Data privacy in LoyJoy Cloud Platform
Data storage and encryption
This document provides an overview of all options for storing data in LoyJoy. Our goal is to minimize our data protection footprint.
- LoyJoy may use database tables to store data, including personally identifiable information.
- This data storage can be easily enabled or disabled based on the usage profile of your LoyJoy tenant.
- LoyJoy can also store data in the local storage of the end customer’s device (similar to a cookie).
- The data from local storage can be transferred to existing systems via an interface. This means that storage in LoyJoy can usually be dispensed with entirely.
- Storage in local storage is exclusively on the client side, not on the server side.
- The data is stored exclusively in the European Union with AES encryption.
- All data that may contain personal information has an automatic expiration date. In addition, data can be deleted manually at any time.
- OpenAI models are sourced from the EU via Microsoft Azure.
List of storage options for personal data
No. | Name | Required | Functionality | Automatic expiry | Expiry based on | Personal data included |
---|---|---|---|---|---|---|
1 | Chat messages for live chat | Required when using the live chat module | Allows you to read messages in LoyJoy Manager in “live” mode. | 7 days (optional 30, 60 days) | Created at | Chat messages (AES-encrypted) |
2 | Chat messages for automated chats only | Required when using the Live Chat module | Allows you to access the list of recent conversations. | 1 day | Created at | Chat messages (AES-encrypted) |
3 | Chat messages for Natural Language Understanding (NLU) or GPT | No, recommended when using NLU or GPT | Stores free text chat messages with their NLU classification or GPT response as in Manager > Knowledge to check AI performance. | 30 days (optional 7 days) | Created at | Chat messages from free text entries (AES encrypted) |
4 | Messenger sessions | Required when using Facebook Messenger, WhatsApp, WeChat | Stores chat sessions in the case of Facebook, WhatsApp, WeChat, as these channels do not offer a session database comparable to LocalStorage. | 7 days (optional 30, 60 days) | Created at | Customer ID through the external platform, personal data collected in chatbots |
5 | Runtime log | Yes | Stores log entries as in Customers > Log. For example, external API errors (including HTTP body in debug mode), customer authentication (fail, pass). | 7 days (optional 30 days) | Created at | Email address (AES encrypted), IP address, message (AES encrypted) |
6 | Manager log | Yes | Stores log entries as in Manager > Settings > Log. Data access by manager users. | 180 days | Created at | LoyJoy Manager user email addresses, IP addresses, date and time of activity (AES encrypted) |
7 | Security log | Yes | Stores log entries on security-related events (e.g., authentication, data export) and, in general, access to LoyJoy Manager for the purpose of IT security pattern recognition. Data access by LoyJoy system administrators. | 365 days | Created at | LoyJoy Manager user email addresses, IP addresses, timestamp (unencrypted for pattern recognition) |
8 | Variables | No | Stores all process variables for export purposes as in Manager > Customers > Download variables | 60 days (optional 30, 90, 180, 360 days) | Expires at | Variable values, email address, device ID, possibly also documents (AES encrypted) |
9 | Marketing consents | Can only be deactivated when using the process modules Newsletter Opt-In, Reminder Opt-In, Profiling Opt-In, Web Push Opt-In | Stores consents for export purposes. | 180 days (optional 60, 90, 360 days) | Created at | Email address (AES-encrypted), IP address (AES-encrypted) |
10 | Redeemed voucher codes | Only when using the Voucher or Codes process modules, can be deactivated | Stores voucher codes for issuance to customers. An issued voucher code is assigned to an email address so that it cannot be issued twice. | 180 days (optional 30, 60, 90, 360 days) | Created at | Email address (AES encrypted) |
11 | Loyalty transactions | Only when using the Loyalty, Loyalty Referral, Loyalty Sharing process modules, can be deactivated | Stores loyalty transactions, which are represented as coins in the chat. For example, a customer may receive 10 coins in one loyalty transaction and spend 2 coins on a reward in another loyalty transaction, leaving the customer with 8 coins and one reward redemption. | 180 days (optional 30, 60, 90, 360, 720 days) | Created at | Email address (AES-encrypted) |
12 | Loyalty reward redemption | Only when using the rewards process module, can be deactivated | Stores the redemption of rewards by customers from loyalty campaigns. | 60 days (optional 30, 90, 180 days) | Created at | Email address, first name, last name, postal address, telephone number (all AES encrypted) |
13 | Competition entries | Only if the Competition Entry or Instant Win process module is used, can be deactivated | Stores entries from which a participant can also be randomly selected. Can also save a manually selected random list of participants as a copy of the corresponding entry. | 60 days (optionally 30, 90, 180 days) | Created at | Email address, first name, last name, postal address, telephone number (all AES encrypted) |
14 | Push subscriptions | Only if the “Web Push Opt-In” process module is used and push messages are sent under the Push menu item | Stores a web push subscription that is created in the user agent (web browser) when web push consent is given | 720 days (optional 30, 60, 90, 180, 360) | Created at | auth_aes, endpoint, p256dh_aes, private_key_aes, public_key_aes |
15 | Push Notifications | Only if the Web Push Opt-In process module is used | Stores a specific web push notification for a specific user agent (web browser) to be sent at the due_at time | After the due_at time | Due at | actions_1_action, actions_1_icon_url, actions_1_title, actions_2_action, actions_2_icon_url, actions_2_title, auth_aes, badge_url, body, dir, due_at, endpoint, entity_id, icon_url, image_url, p256dh_aes, |
16 | Web Notifications | Only if the Notification process module is used | Stores web notifications that are displayed in the start view of the chat user interface with the notification widget | After receipt or after 7 days (optional 30, 60, 90, 180) | Created at | body, bot_id, jump_bpmn_process_id, device_id, due_at, entity_id, expires_at, icon_url, title, url |
Data transmission and encryption
Data at rest
Data at rest is stored encrypted.
- AES encryption using the AES/CBC/PKCS5Padding transformation with a 128-bit key.
- The database rows are automatically deleted after the respective expiry date according to the configuration in the client.
- Database backups are deleted on a rotating basis after 60 days.
Data in transit
Data in transit is encrypted using TLS.
- All services are hosted on Google Cloud Run, so Google Load Balancer certificate management applies.
- LoyJoy GmbH does not manage TLS certificates itself; Google Cloud Platform issues and renews them automatically via Let's Encrypt.
Secrets
Secrets are managed by the Google Cloud Platform Secret Manager. This applies to all secrets except the AES key, which is not made visible to Google Cloud Platform. The AES key is not stored in plain text as a secret, but as ciphertext that is decrypted by a hardware security module.
Cookies and LocalStorage
Cookies in the Manager (LoyJoy Backend Platform)
The LoyJoy Cloud Platform Manager writes and reads a secure authorization cookie when a manager user logs in. The cookie contains a signed JWT with the user’s credentials and expires after 8 hours.
Cookies in the chat UI
From our point of view, it can be assumed that the user expects a functioning chat solution, i.e. that the content of the chat is not lost simply by closing the browser or due to prolonged inactivity.
The LoyJoy Platform uses the browser's LocalStorage instead of a cookie. In LocalStorage we store the state of the chat, i.e. the previous chat history together with the user's input.
The LoyJoy Chat UI only saves this chat session client-side, not server-side.
The use of LocalStorage can also be deactivated in the platform (see Storage period of the cookie).
Only when natively integrated into the Facebook Messenger, WeChat and WhatsApp channels does the LoyJoy Chat UI save the entire chat session on the client side, not on the server side. Our approach minimizes server-side session data for privacy reasons.
The Chat UI writes and reads the LocalStorage object loyjoy-chat.
This object contains the properties Messages and Session.
- Messages contains the chat's message history;
- Session contains a signed JWT that carries all of the chat's session variables, i.e. the process variables.
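An added example (not LoyJoy's code) of inspecting the loyjoy-chat object from the device's side. The property names Messages and Session come from the text above; the message fields, the JWT claim names and the in-memory stand-in for window.localStorage (so the script also runs under Node) are assumptions constructed for the example:

```javascript
const CHAT_KEY = "loyjoy-chat";

// Constructed stand-in with the localStorage interface; in a browser pass window.localStorage instead.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, String(v)); }, removeItem: k => { m.delete(k); } };
}

const toB64 = s => (typeof Buffer !== "undefined" ? Buffer.from(s, "utf8").toString("base64") : btoa(s));
const fromB64 = s => (typeof Buffer !== "undefined" ? Buffer.from(s, "base64").toString("utf8") : atob(s));
const b64urlEncode = s => toB64(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64urlDecode = s => fromB64(s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4));

// Read the JWT claims without verifying the signature: the browser holds no key, so the
// payload is informational only here; the server verifies the signature on every request.
function decodeJwtClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("Session is not a compact JWS");
  return JSON.parse(b64urlDecode(parts[1]));
}

const RESERVED = new Set(["iss", "sub", "aud", "exp", "nbf", "iat", "jti"]);

// Summarise what the device currently holds: number of messages, names of the process
// variables carried in the session JWT, and whether that JWT has already expired.
function inspectChatStorage(storage, now = Date.now()) {
  const raw = storage.getItem(CHAT_KEY);
  if (raw === null) return { present: false, messageCount: 0, variables: [], expired: false };
  const obj = JSON.parse(raw);
  const messages = Array.isArray(obj.Messages) ? obj.Messages : [];
  const claims = typeof obj.Session === "string" ? decodeJwtClaims(obj.Session) : {};
  const expired = typeof claims.exp === "number" && claims.exp * 1000 <= now;
  return { present: true, messageCount: messages.length, variables: Object.keys(claims).filter(k => !RESERVED.has(k)), expired };
}

// Client-side erasure: removing the single key drops history and session together.
function clearChatStorage(storage) {
  storage.removeItem(CHAT_KEY);
  return storage.getItem(CHAT_KEY) === null;
}

// Constructed sample record: a demo JWT (header and payload with a dummy signature part,
// not a real signature) and two messages.
function seedSample(storage, expSeconds) {
  const header = b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64urlEncode(JSON.stringify({ iat: expSeconds - 3600, exp: expSeconds, firstname: "Alice", newsletter: true }));
  const session = `${header}.${payload}.ZHVtbXk`;
  storage.setItem(CHAT_KEY, JSON.stringify({ Messages: [{ from: "bot", text: "Hi" }, { from: "user", text: "Hello" }], Session: session }));
  return session;
}
```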
Storage period of the cookie
The storage duration of chat message histories in the LocalStorage object can be configured in the LoyJoy Platform. It is between 30 minutes and 14 days. Selecting “0 minutes” disables chat message histories.
Integration with consent managers
If you use a consent manager (also known as a cookie banner) on your website, the LoyJoy chatbot can respond to the customer’s selection.
The Consent Manager can be integrated into LoyJoy in two ways: Basic or Smart.
With Basic, the LoyJoy code snippet is customized with parameters to fit your Consent Manager. Typically these parameters are the cookie category and the instruction that the widget should be loaded after the Consent Manager is closed. The disadvantages of Basic mode are that (1) if LoyJoy is classified as an essential cookie, the LoyJoy chat loads immediately and may collide with the Consent Manager window, and (2) if LoyJoy is classified as a marketing cookie, the chat will not load if the customer rejects such cookies.
In Smart mode, these disadvantages are mitigated. LoyJoy (1) waits for the Consent Manager window to close before displaying the chat and (2) displays the chat in any case, but with cookies disabled if the customer has rejected cookies. It is not necessary to classify LoyJoy as essential, functional or marketing, as the chat only allows cookies if all categories have been agreed to.
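An added example (not LoyJoy's code) of how the Basic and Smart modes described above decide whether to show the chat and whether to persist its state: in Smart mode the chat is shown once the banner closes regardless of the decision, but state goes to LocalStorage only when every category was accepted, otherwise an in-memory store with the same interface is used and earlier persisted state is removed. The consent-state shape, the category names and the in-memory stand-in are assumptions for illustration:

```javascript
const CHAT_KEY = "loyjoy-chat";

// Constructed stand-in with the localStorage interface (also used in place of
// window.localStorage when running under Node).
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, String(v)); }, removeItem: k => { m.delete(k); } };
}

// Assumed consent state: { managerOpen: boolean, categories: { essential: bool, functional: bool, marketing: bool } }.
function allCategoriesAccepted(consent) {
  const cats = Object.values(consent.categories || {});
  return cats.length > 0 && cats.every(Boolean);
}

// Basic mode: behaviour follows the category the snippet was assigned to.
// "essential" loads immediately, even while the banner is still open (the collision case);
// any other category loads after the banner closes and only if that category was accepted,
// so the chat may never load at all.
function basicModeDecision(consent, category) {
  if (category === "essential") return { showChat: true, persist: true };
  const accepted = (consent.categories || {})[category] === true;
  return { showChat: !consent.managerOpen && accepted, persist: accepted };
}

// Smart mode: wait for the banner to close, then always show the chat;
// persist chat state only when all categories were accepted.
function smartModeDecision(consent) {
  if (consent.managerOpen) return { showChat: false, persist: false };
  return { showChat: true, persist: allCategoriesAccepted(consent) };
}

// Choose the storage backend for the chat in Smart mode. Falling back to memory-only
// storage also removes any state persisted under an earlier, broader consent.
function chatStorageFor(consent, persistentStorage) {
  if (smartModeDecision(consent).persist) return persistentStorage;
  persistentStorage.removeItem(CHAT_KEY);
  return memoryStorage();
}
```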
Reading login cookies
The chat UI can read non-secure cookies to use an external authentication context to automatically log the customer into the LoyJoy Chat UI.
FAQ
What data is or is not transferred to Cloudflare in the USA?
Cloudflare is recognised by the Federal Office for Information Security (BSI) as a qualified DDoS mitigation service provider and is certified under the EU-U.S. Data Privacy Framework.
Cloudflare operates a global content delivery network (CDN) and provides protection features for the LoyJoy web application. This means that LoyJoy runs efficiently and securely at all times.
Cloudflare only processes customers’ IP addresses as this is technically necessary. Any other personal data that may arise in the chat process will NOT be routed via Cloudflare.
Is the IP address of each customer automatically tracked?
No. LoyJoy does not use tracking technologies (however, it can be integrated with Facebook Pixel, for example). The transmission of IP addresses is technically necessary on the internet in order to exchange data between the web server and the customer’s device. A web-based application (e.g., a website or LoyJoy) cannot function without transferring the IP address. If the LoyJoy chat is only loaded technically (i.e., the chat bubble is loaded), we do not store the IP address. If the chat is opened and used, we store the chat history, including the IP address, for 30 days.
Has LoyJoy already agreed the current EU standard contractual clauses with the subservice providers?
Yes, the agreed standard contractual clauses were updated following the Schrems II ruling.
These can be viewed here:
https://cloud.google.com/terms/data-processing-terms
https://www.cloudflare.com/cloudflare-customer-dpa/
Is personal data processed pseudonymously?
The data is transported and stored in encrypted form.
What measures are taken regarding the transfer of data to third countries, in addition to the standard contractual clauses?
Unfortunately, the conclusion of standard contractual clauses is not sufficient for the supervisory authorities when data is transferred to third countries. We have therefore implemented additional security measures for the data so that access by US authorities is (factually/theoretically) not possible.
These include, in particular, transport encryption and storage encryption.
We also offer the option of largely forgoing server-side data storage. The data is then stored locally on the customer's device and, if necessary, transmitted in encrypted form via an API or provided as an encrypted attachment to an email.
What is LocalStorage?
LocalStorage is storage inside the customer's browser. In contrast to cookies, information in LocalStorage is not transmitted to the server with every request, which makes it more data-minimising than cookies.
The difference between LocalStorage and SessionStorage is that LocalStorage never expires on its own, whereas SessionStorage is deleted as soon as the browser window or tab is closed.
Which data is automatically processed when starting the chat?
As with every website visit, the IP address is transmitted. In addition, the time of access, the user agent (the browser used), the URL of the website and the referrer URL are transmitted.
Which Google Cloud services are used for what?
Service | Used for |
---|---|
Google Cloud Firebase CDN | Hosting static code (JavaScript, HTML, CSS) of the LoyJoy Platform |
Google Cloud Run | Hosting and server-side execution of LoyJoy Platform Java code in clusters with horizontal scalability |
Google Cloud Functions | Hosting and server-side execution of non-Java code from the LoyJoy Platform for specific tasks (PDF creation, search index generation, etc.) |
Google Cloud Storage | Hosting tenant-specific administration objects (models, knowledge articles, images, fonts, etc.) in multiple multi-regionally replicated buckets |
Google Cloud DataStore | Encrypted storage of personal data as append-only in multi-regionally replicated tables |
Google Cloud SQL | Anonymized storage of analytics data; encrypted storage of conversations, chat messages, variables, giveaway participations |
Google Cloud Memorystore Redis | Encrypted storage of chat messages (if not in Google Cloud SQL) |
Google Cloud Secret Manager | Encrypted storage of configuration parameters |
Google Cloud Trace | Distributed tracing of hosted services to collect anonymized performance data |
Google Cloud Scheduler | Configuration and triggering of cron jobs |
Google Cloud Error Reporting | Automated collection of client- and server-side anonymized error messages as well as automated notifications to DevOps |
Will OpenAI questions be transferred to the US?
No, if requested, processing takes place in Microsoft Ireland data centers in the EU. We recommend storing your own Microsoft Azure API Key in the LoyJoy Platform. This means OpenAI runs directly in your own Microsoft Azure subscription. In this case, Microsoft is not a subservice provider of LoyJoy, but rather your direct service provider.
Does Azure OpenAI store data for training AI?
No, the questions to the AI are not used for AI training. After answering a question, the data will be deleted after 30 days by OpenAI (if processed in the USA) or Microsoft Ireland (if processed in the EU).
What personal data is transferred to Azure OpenAI?
Only the questions will be transferred.
Where is the data uploaded to the LoyJoy Knowledge Database stored?
Your data is stored in encrypted form within the EU. Instead of the original files, only derived knowledge “chunks” are retained as the basis for the Retrieval Augmented Generation (RAG) process. You can delete this data at any time directly within the platform.
Questions about the EU AI Act
What role does LoyJoy play with the offered chatbot platform and what is the business model?
LoyJoy is a Software as a Service (SaaS) platform for chatbots that integrates external AI models into its service offering. As a sub-service provider, LoyJoy uses models from OpenAI via Microsoft Azure (contractual partner Microsoft Ireland), among others.
The provider within the meaning of the AI Act is Microsoft Azure (or, if applicable, another LLM provider of the customer’s choice). Both LoyJoy and LoyJoy’s customers are classified as users/operators. LoyJoy does not develop its own model nor does it perform fine-tuning of models.
Customers have the option of linking LoyJoy to their own Azure subscription. In this case, Microsoft is the customer’s direct sub-service provider.
What is the contractual relationship between LoyJoy, Microsoft Azure, and OpenAI?
The contractual relationship has already been explained in the answer to the first question.
How does the model work in relation to third parties and training data? How is the data provided by customers technically processed and potentially used?
From the source data provided for the AI, so-called embeddings are calculated and stored in a vector database. Incoming questions are also converted into embeddings. First, a semantic comparison is performed on the embeddings to identify potentially relevant content. This content is then passed to the Large Language Model (LLM) via API, along with a prompt and a system message, so that the LLM can generate a response. Optionally, the identified content can first be evaluated semantically by an LLM regarding its suitability for answering the question (so-called reranking).
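An added example (not LoyJoy's code) of the retrieval steps just described, run offline: a bag-of-words stand-in replaces the real embedding model, the "vector database" is an array, the reranker is a similarity floor in place of an LLM judgement, and the final LLM request is only assembled, not sent. The tokenisation, the sample knowledge chunks and the request shape are assumptions constructed for the example:

```javascript
function tokens(text) { return text.toLowerCase().match(/[a-z0-9]+/g) || []; }

function cosine(a, b) { let s = 0; for (let i = 0; i < a.length; i++) s += a[i] * b[i]; return s; }

// Stand-in embedder: bag of words over the vocabulary of the indexed chunks, L2-normalised.
// A real deployment calls the embedding model here; words outside the vocabulary are dropped.
function makeEmbedder(corpus) {
  const vocab = [...new Set(corpus.flatMap(tokens))];
  return text => {
    const v = new Array(vocab.length).fill(0);
    for (const w of tokens(text)) { const i = vocab.indexOf(w); if (i >= 0) v[i] += 1; }
    const n = Math.sqrt(v.reduce((s, x) => s + x * x, 0)) || 1; // all-zero vector stays zero
    return v.map(x => x / n);
  };
}

// Index the source chunks: each row keeps the text next to its embedding (the vector database).
function indexChunks(chunks) {
  const embed = makeEmbedder(chunks);
  return { embed, rows: chunks.map((text, id) => ({ id, text, vec: embed(text) })) };
}

// Semantic comparison: embed the question and rank chunks by cosine similarity, keep the top k.
function retrieve(index, question, k = 2) {
  const q = index.embed(question);
  return index.rows.map(c => ({ id: c.id, text: c.text, score: cosine(q, c.vec) }))
    .sort((a, b) => b.score - a.score).slice(0, k);
}

// Reranking stand-in: drop candidates that are not similar enough to be worth sending to the LLM.
function rerank(candidates, minScore = 0.2) { return candidates.filter(c => c.score >= minScore); }

// Assemble what goes to the LLM: system message plus a user prompt carrying the retrieved context.
function buildLlmRequest(systemMessage, question, chunks) {
  const context = chunks.map(c => `[${c.id}] ${c.text}`).join("\n");
  return [
    { role: "system", content: systemMessage },
    { role: "user", content: `Context:\n${context}\n\nQuestion: ${question}` },
  ];
}

// Constructed knowledge base for the example (three short chunks).
const SAMPLE_CHUNKS = [
  "Chat histories in LocalStorage are kept between 30 minutes and 14 days.",
  "Database backups are rotated and deleted after 60 days.",
  "Push subscriptions are stored for 720 days by default.",
];

// End-to-end: retrieve, rerank, and build the request; an empty hit list means the
// question has no supporting content and should not be answered from the knowledge base.
function answerPipeline(question) {
  const hits = rerank(retrieve(indexChunks(SAMPLE_CHUNKS), question, 2));
  return { hits, request: buildLlmRequest("Answer only from the supplied context.", question, hits) };
}
```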
What happens to the data entered by customers and is it used for training the AI (even if it is not personal data)?
The data entered by customers is not used for training an AI.