte.ai is a trademark owned by Mintbase, Inc., a Delaware C Corporation. This Privacy Policy explains how Mintbase ("we", "us" or "our") collects, uses, discloses, and protects personal data when you use the Bitte.ai service (the "Service"), whether directly on bitte.ai or via Bitte.ai chat widgets embedded on client websites. Mintbase is the data controller for Bitte.ai's native (direct) chat service and a data processor for chats embedded on client sites.
Under GDPR, a data controller determines the purposes and means of processing personal data, while a data processor acts only on the controller's instructions. Mintbase (Bitte.ai) is the data controller for any personal data collected through the Bitte.ai platform itself. In contrast, for Bitte.ai chat widgets embedded on a client's website, Mintbase acts as a processor on behalf of the client (the controller). In embedded scenarios, the client (controller) defines why and how the data are processed (including obtaining any necessary consent), whereas Mintbase retains control only over operational aspects (such as how data are stored, for how long, security measures, and engagement of subprocessors). We process embedded chat data only according to the client's documented instructions and the terms of our agreement (as required by GDPR Article 28).
When you interact with Bitte.ai (either natively or via an embedded chat), we collect only the data necessary to provide the service. This includes:
We do not collect any unnecessary personal data. We do not use cookies, tracking pixels, or similar tracking technologies on our platform or in our embedded chat interface. (Our website may use standard cookies, but our chat service does not set any cookies or trackers on users.)
We use the personal data we collect for the following purposes:
For Bitte.ai chats embedded on a client's website, the purpose of the processing is defined by the client (controller). Mintbase (processor) follows the client's instructions regarding processing while maintaining operational control. We do not use embedded chat data for any purpose other than those specified by the client and those listed above.
Where we act as data controller (native chats), our legal bases under Article 6(1) GDPR include:
If we were to rely on consent for any data use, we would obtain explicit consent and allow withdrawal, but Bitte.ai's core service does not require consent-based processing.
Where we act as data processor (embedded chats), the processing is carried out on the instructions of the client-controller under a binding contract. In that scenario, Mintbase's legal basis is our contractual performance and compliance with the client's instructions.
We retain personal data only as long as needed for the purposes above and as permitted by law. By default, chat logs and associated data are retained indefinitely to support product refinement, analytics, and potential compliance needs. However, we recognize the GDPR's "storage limitation" principle: data should not be kept longer than necessary.
Accordingly, for embedded chats, the client may request a shorter retention period in our contract, and we will comply. If a client requests deletion of embedded chat logs (subject to any legal obligations), we will delete or anonymize the data as instructed. For native Bitte.ai usage, if a user requests erasure of their personal data, we will delete it unless we are legally required to retain it. We document retention decisions and justify them based on our purposes.
We implement appropriate technical and organizational security measures to protect personal data, in accordance with GDPR Article 32. This includes encrypting data at rest and in transit, enforcing strict access controls, and regularly reviewing our security practices. We require all personnel and subprocessors to maintain confidentiality and follow security protocols. We also require subprocessors to implement the same safeguards. If a processor subcontractor is used, we select only those that provide sufficient guarantees of security.
We may engage third-party service providers to assist in providing the Service (for example, cloud hosting providers, analytics tools, or AI model services). We do not disclose personal data to any third parties except as described here. When we do engage a subprocessor, we will obtain the client's authorization as required by Article 28, and we will notify clients of any intended changes. Subprocessors will process data only on our behalf and under the same privacy obligations we adhere to.
If we transfer data outside the European Economic Area (EEA) (e.g. to servers in the United States), we will implement appropriate safeguards (such as Standard Contractual Clauses or equivalent measures) to ensure an adequate level of protection, in accordance with GDPR Chapter V.
If you are located in the EU/EEA (or otherwise have GDPR rights), you have certain rights regarding your personal data. These include:
To exercise any of these rights, please contact us as described below. We will respond to legitimate requests without undue delay and within one month (possibly extended by two months if justified), as required by GDPR.
We maintain procedures to detect, investigate, and respond to any personal data breach. In the event of a breach affecting personal data, we will notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it (unless the breach is unlikely to result in a risk to individuals). If the breach is likely to result in a high risk to data subjects, we will also communicate the breach to the affected individuals without undue delay.
If we act as a processor and become aware of a breach, we will inform the client-controller without undue delay so that they can fulfill their notification obligations. We will cooperate fully with authorities and clients in any breach investigation or mitigation.
We have appointed a Data Protection Officer (DPO) to oversee compliance with this Policy and GDPR. Our DPO can be contacted at privacy@bitte.ai. This email also serves as our general privacy contact for inquiries or complaints regarding personal data processing.
Because Mintbase is a non-EU company offering services to EU individuals, we have designated an EU Representative as required by GDPR Article 27. Our EU Representative can be contacted for any GDPR-related matters, and their contact details are available on request.
We may update this Privacy Policy from time to time (for example, to reflect changes in law or our practices). The most current version will always be available at bitte.ai. We encourage you to review this policy periodically.
If you have questions or concerns about this Privacy Policy or our data practices, please contact our DPO at privacy@bitte.ai.