
AI Chat Privacy: What Your Website Chatbot Should (and Shouldn't) Know

Not all AI chatbots handle data the same way. Here is what to ask before putting one on your website.

March 2, 2026 · 7 min read

You are thinking about adding an AI chatbot to your website. Good idea. Your visitors want instant answers, and a well-built chatbot delivers them. But before you drop a script tag on your site and call it done, there is a question you should be asking that most business owners skip entirely.

What happens to the data?

Your chatbot is going to have conversations with your customers. Those conversations will contain names, email addresses, phone numbers, questions about sensitive topics, and details about their personal situations. Where does all of that go? Who can see it? And what happens to it after the conversation ends?

These are not paranoid questions. They are the same questions your customers are silently asking themselves every time they type something into a chat window. If you cannot answer them, you have a problem.

The five questions every business owner should ask

Before you commit to any chatbot provider, ask these five questions. If you do not get clear answers, keep looking.

1. Does the chatbot store conversations?

This is the most basic question and the one with the most evasive answers. Some chatbot providers store every conversation indefinitely. Some store them for "analytics purposes." Some store them in ways their own support team cannot clearly explain.

What you want to know: Where are conversations stored? For how long? Can you access them? Can you delete them?

The right answer is not "we do not store anything." You need conversation history to review leads, track what visitors are asking, and improve your business. The right answer is that conversations are stored in your account, accessible to you, and deletable by you. They should not be floating around in some shared database or analytics pipeline you have no control over.

2. Are conversations used to train AI models?

This is the big one. Many AI chatbot providers feed your customer conversations back into their training data. That means the personal details your visitors share, their questions, their concerns, their contact information, all of it gets absorbed into a model that serves other businesses too.

Read that again. Your customer's private conversation with your business could be improving the chatbot for your competitor.

Some providers bury this in their terms of service. Some frame it positively as "improving the AI experience." But the bottom line is the same: your customer data is being used for someone else's benefit without your customer's knowledge or consent.

Ask directly: "Are conversations with my chatbot used to train or fine-tune your AI models?" If the answer is yes, or if the answer is vague, that is a dealbreaker.

3. Who has access to customer data?

When a visitor shares their email address or phone number through your chatbot, who can see it? Just you? Your chatbot provider's support team? Their engineering team? Third-party analytics tools? Ad networks?

The data access chain matters. Every additional party that can see your customer data is another potential breach point, another privacy policy your customers did not agree to, and another company that might use their information in ways you cannot control.

What you want: Only you (the business owner) and your authorized team members should have access to your customer conversations and lead data. The chatbot provider should have access to the infrastructure, not the content.

4. Is data isolated per business?

This is a technical question, but it has real consequences. In a multi-tenant system (which most SaaS chatbot platforms are), your data lives alongside every other customer's data. The question is whether there are real walls between them.

Poor data isolation means a bug, a misconfigured query, or a security vulnerability could expose your customer data to another business on the same platform. It has happened before with other SaaS products, and it will happen again.

What to look for: tenant-level isolation where every database query is scoped to your business. Your data should be completely inaccessible to other businesses on the platform: not merely hidden by a UI filter, but architecturally separated.

5. What happens when a customer wants their data deleted?

GDPR, CCPA, and a growing list of privacy regulations give your customers the right to request deletion of their personal data. If someone who chatted with your widget emails you and says "delete everything you have on me," can you actually do that?

With some chatbot providers, the answer is "we will get back to you in 30 days." With others, the answer is "we cannot delete individual conversations." Neither of those answers will hold up if a regulator comes knocking.

What you need: the ability to export all data associated with your business and delete your account and all associated data yourself, without filing a support ticket and waiting.

How Mika handles each of these

We built Mika with privacy as a structural decision, not a marketing afterthought. Here is how each of those five questions plays out.

Conversations are yours, not ours

When a visitor chats with your Mika widget, the conversation is stored in your account. You can review it in your dashboard, export it as a CSV, and use it to understand what your visitors are asking about. The conversations belong to your business.

We do not mine your conversations for insights. We do not aggregate them across customers. We do not build "industry benchmarks" from your data. Your conversations are your business data, period.

Your data never trains AI models

Mika uses Claude as its AI backbone. Your customer conversations are sent to the Claude API for processing, and inputs sent through that API are not used to train Anthropic's models. This is a contractual commitment from Anthropic, not a checkbox in a settings panel.

That means the conversation your visitor has with your chatbot stays between your business and your visitor. It is not absorbed into a shared model. It is not used to improve responses for other businesses. It is processed, responded to, and that is the end of it.

Data access is locked down

Your customer data is accessible to you through your dashboard. That is it. Mika's infrastructure is designed so that customer data is scoped by tenant at every level. Database queries, API calls, Redis caching, all of it is namespaced to your business.

Your API keys are server-side secrets. They never appear in your widget code, in browser network tabs, or in any client-side bundle. Your visitors interact with your chatbot through a public key that only grants access to the chat endpoint for your specific business. It cannot read your configuration, access other businesses' data, or reach any admin functionality.

Tenant isolation is architectural

Every query that touches your data includes your business identifier. This is not a filter applied at the UI level. It is enforced at the database layer. A misconfigured API call cannot accidentally return another business's conversations because the isolation is built into every query, not bolted on as a permission check.

Your Redis cache keys are namespaced. Your file storage is scoped. Your conversations, leads, and settings are completely invisible to every other business on the platform.

Deletion is self-serve and immediate

From your Mika dashboard, you can export all of your data as a JSON file with one click. Every conversation, every lead, every setting. If a customer asks you for their data, you have it ready.

And if you want to delete your account entirely, you can do that yourself from the Account page. No support ticket. No 30-day waiting period. No "we will process your request." You confirm the deletion, and it happens. Your data, your conversations, your leads, your configuration, all of it is removed.

This is not just a nice feature. It is what GDPR and CCPA compliance actually looks like in practice. Not a privacy policy page that promises good behavior, but actual tools that let you act on data requests immediately.
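The three points above, that the public key only resolves to one business, that every query carries the business identifier, and that export or deletion is scoped the same way, can be shown in a small data-access layer. The code below is an added example for this article, not Mika's code; an in-memory array stands in for the database and a string prefix stands in for the Redis namespace, and the public keys, tenant ids and sample conversations are all constructed here.

```javascript
// Added example (not Mika's code): tenant isolation enforced in the data layer.
// Assumptions: an in-memory array stands in for the database, a key prefix
// stands in for the Redis namespace, and every identifier below is constructed.

// Constructed public-key -> tenant mapping. The tenant is derived server-side
// from the credential the request carried; the client never names a tenant.
const PUBLIC_KEYS = new Map([
  ["pk_live_acme_0001", "tenant_acme"],
  ["pk_live_globex_0002", "tenant_globex"],
]);

// Constructed sample rows; every row carries the tenant that owns it.
const CONVERSATIONS = [
  { id: "c1", tenantId: "tenant_acme", visitor: "ann@example.com", text: "Do you ship to Canada?" },
  { id: "c2", tenantId: "tenant_globex", visitor: "bob@example.com", text: "What are your hours?" },
];

function tenantFromPublicKey(publicKey) {
  const tenantId = PUBLIC_KEYS.get(publicKey);
  if (!tenantId) throw new Error("unknown public key");
  return tenantId;
}

function requireTenant(tenantId) {
  if (typeof tenantId !== "string" || tenantId === "") {
    throw new TypeError("tenantId is required on every data-layer call");
  }
}

// Every read goes through here. The tenant predicate is ANDed unconditionally,
// the code-level equivalent of "WHERE tenant_id = ? AND ..." in SQL, so a
// caller cannot forget it or filter it away.
function scopedQuery(tenantId, rows, predicate = () => true) {
  requireTenant(tenantId);
  return rows.filter((row) => row.tenantId === tenantId && predicate(row));
}

function findConversation(tenantId, conversationId) {
  const hits = scopedQuery(tenantId, CONVERSATIONS, (row) => row.id === conversationId);
  return hits.length ? hits[0] : null;
}

// Cache keys are prefixed with the tenant so two businesses can never collide
// on "conversation:c1" in a shared Redis.
function cacheKey(tenantId, kind, id) {
  requireTenant(tenantId);
  return `${tenantId}:${kind}:${id}`;
}

// Self-serve export: everything the tenant owns, nothing anyone else owns.
function exportTenantData(tenantId) {
  return { conversations: scopedQuery(tenantId, CONVERSATIONS) };
}

// Self-serve deletion: removes only rows owned by the tenant and reports how many.
function deleteTenantData(tenantId) {
  requireTenant(tenantId);
  const before = CONVERSATIONS.length;
  for (let i = CONVERSATIONS.length - 1; i >= 0; i--) {
    if (CONVERSATIONS[i].tenantId === tenantId) CONVERSATIONS.splice(i, 1);
  }
  return before - CONVERSATIONS.length;
}

// What the chat endpoint would do: resolve the tenant from the public key, then
// let the tenant id (not anything the client sent) scope the lookup.
function handleFetchConversation(publicKey, conversationId) {
  const tenantId = tenantFromPublicKey(publicKey);
  return {
    cacheKey: cacheKey(tenantId, "conversation", conversationId),
    row: findConversation(tenantId, conversationId),
  };
}
```

The useful property is that a request carrying Acme's public key and Globex's conversation id gets `null`, not Globex's row: the id is only ever looked up inside the Acme partition, and the same partitioning applies to export and deletion.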

The security layer most chatbots skip

Privacy is not just about who can see the data. It is also about preventing abuse of the system itself. Mika includes several layers that most chatbot providers either skip or charge extra for.

Content filtering

Every message that passes through Mika is filtered for harmful content before it reaches the AI. Hate speech, explicit content, threats, and prompt injection attempts are all caught and blocked. This protects your business from abuse and protects your visitors from seeing harmful responses attributed to your brand.

Rate limiting

Every public key and IP address is rate-limited. This prevents bad actors from scraping your chatbot's knowledge base by sending thousands of automated messages. It also prevents a single abusive visitor from running up your message count. If someone hits the limit, they get a clean error message and a cooldown period. Your other visitors are unaffected.

Domain validation

Your Mika widget validates that it is running on your registered domain. If someone tries to embed your widget on a different site, the API rejects the request. This prevents competitors or bad actors from hijacking your chatbot and using your message quota.
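The rate limiting and domain validation described in the two sections above fit naturally into one gate in front of the chat endpoint. The code below is an added example for this article, not Mika's code; the tenant table, registered domains, limits and the sliding-window counters are constructed here (in a real deployment the counters would live in Redis, namespaced per tenant as the previous section describes), and `now` is injected so the window behaviour can be checked deterministically.

```javascript
// Added example (not Mika's code): request gate for a public chat endpoint that
// checks the widget's origin and applies per-IP and per-key rate limits.
// Assumptions: tenants, domains, limits and counters are constructed here.

const TENANTS = new Map([
  ["pk_live_acme_0001", { tenantId: "tenant_acme", domains: ["acme.example"] }],
]);

const LIMITS = { perKeyPerMinute: 60, perIpPerMinute: 20, windowMs: 60_000 };

// Sliding-window timestamps keyed by "kind:id" (stands in for Redis).
const counters = new Map();

function hostFromOrigin(origin) {
  try {
    return new URL(origin).hostname.toLowerCase();
  } catch {
    return null; // missing or malformed Origin header
  }
}

// The page host must equal a registered domain or be a subdomain of one.
// A plain endsWith("acme.example") would accept "notacme.example" and
// "acme.example.evil" would be accepted by a prefix check, so test both edges.
function originAllowed(origin, domains) {
  const host = hostFromOrigin(origin);
  if (!host) return false;
  return domains.some((d) => host === d || host.endsWith("." + d));
}

// Record one hit for an identity; report whether it is still under its limit
// and, if not, how long until the oldest hit leaves the window.
function consume(kind, id, limit, now) {
  const key = `${kind}:${id}`;
  const recent = (counters.get(key) || []).filter((t) => now - t < LIMITS.windowMs);
  if (recent.length >= limit) {
    return { allowed: false, retryAfterMs: LIMITS.windowMs - (now - recent[0]) };
  }
  recent.push(now);
  counters.set(key, recent);
  return { allowed: true, retryAfterMs: 0 };
}

// Returns an HTTP-style result; only a 200 reaches the AI backend.
function gateChatRequest({ publicKey, origin, ip }, now = Date.now()) {
  const tenant = TENANTS.get(publicKey);
  if (!tenant) return { status: 401, error: "unknown public key" };
  if (!originAllowed(origin, tenant.domains)) {
    return { status: 403, error: "widget not authorized for this domain" };
  }
  // Per-IP first: one abusive visitor exhausts their own bucket, and the
  // business's shared per-key bucket is untouched for everyone else.
  const byIp = consume("ip", ip, LIMITS.perIpPerMinute, now);
  if (!byIp.allowed) {
    return { status: 429, error: "too many requests", retryAfterMs: byIp.retryAfterMs };
  }
  const byKey = consume("key", publicKey, LIMITS.perKeyPerMinute, now);
  if (!byKey.allowed) {
    return { status: 429, error: "too many requests", retryAfterMs: byKey.retryAfterMs };
  }
  return { status: 200, tenantId: tenant.tenantId };
}
```

Two details matter in practice: the origin check runs before any counter is touched, so a rejected embed does not eat into the business's quota, and the 429 carries a concrete `retryAfterMs` so the widget can show the "clean error and cooldown" the section above describes rather than retrying blindly.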

What to check in any chatbot's privacy policy

If you are evaluating chatbot providers beyond Mika, here is a quick checklist. Print it out, pull up each provider's terms of service, and look for clear answers.

  • Data training: Does the provider use your conversations to train or improve their AI models? Look for phrases like "aggregate data," "improve our services," or "anonymized usage data." These often mean yes.
  • Data retention: How long are conversations stored? Can you control the retention period? Can you delete specific conversations?
  • Third-party sharing: Does the provider share data with analytics tools, ad networks, or partner companies? Check for phrases like "trusted partners" or "service providers."
  • Data location: Where are the servers? If you serve customers in the EU, is the data stored in a GDPR-compliant region?
  • Breach notification: What happens if there is a security breach? Are you notified? How quickly?
  • Sub-processors: What other companies handle your data? Cloud providers, email services, analytics tools. Each one is a link in the chain.

If any of these questions gets a vague answer or a redirect to a generic privacy page, that is your signal. A company that takes privacy seriously can answer these questions directly because they made deliberate decisions about each one.

Your customers already care about this

You might think your customers do not care about chatbot privacy. They do. They might not articulate it as "data isolation" or "model training opt-out," but they feel it. Every time a visitor hesitates before typing their phone number into a chat window, that hesitation is a privacy concern. Every time someone types "is this a real person?" into your chatbot, they are wondering who is on the other end and what happens to what they say.

Trust is the foundation of lead capture. If your chatbot's privacy practices erode that trust, even subtly, you are losing leads you will never know about. The visitor who almost gave you their email but decided not to does not show up in any analytics dashboard.

Building that trust starts with choosing a chatbot provider that handles data the way your customers would want it handled if they could see behind the curtain.

The bottom line

Adding a chatbot to your website is a smart move. It captures more leads, answers questions instantly, and works when you are not available. But the chatbot you choose carries your business's reputation every time it interacts with a visitor. If it mishandles their data, that is your problem, not the chatbot company's.

Ask the five questions. Get clear answers. And if a provider cannot explain exactly what happens to your customer data in plain language, find one that can.

See how Mika handles privacy and security, or try the demo to see what a privacy-first chatbot looks like in action.

Your customers trust you with their information. Make sure your chatbot deserves that trust too.
