Privacy Policy

Last updated: June 4, 2026

Resolv ("we", "us") is operated from France and subject to the General Data Protection Regulation (GDPR). This policy explains what personal data we collect, why we collect it, and what rights you have over it.

1. Who we are

Resolv is an AI-powered support widget platform. Service operators register their product on our dashboard, upload documentation, and embed a support widget on their site. Questions from that site's users are answered by an AI using the operator's documentation and, optionally, their API.

Data controller: Resolv, France. Contact: privacy@resolv.club

2. Data we collect

2a. Waitlist signups

If you submit your email on our landing page to join the waitlist, we store your email address. We use it only to notify you when Resolv launches. Legal basis: consent (Article 6(1)(a) GDPR). You can withdraw consent and be removed from the list at any time by emailing us.

2b. Service operators (dashboard users)

When you create a Resolv account and register a service, we collect or process:

  • Identity and contact data — name and email address, managed by our authentication provider Clerk (see Section 4).
  • Service configuration — your service name, API base URL, allowed embed origins, widget appearance settings.
  • Documentation content — Markdown files and OpenAPI specs you upload. This content is chunked, embedded (converted into numerical vectors), and stored in our database so the AI can retrieve relevant sections.
  • Admin API key — if you configure one, it is encrypted at rest using AES-256-GCM before storage. Important: as the platform operator, Resolv holds the encryption key and can technically decrypt stored keys. Keys are decrypted only in memory during API proxy calls and are never logged or transmitted to clients. We do not access your key for any purpose other than executing tool calls your users initiate.
  • Billing data — payment details are handled entirely by Stripe (see Section 4). We store your Stripe customer ID and subscription status; we never see your card number.
  • Conversation logs — messages exchanged through your embedded widget are stored so you can review them in the analytics dashboard. Logs are deleted if you delete your service.

Legal basis: performance of a contract (Article 6(1)(b) GDPR).

2c. End users of embedded widgets

When a person chats with a Resolv widget embedded on a third-party site, we process:

  • Conversation messages — what the user types and what the AI responds. These are sent to OpenAI's API for processing (see Section 4) and stored in our database associated with the service that owns the widget.
  • User token — if the service operator has configured signed user tokens, we receive and verify the token. The token contains a user identifier set by the operator's backend; we do not independently know who the person is.
  • No tracking — we do not set cookies or fingerprint end users. We do not build profiles across services.

The service operator is the data controller for their end users' data. Resolv acts as a data processor on the operator's behalf for this data. Operators are responsible for providing their users with appropriate privacy notices covering Resolv's processing.

Legal basis (for our own storage): legitimate interest in providing the contracted service (Article 6(1)(f) GDPR).

3. How we use your data

  • To provide and operate the Resolv platform
  • To process payments and manage subscriptions
  • To send you service-related communications (billing receipts, policy updates)
  • To notify waitlist members when Resolv launches (with their consent)
  • To detect and prevent abuse

We do not sell personal data. We do not use personal data for advertising.

4. Third-party processors

We share data with the following sub-processors, all bound by data processing agreements:

  • Clerk (clerk.com) — authentication and user account management. Stores your name and email. Data processed in the US under standard contractual clauses.
  • Stripe (stripe.com) — payment processing and subscription management. Data processed in the US. Stripe is PCI-DSS certified.
  • OpenAI (openai.com) — AI inference. Conversation messages (the text users type and the AI's responses) are sent to OpenAI's API. OpenAI's API usage data is not used to train their models by default under their API terms. Data processed in the US.
  • Neon (neon.tech) — PostgreSQL database hosting. All structured data (service config, documents, conversation logs) is stored here. Data stored in the US (AWS us-east-1).
  • Vercel (vercel.com) — application hosting and CDN. Data processed in the US.

5. International data transfers

Our infrastructure is based in the United States. Transfers of personal data from the EU to the US are made under the European Commission's standard contractual clauses (SCCs) or equivalent safeguards provided by each processor. You can request details of the safeguards in place by contacting us.

6. Data retention

  • Waitlist emails — retained until launch notification is sent, or until you ask to be removed.
  • Service operator accounts — retained for the duration of your subscription plus 30 days after cancellation, then deleted. Billing records are kept for 7 years to comply with French accounting law.
  • Conversation logs — retained while your service exists. Deleting your service deletes all associated conversations.
  • End user data — follows the conversation log retention above. Operators may contact us to delete specific conversations.

7. Security

We use HTTPS for all data in transit and AES-256-GCM encryption for admin API keys at rest. Access to the production database is restricted to application infrastructure. We do not store passwords — authentication is delegated to Clerk.

No security measure is perfect. If you discover a vulnerability, please report it to privacy@resolv.club.

8. Your rights under GDPR

As a data subject, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data ("right to be forgotten"), subject to legal retention obligations.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Restriction — ask us to restrict processing while a dispute is resolved.
  • Withdraw consent — where processing is based on consent (e.g. waitlist), withdraw it at any time without affecting prior processing.

To exercise any of these rights, email privacy@resolv.club. We will respond within 30 days.

9. Complaints

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the French data protection authority:

CNIL — Commission Nationale de l'Informatique et des Libertés
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
www.cnil.fr

10. Changes to this policy

We may update this policy as the service evolves. Material changes will be notified by email to registered operators at least 14 days before taking effect. The "last updated" date at the top of this page reflects the current version.

11. Contact

For any privacy-related questions: privacy@resolv.club