Privacy Policy

1. Introduction

This Privacy Policy explains how Good Thinking (finn@goodthinking.solutions) handles personal data when you interact with our services. Good Thinking operates via goodthinking.solutions — AI chatbot and automation services deployed for client businesses.

Our chatbots appear either on our own website or on websites operated by businesses we work with ("Client Business"). We deploy chatbots using two platforms:

• ChatBase.co — a third-party hosted chatbot platform
• GT Chat — a self-hosted chatbot system built and operated by Good Thinking, running on our own infrastructure

The platform used will depend on the specific deployment. The sections below note where practices differ between platforms.

Important: All conversations with our chatbots are saved. Transcripts are sent to staff daily and may be read by human team members.

2. Who Controls Your Data

For chatbots on Client Business websites

Good Thinking operates as the Data Controller for the technical processing and storage of your chat data. The Client Business is also a Data Controller for how they use the information you provide in conversations. This means:

• Good Thinking controls the chatbot platform, stores transcripts, and manages data retention
• The Client Business receives daily transcript reports and uses the information to respond to your queries
• Our platform providers (ChatBase.co or GT Chat infrastructure) act as Data Processors

For chatbots on the Good Thinking website

Good Thinking is the sole Data Controller. Our platform providers act as Data Processors.

Our registered details

ICO registration

Good Thinking is in the process of registering with the UK Information Commissioner’s Office under the data protection fee arrangements. This statement will be updated with our registration number once confirmed. In the meantime, all processing continues under the UK GDPR legal bases and security measures described in this policy.

3. What Data We Collect and How It's Used

Chat Transcripts

What: Every message you send and every response you receive, including the date and time of each message and the website domain from which you are chatting.
How it's used: Transcripts are automatically sent to relevant staff members in daily email reports.
Who sees it: Staff members at the relevant organisation may read your conversation.

Please do not share sensitive information such as health conditions, financial details, or passwords in chatbot conversations.

Contact Information (Optional)

What: Name, email address, or phone number that you voluntarily provide.
When: The chatbot may ask whether you'd like to leave your contact details for the team to follow up.
How it's used: Passed to the Client Business so they can respond to your enquiry. Included in the chat transcript.

Technical Information

What: IP address, browser type, approximate location, timestamp.
How it's used: For chatbot functionality, security, and troubleshooting.
ChatBase chatbots: ChatBase.co automatically collects this data.
GT Chat chatbots: Your IP address is used temporarily (in server memory, up to 24 hours) solely to enforce rate limits and prevent spam. It is not stored in our database and is not used for tracking or profiling.

Visitor Identifier (GT Chat only)

GT Chat stores a randomly generated visitor code in your browser's local storage (not a cookie). This code maintains your conversation history within a session. It is unique to each chatbot on each website, is not shared with any third party, and does not track you across different websites. You can remove it by clearing your browser's local storage or site data.

Automation and Workflow Projects

Where Good Thinking builds automated workflows, integrations, or data pipelines on behalf of a Client Business, personal data may be processed as part of those automations — for example, contact records passed between systems, form submissions routed to CRM platforms, or AI-generated responses triggered by customer activity.

In these cases, Good Thinking acts as a Data Processor on behalf of the Client Business (the Data Controller). The specific data processed, its purpose, and retention will be documented in the relevant data processing agreement with that client. If you have questions about data processed through an automated workflow built by Good Thinking, please contact the Client Business directly or reach us at finn@goodthinking.solutions.

Legal Basis

We process your data based on legitimate interests: providing customer service, responding to enquiries, and improving our chatbot services.

4. AI Processing — How Your Messages Are Used

To generate responses, your message and relevant extracts from the Client Business's knowledge base are sent to a third-party AI language model provider (such as OpenAI or Anthropic). This is necessary to operate the chatbot.

GT Chat chatbots: Your visitor identifier is never sent to the AI provider — only the text content of your conversation and relevant background context are transmitted.

ChatBase chatbots: Processing is handled under ChatBase.co's own agreements with AI providers.

AI providers handle your data under their own GDPR-compliant terms and Standard Contractual Clauses (SCCs). Your data is not used to train general-purpose AI models.

5. How Long We Keep Your Data

Early deletion: If you request deletion of your data, we will remove it within 30 days (see Section 8). Deletion is handled manually by Good Thinking.

6. Who We Share Your Data With

We share your chat data with the Client Business whose website you're using (daily transcript emails) and with our technology sub-processors:

ChatBase Chatbots

GT Chat Chatbots

We do not:

• Sell your data to third parties
• Use your data to train general AI models
• Share your data for marketing purposes (except as described in Section 9)

7. Data Storage and Security

Where Data is Stored

ChatBase chatbots: Data is stored on ChatBase.co's secure servers, which may be located in the United States or Canada.

GT Chat chatbots: Chat conversations and session data are stored in a PostgreSQL database hosted on Railway's infrastructure (United States).

Security Measures

• Encryption at rest (AES-256)
• Encryption in transit (TLS 1.2+)
• Access controls limiting who can view data
• API endpoints (GT Chat) protected by authentication and rate limiting
• ChatBase.co complies with GDPR and SOC 2 standards

International Transfers

Personal data transferred outside the UK/EEA is protected by Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner's Office.

Data Processing Agreement

Good Thinking has Data Processing Agreements with our sub-processors to ensure GDPR-compliant handling of all personal data.

Data Breach Notification

If any sub-processor notifies us of a data breach affecting chatbot data, we will inform affected Client Businesses immediately and cooperate fully to meet legal notification requirements.

8. Your Data Protection Rights

You have the following rights under UK data protection law:

• Access: Request a copy of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Ask us to limit how your data is used
• Objection: Object to our processing of your data
• Portability: Request your data in a portable format

How to Exercise Your Rights

Contact Good Thinking at finn@goodthinking.solutions. We will respond within 30 days.

Because GT Chat sessions are linked to a randomly generated anonymous identifier, we may ask you to provide the date, time, and website where you used the chatbot to help us locate your data.

If you object to our processing of your data, we will stop processing unless we have compelling legitimate grounds to continue (which we will explain to you).

Making a Complaint

If you're unhappy with how we've handled your data, you can complain to the UK Information Commissioner's Office:

• Website: ico.org.uk
• Helpline: 0303 123 1113

9. Cookies, Local Storage and Tracking

ChatBase Chatbots

ChatBase.co technology may place cookies on your device for:

• Essential functionality
• Security
• Analytics
• User preferences
• Limited marketing analysis (not for third-party advertising)

You can control cookie preferences using the "Cookie Preferences" link in the chat interface or your browser settings. For full details, see the ChatBase Cookie Policy.

GT Chat Chatbots

GT Chat does not use cookies. Instead, it stores a single randomly generated visitor code in your browser's local storage for session continuity. This code is not used for tracking or profiling and is not shared with any third party. You can remove it at any time by clearing your browser's local storage or site data.

10. Children's Privacy

Our chatbot services are not intended for anyone under 16 years of age. We do not knowingly collect data from children. If you believe a child has used our chatbot, please contact finn@goodthinking.solutions immediately and we will delete their data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with a new effective date. We encourage you to review this policy periodically.

12. Contact Us

For any questions about this policy or to exercise your data protection rights: