Privacy Policy
Last updated: December 19, 2025
Introduction
IncrediChat ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.
IncrediChat is a product name of MenuWays Ltd., a company registered in Israel. All references to "IncrediChat", "we", "us", or "our" in this Privacy Policy refer to MenuWays Ltd.
By using IncrediChat, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this privacy policy, please do not access our services.
This Privacy Policy should be read together with our Terms of Service and Data Processing Agreement.
Data Controller and Data Processor Roles
Understanding our role in data processing is important for knowing your rights and our responsibilities.
IncrediChat (MenuWays Ltd.) Acts in Two Distinct Capacities:
We are the data controller for:
- Your account registration information (name, email, company name)
- Billing and payment information
- Your usage of our dashboard and website
- Communications between you and IncrediChat
- Aggregate usage statistics (not conversation content)
As data controller, we determine the purposes and means of processing this data.
We are the data processor for:
- Chat conversations between your website visitors and your AI assistant
- Voice chat text transcripts (if voice chat is enabled - no audio is recorded or stored)
- Lead capture form submissions from your visitors
- Any personal data your visitors provide through the chat widget
For this data, we act as data processor and you (our customer) are the data controller. We process it solely on your behalf pursuant to our Data Processing Agreement.
This distinction affects how you exercise your rights. If you are an end user who interacted with a chat widget on another website, please contact that website's operator (the data controller) regarding your personal data.
Information We Collect
Personal Information You Provide
We collect personal information that you voluntarily provide to us when you:
- Register for an account
- Subscribe to our services
- Contact us for support
- Participate in surveys or promotions
- Sign up for our newsletter
This information may include:
- Name and email address
- Company name and job title
- Billing information and payment details (processed by our payment providers)
- Phone number (if provided)
- Any other information you choose to provide
Information Collected Automatically
We automatically collect certain information when you use our services:
- Device Information: Browser type and version, operating system, device type
- Log Data: IP address, access times, pages viewed, referring URL
- Usage Data: Features used, actions taken, time spent on pages
- Location Data: Approximate location based on IP address (country/region level)
Conversation Data (Processed on Behalf of Customers)
As a data processor, we collect and process conversation data from chat widgets on behalf of our customers:
- Chat messages between website visitors and the AI assistant
- Lead capture form submissions (name, email, phone if submitted)
- Voice chat text transcripts (no audio files are created or stored - see Voice Chat Processing below)
- Visitor IP addresses and device information
- Conversation timestamps and metadata
Voice Chat Processing (If Enabled)
When voice chat is enabled on your widget:
Real-Time Speech-to-Text
- Audio is streamed directly to our speech recognition service (Deepgram)
- Audio is processed in real-time to generate text transcripts
- No audio files are created, stored, or recorded
- Only the text transcript is retained in your conversation history
What This Means: Think of it like using voice-to-text on your smartphone. You speak, it converts to text, but no audio recording is created. That's exactly how our voice chat works.
What We Do NOT Do:
- Create audio recordings (.mp3, .wav, etc.)
- Store voice files for playback
- Archive audio in any form
- Enable playback of past voice conversations
What IS Stored:
- Text transcripts of spoken words
- Conversation metadata (timestamp, participant)
- Standard chat conversation data
Consent: When a visitor uses voice chat, their browser requests microphone permission (browser-level consent). By granting permission and speaking, they consent to speech-to-text processing as described in this policy.
Legal Compliance: This speech-to-text processing does NOT constitute "call recording" under wiretapping or two-party consent laws, as no audio recordings are created or stored. Text transcripts are processed under standard data processing agreements.
How We Use Your Information
We use the information we collect for the following purposes:
Service Delivery
- Provide, operate, and maintain our services
- Process your transactions and manage your subscription
- Send you technical notices, updates, and support messages
- Respond to your comments, questions, and requests
Service Improvement
- Monitor aggregate usage patterns and trends (not conversation content)
- Analyze how users interact with our dashboard and website
- Detect, prevent, and address technical issues
- Develop new features and services
Communications
- Send you transactional emails (receipts, subscription updates)
- Send promotional communications (only with your consent)
- Notify you about changes to our services or policies
Security and Compliance
- Protect against fraud, unauthorized access, and abuse
- Comply with legal obligations
- Enforce our Terms of Service
Conversation Data - Important Disclosure
IncrediChat acts as a data processor for conversation data, processing it solely on behalf of our business customers (the data controllers).
We do NOT use conversation data to:
- Train, improve, or develop our AI models or any machine learning systems
- Conduct analytics for IncrediChat's own business purposes
- Build profiles, datasets, or derivative works for any purpose beyond service delivery
- Share with third parties for their own purposes
Conversation data is processed in real-time to provide AI responses and is stored only as directed by our business customers. We access conversation content only as technically necessary to deliver the service.
Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):
| Processing Activity | Legal Basis |
|---|---|
| Providing the Services, account management, billing | Contract Performance (Art. 6(1)(b)) - Processing necessary to perform our contract with you |
| Processing conversation data on behalf of customers | Contract Performance (Art. 6(1)(b)) - Processing necessary under our Data Processing Agreement |
| Fraud prevention, security, service improvement | Legitimate Interests (Art. 6(1)(f)) - Our legitimate interest in protecting our services and improving user experience. These interests do not override your fundamental rights. |
| Tax records, accounting, legal compliance | Legal Obligation (Art. 6(1)(c)) - Processing required to comply with applicable laws |
| Marketing emails, newsletters | Consent (Art. 6(1)(a)) - Your explicit consent, which you may withdraw at any time |
| Non-essential cookies and analytics | Consent (Art. 6(1)(a)) - Your explicit consent via our cookie banner |
Withdrawing Consent: Where we rely on consent as the legal basis, you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal. To withdraw consent, contact us at privacy@incredichat.com or use the unsubscribe link in our emails.
Data Sharing
We do not sell your personal information. We may share your information only in the following limited situations:
Service Providers (Sub-processors)
We share data with trusted third-party vendors who perform services on our behalf:
- Cloud Infrastructure: Microsoft Azure (data hosting and storage)
- AI Services: OpenAI (conversation processing - no data retention by OpenAI)
- Speech Services: Deepgram (speech-to-text), ElevenLabs (text-to-speech)
- Payment Processing: Polar, Paddle (billing and subscriptions)
- Email Services: For transactional and marketing communications
- Analytics: Google Analytics (aggregated website analytics only)
All service providers are bound by data processing agreements and are prohibited from using your data for their own purposes. See our Sub-processors page for a complete list.
Legal Requirements
We may disclose information if required by law or in response to:
- Valid legal process (subpoenas, court orders, government requests)
- Requests from law enforcement or regulatory authorities
- Protection of our rights, privacy, safety, or property
- Prevention of fraud or illegal activities
Where legally permitted, we will notify you of such requests.
Business Transfers
In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you via email and/or prominent notice on our website of any change in ownership and your choices regarding your information.
With Your Consent
We may share information for any other purpose with your explicit consent.
International Data Transfers
Your information may be transferred to, stored, and processed in countries outside your country of residence, including Israel, the United States, and other countries where our service providers operate.
For transfers from the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs for transfers to countries without an adequacy decision
- UK International Data Transfer Agreement: For UK transfers, we use the UK Addendum to the EU SCCs
- Adequacy Decisions: Where applicable, we rely on adequacy decisions (e.g., Israel has received an adequacy decision from the European Commission)
- Supplementary Measures: We implement additional technical and organizational measures as needed
For more details on international transfers, see our Data Processing Agreement.
Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this privacy policy, unless a longer retention period is required or permitted by law.
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion request |
| Conversation data | As configured by customer, up to subscription end + 30 days |
| Voice chat transcripts | Stored as text only (no audio files created); retained with conversation data |
| Billing records | 7 years (legal/tax requirements) |
| Support communications | 3 years from last contact |
| Marketing preferences | Until consent is withdrawn |
| Website analytics (aggregated) | 26 months |
When data is no longer needed, we securely delete or anonymize it. You can request earlier deletion of your data by contacting us (subject to legal retention requirements).
Your Rights
Depending on your location, you have certain rights regarding your personal information:
Rights Under GDPR (EEA, UK, Switzerland)
- Right of Access (Art. 15): Request a copy of your personal data and information about how it is processed
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction (Art. 18): Request that we limit processing of your data in certain circumstances
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent
- Right Not to be Subject to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing with legal or significant effects
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable data protection law.
- EU/EEA Residents: Contact the supervisory authority in your country of residence, place of work, or where the alleged infringement occurred. Find your authority at EDPB Members.
- UK Residents: Contact the Information Commissioner's Office (ICO)
- Israeli Residents: Contact the Israeli Privacy Protection Authority (הרשות להגנת הפרטיות)
How to Exercise Your Rights
To exercise any of these rights:
- Email us at privacy@incredichat.com
- Use the self-service features in your account dashboard (data export, deletion)
We will respond to your request within 30 days (or 45 days for CCPA requests). We may need to verify your identity before processing your request. If we cannot fulfill your request, we will explain why.
Note for End Users: If you interacted with a chat widget on another company's website and wish to exercise your rights regarding that conversation data, please contact that company directly (they are the data controller for that data).
California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
Your California Rights
- Right to Know: Request information about the categories and specific pieces of personal information we have collected, the sources, the purpose for collection, and the categories of third parties with whom we share your data.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions (e.g., legal obligations).
