Privacy Policy

Effective date: March 7, 2025

This Privacy Policy explains how Tebstack collects, uses, and protects information about you when you use our platform. We take your privacy seriously.

1. Overview

Tebstack ("we," "our," or "us") operates a SaaS platform that provides AI-powered customer support tools for Tebex storefronts. This Privacy Policy covers all data processing activities related to the Tebstack platform, including the Tebby AI agent, embedded support widget, staff dashboard, and billing systems.

This policy applies to:

  • Store operators — individuals or organizations who create a Tebstack account to manage their Tebex storefronts.
  • Staff members — individuals invited by a store operator to manage support tickets.
  • Visitors — end users who interact with the embedded support widget on a Tebex storefront powered by Tebstack.

2. Data We Collect

Account information. When you register, we collect your name, email address, and password (hashed). If you register via OAuth (e.g. Google, Discord), we receive your name, email, and profile picture from that provider.

Store configuration data. We store the settings you configure for your Tebstack stores, including store name, custom domain, platform type, currency, Tebby AI system prompt, knowledge base entries, staff permissions, and Tebex API keys (encrypted at rest).

Support ticket data. We store all support ticket content, including messages submitted by visitors, replies from staff or Tebby AI, internal staff notes, and any attachments. This data is associated with your store and is necessary to provide the support management service.

Visitor information. When a visitor opens a support ticket via the embedded widget, we may collect their name, email address, and any other information they voluntarily provide in the support flow. If Tebex transaction verification is enabled, we collect the Tebex Transaction ID they provide.

Usage data. We automatically collect information about how you use the Services, including pages visited, features used, timestamps, IP addresses, browser type, and device information. This data is used for debugging, security, and improving the Services.

Payment information. Billing and payment data is processed directly by Stripe. We store only a reference to your Stripe customer ID, current subscription tier, and credit balance. We do not store full card numbers or other sensitive payment data.

Communications. If you contact us by email or through support channels, we retain those communications to assist with your inquiry.

3. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and maintain the Services.
  • Power Tebby AI — your store configuration and ticket content are passed to Anthropic Claude to generate support responses.
  • Process payments and manage your subscription and credit balance.
  • Authenticate users and manage account security.
  • Send transactional emails (account confirmations, password resets, billing receipts) via Resend.
  • Monitor and analyze usage to detect fraud, abuse, and security threats.
  • Improve the Services by understanding usage patterns and identifying areas for enhancement. We do not sell your data or use it to train AI models without your consent.
  • Comply with legal obligations.

Our legal bases for processing personal data under the GDPR include: performance of a contract (to deliver the Services), legitimate interests (security, fraud prevention, service improvement), legal obligation, and — where required — consent.

4. AI Processing (Tebby)

Tebby AI is powered by Anthropic Claude, a large language model provided by Anthropic, PBC. When Tebby AI is enabled on a store:

  • Visitor messages, conversation history, and relevant store context (system prompt, common Q&As, product information you have configured) are sent to Anthropic's API to generate responses.
  • This data transfer is governed by our Data Processing Agreement with Anthropic. Anthropic does not use API inputs to train their models by default. See Anthropic's Privacy Policy for details.
  • Store operators are responsible for ensuring that visitor data shared with Tebby AI is covered by appropriate disclosures to their visitors.
  • Internal staff notes marked as internal are excluded from AI context sent to visitors and are not shared with visitors through any channel.

We periodically analyze aggregated, anonymized support ticket patterns to improve Tebby's store-specific context. This analysis is performed within our own systems and does not involve sharing individually identifiable ticket data with third parties beyond what is described above.

5. Data Sharing & Sub-Processors

We share personal data only as described in this policy. Our current sub-processors are:

Processor        Purpose                                      Location
Anthropic, PBC   AI language model inference (Tebby AI)       USA
Stripe, Inc.     Payment processing & subscription billing    USA
Supabase, Inc.   Database hosting & authentication            USA (AWS)
Resend, Inc.     Transactional email delivery                 USA

We do not sell, rent, or trade your personal data to third parties for marketing purposes. We may disclose data if required by law, court order, or to protect the rights, property, or safety of Tebstack, our users, or the public.

