1. Information We Collect
B2B Customer Information You Provide
We collect information you provide directly when you:
- Create a B2B account: Company name, business email address, password (encrypted), company size, use case description, billing contact information
- Generate API keys: API key metadata, client application names, permitted domains/IPs, usage permissions
- Use our API services: Request logs, endpoint usage patterns, response times, error rates, integration configurations
- Manage subscriptions: Company billing information (processed by Stripe), subscription tier selections, usage preferences
- Contact support: Support tickets, technical documentation requests, integration assistance, security incident reports
API Usage Data Automatically Collected
- Request analytics: API endpoint usage, request volume, success/error rates, response times, geographic distribution
- Authentication data: API key usage patterns, rate limiting events, security violations, access attempts
- Technical metadata: IP addresses, user agents, request timestamps, payload sizes (not content), browser information
- Billing metrics: Monthly request counts, tier usage, overage calculations, cost tracking
- Performance data: Latency measurements, error tracking, system performance metrics, uptime statistics
End-User Data Processing (Via Your API Integration)
- Conversation processing: Messages sent through /chat/message endpoint (processed by OpenAI, encrypted in our database)
- Character preferences: AI companion selections and usage patterns from your application users
- Crisis detection events: Flagged conversations requiring professional intervention resources
- User identifiers: Anonymous user IDs provided by API clients (no personal data collected directly from end-users)
- Usage analytics: Aggregated conversation metrics, character popularity, session duration data
2. Legal Basis for Data Processing (GDPR)
We process your business data under the following legal bases:
Contract Performance (Article 6(1)(b))
- B2B account creation and management
- API service delivery and authentication
- Subscription billing and payment processing
- Customer support and technical assistance
- Service level agreement compliance
Legitimate Interests (Article 6(1)(f))
- API service improvement and optimization
- Fraud prevention and security monitoring
- Business analytics and usage optimization
- Technical support and troubleshooting
- Platform performance monitoring
Consent (Article 6(1)(a))
- Marketing communications to business contacts
- Optional analytics and performance tracking
- Third-party integration partnerships
- Product development feedback participation
Legal Obligation (Article 6(1)(c))
- Business tax and accounting record retention
- Regulatory compliance reporting for enterprise customers
- Law enforcement cooperation when legally required
- Data breach notification requirements
3. How We Use Your Information
Core API Service Delivery
- Provide AI companion API services: Process messages through OpenAI's GPT models to generate AI responses for your application users
- Authenticate API requests: Validate API keys and manage access permissions
- Monitor service performance: Track response times, uptime, and system reliability
- Manage usage limits: Enforce rate limits and subscription tier restrictions
- Generate usage analytics: Provide dashboard metrics and billing calculations
Business Operations
- Account management: Maintain your company account, API keys, and subscription settings
- Billing and payments: Process subscription charges, calculate overages, generate invoices
- Customer support: Respond to technical inquiries, resolve integration issues, provide documentation
- Security monitoring: Protect against unauthorized access, API abuse, and security threats
- Compliance management: Meet enterprise security requirements and audit needs
4. AI Data Processing and OpenAI Integration
How End-User Conversations Are Processed
- API request flow: Your application sends user messages to our /chat/message endpoint
- OpenAI processing: Messages are forwarded to OpenAI's API for AI companion response generation
- Conversation context: Recent message history included to maintain conversation continuity
- Response delivery: AI responses returned to your application via our API
- No model training: End-user conversations are not used to train OpenAI's models (per their API terms)
Data Security in AI Processing
- Encryption in transit: All data sent to OpenAI encrypted using HTTPS/TLS protocols
- Temporary processing: OpenAI processes conversation data temporarily to generate responses
- No long-term storage: OpenAI does not retain conversation data beyond processing requirements
- API compliance: Our integration follows OpenAI's business data usage and privacy policies
- Conversation encryption: All stored conversation data encrypted in our database using AES-256-GCM
Important: While messages are processed by OpenAI for response generation, all stored conversation data in our database is encrypted and accessible only to authorized systems.
