ChicoSoft ("ChicoSoft," "we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our public website; use our authenticated workspace and internal business systems (including CRM, quotations, master service agreement generation, invoicing, receipts, and project records); or engage us for professional services such as custom websites and e-commerce, social media and short-form video, community management, paid advertising operations, AI chatbots and LLM usage, integrations, and related consulting.

By using our services or providing information to us, you acknowledge this policy. If you do not agree, please discontinue use of our services and refrain from submitting personal data.

This policy should be read together with our Terms of Service. Specific engagements may also be governed by separate statements of work, quotations, or master service agreements.

ChicoSoft is a technology company offering web, social media, and AI-related services to businesses. For the purposes of applicable privacy law, ChicoSoft typically acts as the controller of personal data described in this policy when collected through our website and workspace, unless we process certain data strictly on behalf of a client under written instructions (for example, when delivering a client project), in which case our client may be the controller for that processing.

Contact: For privacy inquiries, you may reach us at the contact details provided on our Contact page (for example hello@chicosoft.com) or through your account representative when you are an existing customer.

This policy covers personal data processed through: (a) our public marketing and informational websites; (b) authenticated workspaces and internal applications used to deliver and manage our relationship with you, including tools for CRM (clients and leads), preparing and storing quotations with SKU-based line items, generating master service agreements and related documents, finance records such as invoices and receipts, project tracking, and user/role administration; and (c) professional services and deliverables we provide under contract (for example hosted sites, integrations, or chat experiences).

Where we deliver a solution that collects data from your end users (for example a contact form, e-commerce checkout, or customer-facing chatbot), you are typically responsible for providing your own privacy notice to those end users and for lawfully obtaining any required consents. We process such data as described here and in your Project Agreement—often as a processor on your instructions for hosted components we operate for you.

We may collect the following categories of information, depending on how you interact with us:

Account and identity data: name, email address, password hashes (when you use email sign-in), profile details, and role or permission assignments for workspace access.

Authentication data: when you use optional third-party sign-in (such as Google OAuth), we receive identifiers and profile elements that the provider shares with us according to your consent and their policies.

Business, sales, and project data: company name; billing or procurement contacts; CRM fields you or we maintain; project requirements; files and attachments; communications; quotation identifiers; SKU or service selections; pricing, discounts, and commercial terms reflected in quotes; data needed to prepare or export master service agreements and statements of work; invoice, tax, and payment-related identifiers and status; and similar content submitted in connection with sales, delivery, or support.

Technical and usage data: IP address, device and browser type, approximate location derived from IP, timestamps, diagnostic logs, application error data, and security-related events necessary to operate and protect our systems.

We collect personal data directly from you, from your organization, from integrated tools you authorize, and automatically through cookies and similar technologies where applicable.

We use personal data to: provide, operate, and improve our website and workspace; authenticate users and enforce role-based access controls; process inquiries and deliver professional services; generate quotations, invoices, and contractual documents as part of normal business operations; communicate about service changes, security, and support; comply with law and enforce our terms; and detect, prevent, and respond to fraud, abuse, or security incidents.

We do not sell your personal information as defined under applicable U.S. state privacy laws. We do not use your data for automated decision-making that produces legal or similarly significant effects solely by automated means, except where required by law and described to you.

Depending on your location, we may rely on one or more of the following bases: performance of a contract with you or your organization; legitimate interests that are not overridden by your rights (for example, securing our services and improving reliability); compliance with legal obligations; and consent where we expressly request it (such as certain marketing communications or optional cookies, if used).

Where consent is the basis, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Certain services involve artificial intelligence and automation, including large language models (LLMs), retrieval-augmented generation (RAG) over knowledge bases, conversational chatbots, workflow automation, and integrations with third-party AI or messaging providers. Depending on the engagement, we may process prompts, conversation content, embeddings, logs, and performance metrics as needed to configure, operate, monitor, secure, and improve the agreed solution.

