Gabbex logo — AI website assistant for small businesses and online stores

Security & Privacy

Security and privacy

How Gabbex handles your content, your customers' messages, and the safeguards built into every assistant.

This page covers how Gabbex protects your data, your customers, and your assistant. For the formal version, see the Privacy Policy and Terms. This page is the practical, plain-language summary.

What data Gabbex stores

Three buckets:

  1. Your content. Website crawls, uploaded files, Notion pages, Q&A entries. This is the assistant’s knowledge base. You decide what to put in it and you can delete it any time.
  2. Your customers’ messages. Every conversation is stored so you can review it in the dashboard. The only personal data attached is what the visitor chose to share — usually a name and email captured by lead capture or escalation.
  3. Your account data. Workspace name, member emails, billing details, and the assistants you have created.

Gabbex does not collect anything beyond this. There is no hidden tracking, no fingerprinting, and no resale of data to third parties.

Where data is stored

Data is stored in production cloud infrastructure with industry-standard encryption at rest and in transit. Backups run regularly. Backups are encrypted with the same standards as the live database.

Who can see your data

  • Workspace members can see assistants, conversations, and leads in their workspace, scoped by role (see Workspaces, members and roles).
  • No one outside your workspace can see your data unless you explicitly share it (for example, by exporting and emailing).
  • Gabbex staff can access workspace data only when troubleshooting at your request, or as required by our terms.

Built-in safeguards

Every Gabbex assistant ships with safety guardrails that you do not have to configure:

  • Stay-in-scope rules. The assistant is told to stay focused on being a business assistant for your site. It pushes back on attempts to take it off topic.
  • Prompt-injection resistance. Visitor messages cannot override the assistant’s system instructions. Common jailbreak patterns are blocked.
  • No leaking platform details. The assistant does not reveal account-level information, billing details, or other workspace metadata to visitors.
  • “I do not know” beats “I will guess”. When the assistant cannot find an answer in your sources, it says so and offers to escalate, instead of inventing one.

What you control

  • What goes into the knowledge base. Only what you explicitly upload, crawl, or sync.
  • Who can see your assistants. Through workspace roles.
  • Which domains can run the widget. Through the allowed domains list on each assistant.
  • What contact details are collected. Through lead capture configuration.
  • What gets escalated. Through the escalation tool’s settings.

Deleting data

You can delete:

  • A single conversation from the conversation detail page.
  • A single lead from the lead detail page.
  • A single source from the sources page.
  • An assistant from the assistant settings page. Removes everything attached to it.
  • A workspace from the workspace settings page. Removes everything in it.

Deletion is permanent. If you delete something by mistake, support cannot recover it.

GDPR and similar laws

If a visitor exercises their right to access or deletion under GDPR or a similar privacy law:

  1. Find their lead in the Leads dashboard or their conversations in the Conversations dashboard.
  2. Export the data if they have requested access.
  3. Delete the data if they have requested erasure.

Gabbex does not store visitor data outside what is in your dashboard. Once you delete it from your assistant, it is gone.

Reporting a security issue

If you find a security issue, please email security@gabbex.com. Include reproduction steps and any relevant context. We respond as quickly as possible and we credit researchers who report responsibly.

Next steps