Privacy Policy

Cadbury, Inc. · trycadbury.com · Last updated: January 2026

1. Who We Are

Cadbury is operated by Cadbury, Inc., a company incorporated in the United States. Our service is available at trycadbury.com.

Registered address:
Cadbury, Inc.
2261 Market Street STE 22720
San Francisco, CA 94114
United States

For privacy-related questions, contact us at: privacy@trycadbury.com

2. Our Role Under GDPR

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, Cadbury, Inc. acts as the data controller in respect of your personal data. Where we engage third-party services to process data on our behalf, those parties act as data processors under written agreements.

3. What Data We Collect and Why

Data | Purpose | Legal Basis
Email address | Account identification and authentication | Contract (Art. 6(1)(b))
Conversation messages | Delivering the service | Contract (Art. 6(1)(b))
Usage data (message counts, session activity) | Service limits and abuse prevention | Legitimate interest (Art. 6(1)(f))
Payment information | Processing subscriptions | Contract (Art. 6(1)(b))
IP address + user agent (anonymous users) | Rate limiting and security | Legitimate interest (Art. 6(1)(f))
Error and performance data | Service reliability | Legitimate interest (Art. 6(1)(f))
Analytics data | Understanding product usage | Legitimate interest (Art. 6(1)(f))

We do not process any special category data (Article 9 GDPR) and do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

4. Authentication

We authenticate users exclusively via Google OAuth and Microsoft Azure AD. We do not store passwords. The only personal data we receive from these providers is your email address.

5. Your Conversation Data

Your conversations are stored in our database to provide the service. We do not use your conversation content to train AI models, share it with third parties for their own purposes, or sell it. Conversations are logically isolated — no other user can access your data.

6. Data Retention

Data | Retention Period
Account and conversation data | Duration of your account, plus 30 days after deletion
Anonymous usage records | 12 months
Payment records | 7 years (legal obligation)
Error and performance logs | 90 days

You may request deletion of your account and associated data at any time (see Section 8).

7. International Data Transfers

Cadbury, Inc. is based in the United States. When we transfer personal data from the EEA, UK, or Switzerland to the US, we do so on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission, and where applicable, the EU-US Data Privacy Framework.

Our infrastructure is hosted by Render, which participates in the EU-US Data Privacy Framework and holds ISO 27001 and SOC 2 Type 2 certifications. Payments are processed by Stripe, which is PCI DSS Level 1 certified. A full list of sub-processors and applicable transfer mechanisms is available on request.

8. Your Rights Under GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data (“right to be forgotten”)
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — request that we restrict processing of your data
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, email privacy@trycadbury.com. We will respond within 30 days in accordance with GDPR Article 12.

You also have the right to lodge a complaint with your local supervisory authority. In the EU, a list of national authorities is available at edpb.europa.eu. In the UK, the relevant authority is the Information Commissioner's Office (ICO) at ico.org.uk.

9. Sub-Processors

Processor | Purpose | Location | Transfer Mechanism
Render | Infrastructure hosting | USA | EU-US DPF, SCCs, ISO 27001, SOC 2 Type 2
Stripe | Payment processing | USA | PCI DSS Level 1, SCCs
Google | Authentication (OAuth) | USA | SCCs, EU-US DPF
Microsoft | Authentication (Azure AD) | USA | SCCs, EU-US DPF
Sentry | Error monitoring | USA | SCCs
PostHog | Product analytics | USA | SCCs
Elastic | Search infrastructure | USA | SCCs

We maintain Data Processing Agreements (DPAs) with each sub-processor. These are available on request.

10. Cookies

Cookie | Purpose | Duration
Session token (NextAuth) | Authentication | Session
Anonymous ID | Rate limiting for unauthenticated users | 1 year

We do not use third-party advertising or tracking cookies.

11. Security

  • OAuth-only authentication — no passwords are stored by Cadbury, Inc.
  • Encrypted data in transit (TLS) for all connections
  • PostgreSQL database hosted on Render with SSL enforced
  • Stripe for all payment processing — we never handle or store card details
  • Short-lived presigned URLs for file access (4-hour expiry)
  • Input validation on all API endpoints

Our infrastructure provider, Render, holds ISO 27001 and SOC 2 Type 2 certifications. Compliance documentation is available on request.

12. Children's Privacy

Cadbury is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have done so inadvertently, contact us at privacy@trycadbury.com and we will delete it promptly.

13. Changes to This Policy

We will notify registered users of material changes to this policy by email at least 14 days before they take effect. The “last updated” date at the top of this page will always reflect the current version.

14. Contact

Data Controller:
Cadbury, Inc.
2261 Market Street STE 22720
San Francisco, CA 94114
United States
privacy@trycadbury.com
trycadbury.com