Overview
Chitty – AI Live Chat ("Chitty", "Plugin", "we", "us") is a free, open-source WordPress plugin published on WordPress.org by Mubashir Hassan. This Privacy Policy describes the personal data that may be collected when your website visitors interact with the Chitty chat widget installed on your WordPress site.
Chitty is a self-hosted plugin. All chat data is stored in your own WordPress database, on your own server. We — the plugin developers — do not operate a central cloud service and therefore do not receive or store your visitors' chat conversations unless you explicitly choose to use a third-party AI provider (see Section 4).
Important distinction: This policy covers data collected by the Chitty plugin on the WordPress site where it is installed. It does not cover data collected by Mubashir Hassan's personal website (mubashirhassan.com). As a site owner, you remain the data controller for your visitors' data. You are responsible for updating your own site's privacy policy accordingly.
Data Collected by the Plugin
When a visitor interacts with the Chitty widget on your site, the following data may be collected and stored in your WordPress database:
| Data Point | Source | Required? | Purpose |
|---|---|---|---|
| Name | Visitor submits in pre-chat form | Optional | Lead identification |
| Email Address | Visitor submits in pre-chat form | Optional | Lead capture, GDPR export/erasure |
| Phone Number | Visitor submits in pre-chat form | Optional | WhatsApp handoff, lead contact |
| Chat Messages | Visitor types in the widget | Yes (core function) | AI reply generation, chat history |
| IP Address | Server/WordPress | Yes | Geo-detection, spam prevention |
| Country / City | Derived from IP via ip-api.com | Yes | Analytics, language detection |
| Browser / Device | User-Agent header | Yes | Analytics dashboard |
| Page URL at chat start | JavaScript | Yes | Context for AI replies, analytics |
| Browser Language | JavaScript | Yes | Auto language detection (20+ langs) |
| Star Rating | Visitor submits post-chat (optional) | Optional | Feedback and quality tracking |
| WooCommerce Order ID | WordPress/WooCommerce | Optional | Revenue attribution (if WooCommerce active) |
All data listed above is stored in your own WordPress database (tables prefixed with wpc_). The plugin developers have no access to this data.
How the Data Is Used
Data collected by Chitty is used exclusively to operate the chat plugin features. Specifically:
- Chat Conversations — sent to your chosen AI provider (Claude, GPT-4, or OpenRouter) to generate replies. Only the current conversation context is sent; no cross-site sharing occurs.
- Lead Data (name, email, phone) — displayed in the WordPress admin dashboard so the site owner can follow up with visitors.
- IP Address & Geo-data — used to populate the analytics dashboard and to detect the visitor's language automatically.
- Page URL — passed to the AI as context so it can give relevant answers about the current page.
- WooCommerce data — used to attribute sales that originated from a chat conversation (conversion tracking).
The plugin does not use collected data for advertising, profiling, or any purpose other than operating the features described above.
Third-Party Services
Chitty can connect to the following external services. These connections are optional and controlled entirely by the site owner through the plugin settings:
| Service | Purpose | Data Sent | Privacy Policy |
|---|---|---|---|
| Anthropic Claude API | AI reply generation | Chat messages & conversation history | anthropic.com/privacy |
| OpenAI API (GPT-4) | AI reply generation | Chat messages & conversation history | openai.com/privacy |
| OpenRouter API | Free AI model routing | Chat messages & conversation history | openrouter.ai/privacy |
| ip-api.com | IP Geolocation (country & city) | Visitor IP address | ip-api.com/docs/legal |
| WhatsApp (Meta) | Optional human handoff | Phone number (only if visitor initiates) | whatsapp.com/legal |
⚠️ As a site owner: When you use AI providers (Anthropic, OpenAI, OpenRouter), your visitors' chat messages are transmitted to those providers' servers. You must disclose this to your visitors in your own privacy policy and ensure you have a lawful basis for doing so under applicable law (e.g. GDPR, CCPA).
