Your data is protected.
Always.
SellyChat is built with privacy and security at its core — not as an afterthought. Whether you're serving customers in New York or Berlin, your data stays safe, private, and under your control.
How we protect your data
Security isn't a feature we bolted on — it's the foundation everything is built on.
Encrypted everywhere
All data is encrypted in transit using TLS and at rest using infrastructure-level encryption. User sessions are encrypted by default. Passwords are never stored — only secure one-way hashes.
Export anytime
Need your data? Export any customer's conversation history, workflow data, and interaction records instantly as a structured JSON file. No tickets, no waiting — it's self-serve from your dashboard.
Delete on demand
When a customer asks to be forgotten, you can erase their data with one click. We anonymize conversation content, redact identifiers, and remove workflow logs — permanently and irreversibly.
You control retention
Set how long SellyChat keeps conversations, audit logs, AI sessions, and knowledge documents. Once your retention window expires, data is automatically purged. You decide the rules.
Full audit trail
Every change to your agents, channels, workflows, and integrations is logged — who made the change, what changed, and when. Sensitive fields like passwords and API keys are automatically redacted from logs.
We never sell your data
Your customer conversations are yours. We don't sell, share, mine, or use your data for advertising, training, or any purpose beyond running SellyChat for you. Period.
For European customers
SellyChat supports your GDPR obligations out of the box. Here's what's built into every account.
| Capability | What it does |
|---|---|
| Data Subject Access | Export all data associated with any customer identifier — phone, email, or session ID |
| Right to Erasure | Anonymize all conversation content and personal data for any individual |
| Consent Management | Track and record consent with immutable snapshots, version tracking, and timestamps |
| Consent Withdrawal | Customers can withdraw consent at any time — as easy as giving it |
| Data Retention Controls | Configurable retention periods with automated purging |
| Audit Logging | Tamper-evident logs of all data access and modifications |
| Account Deletion | 30-day grace period with full permanent deletion of all tenant data |
| Data Processing Agreement | We provide a DPA for all customers. Request DPA → |
We don't just handle your data responsibly — we give you the tools to prove it to your customers and regulators.
Infrastructure & security
Multiple layers of protection across every part of the stack.
| Layer | Protection |
|---|---|
| Transit | TLS 1.2+ on all connections |
| Storage | Infrastructure-level encryption at rest |
| Sessions | Application-level encrypted sessions |
| Authentication | Secure password hashing, session management with HTTP-only cookies |
| Access control | Tenant isolation — each account's data is completely separated at the database level |
| Monitoring | Structured logging and audit trails across all sensitive operations |
Sub-processors
We work with a small number of trusted providers to run SellyChat. Each sub-processor is bound by data processing terms.
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Hosting, compute, and storage | Your region |
| Google Vertex AI | AI conversation processing | Your region |
| Stripe / LemonSqueezy | Subscription billing | US / EU |
| Postmark | Transactional emails | US |
We'll notify you before adding new sub-processors.
Frequently asked questions
Your data is hosted on Google Cloud Platform. All storage is encrypted at rest by default.
Yes. You can export your full account data at any time from Settings → Privacy. Individual customer data can also be exported per identifier.
When you delete your account, we keep your data for 30 days in case you change your mind. After that, everything is permanently deleted — conversations, messages, workflows, knowledge bases, and all associated files.
No. Your conversations and customer data are never used to train, fine-tune, or improve any AI models. Your data is processed only to provide you with SellyChat's services.
SellyChat is built with GDPR principles at its core. We provide the technical tools — data export, erasure, consent management, retention controls, and audit logs — that help you meet your own GDPR obligations as a data controller.
Yes. We provide a Data Processing Agreement for all customers. Contact us at privacy@sellychat.com to get started.
Questions about privacy?
If you have any questions about privacy, security, or data handling, reach out to us.
privacy@sellychat.com