Privacy Policy

We collect information you provide directly to us, as well as information generated through your use of our services:

• Account Information: Full name, email address, password (encrypted), and profile photo when you create an account.
• Event Data: Event name, date, location, description, and any custom registration form fields you create.
• Guest Information: Name and email address of guests who register for your events or are invited by event organizers.
• Payment Information: Billing details and transaction records processed securely through our payment partners (PayOS/SePay). We do not store raw card numbers.
• Business Card Data: Profile information (name, title, company, phone, social links, avatar) you enter when creating a digital business card, stored securely on our servers.
• Voice Data (Speech-to-Text): When you use the Speech-to-Text tool, your audio is processed in real-time by your browser's built-in Web Speech API. We do not record, store, or transmit your voice audio to our servers.
• Usage Data: Pages visited, features used, and device/browser information to improve our service.
• Communications: Emails and messages you send to our support team.

We use the information we collect for the following purposes:

• Account Management: To create, authenticate, and maintain your account.
• Transactional Emails: To send OTPs for login/verification, password reset links, event registration confirmations, and digital tickets containing unique QR codes — all sent via Amazon SES.
• Event Operations: To facilitate event creation, registration management, guest invitations, and on-site check-in using QR codes.
• Platform Improvement: To analyze usage patterns, fix bugs, and develop new features.
• Legal Compliance: To comply with applicable laws and regulations, and to respond to lawful requests from authorities.
• Security: To detect, prevent, and respond to fraud, abuse, or security incidents.

We take email communication seriously and operate a strict anti-spam policy:

• Opt-in Only: All email recipients have explicitly opted in — either by registering an account on our platform or by accepting an event invitation.
• Transactional Only: We only send emails that are directly triggered by user actions (e.g., registration, event sign-up, password reset). We do not send unsolicited promotional emails.
• Unsubscribe: Every marketing and event invitation email includes a clear, one-click 'Unsubscribe' or 'Decline Invitation' link. Opt-out requests are processed within 24 hours.
• Bounce & Complaint Monitoring: We actively monitor email bounce and complaint rates using Amazon SNS notifications. Hard-bounced and complained addresses are immediately added to our suppression list.
• Organizer Controls: Event organizers are prohibited from importing unsolicited email lists. Any organizer account generating bounce rates above 3% or complaint rates above 0.1% will be automatically suspended.
• SNS Integration: We use Amazon Simple Notification Service (SNS) to receive real-time alerts for bounces and complaints, allowing immediate automated action.

We implement robust technical and organizational measures to protect your data:

• Encryption: All data is encrypted in transit using TLS 1.2+. Sensitive data at rest is encrypted using industry-standard AES-256 encryption.
• Access Controls: Access to personal data is restricted to authorized personnel only, on a need-to-know basis.
• Secure Infrastructure: Our services run on trusted cloud infrastructure (AWS), which undergoes regular security audits and complies with ISO 27001.
• Retention: We retain your personal data for as long as your account is active or as needed to provide services. You may request deletion at any time.
• Breach Notification: In the event of a data breach that affects your personal information, we will notify you promptly in accordance with applicable law.

We use carefully selected third-party services to operate our platform. Each service is contractually bound to handle your data securely:

• Amazon Web Services (AWS) — SES & SNS: Used exclusively for transactional email delivery and bounce/complaint monitoring. AWS complies with GDPR and SOC 2.
• PayOS / SePay: Vietnamese payment gateways used for processing event ticket payments. Your payment data is handled directly by these PCI DSS-compliant providers.
• Vercel / Cloud Hosting: Our application infrastructure is hosted on secure, enterprise-grade cloud platforms.
• Analytics (if used): We may use privacy-focused analytics to understand usage patterns. No personally identifiable information is shared with analytics providers.

You have the following rights regarding your personal data:

• Right to Access: You can request a copy of the personal data we hold about you at any time.
• Right to Correction: You can update or correct inaccurate information in your account settings.
• Right to Deletion: You can request that we delete your personal data. We will comply unless we are legally required to retain it.
• Right to Portability: You can request your data in a machine-readable format (JSON/CSV).
• Right to Object: You can object to the processing of your data for certain purposes, such as marketing.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

Chabiti provides a suite of free utility tools. We are committed to your privacy in how each tool handles your data:

• Image Tools (Compress, Resize, Convert, Watermark): All image processing is performed entirely within your browser using client-side JavaScript. Your image files are never uploaded to our servers and are not transmitted over the internet.
• Video Tools (Compress, Resize, Convert, Cut, Merge): All video processing runs locally in your browser via WebAssembly (FFmpeg.wasm). Video files remain on your device at all times and are never sent to our servers.
• QR Code Generator: QR code generation is entirely client-side. The data you encode (URLs, text, contact info) is not logged or stored.
• Password Generator: Passwords are generated locally using cryptographic random functions in your browser. No generated passwords are transmitted or stored.
• Text Tools (Word Counter, Case Converter, Code Formatter): All text processing is local. Content you paste or type is not sent to any server.
• File to Markdown Converter: Document parsing runs entirely in your browser. Uploaded files are not transmitted to our servers.
• Text to Speech: Uses your browser's built-in speech synthesis engine. No text is sent to external servers unless your browser delegates to a cloud-based TTS service (governed by your browser/OS provider's policy).
• Speech to Text: Uses your browser's Web Speech API. Audio is processed by your browser's native engine. Chabiti does not receive or store any audio data.
• Video Downloader: This tool helps you download publicly available video content. Users are responsible for ensuring they have the right to download content and must comply with the terms of service of the source platform and applicable copyright laws.
• Minigames (Lucky Draw, Lucky Wheel, Tiger Race, Loto, Dice, Team Generator, etc.): All game logic runs in your browser. Any participant names or data you enter are stored only in your browser's local memory for the session and are never transmitted to our servers.

We use only essential cookies required for our service to function. These include session authentication cookies and your language preference (Vietnamese or English). We do not use advertising cookies, cross-site tracking cookies, or fingerprinting technologies. You can manage cookie preferences through your browser settings at any time.

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us: Email: contact@chabiti.com Website: https://www.chabiti.com We aim to respond to all inquiries within 2 business days. If you believe we have not handled your data correctly, you have the right to lodge a complaint with the relevant data protection authority.