Privacy Policy

Last updated: February 2025

1. Who We Are and Scope

Goldilocks ("we", "us", or "our") operates the Goldilocks AI-powered conversation platform. We are based in Victoria, Australia. For privacy enquiries, contact us at legal@goldilocks.chat.

This Privacy Policy applies to: (a) Customers – account holders who use our admin dashboard (app.goldilocks.chat), including tenant admins and team members; and (b) End Users – visitors to our Customers' websites who interact with the Goldilocks chatbot widget.

2. Information We Collect

From Customers (Account Holders)

  • Name, email address, and company name
  • Password (stored in hashed form)
  • OAuth profile data when you sign in with Google (email, name, profile image)
  • MFA data if you enable two-factor authentication (TOTP secret and backup codes, stored in hashed form)
  • Billing details – payment card and billing information are collected and processed directly by Stripe. We do not store full card numbers on our servers.

From End Users (via the Service)

  • Chat messages and conversation content
  • Self-reported identity (name, email) if shared during a conversation
  • Contact data passed by our Customers via the identify API (customerId, name, email, and custom fields they configure)
  • Session and conversation identifiers

From Content Customers Upload

  • Documents, FAQs, knowledge base articles, and other training content
  • Website content crawled when Customers enable website ingestion

Automatically Collected

  • Usage metrics (message counts, chat sessions, document retrievals, article views)
  • Log data (IP address, timestamps, user agent) for security and audit purposes
  • Cookies – we use essential session and authentication cookies. We use a maintenance-mode cookie when the service is in maintenance. We do not use advertising or third-party tracking cookies.

3. How We Use Your Information

  • To provide, maintain, and improve our services (AI responses, widget, analytics)
  • To process billing, subscriptions, and manage your account
  • For security, fraud prevention, and audit logging
  • To send technical notices, support messages, and respond to enquiries
  • For product improvement using only anonymized or aggregated data – we do not train AI models on your data
  • To execute workflows you configure (e.g. sending data to your webhooks, Zapier, Make, Slack, or escalation tools)

4. Third-Party Processors and Overseas Disclosure

We use the following sub-processors to operate our service. Personal information may be disclosed overseas.

  • OpenAI (United States) – AI processing. Under our agreement with OpenAI, your data is not used to train their models.
  • Stripe (United States) – Payment processing.
  • Google (multi-region) – OAuth authentication.
  • Mailgun (United States) – Transactional email.
  • Google Cloud Platform – Hosting and database (we use Australian regions where available, such as australia-southeast1).

When you configure webhooks, Zapier, Make, Slack, or similar integrations, data flows to endpoints you control. We are not responsible for how those third parties handle data.

If you are in Australia and believe we have breached the Privacy Act, you may complain to the Office of the Australian Information Commissioner (OAIC): oaic.gov.au.

5. Data Sharing

We do not sell your personal information. We may share information with:

  • Service providers listed above, under agreements that protect your data
  • Law enforcement or regulators when required by law (e.g. subpoenas, court orders)
  • Integration partners you explicitly configure (e.g. your Zendesk, Slack)
  • Successors in the event of a merger or acquisition, with notice to you

6. Data Retention

  • Account data: For the duration of your account plus 30 days
  • Conversations and messages: Up to 2 years
  • Payment and invoice records: 7 years (for legal and tax requirements)
  • Audit logs: 1 year
  • Backups: 7 days to 12 months depending on backup type

You may request earlier deletion of your data by contacting us at legal@goldilocks.chat. We may retain certain information where required by law or for legitimate legal, regulatory, or dispute-resolution purposes.

7. Security

  • All data is encrypted in transit (TLS) and at rest (AES-256)
  • Tenant data is isolated – your data is never mixed with other accounts
  • We do not train AI models on your data
  • Access controls and optional multi-factor authentication
  • Regular security reviews and updates

8. Data Breach Notification

In the event of a data breach that is likely to result in serious harm to individuals, we will notify affected individuals and relevant authorities as required by law. In Australia, we comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act. For individuals in the EU, we will notify your supervisory authority within 72 hours where required under the GDPR, and notify affected individuals without undue delay where there is a high risk to their rights.

We maintain an incident response process and will take reasonable steps to contain, assess, and remediate any breach.

9. Your Rights

Depending on your location, you may have the following rights:

  • Australia (Australian Privacy Principles): Access (APP 12), correction (APP 13), and the right to complain to the OAIC
  • European Union (GDPR): Access, rectification, erasure, data portability, restriction of processing, objection, withdrawal of consent, and the right to complain to your supervisory authority
  • California (CCPA): The right to know what data we hold, to delete your data, and to opt out of sale (we do not sell personal information). You also have the right to non-discrimination.

To exercise these rights, contact us at legal@goldilocks.chat. Customers can export their data via our API.

10. Cookies and Similar Technologies

We use essential cookies for session management and authentication. When maintenance mode is active, we set a cookie to indicate this. We do not use advertising or third-party analytics cookies. You can manage or disable cookies through your browser settings, though this may affect your ability to use the Service.

11. Children

The Service is not intended for individuals under 18. We do not knowingly collect personal information from children. If you believe we have collected such information, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice in the Service. Your continued use after such notice constitutes acceptance of the updated policy.

13. Contact

For questions, requests, or complaints about this Privacy Policy or our handling of your data: