Convyro AI (“we”, “our”, “us”) is a B2B SaaS platform providing AI-powered communication and lead-conversion automation tools for service businesses. This Privacy Policy describes how we collect, use, store, and protect personal data when you use our platform at convyro.ai and related services. By using Convyro AI, you acknowledge that you have read and understood this policy. If you do not agree with any part of this policy, please do not use the Service.
1. Scope and Identity of the Controller
Who we are
Convyro AI ("Convyro AI", "we", "us", "our") is the data controller responsible for personal data collected through the platform available at convyro.ai and all related sub-domains and APIs (the "Service"). We are incorporated and operate under the laws of the Netherlands.
What this policy covers
This Privacy Policy applies to all personal data we process about: (a) visitors to our marketing website; (b) registered users and administrators of the Service; (c) end-users whose data is processed on behalf of our customers through the Service (e.g. leads, contacts, chat participants). It does not apply to third-party services you may access through integrations — those are governed by their own privacy policies.
Controller vs. processor
For data relating to your account, billing, and platform usage, Convyro AI acts as the data controller. For personal data belonging to your end-customers that you process through the Service (e.g. conversation data, contact records), Convyro AI acts as a data processor on your behalf. The terms governing this relationship are set out in our Data Processing Addendum, available on request.
2. Personal Data We Collect
Account and identity data
When you register for an account, we collect your full name, business email address, company name, job title, and password (stored as a one-way bcrypt hash). You may also provide a profile picture and business address.
Billing and payment data
We collect the billing email address, company VAT number (if applicable), billing address, and payment method details (card last four digits, expiry). Full payment card details are handled exclusively by Stripe Inc. and are never stored on Convyro AI servers.
Service usage data
We collect data about how you use the Service, including features accessed, actions performed, workflow configurations, AI prompt inputs and outputs, and usage metrics (message volume, API calls).
Communication and conversation data
When you connect channels (WhatsApp, Instagram, Gmail, voice), we process the content of messages and call transcripts on your behalf. This data belongs to you and your end-customers. We act as a processor for this data.
Technical and device data
We automatically collect IP addresses, browser type and version, operating system, device identifiers, referring URLs, page views, timestamps, and error logs. This data is used for security, fraud prevention, and platform diagnostics.
Communications you send us
If you contact our support team, request a demo, or respond to surveys, we retain the content of those communications and any personal data contained within them.
Data we receive from third parties
Where you connect OAuth-based integrations (Google, Meta, Microsoft), we receive authentication tokens and, to the extent authorised, limited profile data (name, email). We do not receive or store your passwords for third-party services.
3. Legal Basis for Processing
Contract performance (Article 6(1)(b) GDPR)
Processing your account data, subscription data, and Service usage data is necessary to perform our contract with you — i.e. to provide the features you have subscribed to, manage your account, and process billing.
Legitimate interests (Article 6(1)(f) GDPR)
We process certain data on the basis of our legitimate interests: improving the platform through anonymised analytics, detecting and preventing fraud and abuse, maintaining platform security, and sending relevant product communications to existing customers. We have conducted a Legitimate Interests Assessment (LIA) and concluded these interests are not overridden by your rights. You may object to processing based on legitimate interests at any time.
Legal obligation (Article 6(1)(c) GDPR)
We are required to process and retain certain data (e.g. billing records, invoices) to comply with tax, accounting, and anti-money-laundering obligations under applicable law.
Consent (Article 6(1)(a) GDPR)
Where we rely on consent — for example, to send marketing newsletters, to use conversation data for product improvement research, or to load Google Analytics 4 on our website — we will obtain your explicit, informed consent before doing so (where required by law). You may withdraw consent at any time without affecting the lawfulness of processing that occurred before withdrawal. We may also use privacy-preserving, cookieless analytics on parts of the site that do not rely on advertising or cross-site profiling.
4. How We Use Your Data
Providing and improving the Service
We use your data to operate, maintain, personalise, and improve the platform — including AI auto-reply generation, lead scoring, appointment booking, inbox management, and reporting features.
AI processing
Conversation content and knowledge-base material you upload are sent to third-party AI providers (Anthropic and OpenAI) solely to generate intelligent responses and assist in automating your workflows. These providers process data under data processing agreements that include EU Standard Contractual Clauses. We do not use your conversation data to train AI models without your explicit written consent.
Billing and account management
We use your billing data to charge for subscriptions, issue invoices, handle refund requests, and manage plan upgrades or downgrades.
Security and fraud prevention
We analyse IP addresses, login patterns, and access logs to detect unauthorised account access, prevent credential stuffing, and investigate security incidents.
Product communications
We send transactional communications (receipts, password resets, security alerts) that are required for the operation of your account. With your consent, we may also send product updates, feature announcements, and tips. You can unsubscribe from non-transactional emails at any time using the link in the email footer.
Aggregated analytics
We create anonymised, aggregated analyses of platform usage (e.g. which features are most popular, error rates, performance metrics) to guide product development. These analyses cannot be used to identify individual users.
