Privacy Policy
How Conveya collects, uses, and protects your personal data.
1. Who we are
Conveya is operated by Conveya, a company registered in the Netherlands under Chamber of Commerce (KVK) number 58435697, VAT number NL002403314B83 ("Conveya", "we", "us").
For the purpose of the GDPR, Conveya acts as the data controller for personal data we collect about our customers (the individuals who sign up for and administer a Conveya workspace) and as a data processor for personal data that our customers route through Conveya's services (the end-users who interact with our customers' AI agents). This policy describes both roles.
Questions? Contact us at [email protected].
2. What data we collect
2.1 Data you provide when you sign up
When you create a Conveya account we collect:
- Your name and email address.
- A hashed version of your password (we never store passwords in plain text).
- Organization name, team members you invite, and your subscription plan.
- Billing information, processed directly by Stripe; we store the Stripe customer ID, not full card numbers.
- Signup attribution (where you came from: referrer URL, UTM parameters, landing page) so we can improve our marketing.
2.2 Data generated while you use Conveya
- Your activity inside the platform: agents you configure, datasources you upload, conversations you review.
- Technical logs (IP address, browser user-agent, timestamps) needed to keep the service secure and debug issues.
- Audit records of sensitive actions (e.g. admin impersonation, billing changes).
2.3 Data that flows through your AI agents
When an end-user interacts with an AI agent you've deployed (via website widget, WhatsApp, email, or API), we process and store:
- Messages exchanged with the agent (text content and attachments).
- Contact details the end-user shares (name, email, phone number).
- Conversation metadata (channel, timestamps, language, sentiment).
- Technical context (IP address, anonymous browser fingerprint, referring URL) to the extent you enable it on your widget.
You, our customer, are the data controller for this end-user data. We process it strictly to deliver the service you configured.
3. How we use your data (purposes and legal basis)
- Providing the service (contract, art. 6(1)(b) GDPR): running your account, delivering AI responses, routing messages, billing you.
- Improving and securing the service (legitimate interest, art. 6(1)(f) GDPR): detecting abuse, preventing fraud, fixing bugs, analysing aggregated usage.
- Complying with law (legal obligation, art. 6(1)(c) GDPR): keeping billing records for the statutory 7-year retention, responding to lawful requests.
- Direct marketing to existing customers (legitimate interest, with opt-out in every email): product updates, service changes. You can unsubscribe at any time.
- Optional marketing communications (consent, art. 6(1)(a) GDPR): newsletters and similar. Only if you actively opt in.
We do not use end-user conversation content to train third-party AI models. OpenAI's API, which we use to generate agent responses, operates under a no-training agreement by default.
4. Cookies and similar technologies
We use a small set of first-party cookies. No third-party tracking or advertising pixels:
next-auth.session-token: keeps you signed in. Expires after 30 days.NEXT_LOCALE: remembers your chosen language (EN / NL / DE).oauth_state: short-lived CSRF token used only during OAuth redirects.
These cookies are strictly necessary for the service to function and are exempt from the consent requirement under article 11.7a lid 3 Dutch Telecommunications Act. We do not load Google Analytics, advertising pixels, or similar tracking.
5. Sub-processors
We use the following sub-processors to deliver Conveya. Each one is bound by a data processing agreement (DPA) that imposes GDPR-equivalent confidentiality and security obligations.
| Provider | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| OpenAI, LLC | Large language model inference (agent responses, RAG). | United States | SCC + DPF |
| Resend, Inc. | Transactional email delivery (signup, notifications, billing). | United States | SCC |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, TLS termination. | Global (EU DC preferred) | SCC |
| TransIP B.V. | VPS hosting for the application servers and primary database. | Netherlands (EU) | n/a |
| Amazon Web Services EMEA SARL (S3) | Object storage for file uploads (datasources, avatars, attachments). | EU (eu-central-1) | n/a |
| Functional Software, Inc. (Sentry) | Application error tracking and performance monitoring. | United States | SCC |
| Stripe Payments Europe, Ltd. | Billing, subscription management, payment processing. We store an API key for our own account. | Ireland (EU) | n/a |
| Google Ireland Ltd. | OAuth tokens plus email and calendar metadata for Gmail and Google Calendar integrations. | Ireland (EU) | n/a |
| Microsoft Ireland Operations Ltd. | OAuth tokens plus email and calendar metadata for Outlook integrations. | Ireland (EU) | n/a |
| Meta Platforms Ireland Ltd. | WhatsApp Business Cloud API: message metadata and tokens for connected WhatsApp channels. | Ireland (EU) | n/a |
| Slack Technologies Ireland Ltd. | Workspace info and OAuth tokens for connected Slack workspaces. | Ireland (EU) | n/a |
| HubSpot Ireland Ltd. | CRM OAuth tokens for connected HubSpot portals. | Ireland (EU) | n/a |
| Automattic Inc. (WooCommerce) | API tokens for connected WooCommerce stores. | United States | SCC |
| Shopify International Ltd. | Store tokens for connected Shopify stores. | Ireland (EU) + Canada | SCC (Canada) |
| Pipedrive OÜ | CRM OAuth tokens for connected Pipedrive accounts. | Estonia (EU) | n/a |
| Intercom R&D Unlimited Company | Workspace OAuth tokens for connected Intercom workspaces. | Ireland (EU) | n/a |
| Formagrid, Inc. (Airtable) | Base OAuth tokens for connected Airtable bases. | United States | SCC |
| Notion Labs, Inc. | Workspace OAuth tokens for connected Notion workspaces. | United States | SCC |
| Twilio Ireland Ltd. | API key and SMS message metadata for connected Twilio accounts. | Ireland (EU) | n/a |
| Picqer B.V. | API key for connected Picqer fulfillment accounts. | Netherlands (EU) | n/a |
| Lightspeed Commerce NL B.V. | API key for connected Lightspeed retail accounts. | Netherlands (EU) | n/a |
| Sendcloud B.V. | API key for connected Sendcloud shipping accounts. | Netherlands (EU) | n/a |
| Calendly, LLC | API key for connected Calendly scheduling accounts. | United States | SCC |
| Zendesk International Ltd. | API key for connected Zendesk support accounts. | Ireland (EU) | n/a |
We update this list at least 30 days before adding or replacing a sub-processor with material access to personal data. Customers on a paid plan can subscribe to change notifications via [email protected].
6. Google Workspace data, Limited Use disclosure
Conveya's use and transfer to any other application of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
When a customer connects Gmail or Google Calendar to their Conveya workspace, we limit our processing of the resulting Google user data as follows:
- Use: Google Workspace data is used solely to deliver the user-visible features of the connected integration, sending email on the user's behalf (
gmail.send), checking free/busy availability and creating calendar events (calendar.readonly+calendar.events). - Transfer to third parties: we do not transfer raw or derived Google user data to third parties other than (a) the sub-processors listed in §5 that are strictly necessary to deliver the feature, most notably OpenAI may receive the body of an outgoing email when the AI agent composes it on the user's behalf, and our hosting / object-storage providers see encrypted-at-rest OAuth tokens and request payloads; (b) where required by applicable law; or (c) as part of a merger or acquisition with prior user notification.
- No advertising: Google Workspace data is never used to serve advertising, including retargeting, personalised, or interest-based advertising.
- No human reading: we do not allow humans to read Google user data except: with the user's explicit consent, for security investigations, to comply with applicable law, or for aggregated and anonymised internal operations.
- No AI/ML model training: we do not use Google Workspace data to develop, improve, or train generalised AI/ML models. Our LLM sub-processor (OpenAI) processes individual requests via their API; per our Data Processing Agreement, those inputs are not retained for model training.
7. International data transfers
Several sub-processors are established outside the EEA, primarily in the United States (OpenAI, Resend, Cloudflare, Sentry, Automattic / WooCommerce, Airtable, Notion, Calendly) and Canada (Shopify, for some store regions). For those transfers we rely on the EU Commission's Standard Contractual Clauses (2021/914) combined with supplementary technical measures (encryption in transit and at rest, access controls). For OpenAI specifically we also rely on their participation in the EU-US Data Privacy Framework. The transfer mechanism for each sub-processor is listed in the "Transfer mechanism" column of the §5 table.
8. How long we keep data
- Account data: for as long as your account is active, plus 30 days after deletion for backup rotation.
- Conversation history: 2 years by default, or shorter if you configure a retention policy in your workspace settings. Earlier deletion on request.
- Billing records and invoices: 7 years (Dutch tax law, art. 52 AWR).
- Audit logs of admin actions: 2 years.
- Application logs (IP, user-agent): 90 days.
9. Your rights
Under the GDPR you have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: correct inaccurate data.
- Erasure: ask us to delete your data (subject to legal retention obligations).
- Restriction: limit how we process your data while a dispute is resolved.
- Portability: receive your data in a structured, machine-readable format.
- Object: object to processing based on our legitimate interests, including direct marketing.
- Withdraw consent: where processing relies on consent, withdraw it at any time.
To exercise any of these rights, email [email protected]. We respond within 30 days. If you're unsatisfied, you may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).
If you are an end-user of one of our customers' AI agents and want to exercise these rights, please contact that customer directly. They are the data controller for that relationship. We'll assist them in responding to your request.
10. Security
We protect your data with industry-standard measures: TLS 1.2+ for all traffic, encryption at rest for databases and backups, bcrypt password hashing, principle of least privilege for access, regular dependency audits, and a documented incident response process. If a data breach affects you, we notify you within 72 hours as required by article 34 GDPR.
11. Changes to this policy
We may update this policy as our services evolve. When we make material changes, we'll notify you by email and via a prominent notice in the product at least 14 days before the changes take effect. The current version is always available at https://conveya.app/privacy.
12. Contact
Privacy questions, rights requests, or concerns about how we handle your data:
- Email: [email protected]
This policy was last updated on 28 May 2026.