Privacy Policy

Effective Date: December 1, 2025

This Privacy Policy describes how ConvoInsights ("Company," "we," "us," or "our") handles information in connection with your use of our Services (the "Service").

This Privacy Policy is incorporated into and is subject to our Terms of Service. By accessing or using the Service, you agree that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service. If you do not agree, you must stop using the Service immediately.

The Short Version (Plain English)

We collect your email and account info to run your account. We control this data.

You upload transcripts. This is Your Content. You control this data, and you are 100% legally responsible for it.

We are a "Data Processor." We just follow your instructions, like when you tell us to send Your Content to an AI for analysis.

If you upload someone's personal info without their permission, that is your responsibility, not ours.

Any service disputes with us are handled by arbitration in Ontario. Any regulatory complaints (like a GDPR complaint) are a matter between you, us, and the regulator. You also have specific rights under GDPR (if in EU) or CCPA (if in California) listed below.

1. Who Controls What Data? (The Core Principle)

This policy distinguishes between two types of data. This distinction is critical to understanding your rights and responsibilities.

1.1. Account Information

This is the limited personal data we collect to provide the Service to you, such as your email address, name, and IP address. We are the "Data Controller" (or equivalent) for this data and are responsible for protecting it as described in this policy.

1.2. Customer Content

This is the data you upload to the Service, such as sales call transcripts ("Customer Content"). You are the "Data Controller" for this data. We are a "Data Processor" (or "Service Provider"). We only process this data on your behalf and according to your instructions (e.g., when you click "add theme labels").

You are solely and exclusively responsible for all legal and compliance obligations related to your Customer Content, including (but not limited to) GDPR, CCPA, and PIPEDA.

2. Information We Collect

A. Account Information (Data We Control)

Identifiers: Your first and last name, email address.

Authentication: OAuth tokens if you sign up via Google.

Billing Information: We do not see or store your credit card. Our payment processor (Polar) handles this, and we only receive a subscription status confirmation.

Technical Information: IP address, browser type, operating system, and usage logs (e.g., features clicked) for security and service improvement.

B. Customer Content (Data You Control)

Sales call transcripts and any other files or text you voluntarily upload to the Service. We do not access, review, or control this data except as required to provide the Service or as required by law.

3. How We Use Information

Account Information:

  • To provide, maintain, and secure the Service
  • To manage your account, process payments, and send essential service-related emails
  • To analyze usage patterns to improve the Service
  • To enforce our Terms of Service and comply with our legal obligations

Customer Content:

  • We process this data only as you instruct
  • When you request an AI analysis, we transmit it to the AI provider
  • We do not use your Customer Content to train our own models, for marketing, or for any other purpose

4. How We Share Information

We do not sell or rent your personal data. We only share it with the following parties to operate the Service:

Service Providers (Our "Sub-processors")

  • Infrastructure: Supabase (database, hosting)
  • Authentication: Google (if you use Google OAuth)
  • Payments: Polar (handles all billing)
  • Analytics: PostHog (for product usage analytics)

Third-Party AI Providers (Your "Sub-processors")

When you instruct us to, we will transmit your Customer Content to AI providers like Anthropic (Claude) and Google (Gemini). Their use of your data is governed by their own policies, which you are responsible for reviewing:

Google API Compliance: Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements.

Legal & Compliance

If we receive a valid legal order (e.g., a subpoena) under our governing law (Ontario, Canada).

Business Transfers

If we are acquired, merged, or sell our assets, your data will be transferred to the new owner.

Aggregated Data

We may create and share aggregated, de-identified, or anonymized data that cannot identify you personally for lawful business purposes.

5. Your Responsibilities as Data Controller

Since you are the Data Controller for your Customer Content, you represent and warrant that you will:

  • Comply with all applicable privacy laws (GDPR, CCPA, PIPEDA, etc.) for the data you upload
  • Have a lawful basis for collecting, processing, and sharing the content, including obtaining all necessary consents from individuals in your recordings
  • Redact or anonymize any sensitive personal information (PII, PHI) if required by your applicable laws or internal policies
  • Handle any data subject requests (e.g., deletion requests) from individuals whose data is contained in your content
  • Indemnify us from any claims, fines, or damages arising from your Customer Content, as detailed in our Terms of Service

We have no obligation to screen your content, detect PII, or ensure your compliance with any law.

Recommended Best Practices

We strongly recommend you:

  • Redact all PII (names, addresses, emails, phone numbers) before upload
  • Anonymize speaker identities (use "Customer A," "Sales Rep," etc.)
  • Remove financial information and account numbers
  • Ensure you have consent to share conversations with third-party services
  • Review your organization's data governance policies before using the Service

6. Your Privacy Rights

Your rights depend on the type of data.

A. Rights Regarding Your Account Information (The data WE control)

As we are a Canadian company, your rights are primarily governed by Canadian law (PIPEDA). However, we recognize that other laws may apply depending on where you are located.

General Rights:

  • Right to Access & Correction: You may request a copy of or correct your Account Information by contacting us
  • Right to Deletion: You may request the deletion of your account
  • Right to Object/Withdraw Consent: You may withdraw consent, which will require us to terminate your account as we cannot provide the Service without this data

To exercise these rights, please email us at support@convoinsights.app. We will evaluate all requests and respond as required by applicable law.

B. For European Economic Area, UK, and Switzerland Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) regarding your Account Information:

Legal Basis for Processing:

  • Contractual Necessity: We process your Account Information to provide the Service you requested
  • Legitimate Interests: We process certain data (usage logs, analytics) for service improvement, fraud detection, and security
  • Consent: Where you've provided explicit consent (e.g., for certain analytics)
  • Legal Obligations: Where required to comply with applicable laws

Your GDPR Rights:

  • Right to Access: Request a copy of your Account Information
  • Right to Rectification: Request correction of inaccurate information
  • Right to Erasure: Request deletion of your Account Information ("right to be forgotten")
  • Right to Restriction of Processing: Request we limit processing in certain circumstances
  • Right to Data Portability: Request your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent where processing is based on consent
  • Right to Lodge a Complaint: File a complaint with your supervisory authority
  • Right Not to be Subject to Automated Decision-Making: We do not make automated decisions that produce legal or similarly significant effects

How to Exercise Your Rights:

Email us at support@convoinsights.app from your registered email address. Include:

  1. Your full name and email
  2. Which right(s) you wish to exercise
  3. Any information necessary to verify your identity

We will respond within 30 days (or as required by GDPR). We do not charge a fee unless requests are manifestly unfounded or excessive.

Supervisory Authority:

You have the right to lodge a complaint with your local data protection authority. Find your authority here: https://edpb.europa.eu/about-edpb/board/members_en

C. For California Residents (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act regarding your Account Information:

Categories of Personal Information We Collect:

  • Identifiers: Email address, name, IP address
  • Internet or Network Activity: Usage logs, device information, browser type, operating system
  • Geolocation Data: IP address-based location

Your CCPA Rights:

  • Right to Know: What personal information we collect, use, and disclose about you
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale: We do NOT sell personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

Important Disclosures:

  • We do NOT sell personal information and have not sold personal information in the past 12 months
  • We do NOT share personal information for cross-context behavioral advertising

How to Exercise Your Rights:

Email us at support@convoinsights.app. Include your name and the email address associated with your account. We will respond within 45 days as required by CCPA.

Authorized Agents:

You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization.

D. For Canada Residents (PIPEDA)

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act:

  • Right to access your personal information
  • Right to challenge the accuracy of your information
  • Right to withdraw consent
  • Right to file a complaint with the Privacy Commissioner of Canada: https://www.priv.gc.ca

E. For Other US State Residents

Residents of Colorado, Connecticut, Delaware, Iowa, Montana, Oregon, Tennessee, Texas, Utah, Virginia, and other states with comprehensive privacy laws have similar rights to California residents. Contact us at support@convoinsights.app to exercise these rights.

F. Rights Regarding Your Customer Content (The data YOU control)

We cannot honor data subject requests for Customer Content because we are only a Processor. You have full control over this data and can access, modify, and delete it from within your account at any time.

If you receive a data subject request from one of your end-users (someone whose voice/data is in your transcripts), you are responsible for handling it.

7. International Data Transfers

We are a Canadian company. Our servers and service providers are located in Canada and the United States. If you are accessing the Service from outside these countries, you acknowledge and agree that:

  • Your Account Information and Customer Content will be transferred to, stored in, and processed in Canada and the United States
  • These countries may have data protection laws that are different from your own
  • By using the Service, you explicitly consent to this transfer

For EEA, UK, and Switzerland Users:

  • We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for data transfers to countries outside the EEA
  • We implement additional technical and organizational safeguards to protect your data
  • You consent to the transfer of your data to the United States and other countries where our service providers operate

8. Data Security and Retention

Security

We use commercially reasonable security measures (such as encryption in transit via TLS/SSL and encryption at rest) to protect your data. However, no system is 100% secure.

You use the Service at your own risk, and we are not liable for security breaches except as required by applicable law.

Your Security Responsibilities

  • Use strong, unique passwords
  • Do not share login credentials
  • Log out from shared devices
  • Report suspected security incidents to support@convoinsights.app

Retention

Account Information: We retain this as long as your account is active, and for a limited period after termination (e.g., 30 days) for billing and legal purposes.

Customer Content: We retain this until you delete it or terminate your account. All Customer Content will be permanently deleted from our live systems within 30 days of termination. It may persist in secure, offline backups for up to 90 days before being purged.

Analytics Data: Retained for up to 24 months for service improvement purposes.

Authentication Logs: Retained for up to 90 days for security purposes.

9. Cookies and Tracking

We use a minimal number of cookies:

Essential Cookies: Required for authentication (Supabase Auth, Google OAuth) and session management. The Service cannot function without them.

Analytics Cookies (e.g., PostHog): To help us understand how the product is used so we can fix bugs and make improvements.

We do not use third-party advertising or marketing trackers. We do not respond to "Do Not Track" signals as there is no universal standard.

For more information about cookies, visit allaboutcookies.org.

10. Dispute Resolution

This is a critical section. We separate commercial disputes from regulatory complaints and statutory privacy rights.

10.1. Commercial Disputes

As stated in our Terms of Service, any commercial dispute between you and ConvoInsights arising from or relating to the Service or this Privacy Policy (including disputes over billing, service quality, or contractual obligations) shall be resolved by binding arbitration in Toronto, Ontario, Canada, under the laws of Ontario.

10.2. Statutory Privacy Rights and Regulatory Complaints

This arbitration clause does not limit your statutory rights under applicable privacy laws. Specifically:

  • GDPR: If you are in the EEA, UK, or Switzerland, you retain the right to bring claims in court under GDPR Article 79, and to lodge complaints with your data protection authority under GDPR Article 77.
  • CCPA: If you are in California, you retain the right to bring private rights of action under the CCPA in court where permitted.
  • Regulatory Complaints: You may file complaints with data protection authorities or regulators (e.g., the Privacy Commissioner of Canada, EU data protection authorities, the California Attorney General) without being subject to arbitration. Such matters will be handled between ConvoInsights and the relevant authority.

The arbitration clause applies to commercial and contractual disputes, not to statutory privacy law claims or regulatory proceedings.

11. Personal Data of Minors

The Service is a B2B product and is not intended for or directed at anyone under the age of 13 (or under the age of 16 in the European Economic Area).

We do not knowingly collect personal information from individuals under these ages. If we learn we have done so, we will delete that information as quickly as possible.

If you believe that a minor may have provided us personal information, please contact us at support@convoinsights.app.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or an in-app notice at least 30 days before they take effect.

Your continued use of the Service after changes take effect constitutes acceptance of the new policy. If you do not agree, you must stop using the Service.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: support@convoinsights.app