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: Opt out of the "sale" or "sharing" of your personal information. Note: IncrediChat does not sell or share your personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: You will not be discriminated against for exercising any of your CCPA/CPRA rights.
- Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information to purposes necessary to provide the services.
Categories of Personal Information We Collect
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers: Name, email address, phone number, account credentials, IP address
- Commercial Information: Subscription history, payment records, service usage
- Internet Activity: Browsing history on our website, interactions with our services
- Professional Information: Company name, job title (if provided)
- Geolocation Data: Approximate location based on IP address
"Do Not Sell or Share My Personal Information"
IncrediChat does not sell personal information as defined under CCPA/CPRA. We do not share personal information for cross-context behavioral advertising. Therefore, we do not offer an opt-out mechanism for "sale" or "sharing" because we do not engage in these practices.
How to Exercise Your Rights
California residents may exercise their rights by:
- Emailing us at privacy@incredichat.com
- Using the data export and deletion features in your account dashboard
We will respond to verifiable requests within 45 days, as required by law. You may designate an authorized agent to make a request on your behalf (written authorization required).
Shine the Light Law
Under California Civil Code Section 1798.83 ("Shine the Light" law), California residents may request information regarding the disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
Israeli Privacy Law
If you are an Israeli resident, this section applies to you in addition to the general privacy policy. IncrediChat complies with the Israeli Privacy Protection Law, 5741-1981 (חוק הגנת הפרטיות, התשמ"א-1981) and its regulations.
Your Rights Under Israeli Law
- Right to Review: You have the right to review any personal information about you that is stored in our databases.
- Right to Correction: If you find that the information is inaccurate, incomplete, unclear, or not up to date, you may request its correction or deletion.
- Right to Deletion: You may request the deletion of your personal information from our systems.
- Right to Object: You have the right to object to the processing of your personal data for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time.
Data Protection Registration
Our databases are registered with the Israeli Privacy Protection Authority (הרשות להגנת הפרטיות) as required by Israeli law.
Data Transfer
Your data may be transferred to, stored, and processed in countries outside of Israel. We ensure that adequate safeguards are in place to protect your data in accordance with Israeli law requirements and, where applicable, the requirements of other jurisdictions.
Marketing Communications
In accordance with Israeli law (Amendment 40 to the Communications Law), we will only send you marketing communications with your prior explicit consent. You may withdraw your consent at any time by clicking the unsubscribe link in our emails or by contacting us.
Contact for Israeli Residents
For privacy-related inquiries or to exercise your rights under Israeli law, please contact us at privacy@incredichat.com.
Data Breach Notification
IncrediChat has implemented procedures to detect, investigate, and respond to potential data breaches.
Our Commitment
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify Authorities: Report the breach to relevant supervisory authorities within 72 hours of becoming aware of it, as required by GDPR and applicable laws
- Notify Affected Individuals: Inform affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Notify Business Customers: Inform our business customers within 48 hours if their end users' data is affected, enabling them to fulfill their own notification obligations
- Document the Incident: Maintain records of all data breaches, including the facts, effects, and remedial actions taken
Notification Contents
Our breach notifications will include:
- A description of the nature of the breach
- The categories and approximate number of individuals and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate harm
- Contact information for our data protection team
Contact for Security Concerns
If you believe your data has been compromised or you have discovered a security vulnerability, please contact us immediately at security@incredichat.com.
Security
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
Security Measures
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access, multi-factor authentication, principle of least privilege
- Infrastructure: Hosted on enterprise-grade cloud infrastructure with SOC 2 certification
- Monitoring: 24/7 security monitoring and intrusion detection
- Assessments: Regular security assessments, vulnerability scanning, and penetration testing
- Employee Training: Regular security awareness training and background checks
- Incident Response: Documented incident response and disaster recovery procedures
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information using commercially reasonable measures, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.
Children's Privacy
Our Service is not directed to children under the age of 13 (or 16 in certain jurisdictions). We do not knowingly collect personal information from children under these ages.
If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at privacy@incredichat.com. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information.
For Business Customers: If you intend to use IncrediChat in contexts where children may interact with the chat widget, you are responsible for ensuring compliance with COPPA, GDPR-K, and other applicable children's privacy laws, including obtaining verifiable parental consent where required.
Changes to This Policy
We may update our Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make changes:
- We will update the "Last updated" date at the top of this page
- For material changes, we will notify you via email and/or a prominent notice on our website at least 30 days before the changes take effect
- We encourage you to review this Privacy Policy periodically
Your continued use of our services after changes become effective constitutes acceptance of the revised Privacy Policy. If you do not agree with the changes, you should stop using our services and may request deletion of your data.
Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:
Data Protection Contact
MenuWays Ltd. (trading as IncrediChat)
Email: privacy@incredichat.com
You may also contact us via our contact page.