5. Data Storage and Encryption
Advanced Encryption Implementation
- Conversation encryption: All end-user chat messages encrypted using AES-256-GCM before database storage
- API key security: API keys hashed using bcrypt with salt for secure storage
- Business data encryption: Company information and billing data encrypted at rest
- Transport security: All API communications secured with HTTPS/TLS 1.3 encryption
- Database security: MongoDB Atlas with encryption at rest and role-based access controls
Data Storage Locations
- Primary storage: MongoDB Atlas cloud database with EU/UK data residency options
- Backup systems: Encrypted automated backups with geographic distribution
- CDN and caching: Cloudflare CDN for performance (no personal data cached)
- API logs: Secure log storage with automated retention and deletion policies
6. Data Sharing and Third-Party Providers
We share data with trusted third parties only as necessary for API service delivery:
Essential Service Providers
OpenAI (US) - AI conversation processing for end-user messages
- Data shared: Conversation messages and context for AI response generation
- Legal basis: Contract performance for AI services
- Safeguards: Business Associate Agreement, API terms compliance, no model training
Stripe (US/EU) - Payment processing for B2B subscriptions
- Data shared: Company billing information, subscription details, usage charges
- Legal basis: Contract performance for payment processing
- Safeguards: PCI DSS compliance, Standard Contractual Clauses
Resend (EU) - Email delivery for account verification and notifications
- Data shared: Business email addresses, account notifications, billing alerts
- Legal basis: Contract performance for email services
- Safeguards: GDPR compliance, data processing agreement
MongoDB Atlas (Global) - Secure cloud database hosting
- Data shared: Encrypted business and conversation data
- Legal basis: Contract performance for data storage
- Safeguards: Data processing agreement, encryption, access controls
International Data Transfers
Some service providers are located outside the UK/EU:
- OpenAI (United States): Protected by Standard Contractual Clauses and adequate security measures
- Stripe (United States): Protected by Standard Contractual Clauses and PCI DSS compliance
- Transfer safeguards: We ensure appropriate safeguards including encryption, access controls, and contractual protections
7. Enterprise Customer Data Processing
Customer End-User Data Handling
- Data minimization: We process only data necessary for AI response generation
- Purpose limitation: End-user data used solely for providing AI companion services
- No profiling: We do not create profiles or analyze individual end-user behavior patterns
- Aggregated analytics: Usage statistics provided to customers are anonymized and aggregated
- Customer control: Customers maintain primary relationship and responsibility for their end-users
Data Processing Agreements (DPAs)
- Enterprise agreements: Separate DPAs available for enterprise customers with specific compliance requirements
- HIPAA readiness: Technical and administrative safeguards support HIPAA-covered entity requirements
- SOC 2 compliance: Regular security audits and compliance reporting available
- Custom terms: Flexible data processing terms for large enterprise implementations
8. Data Retention and Deletion
Retention Periods
- Business account information: Retained until account deletion or 3 years after last API usage
- API usage logs: Retained for 12 months for billing, analytics, and security purposes
- Conversation data: Retained until deleted by customer or account closure (customer-controlled)
- Billing records: Retained for 7 years as required by UK business and tax law
- Support communications: Retained for 3 years for service improvement and dispute resolution
- Security logs: Retained for 2 years for security monitoring and incident response
Data Deletion Process
- Customer-initiated deletion: API customers can delete conversation data through dashboard or API calls
- Account deletion: Complete account closure permanently deletes all business data within 30 days
- Automated deletion: Inactive business accounts (no API usage for 2 years) receive deletion notices
- Secure deletion: Deleted data is cryptographically wiped and cannot be recovered
- Backup purging: Deleted data removed from all backup systems within 90 days
9. Your Privacy Rights Under GDPR and UK Law
Your Business Data Rights
Under GDPR and UK data protection law, your organization has the following rights:
- Right of Access (Article 15): Request copies of all business data we hold about your organization
- Right to Rectification (Article 16): Correct any inaccurate or incomplete business information
- Right to Erasure (Article 17): Request deletion of your business data ("right to be forgotten")
- Right to Restrict Processing (Article 18): Limit how we process your data in certain circumstances
- Right to Data Portability (Article 20): Receive your data in structured, machine-readable format
- Right to Object (Article 21): Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for processing where consent is the legal basis
How to Exercise Your Rights
- API dashboard: Many rights can be exercised through your business account dashboard
- Email requests: Contact privacy@companionframe-api.com for formal data rights requests
- Identity verification: We may need to verify business authorization before processing requests
- Response timeframe: We respond to rights requests within 30 days (may extend to 60 days for complex requests)
