Privacy Policy

Last updated: June 2025

1. Information We Collect

File Data

  • ChatGPT export files you upload for conversion
  • File metadata (size, conversation count, creation date)
  • Processing analytics (conversion time, success rates)

Payment Information

  • Payment data is handled entirely by Stripe
  • We receive only payment confirmation, not card details
  • Billing addresses for tax compliance

Technical Data

  • IP address and general location
  • Browser type and version
  • Device information for optimization
  • Usage analytics for service improvement

Browser Storage Technologies

We use various browser storage mechanisms to provide Service functionality and improve user experience:

localStorage:

  • Theme Preference: Stores your light/dark mode selection (key: chatconverter_theme)
  • Google Drive Auth State: Temporary OAuth tokens and connection status
  • Purpose: Persist user preferences across sessions
  • Expiration: Data persists until manually cleared by user or browser

sessionStorage:

  • Temporary Processing State: File upload progress, conversion status
  • Navigation State: Current page/section for single-page app routing
  • Purpose: Maintain state during active browsing session
  • Expiration: Automatically cleared when browser tab/window is closed

IndexedDB:

  • Large File Storage: Temporarily stores uploaded ChatGPT export files during client-side processing
  • Processing Queue: Manages multi-file conversion operations
  • Conversation Cache: Temporary storage for parsed conversation data during conversion
  • Purpose: Enable browser-based processing of files too large for memory
  • Size Limit: Up to 500 MB depending on browser quota
  • Expiration: Data is deleted immediately after successful conversion or within 24 hours if processing fails
  • User Control: Can be manually cleared through browser settings

Cookies:

  • Stripe Payment Session: Session cookies from Stripe for secure payment processing (third-party)
  • No Tracking Cookies: We do NOT use advertising, analytics, or cross-site tracking cookies
  • Duration: Session cookies expire when payment flow completes or browser closes

Data Stored Locally vs. Transmitted:

  • Stays Local: Theme preferences, file content during client-side processing, OAuth tokens
  • Transmitted to Servers: Payment metadata (transaction ID, amount), conversation count analytics, processing success/failure status
  • Never Transmitted: Actual conversation content remains in browser during client-side processing (files < 250MB)

2. How We Use Your Information

  • File Processing: Convert your conversations to requested formats
  • Payment Processing: Handle transactions securely through Stripe
  • Service Improvement: Analyze usage patterns to enhance performance
  • Customer Support: Provide assistance with technical issues
  • Legal Compliance: Meet regulatory requirements

3. Data Processing Methods

Client-Side Processing (Files < 250MB)

  • Your files are processed entirely in your browser
  • No data is sent to our servers during processing
  • Maximum privacy protection

Server-Side Processing (Files > 250MB)

  • Files temporarily uploaded to secure Cloudflare servers
  • Processing completed within 60 minutes
  • All data deleted within 24 hours
  • Encrypted storage and transmission

Google Drive Integration (Optional)

  • User-Controlled: You explicitly authorize access when enabling incremental backups
  • Minimal Scope: We use Google Drive API scope drive.file - the most restrictive permission level
  • Limited Access: We can ONLY access files and folders that our app creates (a single "ChatConverter" folder)
  • No Browsing: We cannot see, read, or access ANY other files, folders, or data in your Google Drive
  • Purpose: Store conversion logs and results to YOUR drive for incremental backup calculations
  • Your Data: All processing logs are delivered to YOUR Google Drive, ensuring you maintain custody of your conversion history
  • Revocable: You can revoke access at any time through your Google Account settings

Sub-Processors and Third-Party Services

Under GDPR Article 28, we disclose all sub-processors who may process your personal data:

Sub-Processor Purpose Data Processed Location Safeguards
Stripe, Inc. Payment processing Payment card data, billing address, transaction metadata, email address United States (global infrastructure) PCI DSS Level 1, SOC 2 Type II, GDPR compliant, Standard Contractual Clauses (SCCs)
Cloudflare, Inc. Hosting, CDN, server-side processing for large files, OAuth proxy IP addresses, uploaded files (>250MB only), processing metadata, OAuth tokens (in transit) United States (global edge network) SOC 2 Type II, ISO 27001, GDPR compliant, Standard Contractual Clauses (SCCs), Data Processing Agreement
Google LLC Google Drive storage (user-authorized, optional) Processed ZIP files, conversion metadata, conversation checksums (stored in YOUR Google Drive) User's Google Drive location (user-controlled) ISO 27001, SOC 2/3, GDPR compliant, Standard Contractual Clauses (SCCs). Data stored in user's own Google Drive under user's control.

Data Flow Transparency:

  • Client-Side Processing (Files < 250MB): Conversation content never leaves your browser. Only payment metadata sent to Stripe.
  • Server-Side Processing (Files > 250MB): Files uploaded to Cloudflare Workers for processing. Deleted within 24 hours.
  • Payment Flow: All transactions require Stripe. Payment metadata (transaction ID, amount, timestamp) sent to verify processing authorization.
  • Google Drive (Optional): If connected, processed files and metadata stored in YOUR Google Drive folder. We access only via user-authorized OAuth.

International Data Transfers:

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to and processed in the United States. We rely on the following legal mechanisms:

  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with all sub-processors handling EEA data
  • Adequacy Decisions: Where applicable (e.g., EU-US Data Privacy Framework participants)
  • Necessity for Contract Performance: Processing required to provide the Service you've requested

4. Data Retention

  • Uploaded Files: Deleted immediately after processing (client-side) or within 24 hours (server-side)
  • Processed Files: Available for download for 7 days, then deleted
  • Payment Records: Retained for 7 years for tax and legal compliance
  • Analytics Data: Aggregated and anonymized, retained for 26 months
  • Support Communications: Retained for 2 years

5. Data Sharing

We do not sell, rent, or share your personal data with third parties except:

  • Service Providers: Stripe for payment processing, Cloudflare for hosting
  • Legal Requirements: When required by law or legal process
  • Business Transfer: In case of merger or acquisition (with notice)

6. Global Data Protection Compliance

General Data Protection Regulation (GDPR) - EU/UK/EEA

For users in the European Union, United Kingdom, and European Economic Area, we comply with GDPR requirements:

  • Legal Basis for Processing:
    • Contract performance (providing conversion services you've paid for)
    • Legitimate interests (improving service quality, fraud prevention)
    • Consent (optional Google Drive integration, marketing communications)
    • Legal obligation (tax records, responding to authorities)
  • Data Controller: Obsidian Bluff LLC acts as the data controller for all personal data collected
  • Data Protection Officer Contact: privacy@chatconverter.ai
  • EU Representative: For GDPR inquiries from EU residents, contact privacy@chatconverter.ai
  • International Transfers: When we transfer data outside the EU/EEA, we use Standard Contractual Clauses approved by the European Commission
  • Right to Lodge Complaint: EU residents may lodge complaints with their national Data Protection Authority

California Consumer Privacy Act (CCPA) - California, USA

For California residents, we comply with CCPA requirements:

  • Categories of Personal Information Collected:
    • Identifiers (email, IP address, payment confirmation ID)
    • Commercial information (purchase history, conversion records)
    • Internet/electronic activity (browser type, usage analytics)
    • File data (ChatGPT export contents you provide for conversion)
  • Business Purpose for Collection: Provide file conversion services, process payments, improve product, comply with law
  • No Sale of Personal Information: We do NOT sell personal information to third parties
  • No Sharing for Cross-Context Behavioral Advertising: We do not share data for targeted advertising
  • Retention Period: See Section 4 (Data Retention) for specific timeframes
  • Service Providers: Stripe (payment processing), Cloudflare (hosting), Google (optional Drive integration)

Other Jurisdictions

We respect data protection laws in all jurisdictions where we operate. If you are located outside the EU or California and have questions about your local privacy rights, please contact privacy@chatconverter.ai.

7. International Transfers

  • Data may be processed in countries where our service providers operate
  • We ensure adequate protection through appropriate safeguards
  • EU users have specific rights under GDPR (see Section 6)

8. Your Rights

We respect your data rights. To exercise any of these rights, contact privacy@chatconverter.ai. We will respond within 30 days (or as required by applicable law).

All Users

  • Right to Access: Request information about what personal data we hold about you, including categories of data, sources, purposes, and recipients
  • Right to Rectification: Request correction of inaccurate or incomplete personal data
  • Right to Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Right to Transparency: Receive clear information about how we process your data

EU/UK Users (GDPR Rights)

In addition to the rights above, EU/UK/EEA residents have:

  • Right to Data Portability: Receive your personal data in a structured, machine-readable format (e.g., JSON) and transmit it to another service
  • Right to Restrict Processing: Request that we limit how we use your data in certain circumstances
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
  • Right to Withdraw Consent: Withdraw consent at any time for processing based on consent (e.g., Google Drive access, marketing emails)
  • Right to Lodge a Complaint: File a complaint with your national Data Protection Authority if you believe we've violated GDPR
  • Right Not to Be Subject to Automated Decision-Making: We do not use automated decision-making or profiling with legal/significant effects

California Users (CCPA/CPRA Rights)

California residents have these specific rights:

  • Right to Know: Request disclosure of:
    • Categories and specific pieces of personal information collected
    • Categories of sources from which data is collected
    • Business purpose for collecting or selling data
    • Categories of third parties with whom we share data
  • Right to Delete: Request deletion of personal information we've collected (subject to legal exceptions)
  • Right to Opt-Out of Sale: We do NOT sell personal information, so this right does not apply
  • Right to Opt-Out of Sharing for Targeted Advertising: We do NOT share data for cross-context behavioral advertising
  • Right to Limit Use of Sensitive Personal Information: We use sensitive information only as necessary to provide services
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights (no denial of service, different prices, or lower service quality)
  • Right to Correct: Request correction of inaccurate personal information

How to Exercise Your Rights

To submit a request:

  • Email: privacy@chatconverter.ai with subject line "Data Rights Request"
  • Include: Your name, email address used for our service, and specific right(s) you wish to exercise
  • We may verify your identity before fulfilling requests to protect your data security
  • Response time: 30 days (GDPR), 45 days (CCPA), with possible extension if complex
  • No fee for requests (unless excessive or repetitive)

9. Security Measures and Data Breach Notification

Security Safeguards

We implement industry-standard security measures to protect your personal data:

  • Encryption: HTTPS/TLS 1.3 encryption for all data transmission between your browser and our servers
  • Secure Storage: Server-side processing uses encrypted storage on Cloudflare Workers with strict access controls
  • Access Controls: Employee and contractor access limited to necessary functions only, with audit logging
  • Regular Security Audits: Quarterly review of security practices, dependency updates, and vulnerability assessments
  • Sub-Processor Standards: All sub-processors (Stripe, Cloudflare, Google) maintain SOC 2 Type II, ISO 27001, or equivalent certifications
  • Data Minimization: We collect and retain only data necessary for service provision
  • Automatic Deletion: Uploaded files deleted immediately (client-side) or within 24 hours (server-side)

Data Breach Notification Procedure

In compliance with GDPR Article 33, CCPA, and other applicable data protection laws, we commit to the following breach notification procedures:

1. Breach Detection and Assessment (0-24 hours):

  • Upon discovery of a suspected security incident, we immediately initiate investigation
  • Determine scope: type of data affected, number of individuals, severity of potential harm
  • Engage incident response team and legal counsel
  • Implement containment measures to prevent further unauthorized access

2. Notification to Supervisory Authority (Within 72 hours of awareness):

  • GDPR Compliance: If breach likely to result in risk to rights and freedoms of individuals, we notify the relevant Data Protection Authority within 72 hours
  • Notification Includes: Nature of breach, categories and approximate number of affected individuals, likely consequences, measures taken to address breach, contact point for more information
  • Supervisory Authorities:
    • EU/UK residents: Notification to relevant national DPA (Data Protection Authority)
    • California residents: Notification to California Attorney General if breach affects 500+ California residents

3. Notification to Affected Individuals (Without undue delay):

  • When Required: If breach likely to result in high risk to rights and freedoms of individuals (e.g., sensitive data exposed, risk of identity theft or fraud)
  • Notification Method: Direct email communication to affected users (using email addresses from payment records or Google Drive authorization)
  • Content of Notification:
    • Clear description of the nature of the breach in plain language
    • Type of data potentially compromised (e.g., payment metadata, file metadata, conversation content)
    • Likely consequences and potential risks
    • Measures we have taken to address the breach and mitigate harm
    • Recommendations for individuals to protect themselves (e.g., monitor accounts, change passwords)
    • Contact information for questions: security@chatconverter.ai
  • Timing: Notification sent without undue delay, and within timeframes required by applicable law (e.g., CCPA requires notification without unreasonable delay)

4. Public Disclosure (If Required):

  • If breach affects a significant number of users or involves high-risk data, we will post a public notice on our website
  • Prominent notice displayed on homepage and in user dashboards
  • Transparency report published within 30 days of breach resolution

5. Post-Breach Actions:

  • Root Cause Analysis: Conduct thorough investigation to identify how breach occurred
  • Remediation: Implement technical and organizational measures to prevent recurrence
  • Documentation: Maintain detailed records of breach, assessment, and response actions for regulatory compliance
  • User Support: Provide dedicated support channel for affected users to ask questions and receive assistance
  • Monitoring: Enhanced monitoring for at least 90 days post-breach to detect related incidents

Exceptions to Individual Notification:

We may not notify individuals if:

  • Breach is unlikely to result in risk to rights and freedoms (e.g., data was encrypted and encryption keys not compromised)
  • We have implemented subsequent measures ensuring high risk is no longer likely to materialize
  • Individual notification would require disproportionate effort (in which case we make public communication instead)
  • As permitted or required by applicable law

Our Commitment:

While we implement robust security measures, no system is 100% secure. In the event of a breach, we prioritize transparency, rapid response, and user protection. We will always comply with the strictest applicable data protection laws.

10. Cookies and Tracking

  • Essential Cookies: Required for service functionality
  • Analytics Cookies: Help us improve the service (can be disabled)
  • No Advertising Tracking: We don't use advertising networks

11. Children's Privacy

Our Service is not intended for children under 13. We do not knowingly collect personal information from children under 13.

12. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify users of material changes via email or prominent notice on our website.

13. Contact Information

For privacy-related questions or to exercise your rights:

Email: privacy@chatconverter.ai
Address: Obsidian Bluff LLC
30 N Street Suite R
Sheridan, WY 82801

Questions about privacy?

Contact us or review our Terms of Service for more information.

Disclaimer: Chat Converter is an independent tool and is not affiliated with, endorsed by, or connected to OpenAI, Notion Labs Inc., Obsidian.md, Microsoft Corporation, Google LLC, or any other third-party service mentioned on this site. All product names, logos, and brands are property of their respective owners. Use of these names, logos, and brands does not imply endorsement. ChatGPT is a trademark of OpenAI. Google Drive is a trademark of Google LLC. All company and product names are trademarks™ or registered® trademarks of their respective holders.