Privacy Policy

This Policy describes how we handle two kinds of information differently:

• Your account information — information about you and your business as our customer. For this information, we act as a controller.
• Customer Data — personal information about your own leads, contacts, recipients, and customers that you process using the Service (e.g., CRM records, email and message content, chatbot transcripts, prospect lists). As between you and us, you are the controller of Customer Data and we act as a processor / service provider that processes it on your instructions to provide the Service. You are responsible for the lawfulness of that data, including providing required notices and obtaining any required consents.

We collect the following categories of information:

• Account & business information: name, email address, business name, team members, and settings you provide when you create and configure an account.
• Business data you create: leads, contacts, messages, bookings, quotes, invoices, knowledge-base content, campaigns, and similar records you add to or generate within the Service.
• Communications content: the content of emails, SMS and voice/voicemail (including transcriptions), and LinkedIn and social messages (e.g., WhatsApp, Instagram, Telegram) that you send or receive through connected channels, and chatbot conversation transcripts.
• Connected-account data: when you connect a third-party account (such as Google, Microsoft, or a social/messaging account) via OAuth or an account bridge, we access data from that account as described in Sections 3–4.
• Prospecting data: contact information you retrieve, reveal, enrich, or verify through third-party data providers used by lead-search features.
• Payment & payout information: billing details processed by our payment provider (Stripe); we do not store full card numbers on our servers. If you participate in our affiliate program, we collect the payout details you provide.
• Usage & technical data: log data, device and browser information, IP address, and similar diagnostics used to operate and secure the Service.

If you choose to connect a Google (Gmail) or Microsoft account, we request only the permissions needed to provide the features you enable. Specifically:

• Read and organize your mailbox (Google scope gmail.modify; Microsoft Mail.ReadWrite): to display your messages in the unified inbox, sync read/label state, and let you triage, label, and archive messages from within the Service.
• Send email on your behalf (Google scope gmail.send; Microsoft Mail.Send): to send replies and messages that you (or Agent Ivan with your approval) compose in the Service.
• Calendar access (where enabled): to sync events and manage bookings.
• Basic profile / email address (openid, email): to identify the connected mailbox.

We use this data solely to provide and improve the user-facing features you have enabled (for example, the shared inbox and AI-assisted drafting/triage performed by Agent Ivan). We access the minimum data necessary and only while your account remains connected.

Agent Ivan's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular, regarding data obtained through Google (or Microsoft) APIs, we do not:

• use the data for serving advertisements;
• sell the data;
• use the data to train, develop, or improve generalized or non-personalized artificial intelligence or machine-learning models. Any AI processing is performed only to provide features to you, the user, and is not used to train models;
• allow humans to read the data, unless: (a) we obtain your explicit consent to read specific messages; (b) it is necessary for security purposes (such as investigating abuse); (c) to comply with applicable law; or (d) the data is aggregated and anonymized and used for internal operations.

Where we use third-party AI providers to power Agent Ivan's features, those providers act as service providers processing data on our behalf under contractual terms that prohibit using your content to train their models.

• To provide, operate, maintain, and secure the Service;
• To deliver the features you enable, including the unified inbox, sending, CRM, bookings, billing, chatbot, prospecting, outbound, social messaging, and Agent Ivan;
• To process payments, manage subscriptions, and administer the affiliate program;
• To communicate with you about your account, security, and support;
• To monitor, prevent, and address abuse, fraud, and security incidents;
• To comply with legal obligations and enforce our terms.

We do not use Customer Data, or data obtained through Google/Microsoft APIs, to train generalized AI models. We do not sell personal information.

We use cookies, local storage, and similar technologies that are necessary to operate the Service — for example, to keep you signed in, maintain your session, remember preferences, and support security. The affiliate program uses your browser's local storage to remember a referral code so a referral can be attributed at signup. We may also use limited analytics to understand and improve usage. You can control cookies through your browser settings, though disabling necessary cookies may impair the Service.

We do not sell your personal information. We share information only with service providers (subprocessors) that help us operate the Service, and only as needed to provide it. These include, for example:

• Supabase — database and authentication hosting;
• Vercel — application hosting and infrastructure;
• OpenAI / Anthropic — AI processing for Agent Ivan (under terms that prohibit training on your data);
• Stripe — payment processing (your subscription and, if you enable it, payments from your customers);
• Twilio — phone, SMS, and voicemail features (if enabled);
• Resend — transactional and account email delivery;
• Unipile — LinkedIn and social/messaging channel bridging (if enabled);
• Apollo.io — lead/prospect data retrieval (if you use Find Leads);
• ZeroBounce — email-address verification (if enabled);
• Domain registrar partner — sending-domain registration and DNS for outbound (if used);
• Upstash — rate-limiting and caching infrastructure;
• Other cloud infrastructure and email-delivery providers used to host and operate the Service.

Each subprocessor operates under its own privacy policy. A current list of subprocessors is available on request. We may also disclose information to comply with the law, respond to lawful requests, enforce our agreements, or protect the rights, safety, and security of our users and the Service. If we undergo a business transfer (such as a merger or acquisition), information may be transferred subject to this Policy.

We and our subprocessors may store and process information in countries other than your own, including the United States. Where required, we rely on appropriate safeguards (such as standard contractual clauses) for cross-border transfers of personal information. By using the Service, you understand that your information may be transferred to and processed in those countries.

We protect data with industry-standard safeguards, including encryption in transit (TLS), encryption of sensitive credentials at rest, access controls, and tenant isolation (including row-level security) so that each business's data is kept separate. OAuth tokens are stored securely and used only to provide the features you enabled. Social/messaging account credentials are managed by our bridge provider (Unipile) and are not stored by us. No method of transmission or storage is 100% secure, but we work to protect your information and limit access to authorized personnel and processes.

We retain information for as long as your account is active or as needed to provide the Service and comply with our legal obligations. Following cancellation or termination, we may retain account data for a limited period (for example, 30 days) in a deactivated state to allow export or reactivation, after which it may be permanently deleted. You can:

• Disconnect a connected account at any time from the integrations or email settings in the app. Disconnecting revokes our access and removes the stored OAuth tokens; you may also revoke access directly at Google Account permissions or your Microsoft or social account's app permissions.
• Request deletion of your account and associated data, or of specific synced content (such as email bodies), by contacting us at hello@agentivan.ai. We will delete or de-identify your data except where retention is required by law.

Depending on your location, you may have rights to access, correct, delete, or export your personal information, to object to or restrict certain processing, to withdraw consent, and to not be discriminated against for exercising these rights. We do not sell or “share” personal information for cross-context behavioral advertising. To exercise these rights, contact us at hello@agentivan.ai. We will respond consistent with applicable law (including the GDPR and the CCPA/CPRA where they apply).

For Customer Data, you are the controller; if you receive a data-subject request relating to your contacts or customers, you can manage that data within the Service or contact us for assistance. If you require a Data Processing Agreement, contact us at hello@agentivan.ai.

The Service is intended for businesses and is not directed to children under 13 (or the age required by your jurisdiction). We do not knowingly collect personal information from children.

We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

If you have questions about this Privacy Policy or our data practices, contact us at hello@agentivan.ai.