Home Legal Privacy Policy

Privacy Policy

How we collect, use, and protect your personal data — and the data of your customers.

Last updated: May 5, 2026 ConvoAI by Serverlys
Terms of Service Privacy Policy Cookie Policy Acceptable Use DPA
Summary: We collect account information, usage data, and the WhatsApp conversation data your agents process. We use it to provide the Service. We do not sell your data. You can request deletion at any time. Your customers' conversation data is yours — we process it only on your behalf.

1. Overview

This Privacy Policy explains how Serverlys ("we", "us", "our") collects, uses, discloses, and safeguards personal data when you use ConvoAI (the "Service"). It also covers our obligations regarding personal data of your customers ("End Users") that is processed through the Service on your behalf.

We are committed to handling personal data responsibly and in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).

2. Who We Are

ConvoAI is operated by Serverlys. For questions about this policy or to exercise your rights, contact us at hello@serverlys.com.

In the context of GDPR:

  • Data Controller: Serverlys, for data we collect directly from you (account data, billing data, usage data).
  • Data Processor: Serverlys, for End-User personal data processed on behalf of you (the Data Controller) through your AI agents.

3. Data We Collect

3.1 Account & Registration Data

  • Email address
  • Full name (optional)
  • Password (stored as a secure hash — never in plain text)
  • Payment information (processed and stored by Stripe — we receive only a token and last-4 digits)

3.2 Agent Configuration Data

  • Business name, description, website URL, business hours
  • WhatsApp API credentials (Phone Number ID, WABA ID; access tokens are stored encrypted)
  • Knowledge base documents, product catalogs, FAQs, and custom instructions you upload
  • Webhook URLs and API keys you configure

3.3 Usage & Technical Data

  • Log data: IP address, browser type, pages visited, timestamps
  • Usage metrics: number of conversations, messages, AI requests, API calls
  • Error and performance data for debugging and service improvement

3.4 WhatsApp Conversation Data (End-User Data)

When your AI agents receive and respond to WhatsApp messages, we process:

  • WhatsApp phone numbers of your customers
  • Message content (text, media type references)
  • Profile display names provided by WhatsApp
  • Conversation history used to generate AI responses
  • CRM data derived from conversations (lead scores, stage, tags, notes)

This data is processed on your behalf as a Data Processor. See Section 7 for more detail.

4. How We Use Data

We use collected data to:

  • Provide the Service: Create and manage your account, run AI agents, process WhatsApp messages, and generate CRM records
  • Process payments: Manage subscriptions, invoices, and billing via Stripe
  • Improve the Service: Analyse usage patterns and performance to fix bugs and build new features (using aggregated, anonymised data where possible)
  • Security and fraud prevention: Monitor for abuse, unauthorized access, and policy violations
  • Customer support: Respond to your enquiries and resolve issues
  • Communications: Send transactional emails (account confirmations, billing receipts, security alerts). With your consent, we may send product updates and marketing emails
  • Legal compliance: Comply with applicable laws, regulations, and lawful requests

If you are located in the EEA, UK, or Switzerland, our legal bases for processing your personal data are:

  • Contract performance: Processing necessary to provide the Service you have subscribed to (account management, AI agent operation)
  • Legitimate interests: Security monitoring, product analytics, fraud prevention, and service improvement — where these interests are not overridden by your rights
  • Legal obligation: Compliance with applicable laws and regulations
  • Consent: For marketing emails and non-essential cookies — you may withdraw consent at any time

6. Data Sharing & Third Parties

We do not sell your personal data. We share data only in the following circumstances:

  • Anthropic: Message content is sent to Anthropic's API to generate AI responses. Anthropic processes this data as a sub-processor under their API terms. We do not send personally identifiable sender information beyond the message content.
  • Stripe: Payment data is processed by Stripe, Inc. We do not store full card numbers.
  • Meta (WhatsApp): Messages are transmitted via Meta's WhatsApp Cloud API. Meta's own Privacy Policy applies to this transmission.
  • Infrastructure providers: We use cloud hosting providers (e.g., servers, databases) who process data on our behalf under data processing agreements.
  • Legal requirements: We may disclose data if required by law, court order, or governmental authority, or if necessary to protect the safety of our users or the public.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction. We will notify you before your data is subject to a different privacy policy.

7. End-User Data (Your Customers' Data)

When you use ConvoAI's messaging features, your customers' WhatsApp messages, phone numbers, and other personal data are processed by our systems on your behalf. In this context:

  • You are the Data Controller of your customers' data
  • We are the Data Processor acting on your instructions
  • You are responsible for having a lawful basis to process your customers' data and for informing them about how their data is used
  • You must maintain a compliant Privacy Policy for your end-users that covers WhatsApp-based data processing

Our Data Processing Agreement (DPA) is publicly available and covers our obligations as processor, the list of authorised sub-processors, security measures, breach notification procedures, and your rights under GDPR Article 28. Enterprise customers may request a countersigned DPA at hello@serverlys.com.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data: Retained for the life of your account plus 30 days after deletion
  • Conversation data: Retained for the life of your account; can be deleted on request
  • Billing records: Retained for 7 years as required by financial regulations
  • Usage logs: Retained for up to 90 days for security and debugging purposes

When you delete your account, we will delete your personal data within 30 days, except where we are required by law to retain it longer.

9. Security

We implement industry-standard technical and organisational security measures to protect your data, including:

  • TLS/HTTPS encryption for all data in transit
  • Encrypted storage for sensitive fields (access tokens, API keys)
  • Bcrypt password hashing — passwords are never stored in plain text
  • Role-based access controls and principle of least privilege
  • Regular security reviews and vulnerability assessments
  • Django Content Security Policy (CSP) headers and CSRF protection

No method of transmission or storage is 100% secure. If you suspect a security breach, contact us immediately at hello@serverlys.com.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Request that we limit processing of your data in certain circumstances
  • Objection: Object to processing based on legitimate interests or for direct marketing
  • Withdraw consent: Withdraw consent for consent-based processing at any time
  • CCPA (California residents): Right to know, delete, and opt out of sale of personal information. We do not sell personal information.

To exercise any of these rights, email hello@serverlys.com. We will respond within 30 days. We may need to verify your identity before processing your request. You also have the right to lodge a complaint with your supervisory authority.

11. International Data Transfers

Your data may be processed on servers located outside your country of residence, including in the United States. When we transfer personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) as approved by the European Commission.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us at hello@serverlys.com and we will promptly delete it.

13. Cookies

We use cookies and similar technologies to operate the Service and improve your experience. For full details, see our Cookie Policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice within the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

15. Contact & Data Protection Enquiries

For privacy-related questions, data subject requests, or to request a DPA: