Privacy Policy
This page explains what data we collect when you use smartchatbot.rs — through the contact form, through the bot conversation and by visiting — why we collect it, and what you can do about it.
Last updated: 15 July 2026
01 What this policy covers
The smartchatbot.rs website and everything that happens on it: the contact form, the demo bot in the bottom-right corner, and visit measurement.
It does not cover the bots we build for clients on their own websites. There the site owner is the data controller and we are the processor, and that is governed by our contract with that client — not by this page.
02 Who processes your data
The controller is UndiWeb, Balkanska 11a, 32000 Čačak, Serbia.
Tax ID (PIB) 111369135 · Company number (MBR) 65363224.
For anything about your data, write to info@undiweb.net or call +381 61 133 4665. The same team that builds the product answers.
03 What we collect and on what basis
| Data | Why | Legal basis |
|---|---|---|
| Contact form: name, email, website address, message | To answer your enquiry and prepare an assessment | Steps prior to entering a contract, at your request (Art. 6(1)(b) GDPR / Art. 12(1)(2) Serbian DP Act) |
| Bot conversation: the text you type | So the bot can answer, and so we can see what it could not answer | Legitimate interest — running and improving the demo (Art. 6(1)(f) GDPR / Art. 12(1)(6) Serbian DP Act) |
| Technical data: IP address, page address, timestamp | Security, abuse prevention and visit statistics | Legitimate interest (Art. 6(1)(f) GDPR / Art. 12(1)(6) Serbian DP Act) |
Please do not enter health, financial or other sensitive data into the bot conversation. It is a demo and is not intended for that.
05 Where the data is stored
The site and application run on a server in Germany (Nürnberg), and the database is in Frankfurt. Both are in the European Union.
That is not an accident. Data you leave on this site does not leave the EU except with the processors listed below, and then on the basis of standard contractual clauses.
06 Who we share data with
We do not sell your data and do not pass it to third parties for their own purposes. We use the following processors, purely so the site and the bot work:
| Who | What they do | Where |
|---|---|---|
| Anthropic | Generates the bot's replies in conversation | USA (standard contractual clauses) |
| OpenAI | Turns a question into a vector to search the knowledge base — the text of the question goes to them | USA (standard contractual clauses) |
| Supabase (AWS) | Database: conversations and contact-form messages | EU — Frankfurt, Germany |
| Hetzner Online GmbH | The server the site and application run on | EU — Nürnberg, Germany |
| Resend | Sends the contact-form message and notifications | EU / USA (standard contractual clauses) |
| Sentry | Technical error reporting. Conversation content, access tokens and cookies are not sent | EU |
This is the complete list. If we add a processor, we update this table.
07 How long we keep data
Contact-form data is kept while we are handling your enquiry and for as long as we need it to answer and to keep a record of business correspondence. Once that need ends, we delete it.
Bot conversations are kept while we need them to run the demo and to see where the bot gets things wrong. Aggregate visit statistics are kept without data that could identify you.
You can ask for deletion at any time. We delete without delay, unless a law requires us to retain something.
08 Your rights
Under the Serbian Personal Data Protection Act and the GDPR you have the right to:
- find out what data we hold about you and get a copy of it
- have inaccurate data corrected
- have your data deleted
- ask us to restrict processing
- object to processing based on legitimate interest
- take your data to another controller
An email to info@undiweb.net is enough. We reply within 30 days and we do not charge.
If you believe we are processing your data unlawfully, you can complain to the Serbian Commissioner for Information of Public Importance and Personal Data Protection (Bulevar kralja Aleksandra 15, Belgrade), or — if you are in the EU — to the supervisory authority in your country.
09 Security
Traffic to the site is encrypted, access to data is limited to those who need it to do the work, and the database is backed up regularly.
No system is absolutely secure and we will not claim otherwise. If an incident does occur, we notify the Commissioner and the people affected within the deadlines the law sets.
10 Changes to this policy
If something changes — a new processor, a new purpose — we change this text and the date at the top. No silent edits.