Privacy Policy
Last updated: May 21, 2026
1. Introduction
Conviro ("we", "our", or "us") is a product of Wizutech OÜ, a company registered in Estonia. We operate the website useconviro.com and the application at app.conviro.io (collectively, the "Service"), with our registered office in Tallinn, Estonia.
This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our Service. We are committed to processing personal data in compliance with the EU General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act, and other applicable data protection laws.
2. Data Controller
Wizutech OÜ is the data controller for personal data processed through the Service (account data, billing data, marketing communications). For data we process on behalf of business customers (e.g. End User conversation data, Meta Platform Data), Conviro acts as a data processor — see Sections 3.4, 3.6, 6 and 7.
- Email: [email protected]
- Address: Tornimäe tn 5, 10145 Tallinn, Estonia
- Estonian business registry code: 17161411
Instagram and Meta Platform Data
When a business connects an Instagram Professional account to Conviro, we process Instagram account metadata, message threads, sender identifiers, message content, timestamps, attachments, and webhook events solely to provide inbox, AI assistance, automation, analytics, and human handoff features.
We do not sell Meta Platform Data. We do not use Meta Platform Data for independent advertising, profiling, or training AI models. We process this data only on behalf of the connected business customer.
3. Data We Collect
3.1 Account Data
When you register, we collect:
- Identity Data: full name, username, profile photo (if using Google OAuth).
- Contact Data: email address, billing address, phone number (optional).
- Authentication Data: hashed password (for email login) or Google OAuth tokens.
3.2 Billing Data
Payment information (card number, billing address, VAT ID) is processed directly by Stripe and is never stored on our servers. We store only the Stripe customer ID and subscription status.
3.3 Usage Data
- IP address, browser type, operating system, referral URLs.
- Pages visited, features used, session duration, click patterns.
- API usage statistics, message counts, AI mode usage.
3.4 Conversation Data
When End Users interact with your chatbot, we process chat messages, visitor metadata (IP address, browser, referral URL), and any information voluntarily provided by the End User (name, email, phone via lead forms).
Important: As a Conviro customer, you are the data controller for End User conversation data. Conviro processes this data on your behalf as a data processor (see Section 7).
3.5 Knowledge Base Data
Content you upload to the knowledge base (documents, URLs, text) is processed and stored to enable AI-powered responses. This data remains within your Workspace, is not shared with other customers, and is not used to train AI models.
3.6 Meta Platform Data (Instagram, Facebook, WhatsApp)
When you connect your Instagram Business account, Facebook Page, or WhatsApp Business account to Conviro, we receive the following data from Meta Platforms, Inc. through their official APIs (Graph API, Messaging API, WhatsApp Cloud API):
- Account profile: business account ID, username, profile picture, follower count, connected Facebook Page ID.
- Conversation data: direct messages (incoming and outgoing), conversation metadata (timestamps, message IDs, thread IDs), end-user public profile (username, name, profile picture).
- Webhook events: message delivery confirmations, read receipts (where available), conversation state changes.
This data is received only after you (the client) explicitly authorize the connection through Meta's official OAuth flow. We do not access your personal Facebook profile or any business data beyond what is required to provide the customer support service. Detailed handling rules for this data are in Section 6.
4. How We Use Your Data
We process personal data for the following purposes:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Provide and maintain the Service | Performance of contract (Art. 6(1)(b)) |
| Process payments and billing | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails (password reset, billing receipts) | Performance of contract (Art. 6(1)(b)) |
| Prevent fraud and enforce Terms of Service | Legitimate interest (Art. 6(1)(f)) |
| Analytics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications (newsletter, product updates) | Consent (Art. 6(1)(a)) |
| Cookie-based analytics and advertising | Consent (Art. 6(1)(a)) |
| Comply with legal obligations (tax records, law enforcement) | Legal obligation (Art. 6(1)(c)) |
5. Data Sharing and Sub-processors
We share personal data only with the following named sub-processors, each bound by a Data Processing Agreement (DPA) under Article 28 GDPR:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting, database, object storage | Germany (EU) |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | US / Global edge |
| Anthropic, PBC | AI response generation (Claude) | United States |
| OpenAI, L.L.C. | AI response generation (GPT) | United States |
| Google LLC | AI response generation (Gemini) | United States / EU |
| Stripe, Inc. | Payment processing, billing | United States |
| Meta Platforms, Inc. | Instagram / Facebook / WhatsApp Messaging APIs | United States / EU |
| Resend, Inc. | Transactional email delivery | United States |
| Google LLC (Analytics) | Web analytics (only with cookie consent) | United States / EU |
AI provider commitments: Anthropic, OpenAI, and Google operate under enterprise agreements that prohibit training their models on customer data. Zero Data Retention (ZDR) is enabled where supported. Conversation content is sent transiently for response generation and is not retained by the AI provider beyond the API call.
We do not sell personal data. We do not share data with third parties for their independent marketing purposes. We do not transfer data to sub-processors not listed above without prior notice.
6. Meta Platform Data Handling (Tech Provider compliance)
This section applies specifically to data we receive from Meta Platforms, Inc. (Instagram, Facebook, WhatsApp) when a Conviro client connects their business account. Conviro is a registered Meta Tech Provider operating under Meta's Platform Terms and Developer Policies.
Purpose limitation. We use Meta Platform Data exclusively to provide the customer support automation service contracted by the client whose Meta account is connected. Specifically:
- Reading direct messages sent to the client's business account by End Users (consumers).
- Generating AI-powered or agent-assisted replies.
- Sending replies through Meta's Messaging API as the client's business account.
- Routing conversations to human agents on the client's team via our dashboard.
- Storing conversation history for the client to view, search, and export.
- Producing aggregated analytics for the client (message volume, response time, satisfaction scores).
We do NOT:
- Sell Meta Platform Data.
- Use Meta Platform Data for our own advertising or marketing.
- Train AI models on Meta Platform Data.
- Share Meta Platform Data between clients — each client's data is fully isolated at the database level.
- Access any Meta data beyond the permissions explicitly granted by the client during OAuth.
Data deletion. When a client disconnects their Meta account from Conviro, or closes their Conviro account, we delete all associated Meta Platform Data within 30 days, including conversation history, attachments, and derived analytics. End Users (consumers messaging the business) may also request deletion of their personal data by contacting [email protected]; the relevant business client will be notified and the data deleted across all systems within 30 days.
7. Data Processing Agreement (DPA)
Where Conviro acts as a data processor — including processing End User conversation data on behalf of a business client, and processing Meta Platform Data on behalf of a connected business — we provide a Data Processing Agreement that incorporates the standard clauses required by Article 28 of the GDPR.
The DPA is available on request by emailing [email protected]. Customers on Business and Enterprise plans automatically receive a signed DPA during onboarding.
8. International Data Transfers
Our primary servers are located in the European Union (Germany). Some of our sub-processors (Stripe, AI providers, Meta) may process data in the United States. For US transfers, we rely on:
- EU-US Data Privacy Framework (DPF) certifications, where the sub-processor is enrolled.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Supplementary technical measures (encryption in transit and at rest, pseudonymisation where feasible).
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Conversation data (incl. Meta Platform conversations) | Per workspace settings (default: 90 days) |
| Billing records | 7 years (Estonian accounting law) |
| Server logs | 30 days |
| Analytics data (Matomo, self-hosted) | 24 months |
| Knowledge base data | Duration of account + 30 days after deletion |
10. Your Rights (GDPR Articles 15-22)
You have the following rights regarding your personal data:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to Restriction (Art. 18): Request restriction of processing of your data.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interest or direct marketing.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time for consent-based processing.
To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee.
11. Data Security
- Encryption in Transit: All data is transmitted over TLS 1.2+ with 256-bit encryption.
- Encryption at Rest: Customer data is encrypted using AES-256.
- Access Control: Role-based access, MFA for internal systems, least-privilege principle.
- Infrastructure: ISO 27001-certified data centers in the EU. Database servers are not accessible from the public internet.
- Monitoring: 24/7 intrusion detection and automated alerting.
- Breach notification: In the event of a personal data breach, we will notify the Estonian Data Protection Inspectorate within 72 hours and affected users without undue delay, as required by GDPR Article 33.
12. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal data, please contact [email protected].
13. Cookies
We use cookies and similar technologies as described in our Cookie Policy. You can manage your cookie preferences at any time through the cookie banner or the preferences button on our Cookie Policy page.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through a notice on the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
15. Contact
For privacy-related inquiries:
- Email: [email protected]
- Company: Wizutech OÜ
- Address: Tornimäe tn 5, 10145 Tallinn, Estonia
- Estonian Data Protection Authority: www.aki.ee