Privacy Policy — Conversha

This Privacy Policy explains how Lyvme Ltd ("Conversha", "we", "us", or "our") collects, uses, stores, and protects personal information when you use Conversha, our AI-powered customer communication platform. Lyvme Ltd is a company registered in England and Wales with its registered office at Suite 10313, 5 Brayford Square, London, United Kingdom, E1 0SG.

We are committed to protecting your privacy and handling your data with the highest standards of security and transparency. By using Conversha, you agree to the practices described in this Privacy Policy.

1. Who We Are

Conversha is a SaaS platform operated by Lyvme Ltd that enables businesses to automate customer communications across multiple channels including Instagram, Facebook Messenger, TikTok, email, and web chat. We act as a data controller for information we collect directly from our customers (account holders), and as a data processor for data our customers process through our platform on behalf of their end-users.

2. Information We Collect

2.1 Account Information

When you create a Conversha account, we collect:

Full name and business name;
Email address;
Password (hashed using industry-standard algorithms);
Phone number (optional);
Business information (website URL, industry, size);
Billing information (processed securely through Stripe — we do not store complete payment card data).

2.2 Customer Communication Data

When you use Conversha to communicate with your end-users, we process the following data on your behalf:

Contact information (names, emails, phone numbers, social media usernames);
Message content from Instagram, Facebook, TikTok, email, and web chat conversations;
Automation triggers and workflow configurations;
Knowledge base content (text, URLs, PDFs) you upload to train your AI assistant.

Important: Sensitive fields including contact names, phone numbers, messages, and knowledge base content are encrypted at rest using AES-256-GCM authenticated encryption.

2.3 Third-Party Platform Data

When you connect third-party platforms (Instagram, Facebook, TikTok, Shopify, email providers), we receive data from those platforms in accordance with the permissions you grant. This may include:

Profile information (username, profile picture, account ID);
Page/account access tokens (encrypted and stored securely);
Messages, comments, mentions, and other events via webhooks;
Product catalog data (for Shopify integrations).

2.4 Usage and Analytics Data

We automatically collect information about how you use Conversha:

Pages visited and features used;
Actions performed (automation creation, message sent, etc.);
Device information (operating system, browser type, screen resolution);
Timestamps of activity;
Error logs and diagnostic data.

We do NOT collect or store your IP address for user tracking purposes. IP addresses may be temporarily logged for security and abuse prevention but are not associated with user profiles.

2.5 Cookies and Similar Technologies

We use essential cookies required for authentication, security, and basic functionality. We do not use advertising cookies or third-party tracking cookies. You can manage cookie preferences through your browser settings.

3. How We Use Your Information

We process your personal information for the following purposes:

Service Delivery: To provide, maintain, and improve Conversha's features;
Account Management: To authenticate users, manage subscriptions, and process billing;
AI Processing: To generate automated responses using your knowledge base and customer messages;
Customer Support: To respond to inquiries and provide technical assistance;
Analytics: To understand usage patterns and improve our platform;
Security: To detect and prevent fraud, abuse, and security incidents;
Legal Compliance: To comply with applicable laws, regulations, and legal requests;
Communications: To send service-related notifications (always) and promotional updates (only with your explicit consent).

We do NOT sell your personal information. We do not share your data with advertisers or data brokers.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area, United Kingdom, and Switzerland, we process personal data under the following legal bases:

Contract Performance: To deliver the services you have subscribed to;
Legitimate Interests: For fraud prevention, security, and service improvement;
Consent: For marketing communications and optional features (withdrawable at any time);
Legal Obligations: To comply with tax, accounting, and regulatory requirements.

5. Data Security Measures

We implement comprehensive security measures to protect your data:

Encryption at Rest: Sensitive fields (messages, contact PII, knowledge base content) are encrypted using AES-256-GCM with authenticated encryption and random initialization vectors;
Encryption in Transit: All communications use TLS 1.2 or higher;
Tenant Isolation: Each customer's data is logically isolated; no account can access another's data;
Access Controls: Role-based access control (RBAC) with principle of least privilege;
Secure Infrastructure: Hosting on enterprise-grade cloud providers (Google Cloud, Vercel, Cloudflare);
Vector Database Isolation: Knowledge base embeddings stored in Pinecone with per-tenant namespaces;
Security Monitoring: Continuous monitoring for suspicious activity and unauthorized access;
Incident Response: Documented procedures for identifying, containing, and notifying affected users of data breaches.

