Privacy Policy

1. Introduction

Custovia ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered customer engagement platform.

By using Custovia, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use the Service.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, company name, phone number
• Billing Information: Payment card details (processed securely by Stripe)
• Profile Information: Business details, logo, preferences
• Content: Knowledge base articles, files, chatbot configurations
• Communications: Support messages, feedback, survey responses

2.2 Information Collected Automatically

• Usage Data: Features used, pages viewed, time spent, click patterns
• Device Information: IP address, browser type, device type, operating system
• Cookies and Tracking: Session cookies, analytics cookies, preference cookies
• Performance Data: Response times, error rates, system health
• Conversation Data: Chat logs, voice transcripts, AI interactions

2.3 End-User Data (Your Customers)

When your customers interact with your AI assistants via Custovia:

• Conversation messages and transcripts
• Voice recordings and transcriptions
• Contact information (if provided)
• Files and attachments uploaded
• Feedback and ratings

Important: You are the data controller for your customers' data. We process this data on your behalf as a data processor.

3. How We Use Your Information

We use collected information for:

• Service Delivery: Provide, maintain, and improve the Platform
• AI Processing: Train and improve AI models, generate responses
• Billing: Process payments, send invoices, manage subscriptions
• Communication: Send service updates, security alerts, marketing (opt-out available)
• Analytics: Understand usage patterns, improve features
• Security: Detect fraud, prevent abuse, ensure platform security
• Legal Compliance: Meet legal obligations, respond to legal requests
• Customer Support: Respond to inquiries, resolve issues

4. AI and Machine Learning

Our Service uses AI powered by OpenAI, ElevenLabs, and other providers:

• AI Training: We may use aggregated, anonymized conversation data to improve AI models
• Third-Party AI: Your data may be processed by OpenAI, ElevenLabs (subject to their privacy policies)
• Opt-Out: Enterprise customers can opt out of AI training on request
• No Personal Data in Training: We remove identifying information before using data for training

5. Information Sharing and Disclosure

5.1 We Share Information With:

• Service Providers: Stripe (payments), Twilio (communications), OpenAI (AI), AWS/Vercel (hosting)
• Your Team Members: Users you invite to your account
• Business Transfers: In case of merger, acquisition, or sale of assets
• Legal Requirements: When required by law, court order, or legal process
• Protection: To protect our rights, property, or safety

5.2 We Do NOT:

• Sell your personal information to third parties
• Share your data for advertising purposes
• Provide your customer data to competitors
• Use your data for purposes other than stated here

6. Data Security

We implement industry-standard security measures:

• Encryption: All data encrypted in transit (TLS/SSL) and at rest
• Access Control: Role-based permissions, multi-factor authentication
• Monitoring: 24/7 security monitoring and intrusion detection
• Audit Logs: Complete tracking of all data access and changes
• Compliance: SOC 2, GDPR, HIPAA-ready infrastructure
• Regular Audits: Security assessments and penetration testing

While we strive to protect your data, no method of transmission or storage is 100% secure. You use the Service at your own risk.

7. Your Rights (GDPR and Beyond)

You have the right to:

• Access: Request a copy of your data
• Rectification: Correct inaccurate data
• Deletion: Request deletion of your data ("right to be forgotten")
• Portability: Export your data in a machine-readable format
• Restriction: Limit how we process your data
• Objection: Object to certain data processing activities
• Withdrawal: Withdraw consent at any time
• Complaint: Lodge a complaint with a data protection authority

To exercise these rights, contact us at privacy@custovia.io. We will respond within 30 days.

8. Data Retention

We retain your data for as long as:

• Your account is active
• Needed to provide the Service
• Required for legal, tax, or regulatory purposes
• Necessary to resolve disputes or enforce agreements

Retention Periods:

• Account Data: Until account deletion + 30 days
• Conversation Logs: 365 days by default (configurable)
• Billing Records: 7 years (legal requirement)
• Audit Logs: 7 years (compliance requirement)
• Backup Data: 90 days in encrypted backups

9. Cookies and Tracking Technologies

We use cookies and similar technologies:

Essential Cookies (Required):

• Authentication and session management
• Security and fraud prevention
• Load balancing

Analytics Cookies (Optional):

• Usage analytics and statistics
• Feature usage tracking
• Performance monitoring

You can control cookies through your browser settings. Disabling essential cookies may limit Service functionality.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your own, including the United States. These countries may have different data protection laws.

We ensure appropriate safeguards through:

• Standard Contractual Clauses (EU-approved)
• Privacy Shield frameworks (where applicable)
• Data Processing Agreements with all vendors
• Encryption of data in transit and at rest

11. Children's Privacy

Our Service is not intended for children under 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us immediately and we will delete it.

12. Third-Party Services

We use third-party services that have their own privacy policies:

• Stripe: Payment processing - Stripe Privacy Policy
• Twilio: SMS and voice communications - Twilio Privacy Policy
• OpenAI: AI processing - OpenAI Privacy Policy
• Clerk: Authentication - Clerk Privacy Policy

We carefully vet all third-party providers for security and privacy compliance.

13. Data Processing Agreement (DPA)

As a B2B service, we act as a data processor for your customer data. We:

• Only process data according to your instructions
• Maintain appropriate security measures
• Notify you of data breaches within 72 hours
• Assist with data subject requests (GDPR)
• Delete or return data upon contract termination
• Provide DPA documentation for Enterprise customers

14. California Privacy Rights (CCPA)

California residents have additional rights:

• Right to Know: What personal information we collect and how we use it
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt out of data sales (we don't sell data)
• Right to Non-Discrimination: Equal service regardless of privacy choices

To exercise these rights, email privacy@custovia.io.

15. Data Breach Notification

In the event of a data breach affecting your personal information, we will:

• Notify affected users within 72 hours
• Notify relevant data protection authorities as required
• Provide details about the breach and affected data
• Explain steps we're taking to address the breach
• Recommend actions you should take to protect yourself

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the new policy on this page
• Updating the "Last Updated" date
• Sending an email to your registered address (for significant changes)
• Showing a notice in your dashboard

Your continued use after changes constitutes acceptance of the updated policy.

17. Contact Information

For privacy-related questions, concerns, or requests:

18. Specific Disclosures by Region

European Union (GDPR):

• Data Controller: Custovia
• Legal Basis: Legitimate interest, contract performance, consent
• DPO Contact: privacy@custovia.io
• EU Representative: [To be designated if required]

United States:

• We comply with CCPA (California)
• We comply with CPRA (California Privacy Rights Act)
• We do not sell personal information

Canada:

• We comply with PIPEDA
• Privacy Officer contact available above