Privacy Policy
Last updated: 04 May 2026
1. Data Controller
Alpha AI AS is the data controller for personal data you provide when registering and using the Sam platform as a customer (tenant account holder).
For questions or to exercise your rights, contact our Data Protection contact:
Note on end-user data: If you use Sam to process personal data of your own customers (website visitors who interact with your chatbot), you are the data controller for that data, and Alpha AI AS acts as a data processor on your behalf. This is governed by a separate Data Processing Agreement.
2. Personal Data We Collect
2.1 Account Data
- Name and email address (required for registration)
- Password (stored as a bcrypt hash — never in plaintext)
- Company/organisation name and workspace name
- Language preference
- Account creation date and last login
2.2 Billing Data
- Subscription plan and billing history
- Payment card details are processed and stored exclusively by Stripe, Inc. — we do not store card numbers
- Stripe customer ID linked to your account
2.3 Usage and Configuration Data
- Chatbot configuration settings (widget appearance, welcome messages, positions)
- Knowledge base documents you upload for AI training
- Conversation transcripts between your chatbot and your end users
- Lead and contact data captured through the chatbot
- Usage logs and analytics (message counts, response times, intent classifications)
2.4 Technical Data
- IP addresses (for security logging and fraud prevention)
- Browser and device type (from access logs)
- Session identifiers
- Error logs and crash reports
3. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR Article 6:
Contract performance (Art. 6(1)(b))
Account data and billing data are processed to provide the Service you have contracted with us for, including authentication, subscription management, and customer support.
Legitimate interests (Art. 6(1)(f))
Technical and usage data are processed for security monitoring, fraud prevention, platform improvement, and ensuring service reliability. We have assessed that these interests do not override your rights.
Legal obligation (Art. 6(1)(c))
Billing records and transaction data are retained to comply with Norwegian accounting law (Bokføringsloven) and tax obligations.
Consent (Art. 6(1)(a))
Where we send optional marketing communications, we rely on your explicit consent, which you may withdraw at any time.
4. Data Processors and Third-Party Services
We use the following trusted sub-processors to deliver the Service. All are bound by appropriate data processing agreements:
| Processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting, database, file storage, email (SES) | eu-north-1 (Stockholm, EEA) | EEA — no transfer |
| OpenAI, Inc. | AI conversation processing, vector embeddings | United States | Standard Contractual Clauses (SCCs) |
| Stripe, Inc. | Payment processing and subscription management | United States / Ireland | SCCs / adequacy decision |
| Cloudflare, Inc. | DNS, CDN, bot protection (Turnstile) | Global (EEA nodes used) | SCCs |
Conversation data sent to OpenAI is subject to OpenAI's API data usage policies. As of the date of this policy, OpenAI does not use API data to train its models by default. You can review OpenAI's data policies at openai.com/policies.
5. Data Retention
6. Your Rights
Under GDPR and the Norwegian Personal Data Act, you have the following rights:
Right of access (Art. 15)
Request a copy of all personal data we hold about you.
Right to rectification (Art. 16)
Request correction of inaccurate or incomplete data.
Right to erasure (Art. 17)
Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
Right to portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to restriction (Art. 18)
Request that we limit processing of your data in certain circumstances.
Right to object (Art. 21)
Object to processing based on legitimate interests.
To exercise any of these rights, email privacy@viasam.app. We will respond within 30 days. You may also lodge a complaint with the Norwegian Data Protection Authority:
Datatilsynet
Postboks 458 Sentrum, 0105 Oslo
Website: datatilsynet.no
Email: postkasse@datatilsynet.no
7. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- TLS encryption for all data in transit
- Encryption at rest for sensitive fields using AES-256
- Session tokens encrypted and stored in Redis with automatic expiry
- Passwords stored using bcrypt hashing
- All infrastructure hosted in AWS eu-north-1 (Stockholm) within the EEA
- Access controls and audit logging for administrative operations
- CSRF protection on all form submissions
- Bot protection via Cloudflare Turnstile on authentication endpoints
In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, in accordance with GDPR Articles 33–34.
8. Cookies
The Sam dashboard uses the following cookies:
We do not use advertising, tracking, or analytics cookies. The chat widget embedded on customer websites does not set cookies by default.
9. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact privacy@viasam.app and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email or in-app notification at least 30 days before changes take effect. The current version is always available at viasam.app/privacy.
11. Contact
For any privacy-related questions, requests, or concerns: