Privacy Policy – Chatzoo App


Incorporating:

  • APPENDIX A — AI Model & Subprocessor List

  • APPENDIX B — DATA PROCESSING AGREEMENT (DPA)

  • APPENDIX C — SCC (Standard Contractual Clauses) ADDENDUM


Operated by Biscotte GmbH, Grafenauweg 8, 6300 Zug, Switzerland.


Last Updated: March 2026.

This Privacy Policy explains how Biscotte GmbH (“we”, “us”, “our”) collects, uses, processes, stores, and shares your personal data when you use the Chatzoo mobile application (“Chatzoo”, “App”).


We comply with:

• EU GDPR

• UK GDPR

• Swiss FDPA

• EU AI Act transparency principles (where applicable)

• Apple App Store privacy requirements


Chatzoo is intended for users 13 years and older.

  1. Who We Are


Biscotte GmbH

Grafenauweg 8, 6300 Zug, Switzerland

Phone: +1 628 270 9686


Biscotte GmbH is the Data Controller for all processing described in this Policy.

  2. Age Requirements & Child Safety

2.1 Under 13

Children under 13 years old may not use the App.

We do not knowingly collect data from children under 13.


2.2 Ages 13–17

Minors may use Chatzoo but must understand:

• AI outputs may be inaccurate

• AI does not provide therapy

• AI cannot replace parental or professional support

• Excessive reliance on AI may be unhealthy


2.3 Parental Rights

Parents may request:

• Access

• Correction

• Deletion

of a minor’s data.

  3. Data We Collect

We collect the following categories:


3.1 Account Data

  • Email

  • Password (hashed)

  • Subscription status

  • Country/region (based on IP)


3.2 User-Generated Content

  • Prompts & messages

  • Uploaded images

  • AI-generated images

  • Voice input (transcribed)

  • Attachments


Your content may include personal data you choose to provide.


3.3 Device & Technical Data

  • IP address

  • Device ID

  • Operating system

  • App version

  • Locale & timezone

  • Crash logs


3.4 Usage Data

  • Feature usage

  • Model selections

  • Routing metadata

  • Session length

  • Performance analytics


3.5 Payment Metadata (Apple)

We receive:

  • Purchase confirmation

  • Renewal status

We never receive:

  • Card numbers

  • Billing addresses

  4. How We Use Your Data (Legal Bases Included)

4.1 Operating the App — GDPR Art. 6(1)(b)

  • Generating AI responses

  • Image creation

  • Voice transcription

  • Model routing

  • Saving & syncing chats


4.2 Safety & Moderation — GDPR Art. 6(1)(f)

We may detect, filter, or block:

  • Unsafe prompts

  • Sexual or violent content

  • Minor-related harmful content

  • Abuse or platform misuse


4.3 Diagnostics & Improvement — GDPR Art. 6(1)(f)

  • Crash analysis

  • Performance optimization

  • Improving safety models

  • Feature improvement


4.4 Legal Obligations — GDPR Art. 6(1)(c)

  • Compliance with law

  • Responding to lawful requests


4.5 Optional Consent-Based Logging — GDPR Art. 6(1)(a)

If enabled, users may opt in to share anonymized logs.

  5. AI Transparency (EU AI Act)

You interact with automated AI systems.


Outputs may:

  • Be incorrect or biased

  • Include anthropomorphic/emotional language

  • Be unsuitable for sensitive or professional contexts

  • Require human verification


Chatzoo is not a replacement for professional advice or emergency services.


  6. Automated Decision-Making & Profiling

We use automated systems to:

  • Route queries

  • Filter harmful content

  • Enforce rate limits


We do not:

  • Conduct behavioral advertising

  • Make legally significant automated decisions

  • Profile minors

  7. Data Retention

| Data Type | Retention |
| --- | --- |
| Account data | Until deleted |
| Chat history | Until user deletes |
| Images | Until deleted |
| Model routing logs | 30–90 days |
| Safety logs | 6–24 months |
| Crash logs | 12–24 months |
| Payment metadata | As required by Apple |

  8. Data Deletion

You may delete:

  • Your account

  • All chat history

  • All images

  • All personal data

Deletion occurs within 30 days unless legally required otherwise.

  9. Sharing Your Data

We share data only with:


9.1 AI Model Providers (Processors/Subprocessors)

To generate responses.

Full list in Appendix A.


9.2 Infrastructure Providers

Storage, hosting, analytics.


9.3 Apple (Payments)

Limited to subscription verification.


9.4 Legal Authorities

Only when required by law.

We do not sell personal data.

10. International Transfers & SCCs

Data may be transferred to:

  • USA

  • EU

  • UK

  • Switzerland

  • Other jurisdictions.

