Privacy Policy

Effective date: April 8, 2026

Vigil ("Vigil," "we," "us," or "our") operates a software-as-a-service platform that enables businesses to create AI-powered chat assistants. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform, whether as a business customer ("Customer") or as a visitor interacting with a chat widget deployed by one of our Customers ("End User").

Please read this policy carefully. If you do not agree with its terms, please do not access or use the platform.

1. Information We Collect

1.1 From Customers (business account holders)

  • Account information: Email address and password when you register an account.
  • Billing information: Payment details processed through Stripe (we do not store full card numbers — Stripe handles all payment data).
  • Content you upload: Documents, text, and URLs you provide to build your bot's knowledge base.
  • Configuration data: Bot settings, appearance preferences, business hours, and integration credentials (e.g. Cal.com API keys, stored encrypted).
  • Usage data: How you use the dashboard, feature usage, API call logs.
  • Communication data: Messages you send to our support team.

1.2 From End Users (visitors chatting with your bot)

When a visitor interacts with a Vigil-powered chat widget embedded on a Customer's website, we may collect:

  • Conversation content: Questions the visitor types and responses generated by the bot.
  • Lead form data: Information the visitor voluntarily submits through a lead capture form (e.g. name, email address, phone number, company). These fields are configured by the Customer — we only collect what the Customer's form requests.
  • Session identifiers: Anonymous session IDs used to maintain conversation continuity. These are randomly generated and not linked to personal identity.
  • Interaction metadata: Timestamps, feedback ratings (thumbs up/down), and which responses were helpful.

1.3 Automatically collected technical data

  • IP addresses: Used for rate limiting to prevent abuse. Not linked to personal profiles.
  • Request metadata: HTTP method, endpoint, response time, and status codes for system monitoring.
  • Error logs: Crash reports and application errors for debugging purposes.

2. How We Use Information

To provide the service

  • Process and store your knowledge base content to power bot responses
  • Authenticate your account and enforce access controls
  • Process subscription payments and manage billing
  • Send email notifications for human handoff escalations, order alerts, and lead captures
  • Send SMS notifications for the same events (if you purchase credits)

To improve the platform

  • Analyze aggregate usage patterns to understand which features are most valuable
  • Identify and fix bugs and performance issues
  • Develop new features based on customer needs

To communicate with you

  • Respond to your support requests
  • Send important service announcements (security updates, policy changes)
  • Send product updates (you can unsubscribe at any time)

To ensure security

  • Detect and prevent fraudulent or abusive activity
  • Enforce rate limits to protect service availability
  • Monitor for unauthorized access attempts

3. Phone Numbers and Email Addresses

We understand these are sensitive data types. Here is exactly how we handle them:

End User phone numbers and emails from lead forms

  • Stored securely in our database under the Customer's account
  • Visible only to the Customer who deployed the bot
  • Used to send notification emails/SMS to the Customer (not to the visitor) when configured
  • Never sold or shared with any third party for advertising, marketing, or any other commercial purpose
  • Never used by Vigil for our own marketing or outreach
  • Permanently deleted when the Customer deletes the bot or their account

Customer notification settings

  • You provide a phone number and/or email address to receive bot event notifications
  • These are used exclusively to deliver the notifications you've enabled
  • We use Resend (email) and Twilio (SMS) as delivery providers — see section 5
  • We never share your notification contact details with third parties for any purpose other than delivering your notifications
  • Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes
  • SMS messages are sent only for lead captures, order confirmations, and appointment notifications that you have explicitly enabled. Reply STOP to any message to opt out; reply HELP for help

4. How We Share Information

We do not sell personal information. We share data only in the following limited circumstances:

Service providers (sub-processors)

We share data with third-party services that help us operate the platform:

Supabase | Database and authentication hosting | All application data | EU / US (configurable)
Stripe | Payment processing | Billing information | United States
Google (Gemini API) | AI language model and embeddings | Knowledge base content and chat queries | United States
Resend | Email delivery | Recipient email address, notification content | United States
Twilio | SMS delivery | Recipient phone number, notification content | United States
Sentry | Error tracking and monitoring | Error logs (no personal data beyond IP) | United States
Cloudflare | CDN for widget.js delivery | No personal data | Global CDN

Legal requirements

We may disclose information if required by law, court order, or government request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Vigil, our customers, or the public.

Business transfers

If Vigil is acquired by or merged with another company, your information may be transferred as part of that transaction. We will notify you before your personal data becomes subject to a different privacy policy.

5. Data Security

We implement industry-standard technical and organizational measures to protect your data:

  • All data transmitted between your browser, our servers, and our databases uses TLS encryption (HTTPS)
  • Database data is encrypted at rest by Supabase
  • Row-level security: each account can only access their own data — even platform administrators cannot read other accounts' conversation data through normal application paths
  • API keys (your bot's public keys) are separate from authentication credentials and have limited scope
  • Third-party integration credentials (e.g. Cal.com API keys) are encrypted using AES-256-GCM before storage
  • Regular automated database backups with point-in-time recovery
  • Rate limiting on all API endpoints to prevent abuse

No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

6. Data Retention

Account data: Retained for the life of your account. Deleted within 30 days of account deletion.

Conversation data: Retained for the life of the associated bot. Permanently deleted when you delete a bot or your account.

Lead submissions: Retained until you delete the lead, delete the bot, or delete your account.

Billing records: Retained for 7 years to comply with financial record-keeping requirements (Stripe manages payment records independently).

Error and access logs: Retained for up to 90 days for security and debugging purposes.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.

Correction: Request correction of inaccurate or incomplete data.

Deletion: Request deletion of your data. You can delete your bots and account directly from the dashboard, which permanently removes all associated data.

Portability: Request your data in a machine-readable format.

Objection: Object to processing of your data for certain purposes.

Restriction: Request restriction of processing in certain circumstances.

To exercise any of these rights, contact us at privacy@vigil.chat. We will respond within 30 days.

8. Information for Chat Widget End Users

If you are a visitor chatting with a Vigil-powered widget on another business's website (not on vigil.chat), please note:

  • The business operating the website (our Customer) is the data controller for your conversation and any information you submit through lead forms.
  • The Customer's own privacy policy governs how they use the data you provide to them.
  • Vigil acts as a data processor on behalf of the Customer — we store and process the data to provide the service to them.
  • Any phone number or email address you submit through a lead form is shared with the Customer and is used by that Customer to contact you — not by Vigil for our own purposes.
  • Vigil does not sell, share, or market to end users. We have no commercial relationship with chat widget visitors.
  • To request deletion of your conversation data or lead submission, contact the business whose website you visited.

9. Cookies & Tracking

On the Vigil dashboard (vigil.chat): We use session cookies strictly necessary for authentication. We do not use third-party advertising or tracking cookies.

On Customer websites (the embedded widget): The Vigil widget uses a single session token stored in the browser's session storage (not a persistent cookie) to maintain conversation context. This token is anonymous and randomly generated. The widget does not track visitors across websites or sessions.

10. Children's Privacy

The Vigil platform is not directed to children under 13 years of age (or under 16 in applicable jurisdictions). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us at privacy@vigil.chat and we will delete it promptly.

11. International Data Transfers

Our infrastructure and some of our sub-processors are based in the United States. If you are located in the European Economic Area (EEA), UK, or other jurisdictions with data transfer restrictions, your personal data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place, including contractual protections with our sub-processors.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the effective date at the top of this page and, where appropriate, by sending you an email. Your continued use of the platform after such changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us:

Email: privacy@vigil.chat

Subject line: Privacy Request — [your name or account email]

We will respond to privacy requests within 30 days.