GDPR Compliance
Understanding n8nchatui.com's GDPR compliance and data protection measures.
Our Commitment to Data Protection
At n8nchatui.com, we take data protection seriously and have designed our services with privacy-first principles. This page explains how our services comply with GDPR requirements and how we protect your data.
Important Note: GDPR compliance primarily applies to our Managed Widgets service, which processes messages through our proxy service. Standalone Widgets are completely self-managed and do not involve any message processing by n8nchatui.com.
Data Minimization Principle
Our Approach
We follow the GDPR principle of data minimization by:
- Collecting only necessary data
- Processing data for specified purposes only
- Storing data for the minimum time necessary
Standalone Widgets
- No message processing by n8nchatui.com
- No proxy service involvement
- Direct communication between your website and n8n workflow
- You maintain full control over data flow
- No GDPR data processing - only account/license data is handled
- No analytics collection of user interactions
Managed Widgets (GDPR Applies)
- Real-time message processing through secure proxy service
- Messages pass through proxy but are not stored, cached, or logged
- Only essential technical metrics are collected for analytics and billing:
  - Message counts for credit deduction and billing
  - Session data (session IDs, user IDs) for analytics
  - Technical metadata (user agent, timezone, timestamp)
  - Performance metrics (response times, error rates)
  - Geographic data (country/timezone) for usage analytics
  - Browser and device information for technical insights
Technical Implementation
Service Type Comparison
Aspect | Standalone Widgets | Managed Widgets |
---|---|---|
Message Processing | None by n8nchatui.com | Real-time proxy processing |
Data Collection | Account/license only | Analytics + billing metrics |
User Control | Complete self-management | Centralized management |
Privacy Impact | No message data exposure | Transient processing only |
Proxy Service Architecture (Managed Widgets Only)
- Message Flow
  - Messages pass through our secure proxy service in real-time
  - No message content is stored, cached, or logged
  - Message content exists in memory only during processing
  - Webhook URLs remain private and are never exposed publicly
  - Configurable authentication and rate limiting
- Analytics Collection
  - Technical metrics are collected for service optimization
  - Performance monitoring (response times, error rates)
  - Geographic and device analytics for technical insights
  - No personal message content is retained
  - Data is processed and aggregated for dashboard display
- Credit System Integration
  - Message counts are tracked for credit deduction
  - Real-time credit balance monitoring
  - Audit trail for billing transparency
GDPR Compliance Details
Legal Basis for Processing
For Managed Widgets:
- Contract fulfillment (Article 6(1)(b)): Service provision, credit processing, billing
- Legitimate interests (Article 6(1)(f)): Security monitoring, performance optimization, fraud prevention
- Consent (Article 6(1)(a)): Marketing communications, optional analytics enhancements
For Standalone Widgets:
- Contract fulfillment (Article 6(1)(b)): License provision and account management only
- No message processing - users handle all data processing independently
Data Subject Rights
For Managed Widget Users: We support all GDPR rights including:
- Right to access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to restrict processing
- Right to object to processing
- Rights related to automated decision-making
For Standalone Widget Users:
- Limited to account data only (no message processing by n8nchatui.com)
- Standard account management rights apply
International Data Transfers
- Primary processing: EU/EEA (Amsterdam, Netherlands via Railway)
- International transfers:
  - USA (Loops for email services)
  - APAC region (Cloudflare for security/CDN)
- Safeguards: Standard contractual clauses, adequacy decisions where applicable
- Data minimization: Only necessary data is transferred internationally
Sub-processors
We use the following sub-processors to provide our services:
Sub-processor | Purpose | Location |
---|---|---|
Railway | Hosting and storage infrastructure | Amsterdam, Netherlands (EU/EEA) |
Cloudflare | Security services and CDN | APAC region |
Creem | Payment processing | Estonia (EU/EEA) |
MongoDB | Database storage and management | Multiple regions (primarily EU/EEA) |
Loops | Email communications | United States |
We ensure all sub-processors maintain appropriate data protection standards and will notify you of any changes to this list.
Security Measures
Technical Safeguards
- End-to-end encryption in transit
- Secure infrastructure configuration
- Regular security assessments
- Access control and monitoring
Organizational Controls
- Access on need-to-know basis
- Regular security checks
- Incident response procedures
Data Processing Agreement
You can view our Data Processing Agreement (DPA) here.
Compliance Documentation
Available Documentation
- Terms & Conditions
- Privacy Policy
- Data Processing Agreement (DPA)
- Sub-processor list (see above)
Contact Information
Data Protection Queries
For any GDPR-related questions or data subject requests:
- Email: [email protected]
- DPO: Manoj Kumar
- Response Time: Within 1-2 business days
Updates and Changes
We regularly review and update our GDPR compliance measures. Any significant changes will be communicated to our users and documented here.
Last updated: 4 September 2025.