We rely on:

  • SCC 2021 (Module 2)

  • UK Addendum (IDTA)

  • Swiss FDPIC Addendum

  • Supplementary security measures

Full SCC Addendum included in Appendix C.

11. Security Measures (ISO 27001 + SOC2-Aligned)


We implement:

  • TLS 1.2+ encryption

  • AES-256 encryption at rest

  • MFA for admin access

  • Role-based access controls

  • Network segmentation

  • Abuse detection

  • Incident response

  • Logging & auditing

  • Personnel confidentiality

  • Secure development lifecycle

12. High-Risk Use Prohibited


Chatzoo must not be used for:

  • Medical diagnosis or treatment

  • Legal or financial decisions

  • Emergency services

  • Military or defense applications

  • Aviation or navigation

  • Life-critical systems

We disclaim all liability for prohibited uses.

13. Your Rights (GDPR, UK GDPR, FDPA)


You may request:

  • Access

  • Correction

  • Deletion

  • Restriction

  • Objection

  • Portability

  • Withdrawal of consent

14. Changes to This Policy


We may update this Policy.

15. Contact Information


Biscotte GmbH

Grafenauweg 8

6300 Zug, Switzerland

Phone: +1 628 270 9686

APPENDIX A — AI MODEL PROVIDER & SUBPROCESSOR LIST


(Referenced by Terms, Privacy, and DPA)


Chatzoo may route user inputs to the following AI model providers and subprocessors:


OpenAI

  • GPT-5

  • GPT-5.2

  • GPT-5 Chat

  • GPT-OSS


Anthropic

  • Claude Sonnet

  • Claude Opus


Google DeepMind

  • Gemini Pro

  • Gemini Flash


Mistral AI

  • Mistral Large

  • Ministral models


Meta

  • Llama models


NVIDIA

  • Nemotron


DeepSeek

  • DeepSeek R1

  • DeepSeek Chat


xAI

  • Grok


Zhipu AI

  • GLM


Liquid AI

  • LFM


Moonshot

  • Kimi models


Perplexity AI

  • Sonar models


Plus: hosting, logging, analytics, and safety vendors as required.

This list is updated regularly.

APPENDIX B — DATA PROCESSING AGREEMENT (DPA)


Parties


Controller: The customer using Chatzoo

Processor: Biscotte GmbH, Grafenauweg 8, 6300 Zug, Switzerland

This DPA forms part of Chatzoo’s Privacy Policy.

  1. Subject Matter


Processing of personal data submitted to or collected by the App.

  2. Duration

For the duration of the customer relationship and until all data is deleted.

  3. Nature & Purpose

  • AI text and image generation

  • Model routing

  • Voice transcription

  • Safety & moderation

  • Diagnostics

  • Compliance

  4. Categories of Data

  • Account data

  • Prompts & chats

  • Images

  • Voice inputs

  • Device logs

  • IP addresses

  • Subscription metadata

  5. Data Subjects

  • End users

  • Minors 13–17 (if applicable)

  6. Obligations of Processor (Biscotte GmbH)

We shall:

6.1 Process data only on documented instructions

Including this Policy, product settings, or written instructions.


6.2 Maintain confidentiality

Personnel are trained and bound by confidentiality.


6.3 Implement security measures

See Schedule 2.


6.4 Assist Controller

With rights requests, incidents, and DPIAs.


6.5 Return or delete data

When requested or upon termination.

  7. Subprocessors

7.1 Authorization

Controller grants general authorization to engage subprocessors.


7.2 Requirements

Each subprocessor must:

  • Be bound by equivalent protections

  • Use data only for approved purposes

  • Sign DPAs & SCCs where applicable


7.3 List of Subprocessors

See Appendix A.

  8. International Transfers

Covered by:

  • SCC 2021 (Module 2)

  • UK Addendum

  • Swiss FDPIC Addendum

  9. Incident Notification

We will notify Controller without undue delay of:

  • Security breaches

  • Data leaks

  • Unauthorized access

10. Liability

Liability is limited as set out in the Terms & Conditions.

11. Governing Law

Swiss law applies.

Disputes follow the arbitration clause in the Terms & Conditions.

APPENDIX C — SCC (STANDARD CONTRACTUAL CLAUSES) ADDENDUM


Module Applied:


Module 2 — Controller → Processor

Incorporation by Reference


The full text of the European Commission’s SCCs (2021) is incorporated.

UK Addendum (IDTA)


Applies when UK-origin data is transferred internationally.

Swiss Addendum


Applies when Swiss-origin data is transferred internationally.

Supplementary Measures


Biscotte GmbH implements:

  • Encryption

  • Limited access controls

  • Logging & audit trails

  • Policy-based access restrictions

  • Commitment to challenge unlawful government access