Privacy Policy

Last updated: March 26, 2026

This Privacy Policy describes how The Brand Arsenal (“Company,” “we,” “us,” or “our”) collects, uses, and shares information in connection with your use of the Apex platform, website (apexchat.io), and related services (collectively, the “Service”). By using the Service, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Account Information

When you register for an account, we collect your name, email address, password (stored in hashed form), and organization/business name. If you connect a payment method, our payment processor (Stripe) collects and processes your billing information — we do not store full credit card numbers on our servers.

1.2 Tenant & Team Data

As a multi-tenant platform, we store data associated with your tenant account including team member profiles, roles, permissions, and account settings. Each tenant’s data is logically isolated from other tenants.

1.3 Conversation & Message Data

We store messages exchanged between your end-customers and your team (or AI) through the Service, including message content, timestamps, sender information, channel source, attachments, and metadata. This data is necessary to provide the core functionality of the Service and is stored within your tenant’s isolated data partition.

1.4 End-Customer (Contact) Data

When your customers interact with the Service through any connected channel, we collect their name (if available), email address, external platform identifiers (e.g., Facebook PSID, Instagram IGID, phone numbers), browser information (for web widget), and conversation history. This data belongs to your tenant and is processed on your behalf.

1.5 Knowledge Base & AI Training Data

Content you upload or import to the knowledge base — including FAQ entries, product Q&A, glossary terms, scraped website content, and uploaded documents — is stored and processed to generate vector embeddings for AI retrieval. This content is used exclusively to power AI responses for your tenant.

1.6 E-Commerce Integration Data

If you connect Shopify, BigCommerce, Magento, or WebShopManager, we access and temporarily cache order data, customer profiles, and product information as needed to provide in-chat customer context. We store OAuth tokens securely; we do not store full order databases.

1.7 Usage & Analytics Data

We automatically collect information about how you use the Service, including pages visited, features used, conversation volumes, AI resolution rates, CSAT scores, and performance metrics. This data is used to improve the Service and provide you with analytics.

1.8 Technical Data

We collect IP addresses, browser type and version, device information, operating system, referral URLs, and access timestamps for security, fraud prevention, and service optimization.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process and route customer conversations across channels
  • Power AI responses using your knowledge base, FAQ, glossary, and conversation context
  • Generate vector embeddings for RAG (Retrieval-Augmented Generation) retrieval
  • Improve AI response quality through your tenant’s feedback loops (customer ratings, agent corrections)
  • Train and customize AI brand voice, tone, and personality for your tenant
  • Process payments and manage billing
  • Send transactional emails (account verification, password resets, billing notices)
  • Provide customer support to you
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

3. AI & Machine Learning

3.1 Per-Tenant AI

The AI features of the Service operate on a per-tenant basis. Your knowledge base content, conversation history, brand voice settings, and feedback are used exclusively to improve AI responses for your tenant. We do not use one tenant’s data to train or improve AI for another tenant.

3.2 Third-Party AI Providers

We use Anthropic’s Claude API to generate AI responses. Customer messages and relevant knowledge base context are sent to Anthropic for processing. Anthropic’s data usage is governed by their own privacy policy and API terms. As of this writing, Anthropic does not use API inputs/outputs for model training.

3.3 Embeddings

Text content is converted to vector embeddings for semantic search. These embeddings are stored in our database and cannot be reverse-engineered into the original text.

4. Data Sharing & Disclosure

We do not sell your personal information. We share data only in these circumstances:

  • Service Providers: We use third-party services to operate the platform (hosting, payment processing, email delivery, AI processing). These providers have access only to the data necessary to perform their functions and are contractually obligated to protect it.
  • Channel Providers: When you connect channels (Facebook, Instagram, WhatsApp, Slack, Telegram, TikTok, SMS via Twilio), messages are transmitted through those platforms pursuant to their own terms and privacy policies.
  • E-Commerce Platforms: When you connect your store, we exchange data with Shopify, BigCommerce, Magento, or WebShopManager as necessary to provide integration features.
  • Legal Requirements: We may disclose information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.

5. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Conversation and message data is retained according to your plan and tenant settings. When you delete your account, we will delete or anonymize your data within 90 days, except where we are required to retain it for legal, regulatory, or legitimate business purposes (e.g., fraud prevention, dispute resolution).

6. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Hashed and salted passwords (bcrypt)
  • Tenant data isolation at the database level
  • Optional two-factor authentication (TOTP)
  • IP allowlisting and domain locking for admin access
  • Security headers (X-Content-Type-Options, X-Frame-Options, CSP, HSTS)
  • Regular security reviews and dependency audits

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your personal data (subject to legal retention requirements)
  • Export your data in a portable format
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent

To exercise these rights, contact us at privacy@apexchat.io. We will respond within 30 days.

8. International Data Transfers

The Service is operated from the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We apply appropriate safeguards to ensure your data is protected in accordance with this policy.

9. Cookies & Tracking

We use cookies and similar technologies for:

  • Essential cookies: Authentication, session management, CSRF protection, 2FA verification
  • Functional cookies: Remembering your preferences and settings
  • Analytics cookies: Understanding how the Service is used (aggregate, non-personally-identifiable)

The embeddable chat widget uses localStorage to maintain visitor sessions. No third-party advertising trackers are used on the Service.

10. Children’s Privacy

The Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

11. California Privacy Rights (CCPA)

If you are a California resident, you have the right to: (a) know what personal information we collect and how it is used; (b) request deletion of your personal information; (c) opt out of the “sale” of personal information (we do not sell personal information); and (d) not be discriminated against for exercising your rights. To make a request, email privacy@apexchat.io.

12. GDPR (European Users)

If you are in the European Economic Area (EEA) or United Kingdom, our legal bases for processing are: (a) performance of a contract (providing the Service); (b) legitimate interests (improving the Service, security, fraud prevention); and (c) consent (where applicable). You have additional rights under GDPR, including the right to lodge a complaint with your local data protection authority.

13. Data Processing Agreement

As a tenant, you are the data controller for your end-customer data, and we act as a data processor on your behalf. If you require a formal Data Processing Agreement (DPA), contact us at legal@apexchat.io.

14. Shopify & GDPR Compliance

For Shopify App Store compliance, we provide mandatory GDPR endpoints for customer data requests, customer data erasure, and shop data erasure. Shopify merchants can submit data requests through their Shopify admin panel.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

The Brand Arsenal
Email: privacy@apexchat.io
Website: apexchat.io