While we take every reasonable precaution, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Sharing and Third Parties

We share your data with trusted service providers only as necessary to deliver Conversha's services. All providers are contractually obligated to protect your data and use it only for the purposes we specify.

6.1 Service Providers (Data Processors)

Google Cloud Platform (Firebase): Authentication, database hosting, cloud functions — United States;
Vercel: Application hosting and edge delivery — United States;
Cloudflare R2: File storage for documents and media — United States;
Pinecone: Vector database for knowledge base search — United States;
Voyage AI: Text embedding generation for AI features — United States;
Anthropic: Large language model provider for AI responses — United States;
Stripe: Payment processing — United States;
Resend: Transactional email delivery — United States.

6.2 Integrations You Enable

When you connect third-party platforms (Instagram, Facebook, TikTok, Shopify, etc.), data flows between Conversha and those platforms based on the permissions you grant. These platforms have their own privacy policies governing how they handle your data.

6.3 Legal Requirements

We may disclose your information if required by law, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

6.4 Business Transfers

If Lyvme Ltd is involved in a merger, acquisition, or asset sale, your information may be transferred as part of the transaction. You will be notified of any such change via email.

7. Data Retention

We retain your personal data only as long as necessary to provide our services and comply with legal obligations:

Account Data: Retained for the duration of your active account, plus 30 days after account deletion to allow recovery;
Message Data: Retained per your subscription plan limits (typically 90 days to 2 years);
Billing Records: Retained for 7 years to comply with accounting and tax regulations;
Backups: Encrypted backups retained for up to 90 days;
Anonymized Analytics: May be retained indefinitely in aggregated, non-identifiable form.

Upon account deletion, we will permanently delete or anonymize your personal data within 30 days, except where longer retention is required by law.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Right of Access: Request a copy of the personal data we hold about you;
Right to Rectification: Correct inaccurate or incomplete data;
Right to Erasure ("Right to be Forgotten"): Request deletion of your data;
Right to Data Portability: Receive your data in a structured, machine-readable format;
Right to Restrict Processing: Limit how we use your data;
Right to Object: Object to processing based on legitimate interests or direct marketing;
Right to Withdraw Consent: Withdraw consent for processing at any time;
Right to Non-Discrimination: Not be discriminated against for exercising your rights;
Right to Lodge a Complaint: File a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@conversha.com. We will respond within 30 days (or sooner as required by law).

9. International Data Transfers

Conversha operates globally, and your data may be transferred to and processed in countries outside your country of residence, including the United States. When we transfer data internationally, we use appropriate safeguards, including:

Standard Contractual Clauses approved by the European Commission;
UK International Data Transfer Agreements;
Adequacy Decisions where applicable;
Contractual obligations requiring providers to maintain equivalent protection levels.

10. Children's Privacy

Conversha is not intended for individuals under the age of 18 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately at privacy@conversha.comand we will promptly delete it.

11. AI Processing and Automated Decision-Making

Conversha uses artificial intelligence to generate automated responses to customer messages based on your knowledge base. Our AI processing:

Does not involve solely automated decisions with legal or significant effects on individuals;
Allows human intervention and override at any time;
Processes data only for the purpose of generating contextual responses;
Does not train third-party foundation models on your data (Anthropic Claude processes inputs without training);
Stores knowledge base content with AES-256-GCM encryption and tenant-isolated vector embeddings.

12. California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to know what personal information we collect, use, and disclose;
Right to delete personal information;
Right to correct inaccurate personal information;
Right to opt-out of the sale or sharing of personal information (note: we do not sell your data);
Right to limit use of sensitive personal information;
Right to non-discrimination for exercising these rights.

To exercise these rights, contact us at privacy@conversha.com.

13. Third-Party Links and Services

Conversha may contain links to third-party websites and services. We are not responsible for the privacy practices of these third parties and encourage you to review their privacy policies.

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated via:

Email notification to account holders;
In-app notification;
Updated "Last Updated" date at the top of this policy.

Your continued use of Conversha after the effective date of any changes constitutes acceptance of the updated Privacy Policy.

15. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Data Controller: Lyvme Ltd
Address: Suite 10313, 5 Brayford Square, London, United Kingdom, E1 0SG
Privacy Email: privacy@conversha.com
General Support: support@conversha.com
Registered in: England and Wales

For GDPR-related inquiries, you also have the right to lodge a complaint with your local data protection authority. In the United Kingdom, this is the Information Commissioner's Office (ICO).