6. International Data Transfers
Transfer mechanisms
Convyro AI is established in the Netherlands (EEA). Some of our sub-processors operate infrastructure in the United States. Where personal data is transferred from the EEA or UK to a third country, we rely on the European Commission's Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR and, where applicable, the UK IDTA addendum.
Supplementary safeguards
For transfers to the United States, we implement supplementary technical safeguards — including TLS encryption for all data in transit and data minimisation practices — to ensure personal data is protected to a standard equivalent to the EEA.
Data Processing Addendum
Our full Data Processing Addendum (DPA) is publicly available at convyro.ai/legal/dpa. Enterprise customers who require a countersigned copy may request one by contacting [email protected] and we will execute it within 5 business days.
7. Data Retention
Active account data
We retain your account data, settings, and Service data for as long as your account is active.
Post-termination
Following account cancellation or termination, we retain your data in recoverable form for 90 days to allow you to export it or reinstate your account. After 90 days, all primary data is deleted from production systems.
Billing and financial records
Invoices, payment records, and related financial data are retained for a minimum of 7 years to satisfy tax and accounting obligations under Dutch and EU law.
Backup and disaster recovery
Encrypted system backups may retain copies of your data for up to 30 days beyond the scheduled deletion date as part of our disaster recovery infrastructure. These backups are rotated and permanently destroyed on schedule.
Legal hold
Where data is subject to a legal hold, regulatory investigation, or dispute resolution, we may retain it beyond the standard retention periods until the matter is resolved.
8. Your Rights
Right of access (Article 15 GDPR)
You have the right to request a copy of all personal data we hold about you, along with information about how it is used (a Subject Access Request). Submit requests via your account settings or by emailing [email protected].
Right to rectification (Article 16)
You may correct inaccurate or incomplete personal data at any time through your account settings. Where data cannot be corrected self-service, contact us at [email protected].
Right to erasure (Article 17)
You may request deletion of your personal data by emailing [email protected]. We will comply within 30 days, subject to legal retention requirements (e.g. billing records must be kept for 7 years).
Right to data portability (Article 20)
You may request your data in a structured, commonly used, machine-readable format (JSON or CSV) for transfer to another service. Submit requests to [email protected].
Right to restrict processing (Article 18)
You may ask us to temporarily halt processing of your data while a dispute about accuracy or lawfulness is being resolved.
Right to object (Article 21)
You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights related to automated decision-making (Article 22)
Convyro AI does not make decisions with legal or similarly significant effects on individuals based solely on automated processing.
Right to lodge a complaint
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl), the ICO (for UK residents), or the data protection authority in your EU member state.
9. Security
Encryption in transit
All data transmitted between your browser/app and our servers is protected by TLS. We enforce HTTPS on all domains. This is provided by our infrastructure layer (Vercel).
Encryption at rest
Data stored in our database is encrypted at rest by our infrastructure provider (Supabase/AWS). Sensitive credentials such as API keys and OAuth tokens are stored encrypted in the database.
Access controls
Access to production systems and customer data is restricted to authorised personnel only, protected by multi-factor authentication. Access is granted on a need-to-know basis and revoked promptly when no longer required.
Vulnerability management
We monitor dependencies for known vulnerabilities and apply security patches on a priority basis. We operate a responsible disclosure programme — please report suspected vulnerabilities to [email protected].
Incident response
We maintain a documented incident response and breach notification procedure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Articles 33 and 34 GDPR.
11. Children's Privacy
Age restriction
The Service is intended for business use only and is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If we discover we have inadvertently collected such data, we will delete it promptly. If you believe a minor has provided us with personal data, contact us at [email protected].
12. California Privacy Rights (CCPA / CPRA)
Applicability
If you are a California resident and an individual consumer (not a business), certain rights apply to you under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Note: Convyro AI is a B2B platform — most of our processing relates to employees and contractors of businesses, who are subject to a CCPA B2B exemption. We include this section for completeness.
Your California rights
California residents may request: (a) disclosure of the categories and specific pieces of personal information collected; (b) deletion of personal information, subject to exceptions; (c) correction of inaccurate personal information; (d) opt-out of any sale or sharing of personal information. We do not sell personal information. To exercise your rights, email [email protected] with subject line 'California Privacy Request'. We will respond within 45 days.
Non-discrimination
We will not discriminate against you for exercising your California privacy rights.
13. Changes to This Policy
Material changes
We will notify you of material changes to this Privacy Policy by email (to the address on file) and via an in-app notice at least 30 days before changes take effect. The updated effective date will appear at the top of this page.
Continued use
Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you may close your account before the effective date.
Version history
Previous versions of this Privacy Policy are available on request by emailing [email protected].
14. Contact Us
For privacy-related questions, data subject requests, or complaints, please contact our privacy team. We aim to acknowledge all enquiries within 2 business days and resolve them within the statutory 30-day period.
Convyro AI
Privacy enquiries: [email protected]
Legal & DPA requests: [email protected]
Security disclosures: [email protected]