If Tebstack is acquired or merged with another company, your data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Services before your data is transferred and becomes subject to a different privacy policy.

6. Payments & Stripe

All payments are processed by Stripe, Inc. When you subscribe or purchase credits, you are submitting payment information directly to Stripe. We receive confirmation of successful payments and access to subscription status, but we never see or store your raw card details.

Stripe may collect additional data for fraud prevention and compliance purposes under their own privacy policy. Stripe is PCI-DSS Level 1 certified.

7. Cookies & Tracking

We use cookies and similar technologies for:

  • Authentication — session cookies that keep you logged in to your Tebstack account (managed by Supabase Auth).
  • Preferences — storing your theme preference (dark/light mode).
  • Security — CSRF protection tokens.

We do not use third-party advertising cookies or cross-site tracking. We do not use Google Analytics or similar behavioral analytics services.

The embedded support widget placed on your visitors' browsers uses a minimal session cookie to maintain ticket access. Store operators are responsible for disclosing this cookie use in their own store's cookie or privacy notices.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the Services. Specifically:

  • Account data — retained while your account is active. You may delete your account at any time; account data is deleted within 30 days of account closure.
  • Support ticket data — retained for 24 months from the date of ticket creation, or for the duration of your active subscription, whichever is longer. Operators may delete individual tickets at any time.
  • Billing records — retained for 7 years to comply with accounting and tax obligations, even after account closure.
  • AI credit logs — retained for 12 months for dispute resolution purposes.
  • Usage and security logs — retained for 90 days.

After the applicable retention period, data is securely deleted or anonymized.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion of your personal data, subject to legal retention requirements.
  • Portability — request your data in a machine-readable format.
  • Restriction — request that we restrict processing of your data in certain circumstances.
  • Objection — object to processing based on legitimate interests.
  • Opt-out of sale — we do not sell your personal data, so this right is satisfied by default.

To exercise any of these rights, contact us at privacy@tebstack.com. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

Visitors who have submitted tickets via the embedded widget may request deletion of their data by contacting the store operator or by contacting us directly. We will relay verified deletion requests to the relevant store operator.

10. Security

We implement industry-standard security measures to protect your data, including:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Sensitive values such as Tebex API keys are encrypted at rest using AES-256.
  • Database access is protected by Row-Level Security (RLS) policies enforced at the database level, ensuring users can only access their own data.
  • Authentication is managed by Supabase Auth with support for OAuth.
  • Our infrastructure runs on established cloud providers with SOC 2 compliance.

Despite our efforts, no system is completely secure. In the event of a data breach that affects your personal data, we will notify affected users as required by applicable law.

If you discover a security vulnerability, please disclose it responsibly by emailing privacy@tebstack.com.

11. Children's Privacy

The Services are not directed to children under the age of 13, and we do not knowingly collect personal data from children under 13. If we learn that we have inadvertently collected such data, we will delete it promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@tebstack.com.

12. International Data Transfers

Tebstack and its sub-processors operate primarily in the United States. If you are accessing the Services from outside the United States, your data will be transferred to and processed in the United States or other countries where our sub-processors operate.

For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms. By using the Services, you consent to such transfers to the extent permitted by applicable law.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and notify you by email or a prominent notice in the Services at least 15 days before the changes take effect.

We encourage you to review this policy periodically. Your continued use of the Services after changes take effect constitutes your acceptance of the updated policy.

14. Contact Us

For privacy-related questions, requests, or concerns, please contact our privacy team:

Tebstack — Privacy Team

Email: privacy@tebstack.com

We aim to respond to all privacy requests within 30 days. For urgent security issues, please include "URGENT" in the subject line.

This Privacy Policy was last updated on March 7, 2025. Previous versions are available upon request.

See also: Terms of Service