This Privacy Policy explains how Convot.io ("we", "us", "our") collects, uses, discloses, and protects personal data when you use our website, applications, APIs, chat widget, and related services (the "Service"). We are committed to protecting your privacy and complying with applicable data-protection laws, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the California Consumer Privacy Act ("CCPA").
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.
1. Who this policy applies to
This Privacy Policy applies to two groups of users:
- Customers - businesses, teams, and their operators who sign up for Convot.io to manage customer conversations. For Customer data, Convot.io acts as a data controller.
- End Users - visitors on a Customer's website who interact with the Convot.io chat widget. For End User data, the Customer who deployed the widget is the data controller, and Convot.io acts as a data processor on the Customer's behalf.
If you are an End User and have questions about how a specific business uses your data, please contact that business directly.
2. Personal data we collect
2.1 From Customers
- Account information - full name, work email address, password (stored as a bcrypt hash), display name, avatar image, role (owner / admin / agent), time zone, and language preference.
- Organization information - company name, website URL, industry, team size, billing address, and tax identifier.
- Billing information - payment method details are collected directly by our payment processor, Stripe. We only store the last four digits of the payment card, the card brand, and Stripe's internal customer and subscription identifiers.
- Usage data - pages visited within the Service, features used, timestamps, browser type, operating system, device type, IP address, and referring URL.
- Support correspondence - any messages, screenshots, or account details you share when contacting our support team.
2.2 From End Users
- Identifiers - name, email address, phone number, external user ID, and any custom attributes the Customer passes via the identify API.
- Conversation content - messages, file attachments, and metadata (timestamps, delivery status) exchanged through the widget.
- Technical information - IP address, user agent, approximate geographic location (derived from IP), browser language, page URL where the widget was loaded, and device type.
- Session identifiers - a visitor token stored in the browser's local storage to maintain conversation continuity across page loads and visits.
2.3 From inbound email
When an End User replies to a transactional email sent by the Service, our email provider (Postmark) forwards the parsed message - including the sender address, subject, body, and any attachments - to our webhook endpoint so that we can thread it into the correct conversation.
3. Legal basis for processing (GDPR)
Where the GDPR or UK GDPR applies, we rely on the following legal bases to process personal data:
- Performance of a contract - to provide the Service you have signed up for and to fulfill our obligations under our Terms of Service.
- Legitimate interests - to operate, secure, and improve the Service; to prevent fraud and abuse; to communicate important product updates; and to conduct internal analytics.
- Consent - for optional marketing communications and for any non-essential cookies or tracking technologies. You may withdraw consent at any time.
- Legal obligation - to comply with applicable laws, respond to lawful requests from public authorities, and meet tax, accounting, and record-keeping requirements.
4. How we use your data
We use personal data for the following purposes:
- Providing, maintaining, and securing the Service, including routing messages, delivering emails, storing attachments, and authenticating users.
- Billing, invoicing, and collecting payments for paid subscriptions.
- Responding to support requests, troubleshooting issues, and improving the quality of the Service.
- Analyzing usage patterns and service performance to inform product decisions.
- Sending transactional communications such as security alerts, billing notifications, and service updates. These cannot be opted out of while you have an active account.
- Sending optional marketing communications, such as newsletters or new-feature announcements. These are sent only with your consent and can be unsubscribed at any time.
- Preventing, detecting, and responding to fraud, abuse, security incidents, and violations of our Terms of Service.
- Complying with legal obligations and responding to lawful requests.
We do not sell or rent personal data. We do not share personal data with advertisers, data brokers, or any third party for the purpose of cross-context behavioral advertising.
5. Cookies, local storage, and similar technologies
We use a minimal set of cookies and local-storage entries that are necessary to operate the Service:
- Essential session cookies - required to keep you signed in after authentication. These cannot be disabled without preventing the Service from working.
- CSRF protection cookies - required to protect your account from cross-site request forgery attacks.
- Preference entries - stored in the browser's local storage to remember your language, selected inbox filter, starred contacts, and other UI preferences.
- Visitor token (widget) - stored in the End User's browser to bind their chat session to a conversation. By default the token is retained until the End User clears their browser storage, so that they can return to an ongoing conversation.
We do not use third-party advertising cookies. We do not allow ad networks or tracking pixels to collect data through the Service.
6. Subprocessors and data sharing
We share personal data with carefully selected third-party service providers ("subprocessors") who help us deliver the Service. Each subprocessor has signed a Data Processing Agreement with us and may only use the data for the specific purposes we authorize.
- Amazon Web Services, Inc. - cloud hosting, database storage, file storage (S3), and backups. Location: United States and European Union regions.
- Stripe, Inc. - payment processing, subscription billing, and invoicing. Location: United States, European Union.
- Wildbit, LLC (Postmark) - transactional email delivery and inbound email parsing. Location: United States.
- Functional Software, Inc. (Sentry) - application error monitoring and performance tracing. Location: United States. Sensitive fields are scrubbed before transmission.
- Redis Ltd. - in-memory data store used for background job queues and real-time message delivery. Location: Region selected by the Customer.
- Shopify, Inc. - where a Customer installs the Convot.io Shopify app, limited to order and customer metadata that the Customer explicitly authorizes.
- Anthropic, PBC - AI processing (Claude models) used to power features such as conversation summaries, suggested replies, automated support answers, and live translation. Location: United States.
- OpenAI, L.L.C. - AI processing used for language detection, translation, and text embeddings that power search and routing. Location: United States.
Use of AI subprocessors. To provide certain features we transmit Conversation content and related identifiers to the AI subprocessors listed above. These providers process the data solely to return a result to us under their commercial terms and Data Processing Agreements; they do not use Convot.io data to train their models and do not use it for advertising. Conversation content is not retained by these providers beyond what is necessary to deliver the requested output.
We may also disclose personal data to third parties (a) in response to a valid legal request, court order, subpoena, or government demand, (b) to enforce our Terms or protect our rights, property, or safety, (c) as part of a merger, acquisition, sale of assets, or similar business transaction (in which case we will notify affected users), and (d) with your explicit consent.
7. International data transfers
Convot.io operates across multiple regions. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal data may be transferred to and processed in countries outside your home jurisdiction, including the United States. Where such transfers occur, we rely on Standard Contractual Clauses (SCCs) issued by the European Commission, or other approved safeguards, to ensure that your data remains protected to a standard equivalent to that required by the GDPR.
8. Data retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law. Specifically:
- Active accounts - we retain Customer and End User data for as long as the Customer's account remains active.
- Cancelled or closed accounts - Customer data and associated End User data are retained for thirty (30) days after cancellation in case of accidental closure, and then permanently deleted from our active systems.
- Backups - encrypted backups may contain deleted data for up to ninety (90) days before they are overwritten.
- Billing records - invoices, payment records, and related financial data are retained for up to seven (7) years to comply with tax and accounting laws.
- Support correspondence - retained for up to two (2) years after the ticket is closed for quality-assurance and training purposes.
- Logs and security data - IP addresses and access logs are retained for up to twelve (12) months for fraud prevention, abuse detection, and compliance with applicable law.
9. Your rights
Subject to applicable law, you have the following rights regarding your personal data:
- Right of access - request a copy of the personal data we hold about you.
- Right to rectification - ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") - request that we delete your personal data, subject to legal retention obligations.
- Right to restriction - ask us to limit how we process your data.
- Right to data portability - receive the personal data you have provided in a structured, commonly used, machine-readable format.
- Right to object - object to processing based on legitimate interests, direct marketing, or automated decision-making.
- Right to withdraw consent - at any time, without affecting the lawfulness of prior processing.
- Right to lodge a complaint - with your local data-protection authority (for EEA and UK users) or with the California Attorney General (for California residents).
To exercise any of these rights, please contact us at [email protected]. We will respond within thirty (30) days, or as otherwise required by applicable law. We may need to verify your identity before fulfilling your request. To delete your account and associated data, see our Data Deletion page.
CCPA notice for California residents: In addition to the rights above, California residents have the right to opt out of the sale or sharing of personal information. As stated above, we do not sell personal data and do not share it for cross-context behavioral advertising.
10. Security
We implement industry-standard technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, and destruction, including:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest, including databases and file storage, using AES-256.
- Password hashing using bcrypt with a sufficient work factor.
- Webhook payload signing using HMAC-SHA256 so that Customers can verify the authenticity of events.
- Strict access controls on production systems, with multi-factor authentication required for all engineering and support staff.
- Regular security reviews, dependency updates, and third-party penetration testing.
- Comprehensive logging and monitoring to detect unusual activity.
While we take security seriously, no method of electronic transmission or storage is 100% secure. If you become aware of a security vulnerability affecting the Service, please report it responsibly to [email protected].
11. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, as required by the GDPR. Where the breach is likely to result in a high risk, we will also notify affected users directly without undue delay.
12. Children's privacy
The Service is not directed at children under sixteen (16) years of age, and we do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at [email protected] and we will promptly delete it.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you by email or by a prominent notice within the Service at least thirty (30) days before the changes take effect. The "Last updated" date at the top of this document always reflects the current version.
14. Contact us
If you have questions about this Privacy Policy, wish to exercise any of your rights, or would like to request a Data Processing Agreement (DPA), please contact us:
- Privacy inquiries and data subject requests: [email protected]
- Security vulnerability reports: [email protected]
- General support: [email protected]