- No cost: Exercising your rights is free unless requests are manifestly unfounded or excessive
10. Cookies and Tracking Technologies
Essential Cookies (Always Active)
- Authentication cookies: Keep business accounts logged in and maintain sessions
- Security cookies: Protect against fraud and unauthorized access to business accounts
- API key cookies: Manage API authentication and key validation
- Functional cookies: Enable dashboard functionality and API management features
Analytics Cookies (Optional - Requires Consent)
- Usage analytics: Understand dashboard usage patterns and popular API features
- Performance monitoring: Track page load times and dashboard performance
- Business journey tracking: Analyze how customers navigate through our business platform
- Feature usage: Measure which API endpoints and features are most utilized
Managing Cookie Preferences
- Cookie consent banner: Set business preferences on first dashboard visit
- Cookie settings page: Update preferences through dashboard cookie settings
- Browser controls: Manage cookies through browser settings
- Opt-out tools: Use third-party opt-out tools for advertising cookies
11. API Security and Access Controls
Authentication and Access Management
- API key authentication: Secure key-based authentication for all API requests
- Rate limiting: Automatic request throttling based on subscription tiers
- IP allowlisting: Optional IP address restrictions for enhanced security
- Role-based access: Different permission levels for team members and applications
Security Monitoring
- Anomaly detection: Automated monitoring for unusual API usage patterns
- Threat detection: Real-time security threat identification and response
- Access logging: Comprehensive logs of all API access and authentication attempts
- Security alerts: Immediate notifications for suspicious activities or security events
12. Important Disclaimers and Limitations
AI Service Limitations
- AI Response Accuracy: Our AI companions may occasionally generate inaccurate, inappropriate, or biased responses that require human oversight
- Crisis Detection: While our system includes crisis detection capabilities, it cannot guarantee detection of all crisis situations or replace professional intervention
- End-User Responsibility: API customers are responsible for implementing appropriate safeguards and user agreements for their end-users
- Professional Care: AI companions are not licensed therapists and cannot replace professional mental health services
Business Service Limitations
- Third-party Dependencies: Service availability may be affected by OpenAI API, payment processors, or cloud hosting providers
- Data Processing: While we encrypt conversation data, API customers should implement additional security measures as appropriate for their use case
- Regulatory Compliance: Customers are responsible for ensuring their use of our API complies with applicable laws and regulations in their jurisdiction
13. Data Security and Breach Response
Security Measures
- Encryption standards: AES-256-GCM for data at rest, TLS 1.3 for data in transit
- Access controls: Role-based access with multi-factor authentication for all business systems
- Security monitoring: 24/7 automated security monitoring and threat detection
- Regular audits: Quarterly security assessments and annual penetration testing
- Staff training: Regular security training for all team members with data access
Data Breach Response Protocol
- Immediate containment: Automated incident response systems to contain potential breaches
- Risk assessment: Rapid evaluation of breach scope and potential impact on business customers
- Customer notification: Immediate notification to affected business customers
- Regulatory reporting: Report qualifying breaches to supervisory authorities within 72 hours
- Remediation: Comprehensive breach response including system hardening and additional safeguards
14. Changes to This Privacy Policy
- Policy updates: We may update this privacy policy to reflect changes in our business practices or applicable law
- Customer notification: Business customers will be notified of significant changes via email and dashboard notifications
- Review period: Material changes include a 30-day review period before taking effect
- Continued use: Continued use of our API services after policy changes constitutes acceptance
- Version control: Previous versions of our privacy policy are available upon request
15. Supervisory Authority and Complaints
If you have concerns about our data processing practices:
- Contact us first: Raise concerns with our privacy team at privacy@companionframe-api.com
- File a complaint: Lodge a complaint with the UK Information Commissioner's Office (ICO)
- ICO contact details:
  - Website: ico.org.uk
  - Phone: 0303 123 1113
  - Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- EU customers: May also contact their local data protection authority
Contact Information
For privacy-related questions, data rights requests, or concerns about our data processing:
Data Protection Contact
- Privacy Officer: privacy@companionframe-api.com
- General Support: support@companionframe-api.com
- Security Concerns: security@companionframe-api.com
Company Information
CompanionFrame Limited
Registered in England and Wales
United Kingdom
Response Commitments
- General inquiries: Response within 2 business days
- Data rights requests: Response within 30 days (may extend to 60 days for complex requests)
- Security incidents: Acknowledgment within 24 hours, full response within 72 hours
- Privacy complaints: Response within 5 business days