Privacy Policy
Last updated: 2026-05-30
Widgent ("we", "our", or "us") operates widgent.app and related services (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect personal data in connection with the Service.
Two roles exist on our platform: (1) Customers — developers or companies who register and configure Widgent products; and (2) End-Users — the users of the applications that Customers build. This policy primarily governs data we hold about Customers. End-User data is governed by the Customer's own privacy policy; Widgent acts as a Data Processor on behalf of Customers, who are the Data Controllers for their End-Users' data.
1. Information We Collect
1.1 Account & Registration Data
When you create an account, we collect your name, email address, and authentication method (Google OAuth or email/password). This data is required to provide and secure your access to the dashboard.
1.2 Product Configuration Data
We store product settings, system prompts, tool configurations, and widget appearance settings. LLM API keys you provide are encrypted at rest using AES-256-GCM before storage, with the encryption key stored separately from the database. Service API keys are hashed (bcrypt) before storage and cannot be recovered.
1.3 End-User Conversation Data
By default, Widgent processes End-User messages in memory only and does not persist conversation content. If you explicitly enable the conversation history feature, messages are stored in our database. You, as the Customer, are responsible for ensuring you have the legal basis to store your End-Users' messages and for disclosing this in your own privacy policy.
Important: End-User messages may contain sensitive personal data (medical information, personal circumstances, financial details). If your use case involves such data, you must assess your own compliance obligations (e.g., HIPAA, GDPR Article 9 special categories) before enabling history storage.
1.4 Usage & Technical Data
We collect logs of API requests, conversation metadata (timestamps, token counts, error codes), and system diagnostics to operate and improve the Service. Logs are retained for 90 days and do not include message content unless history storage is enabled.
1.5 Analytics
We use Cloudflare Web Analytics (cookieless, no fingerprinting) on the marketing site. The dashboard uses PostHog (events only; no full message content is sent). No personal data is shared with analytics providers.
1.6 Billing Data
Payment processing is handled by a third-party billing provider. We do not store full payment card numbers. We retain billing records (amounts, dates, plan tier) as required by applicable law.
2. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the UK, we process your data under the following legal bases:
- Contract performance — processing necessary to provide the Service you signed up for
- Legitimate interests — security monitoring, fraud prevention, service improvement (we balance this against your rights)
- Legal obligation — compliance with applicable law
- Consent — where you have explicitly opted in (e.g., marketing emails)
3. How We Use Your Information
- To provide, operate, and maintain the Widgent platform and dashboard
- To authenticate users and control access to products
- To route LLM requests to your chosen provider using your encrypted API key
- To send transactional emails (account verification, billing receipts, security alerts)
- To detect and prevent abuse, fraud, and unauthorized access
- To diagnose technical issues and improve reliability
- To comply with legal obligations and enforce our Terms
We do not use your data or your End-Users' data to train AI models.
4. Data Sharing & Sub-Processors
We do not sell your personal data. We disclose data only as described below. By using the Service, you authorize us to engage the following sub-processors:
4.1 LLM Providers
End-User messages are forwarded to the AI provider you configure (OpenAI, Anthropic, Google, OpenRouter) under your API key. Each provider's own privacy policy and data retention rules apply. Widgent does not control how these providers handle data. You should review the relevant provider's data processing terms before configuring sensitive use cases.
4.2 Infrastructure Sub-Processors
| Provider | Purpose | Location |
|---|---|---|
| Railway | Compute / hosting | US |
| Supabase | Database (PostgreSQL) | US / EU |
| Cloudflare | CDN, DNS, Pages | Global |
| Upstash | Redis (rate limiting, caching) | US / EU |
| Resend / SendGrid | Transactional email | US |
All sub-processors are bound by data processing agreements. We will notify you of material changes to this list with at least 14 days' notice.
4.3 Legal Disclosure
We may disclose data if required by law, valid court order, or governmental authority. Where legally permitted, we will notify you before complying.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of all or part of our assets, your data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.
5. International Data Transfers
Widgent operates globally. If you are located in the EEA, UK, or Switzerland, your data may be transferred to countries outside your jurisdiction. Such transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms. If you are located in Israel, transfers are subject to the Israeli Privacy Protection Law, 5741-1981 and applicable regulations.
6. Data Security
All data is transmitted over HTTPS/TLS 1.2+. LLM API keys are encrypted at rest using AES-256-GCM; the encryption key is stored separately from the database. Access to production systems is restricted to authorized personnel and requires multi-factor authentication.
No system is perfectly secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you within 72 hours of becoming aware (as required by GDPR Article 33 and applicable law).
7. Cookies
The marketing site uses no third-party tracking cookies and no fingerprinting. The dashboard sets a single session cookie (HttpOnly, Secure, SameSite=Strict) used solely for authentication. Cloudflare Web Analytics is cookieless. We do not use advertising cookies.
8. Your Rights
Depending on your location, you may have the right to:
- Access — obtain a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Restriction — request that we limit how we use your data
- Withdraw consent — where processing is based on consent, you may withdraw at any time
To exercise any of these rights, email us at [email protected]. We will respond within 30 days. We may require identity verification before acting on requests.
If you are in the EEA, you also have the right to lodge a complaint with your local supervisory authority. Israeli residents may contact the Israeli Privacy Protection Authority (PPA).
9. Data Retention
- Account data — retained while your account is active
- API request logs — 90 days
- Conversation history (if enabled) — until deleted by you or account closure
- Billing records — 7 years (legal requirement)
When you delete your account, all personal data is permanently deleted within 30 days, except where retention is required by law.
10. Children's Privacy
Widgent is a developer platform not directed at children under 16 (or 13 in the US). We do not knowingly collect personal data from children. If you are a Customer deploying a widget that may be used by children, you are solely responsible for compliance with COPPA, GDPR-K, and applicable children's privacy laws.
11. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact [email protected].
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or a prominent notice in the dashboard at least 14 days before taking effect. The "Last updated" date at the top of this page always reflects the most recent revision. Continued use after the effective date constitutes acceptance of the updated policy.
13. Contact
For privacy-related questions or to submit a data subject request:
Email: [email protected]
Website: widgent.app