Privacy Policy

SmartConvo provides a hosted Conversation AI Platform and embeddable Chat AI widget (“Services”) where businesses can configure automated chat-driven workflows. This policy clarifies what is already implemented in our platform and what clients can configure, ensuring an accurate representation of our current setup.

1. Roles & Scope

  • Client (Controller): You—the business deploying SmartConvo on your site—determine which data is collected and why.
  • SmartConvo (Processor): We process data strictly on your behalf and do not independently determine processing purposes.

2. Data We Currently Collect

  1. Non‑Personal Technical Data (Implemented)
    • Anonymous usage metrics, widget performance logs, anonymized IP ranges, browser and OS versions, and error reports, collected solely for platform reliability and improvement.
  2. Personal Data
    • By default, SmartConvo collects no personally identifiable information. Any PII (e.g. name, email, phone, or other custom fields) is captured only if you explicitly configure a chat workflow or form capture in your Admin Console—SmartConvo imposes no fixed schema and supports whatever fields you choose.
  3. Cookies & Local Storage
    • Strictly necessary cookies for chat-widget operation are set automatically.
    • No analytics or targeting cookies are loaded unless you integrate your own consent banner and opt end users into those features.

3. Purposes & Legal Basis

  1. Service Delivery (Implemented):
    • Necessary processing to render the chat widget and execute configured workflows (Contractual Necessity).
  2. Platform Improvement (Implemented):
    • Aggregate, anonymized analytics under Legitimate Interest to optimize performance and detect issues.
  3. Optional Data Capture (Configurable):
    • Any PII capture or analytics requires you to obtain end‑user consent before SmartConvo logs the data.

4. Data Retention & Purge

  • Default Retention (Implemented):
    • Chat transcripts and technical logs are retained for 30 days.
    • A scheduled background job automatically deletes data older than 30 days.
  • Anonymized Metrics:
    • Retained indefinitely in aggregated form for trend analysis.

5. Data Subject Rights & Interfaces

  • Admin‑Interface Tools (Implemented):
    • Export or delete any end-user data directly via your Admin Console.
  • Client Responsibility:
    • You must provide end users with a mechanism (links, buttons, or support contact) to invoke these exports or erasures.

6. Security Measures

  • Encryption in Transit (Implemented):
    • All traffic to APIs and the chat widget uses TLS (HTTPS and WSS).
  • Encryption at Rest (Implemented):
    • Data stored in AWS RDS is encrypted using AES‑256.
  • Access Controls (Implemented):
    • Role‑based API
  • Audit Logging (Implemented):
    • Immutable logs record every data‑export, deletion, and access event.

7. Third‑Party Processors & Agreements

  • OpenAI (Implemented):
    • Used exclusively for AI inference. We have a signed DPA in place.
  • Other Vendors:
    • We do not currently integrate other third‑party processors that handle EU personal data.

8. Cookie Consent Integration

  • Built‑In Respect (Implemented):
    • SmartConvo defers to your site’s cookie‑consent banner. No non‑essential cookies are set until your banner indicates end‑user opt‑in.

9. International Data Transfers

  • Not Applicable:
    • Data processing and storage occur within the AWS regions you select; no onward transfers occur outside those regions.

10. Breach Notification

  • Incident Response (Implemented):
    • In the unlikely event of a breach affecting your data, we will notify the email address you’ve provided (e.g. contact@smartconvo.io) within 72 hours.

11. Other Privacy Regimes

  • CCPA/CPRA: We do not sell personal data. California residents may request details of data sharing via your Admin‑Console reports.
  • COPPA: Our Services are not intended for children under 16; no PII is knowingly collected from minors.

12. Compliance & Certifications

  • GDPR (EU): SmartConvo operates as a GDPR-compliant processor, adhering to Articles 28–32 for data security, processing records, and breach notification.
  • UK GDPR: Our data practices align with the UK’s implementation of GDPR to protect UK residents’ personal data.
  • CCPA/CPRA: We comply with California privacy laws; SmartConvo does not sell personal data and supports consumer requests for access and deletion.
  • COPPA: Our Services are not directed at children under 16, and we do not knowingly collect PII from minors.
  • Data Processing Agreement (DPA) with OpenAI: A signed, GDPR-compliant DPA governs our AI-inference interactions.

13. Updates to This Policy

We will revise this policy as features evolve or regulations change. Material updates will be
communicated directly to you, and the “Last Updated” date will reflect the change.

Contact

For questions or data‑rights requests, contact your SmartConvo account representative or
email contact@smartconvo.io.