Privacy Policy

Last Updated: October 27, 2025
Effective Date: October 28, 2025
Version: 1.0.0


1. Introduction

Welcome to Sapat.chat (“we,” “us,” “our,” or “Company”). We are committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our live chat, ticketing, and helpdesk services (collectively, the “Services”).

This policy complies with the General Data Protection Regulation (GDPR), EU Regulation 2016/679, and other applicable data protection laws.

By using our Services, you acknowledge that you have read and understood this Privacy Policy.


2. Data Controller Information

Company Name: Sapat.chat
Legal Entity: Nikola Stojkovic PR Borca
Registration Number: 66221679
Address: Prelivacka 50, 11211 Beograd, Srbija
Email: privacy@sapat.chat
Website: https://sapat.chat

Contact Person:
Nikola Stojkovic
Email: privacy@sapat.chat

If you have any questions about how we handle your personal data, please contact us at the email address above.


3. What Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Information You Provide Directly

Account Information:

  • Name (first name, last name or display name)
  • Email address
  • Password (encrypted and hashed)
  • Profile photo/avatar (optional)
  • Job title or role (optional)

Chat and Support Data:

  • Chat messages and conversation history
  • Support ticket content and descriptions
  • File attachments (images, documents, screenshots)
  • Email correspondence related to support requests
  • Feedback, ratings, and reviews
  • Survey responses

Billing Information (processed via DodoPayments, not stored with us):

  • Billing name and address
  • Payment method information (handled securely by DodoPayments as Merchant of Record)
  • Transaction history and invoices
  • Subscription details

3.2 Information We Collect Automatically

Technical Data:

  • Referral source and URL
  • Pages visited and navigation patterns (via Plausible.io - anonymized, no personal data)
  • Device type, browser, and operating system (from User-Agent string)

Usage Data:

  • Login and logout times
  • Features used and frequency
  • Chat session durations
  • Response times and metrics
  • Error logs and diagnostic data
  • Performance data

Location Data:

  • General geographic location (country, region, city) derived from IP address
  • IP addresses are processed by Plausible.io for location detection and immediately discarded (not stored)
  • See: https://plausible.io/data-policy

3.3 Information from Third Parties

Single Sign-On (SSO) Providers:
If you authenticate using Google, Microsoft, or other SSO providers, we receive:

  • Profile information (name, email, profile photo)
  • Account verification status
  • OAuth tokens (for authentication purposes only)

Payment Processor (DodoPayments):

  • Transaction confirmation
  • Payment status
  • Subscription information
  • Refund and chargeback notifications

4. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

4.1 Contract Performance (Article 6(1)(b))

  • Creating and managing your account
  • Providing live chat, ticketing, and helpdesk services
  • Processing payments and billing
  • Delivering customer support

4.2 Legitimate Interests (Article 6(1)(f))

  • Improving our Services and user experience
  • Analytics and performance monitoring
  • Fraud prevention and security
  • Internal research and development
  • Marketing communications (with opt-out option)

4.3 Legal Obligations (Article 6(1)(c))

  • Complying with tax and accounting requirements
  • Responding to lawful requests from authorities
  • Maintaining records for regulatory compliance
  • Preventing illegal activities

4.4 Consent (Article 6(1)(a))

  • Optional features like location services
  • Marketing cookies and analytics
  • Sharing data with third-party integrations you enable
  • Processing sensitive data (if applicable)

You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.


5. How We Use Your Personal Data

We use your personal data for the following purposes:

5.1 Service Delivery

  • Create and manage your user account
  • Authenticate and authorize access to Services
  • Facilitate live chat conversations between customers and support agents
  • Create, manage, and resolve support tickets
  • Store conversation history for continuity
  • Process file attachments and shared content
  • Send transactional emails (ticket updates, password resets, receipts)

5.2 Payment Processing

  • Process subscription payments via DodoPayments (our Merchant of Record)
  • Generate invoices and receipts
  • Handle refunds and disputes
  • Manage subscription renewals and cancellations
  • Comply with tax regulations (VAT, GST, sales tax)

5.3 Service Improvement

  • Monitor service performance and uptime
  • Analyze usage patterns to improve features
  • Conduct A/B testing for optimization
  • Develop new features based on user needs
  • Fix bugs and resolve technical issues

5.4 Communications

  • Send service announcements and updates
  • Notify you about policy changes
  • Respond to your inquiries and support requests
  • Send marketing emails (with opt-out option)
  • Request feedback and conduct surveys

