Privacy Policy
Effective date: 1 January 2026 | Last updated: 29 May 2026
Zyvora AI Limited (“Zyvora,” “we,” “us,” or “our”) is the data controller for personal information processed through the Zyvora AI platform (the “Service”). We are registered in England and Wales.
Registered address: Office 1226, 60 Tottenham Court Road, Fitzrovia, London, W1T 2EW, United Kingdom
Privacy contact: privacy@thezyvora.com
This policy applies to business owners (“you”) who use our dashboard, APIs, and integrations, and — where relevant — to end-customers whose messages flow through your connected channels. If you do not agree with this policy, do not use the Service.
1. What data we collect
1.1 Account and identity
- Email address and authentication credentials — collected when you sign up or log in (directly or via Google OAuth). We store a hashed identifier from your authentication provider and your email address.
- Session tokens and device data — to maintain secure login sessions across browser visits.
- Billing information — processed by our payment providers where applicable; we do not store full payment card numbers on our servers.
1.2 Business profile and knowledge base
When you use the Onboarding / Consultant AI agent to configure your business, we collect and store:
- Business name, type, services, pricing, hours, location, and other details you confirm.
- Chat transcripts of your onboarding conversations with the AI agent.
- Uploaded images or files you send to the AI for analysis.
- Structured “knowledge base” fields stored in our database linked to your account.
1.3 Customer conversations and appointments
When you activate AI agents on connected channels (WhatsApp, Instagram, Messenger), we process:
- Inbound and outbound message content, timestamps, and channel metadata.
- End-customer identifiers provided by the messaging platform (e.g., WhatsApp phone numbers, Instagram and Messenger PSIDs).
- Appointment records created when the AI books a service — including customer name, phone number, requested service, and date/time.
- Customer profiles we build from conversation history (name, contact details, message counts).
1.4 Channel connection data
- Meta API credentials (WhatsApp Phone Number ID, Instagram User ID, Facebook Page ID) that you connect via our integrations. These are stored in our database to route messages to the correct business account.
- OAuth tokens from Meta are handled according to Meta’s platform policies. You remain responsible for managing token security.
1.5 Technical and usage data
- Server and application logs (timestamps, IP addresses, error diagnostics, request metadata).
- Browser or device information collected through cookies or similar technologies (see Section 8 on Cookies).
- Fraud-prevention signals and rate-limiting data to protect our infrastructure.
2. How we use your data
We process personal data for the following purposes:
- Providing and operating the Service — running AI agents, routing messages, storing appointments, and maintaining your dashboard.
- Authentication and account security — verifying your identity, preventing unauthorised access, and enforcing usage limits.
- AI response generation — sending message content and business knowledge to our AI inference providers (e.g., OpenAI) to generate agent replies. We do not use your data to train public foundation models without your explicit consent.
- Service communications — sending you essential emails about your account, security alerts, and policy updates. We do not send unsolicited marketing without consent.
- Compliance and legal obligations — responding to lawful requests from authorities and enforcing our Terms of Service.
- Product improvement — analysing aggregated, de-identified usage patterns to improve reliability and features. We do not sell individual data.
3. Legal basis for processing (GDPR / UK GDPR)
For users in the UK and European Economic Area, we rely on the following legal bases:
- Contract performance — processing your account data, business profile, and messages is necessary to provide the Service you requested.
- Legitimate interests — securing the platform, preventing fraud, improving performance, and maintaining service logs. We balance these interests against your rights.
- Legal obligation — retaining certain records as required by applicable law.
- Consent — for non-essential cookies (if any) and marketing emails where required by law. You may withdraw consent at any time.
4. Who we share data with
We share personal data only as necessary:
- Infrastructure providers — cloud hosting, databases (Supabase / PostgreSQL), and DNS services that process data on our instructions under data processing agreements.
- AI providers — model API vendors (e.g., OpenAI) to generate agent responses. These providers process message content under their own privacy policies and our agreements with them.