AI outputs can be incorrect, incomplete, or biased. Unless expressly agreed in writing, AI-generated materials are assistive and should be reviewed by qualified humans before reliance for regulated, safety-critical, or high-stakes decisions. Do not submit special categories of personal data or highly sensitive information to AI features unless we have agreed appropriate safeguards.

Where we use analytics or product telemetry on our own applications, we aim to minimize personal data and use it to understand reliability, security, and usage patterns.

We share personal data only as needed to operate our business. Categories of recipients include: infrastructure and database providers (we use Supabase for authentication, database storage, and related platform capabilities); hosting and deployment partners (such as Vercel or comparable edge/hosting services for our web application); email and communication providers; payment processors when you pay us through supported channels; AI or LLM infrastructure providers when an engagement explicitly uses those services; professional advisers where required; and authorities when required by law or to protect rights and safety.

We may disclose information in connection with a merger, acquisition, or asset sale, subject to appropriate confidentiality and continuity safeguards.

We require subprocessors to implement appropriate contractual and security measures. A current list of key providers may be maintained internally and provided upon reasonable request for enterprise customers.

Our service providers may process data in the Philippines, the United States, the European Union, and other regions where they operate data centers. When we transfer personal data across borders, we implement safeguards consistent with applicable law, such as standard contractual clauses or equivalent mechanisms where required.

We retain personal data only as long as necessary for the purposes described in this policy, including to meet legal, accounting, or reporting requirements. Retention periods vary by data category; for example, account data may be retained for the life of the account plus a reasonable period thereafter, and business records may be retained as required for tax and contract obligations.

We implement administrative, technical, and organizational measures designed to protect personal data, including access controls, encryption in transit where supported, monitoring, and least-privilege access for personnel. No method of transmission or storage is completely secure; we encourage you to use strong passwords and protect your credentials.

If we become aware of a personal data breach that poses a risk to individuals, we will assess the incident and may notify regulators and affected individuals as required by applicable law (including, where relevant, requirements under the Philippines Data Privacy Act and National Privacy Commission guidance).

Depending on applicable law, you may have rights to access, correct, delete, restrict, or object to certain processing of your personal data, or to request portability. You may also have the right to lodge a complaint with a supervisory authority.

To exercise rights, contact us using the details on our Contact page. We may need to verify your request. If we process data on behalf of a client as a processor, we may direct you to that client where appropriate.

You can control certain account settings within the workspace where features exist. For marketing emails, you may use unsubscribe mechanisms when provided.

If you are an administrator for an organization, you are responsible for your users' accounts and for ensuring your organization has lawful bases to share any personal data with us. End users seeking access, correction, or deletion related to data held on behalf of a client organization may need to contact that organization first; we will assist as required by law and contract.

Philippines: We aim to align our practices with Republic Act No. 10173 (Data Privacy Act of 2012) and relevant issuances of the National Privacy Commission (NPC). You may have rights to access, correct, and object under applicable NPC rules, subject to verification and legal exceptions.

European Economic Area, United Kingdom, and Switzerland: Where GDPR, UK GDPR, or Swiss law applies, we act as controller or processor as described in this policy and applicable agreements. You may have rights including access, rectification, erasure, restriction, objection, and data portability, and the right to lodge a complaint with a supervisory authority. International transfers rely on appropriate safeguards where required.

United States (state privacy laws): Where laws such as the California Consumer Privacy Act/California Privacy Rights Act or other state laws apply, we provide the rights and notices required by those laws, including where applicable the right to know, delete, correct, and opt out of certain sharing (we do not sell personal information for monetary consideration).

We may use cookies, local storage, and similar technologies for session management, preferences, analytics, and security. You can control cookies through browser settings; disabling cookies may affect functionality.

Our services are not directed to children under 16 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will take appropriate steps.

We may update this Privacy Policy from time to time. We will post the revised version with an updated 'Last updated' date and, where appropriate, provide additional notice (such as email or a prominent notice in the workspace).

Questions about this policy or our privacy practices: use the Contact page or email hello@chicosoft.com. For data protection requests, include sufficient detail to identify your account or relationship with us.