5.5 Security and Fraud Prevention

  • Detect and prevent fraudulent activities
  • Protect against unauthorized access
  • Monitor for security threats and vulnerabilities
  • Investigate suspicious behavior
  • Enforce our Terms of Service
  • Comply with legal obligations and court orders
  • Respond to lawful requests from authorities
  • Protect our legal rights and interests
  • Resolve disputes and enforce agreements
  • Maintain audit trails and records

6. Data Sharing and Disclosure

We share your personal data only in the following circumstances:

6.1 Service Providers (Data Processors)

We work with trusted third-party service providers who process data on our behalf:

Infrastructure and Hosting:

  • Cloud hosting providers (e.g., AWS, Google Cloud, DigitalOcean)
  • Database services
  • Content delivery networks (CDNs)
  • Backup and disaster recovery services

Payment Processing:

  • DodoPayments (our Merchant of Record; see Section 16)

Communication Services:

  • Email delivery services (e.g., SendGrid, AWS SES, etc.)
  • SMS providers (for two-factor authentication, e.g., Twilio or similar)
  • Push notification services

Analytics and Monitoring:

  • Plausible.io (privacy-first, cookie-free analytics - anonymized data only)
  • Error tracking services (e.g., Sentry)
  • Performance monitoring tools

Authentication:

  • OAuth providers (Google, Microsoft, etc.)
  • Single Sign-On (SSO) services

All service providers are bound by data processing agreements (DPAs) and are required to:

  • Process data only according to our instructions
  • Implement appropriate security measures
  • Not use data for their own purposes
  • Comply with GDPR and applicable data protection laws

6.2 Business Transfers

If we are involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.

6.3 Legal Requirements

We may disclose your personal data if required to do so by law or in response to:

  • Court orders or legal processes
  • Lawful requests from government authorities
  • Protection of our legal rights and property
  • Investigation of fraud or security issues
  • Prevention of harm to individuals
  • Compliance with applicable laws and regulations

6.4 With Your Consent

We may share your data with third parties when you explicitly consent, such as:

  • Integration with third-party tools you enable (CRM, project management, etc.)
  • Sharing data with your organization’s administrators
  • Public forums or community features (if applicable)

6.5 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you personally for:

  • Industry research and reports
  • Marketing and promotional purposes
  • Service benchmarking
  • Product development insights

7. International Data Transfers (GDPR Chapter V)

Our Services are hosted and operated globally. Your personal data may be transferred to, stored, and processed in countries outside the European Economic Area (EEA), including the United States.

Data Transfer Safeguards:

When we transfer data internationally, we ensure appropriate safeguards are in place:

  1. Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with service providers in countries without adequacy decisions.

  2. Adequacy Decisions: We transfer data to countries recognized by the European Commission as providing adequate data protection (e.g., UK, Switzerland, Canada, Japan).

  3. DodoPayments (US): As our payment processor, DodoPayments operates under US law. By using our Services, you consent to this international transfer for payment processing purposes.

  4. Additional Safeguards: Our service providers implement technical and organizational measures including encryption, access controls, and regular security audits.

Your Rights: You have the right to obtain information about the safeguards we use for international transfers by contacting us at privacy@sapat.chat.


8. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

8.1 Retention Periods

Account Data:

  • Active accounts: Retained while your account is active
  • Deleted accounts: Retained for 30 days (to allow account recovery), then permanently deleted
  • Some data may be retained longer for legal, accounting, or compliance purposes

Chat and Ticket Data:

  • Active conversations: Retained indefinitely while account is active
  • Closed tickets: Retained for 3 years for customer service and quality purposes
  • After account deletion: Anonymized and retained for analytics (no personally identifiable information)

Billing and Transaction Data:

  • Retained for 7 years to comply with tax and accounting regulations
  • Required by law for audit and dispute resolution purposes

Logs and Technical Data:

  • Security logs: Retained for 1 year
  • Error logs: Retained for 90 days
  • Analytics data (Plausible.io): Aggregated and anonymized data retained indefinitely (contains no personal data)
  • See Plausible.io data retention: https://plausible.io/data-policy

Policy Acceptance Records:

  • Retained indefinitely for legal compliance and proof of consent (GDPR Article 7)
  • Includes timestamps, IP addresses, and version accepted

8.2 Deletion Requests

When you request deletion of your data (right to erasure), we will:

  1. Delete or anonymize your data within 30 days
  2. Notify you when deletion is complete
  3. Retain only what is legally required (e.g., transaction records for tax purposes)

9. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

9.1 Right to Access (Article 15)

  • Request a copy of your personal data
  • Receive information about how we process your data
  • How to exercise: Contact privacy@sapat.chat or use the “Export Data” feature in your account settings