Data Storage & Retention
All chat data (sessions, messages, ratings) is stored in your own WordPress database. The plugin stores data in the following custom tables:
- {prefix}_wpc_sessions — visitor sessions including lead data, IP, device, geo-data
- {prefix}_wpc_chats — individual chat messages (visitor and AI)
- {prefix}_wpc_ratings — post-chat star ratings
There is no automatic data deletion built into version 1.0. Site owners are responsible for defining their own data retention policies and manually deleting records from the admin dashboard or database as needed.
When the plugin is uninstalled, an uninstall.php routine removes all plugin settings and database tables, permanently deleting all stored chat data.
No external data storage: The plugin developers (Mubashir Hassan / Chitty) do not maintain any servers, databases, or cloud services that store your visitors' data. Your data stays on your server.
Cookies & Local Storage
Chitty uses browser-side storage to preserve chat state across page navigations. Specifically:
- sessionStorage — stores the active chat session key, conversation messages, lead name, and widget open/close state. This data is cleared automatically when the browser tab is closed.
- sessionStorage key wpc_pro — set to prevent proactive messages from appearing more than once per browser session.
Chitty does not set any persistent cookies (no document.cookie calls). Session storage is origin-scoped and is never sent to external servers.
If your jurisdiction requires consent for session storage, you may integrate Chitty with a cookie-consent solution and delay the widget initialization until consent is obtained.
GDPR & Privacy Rights
Chitty includes built-in support for the WordPress Personal Data tools, enabling site owners to fulfill GDPR requests from their visitors:
- Right of Access / Data Export — Chitty registers a custom exporter with WordPress (Tools → Export Personal Data). Entering a visitor's email address will compile all chat sessions, messages, and personal data associated with that email into a downloadable ZIP file.
- Right to Erasure (Right to be Forgotten) — Chitty registers a custom eraser with WordPress (Tools → Erase Personal Data). All chat sessions and messages linked to the provided email address will be permanently deleted from the database.
- Right to Rectification — Site owners can manually edit or delete records from the Chitty admin dashboard.
- Right to Restriction / Objection — Site owners can disable the chat widget for specific pages or disable lead-capture forms entirely from plugin settings.
GDPR Responsibility: As the WordPress site owner, you are the data controller. Chitty provides the technical tools; you are responsible for responding to data subject requests within the legally required timeframes (30 days under GDPR) and maintaining a lawful basis for processing visitor data.
If you are subject to other privacy regulations such as CCPA (California), LGPD (Brazil), or PDPA (Thailand), the same export and erasure tools can be used to fulfill equivalent requests.
Data Security
Chitty implements the following security measures:
- All AJAX endpoints are protected with WordPress nonces to prevent cross-site request forgery (CSRF).
- All database queries use WordPress prepared statements ($wpdb->prepare()) to prevent SQL injection.
- Admin-only pages and settings are protected by WordPress capability checks (manage_options).
- All output is sanitized using WordPress escaping functions (esc_html(), wp_kses()) to prevent XSS.
- All API keys (Anthropic, OpenAI, OpenRouter) are stored using WordPress options and are never exposed in frontend JavaScript.
The overall security of your data also depends on your web host, WordPress installation, and server configuration. We recommend keeping WordPress, PHP, and all plugins up to date.
Children's Privacy
Chitty is a general-purpose business chat plugin and is not directed at children under the age of 13 (or 16 in the EU/UK under GDPR). The plugin does not knowingly collect personal data from children.
If you operate a website that may be visited by children, you are responsible for obtaining any required parental consent before enabling chat and lead-capture features for under-age visitors.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect new plugin features, changes in legal requirements, or changes in third-party services. When we make significant changes, we will update the "Last updated" date at the top of this page.
We encourage site owners to review this policy periodically. Continued use of the Chitty plugin after updates constitutes acceptance of the revised policy.
Previous versions of this policy are available upon request by emailing hello@mubashirhassan.com.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your visitors' personal data, please contact:
Mubashir Hassan
Plugin Developer & Data Controller
🌐 mubashirhassan.com
📧 hello@mubashirhassan.com
🔗 WordPress.org Support Forum
For data subject requests (export or erasure), site owners can use the built-in WordPress tools at Tools → Export Personal Data and Tools → Erase Personal Data in their WordPress admin area.