- Meta platforms — when you connect WhatsApp, Instagram, or Messenger, message data flows through Meta’s APIs. Meta processes this data under its own policies.
- Payment processors — for billing, under their own terms and data protection commitments.
- Legal and safety — we may disclose data to law enforcement or regulators when legally required, or to protect rights, property, or safety.
We do not sell, rent, or trade personal data to third parties for marketing purposes.
5. How long we keep your data
- Account data — retained while your account is active and for up to 90 days after deletion to allow recovery from accidental requests.
- Message and conversation logs — retained for up to 12 months from the date of the conversation, unless you request earlier deletion.
- Appointment records — retained for 24 months for business record-keeping purposes, unless you request deletion.
- Security logs — retained for up to 90 days for fraud prevention and debugging.
- Billing records — retained for 7 years as required by UK tax law.
6. Security
We implement technical and organisational measures to protect your data, including encryption in transit (TLS), server-side credential storage, and access controls. No system is perfectly secure. You are responsible for keeping your account credentials confidential. If you suspect unauthorised access, contact us immediately at privacy@thezyvora.com.
7. International transfers
Some of our service providers (including AI inference providers and cloud infrastructure) may process data outside the UK and EEA. Where such transfers occur, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), EU Standard Contractual Clauses (SCCs), or equivalent mechanisms approved by the relevant authority.
8. Cookies and similar technologies
We use the following categories of cookies on our website and dashboard:
- Strictly necessary cookies — session cookies required for authentication and secure access to your dashboard. These cannot be disabled without breaking the Service.
- Functional cookies — store your preferences (e.g., consent choices, UI settings) using browser localStorage.
- Analytics cookies — we may use anonymised analytics to understand usage patterns. These are only set with your consent.
You can manage cookie preferences through the consent banner on our website or by adjusting your browser settings. Withdrawing consent for non-essential cookies will not affect your ability to use the core Service.
9. Your rights under GDPR / UK GDPR
If you are based in the UK or EEA, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) — request deletion of your personal data, subject to legal retention obligations (see Section 10 below).
- Right to restriction — ask us to limit how we use your data in certain circumstances.
- Right to data portability — receive your data in a structured, commonly used machine-readable format.
- Right to object — object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making — not to be subject to solely automated decisions that significantly affect you.
To exercise any of these rights, contact us at privacy@thezyvora.com. We will respond within 30 days. We may ask you to verify your identity before acting on a request.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local data protection authority.
10. How to request data deletion
You can request deletion of your account and associated data in two ways:
- From your dashboard: Go to Settings → Privacy & Data → Delete My Account. This initiates an immediate deletion of your profile, agents, conversations, and appointments from our systems.
- By email: Send a deletion request to privacy@thezyvora.com from the email address registered to your account. Include “Data Deletion Request” in the subject line. We will confirm and process the deletion within 30 days.
What gets deleted: your account credentials, business profile, AI agents, knowledge base, message history, appointments, and customer records linked to your profile.
What may be retained: billing records required by UK tax law (up to 7 years), anonymised security logs (up to 90 days), and any data we are legally required to retain in response to a lawful order.
11. Children
The Service is intended for businesses and adults aged 18 or over. We do not knowingly collect personal data from children under 18. If you believe a minor has provided data to us, contact us at privacy@thezyvora.com and we will delete it promptly.
12. Changes to this policy
We may update this policy from time to time. We will post the revised version with an updated “Last updated” date. For material changes, we will notify you by email or in-product notification at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact us
For privacy questions, rights requests, or data-related concerns:
- Email: privacy@thezyvora.com
- Post: Data Privacy, Zyvora AI Limited, Office 1226, 60 Tottenham Court Road, Fitzrovia, London, W1T 2EW, United Kingdom
- Website: thezyvora.com
This policy was last reviewed by Zyvora AI Limited on 29 May 2026. This document is provided in good faith and does not constitute legal advice.