9.2 Right to Rectification (Article 16)

  • Correct inaccurate or incomplete personal data
  • How to exercise: Update your profile directly or contact privacy@sapat.chat

9.3 Right to Erasure / “Right to be Forgotten” (Article 17)

  • Request deletion of your personal data
  • Applies when data is no longer necessary, consent is withdrawn, or processing is unlawful
  • Exceptions: We may retain data if required by law or for legal claims
  • How to exercise: Use the “Delete Account” feature or contact privacy@sapat.chat

9.4 Right to Restriction of Processing (Article 18)

  • Request that we limit how we use your data
  • Applies during disputes about accuracy or lawfulness of processing
  • How to exercise: Contact privacy@sapat.chat

9.5 Right to Data Portability (Article 20)

  • Receive your data in a structured, machine-readable format (JSON, CSV)
  • Transfer your data to another service provider
  • How to exercise: Use the “Export Data” feature or contact privacy@sapat.chat

9.6 Right to Object (Article 21)

  • Object to processing based on legitimate interests
  • Object to direct marketing (including profiling)
  • How to exercise: Click “Unsubscribe” in emails or contact privacy@sapat.chat

9.7 Rights Related to Automated Decision-Making (Article 22)

  • We do not make automated decisions with legal or similarly significant effects
  • If this changes, we will update this policy and seek your consent

9.8 Right to Withdraw Consent (Article 7(3))

  • Withdraw consent for processing at any time
  • Does not affect lawfulness of processing before withdrawal
  • How to exercise: Contact privacy@sapat.chat or adjust settings in your account

9.9 Right to Lodge a Complaint

Response Time: We will respond to your requests within 30 days. If we need more time, we will inform you and explain the reason for the delay.

Verification: To protect your privacy, we may verify your identity before processing your request.

No Fee: Exercising your rights is free. However, we may charge a reasonable fee for manifestly unfounded or excessive requests.


10. Cookies and Tracking Technologies

We use minimal cookies and tracking technologies, focused on essential functionality and privacy-respecting analytics.

10.1 Types of Cookies We Use

Essential Cookies (Always Active):

  • Authentication and session management
  • Security and fraud prevention
  • Load balancing and performance
  • CSRF token protection

These cookies are strictly necessary for the Services to function and cannot be disabled.

10.2 Analytics

We use Plausible.io, a privacy-first, cookie-free analytics service that:

  • Does not use cookies or track you across websites
  • Does not collect any personal data
  • Does not store IP addresses
  • Is GDPR, CCPA, and PECR compliant
  • Does not require a cookie consent banner under GDPR

What Plausible.io collects:

  • Page views and navigation patterns (anonymized)
  • Referral sources
  • General location (country, region, city) from IP address - immediately discarded after processing
  • Device type, browser, and operating system (from User-Agent string)

All data is aggregated and anonymized. No personal information or unique identifiers are collected.

Learn more: https://plausible.io/data-policy

10.3 What We Don’t Use

We do NOT use:

  • Marketing cookies
  • Advertising cookies
  • Social media tracking cookies
  • Third-party advertising networks
  • Google Analytics or similar tracking tools
  • Cross-site tracking or fingerprinting

10.4 Managing Cookies and Analytics

Essential Cookies:
You can control essential cookies through your browser settings, but disabling them will prevent you from using our Services (you won’t be able to log in or maintain your session).

Plausible.io Analytics:
Since Plausible.io doesn’t use cookies or collect personal data, there is nothing to opt out of. However, if you wish to block analytics entirely, you can:

  1. Use browser extensions like uBlock Origin
  2. Enable Do Not Track (DNT) in your browser - we respect DNT signals
  3. Block the Plausible.io script domain in your browser

10.5 Third-Party Cookies

The only third-party cookies you might encounter are from:

  • DodoPayments: When processing payments on their checkout pages (governed by their privacy policy)
  • SSO Providers: When using Google/Microsoft login (governed by their privacy policies)

These cookies are set by the third-party services themselves, not by us.

10.6 Do Not Track (DNT)

We respect Do Not Track signals. If your browser has DNT enabled, we will not load Plausible.io analytics.


11. Data Security

We implement industry-standard security measures to protect your personal data:

11.1 Technical Safeguards

  • Encryption: All data in transit is encrypted using TLS 1.3
  • Data at Rest: Database encryption using AES-256
  • Password Security: Passwords are hashed using bcrypt with salt
  • Access Controls: Role-based access control (RBAC) and principle of least privilege
  • Multi-Factor Authentication (MFA): Available for all accounts
  • Firewall Protection: Web application firewall (WAF) and DDoS protection

11.2 Organizational Safeguards

  • Regular security audits and penetration testing
  • Employee training on data protection and security
  • Background checks for employees with data access
  • Data processing agreements with all service providers
  • Incident response plan and breach notification procedures
  • Regular backups with encryption

11.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  1. Notify the relevant supervisory authority within 72 hours (as required by GDPR Article 33)
  2. Notify affected users without undue delay (as required by GDPR Article 34)
  3. Provide information about the breach, its consequences, and measures taken
  4. Offer guidance on protective actions you can take

However, no security system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.


12. Children’s Privacy

Our Services are not intended for children under the age of 16 (or the minimum age required by law in your jurisdiction).

We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@sapat.chat. We will delete such data promptly.

If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information as quickly as possible.


13. Third-Party Links and Integrations

Our Services may contain links to third-party websites, applications, or services not operated by us (e.g., knowledge base articles, help documentation, integrations).

We are not responsible for the privacy practices of third parties. When you click on third-party links or use third-party integrations, you are subject to their privacy policies, not ours.

We encourage you to review the privacy policies of any third-party services you use.

Third-Party Integrations:
If you connect third-party tools (e.g., Slack, Zapier, Salesforce) to our Services, data sharing will be governed by:

  1. This Privacy Policy
  2. The third party’s privacy policy
  3. Your integration settings and permissions

14. Marketing Communications

We may send you marketing emails about new features, promotions, surveys, and other news about our Services.

You have the right to opt out of marketing communications at any time:

  1. Click “Unsubscribe” at the bottom of any marketing email
  2. Adjust preferences in your account settings
  3. Contact us at privacy@sapat.chat

Transactional Emails:
Even if you opt out of marketing, you will still receive transactional emails necessary for the Services, such as:

  • Account verification and password resets
  • Ticket updates and chat notifications
  • Billing and payment confirmations
  • Important service announcements
  • Policy updates

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

How we notify you of changes:

  1. Email Notification: We will email you at least 30 days before significant changes take effect
  2. In-App Notification: You will see a notice when you log in
  3. Acceptance Modal: If required by law or significant changes, we will ask you to accept the new policy
  4. This Page: The “Last Updated” date at the top will change

Material Changes: If changes materially affect your rights, we will:

  • Provide clear notice of the changes
  • Give you the opportunity to review the new policy
  • Obtain your consent if required by law

Continued Use: By continuing to use our Services after the effective date of the updated policy, you accept the changes. If you do not agree, you must stop using the Services and may request account deletion.


16. Payment Processing by DodoPayments

Important: All payment processing is handled by DodoPayments Inc. as the Merchant of Record (MoR).

What this means:

  • DodoPayments is the official reseller of our Services
  • When you make a purchase, you are buying from DodoPayments, but the service is provided by us
  • DodoPayments handles all payment processing, tax compliance, and chargebacks
  • Your payment data (credit card, billing address) is collected and stored by DodoPayments, not by us

Data Sharing with DodoPayments:
We share the following data with DodoPayments for payment processing:

  • Your name and email address
  • Subscription plan and pricing
  • Transaction details
  • Billing address (for tax purposes)

DodoPayments’ Responsibilities:

  • Payment card data security (PCI DSS compliant)
  • Tax calculation and compliance (VAT, GST, sales tax)
  • Invoice generation
  • Refund processing
  • Fraud prevention

For payment-related privacy concerns:

Chargebacks and Disputes:
If you wish to dispute a charge, please contact us first at billing@sapat.chat before initiating a chargeback with your bank. Unauthorized chargebacks may result in service suspension per DodoPayments’ policies.


17. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  1. Right to Know: Request information about personal data collected, used, disclosed, or sold
  2. Right to Delete: Request deletion of personal data (with exceptions)
  3. Right to Opt-Out: Opt out of the “sale” of personal data (we do not sell data)
  4. Right to Non-Discrimination: We will not discriminate against you for exercising your rights

How to exercise your rights: Contact us at privacy@sapat.chat

Do Not Sell My Personal Information: We do not sell personal data to third parties.


18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@sapat.chat
Support: support@sapat.chat
Mailing Address:
Nikola Stojkovic PR Borca
Prelivacka 50
11211 Beograd, Srbija

Response Time: We aim to respond to all inquiries within 48 hours (business days).


19. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Data Controller: The entity that determines the purposes and means of processing personal data (Nikola Stojkovic PR Borca).

Data Processor: An entity that processes personal data on behalf of the data controller (e.g., our hosting provider).

Data Subject: The individual to whom personal data relates (you).

GDPR: General Data Protection Regulation (EU) 2016/679.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.


By using Sapat.chat, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

Thank you for trusting us with your personal data.