Privacy Policy

Last Updated: January 2, 2026 | Effective Date: January 2, 2026 | Version 2.1

1. Introduction and Scope of This Privacy Policy

This Privacy Policy ("Policy") is entered into by and between Convoro ("Company," "we," "us," or "our") and you, the individual or legal entity accessing or otherwise using the Convoro platform, including all associated websites, mobile applications, application programming interfaces, and related services (collectively, the "Service"). This Policy is intended to inform you, in a thorough and legally compliant manner, of our practices with respect to the collection, processing, storage, disclosure, transfer, and deletion of personal data and other information that we receive in connection with your use of the Service.

By accessing or using the Service in any manner, including but not limited to visiting or browsing the Service, creating an account, connecting a social media account, uploading content, or configuring automated messaging functionality, you acknowledge that you have read, understood, and agree to be bound by this Policy in its entirety. If you do not agree to the terms of this Policy, you must immediately cease all use of the Service and may request deletion of any data we have collected by contacting us using the contact information set forth in Section 14 of this Policy.

This Policy applies to all users of the Service regardless of geographic location, except where superseded by a jurisdiction-specific addendum or separate agreement executed in writing between you and the Company. We reserve the right to update, modify, or replace this Policy at any time at our sole discretion. It is your responsibility to review this Policy periodically. Your continued use of the Service following the posting of any changes to this Policy constitutes acceptance of those changes.

2. Information We Collect

2.1 Information You Provide Directly

When you register for an account, connect third-party services, configure the Service, or otherwise interact with any portion of the Service, we collect information that you voluntarily provide to us. This includes, without limitation: your email address and any other account registration information; authentication credentials, including passwords, which are stored in hashed form using industry-standard cryptographic algorithms; Instagram Business account connection data, including OAuth tokens and associated metadata; access tokens issued by Meta Platforms, Inc. and its subsidiaries and affiliates ("Meta"), which are stored in encrypted form using AES-256 encryption; knowledge base content, documents, frequently asked questions, product descriptions, pricing information, and any other text, images, or media that you upload or input into the Service for the purpose of training or configuring your automated messaging agent; bot configuration settings, response preferences, persona descriptions, delay settings, and other operational parameters; and any other information you choose to provide when contacting our support team, completing surveys, or otherwise communicating with us.

2.2 Information Collected Automatically

When you use the Service, certain information is collected automatically as a result of your interactions with the platform and as a result of the Service performing its core functionality on your behalf. This automatically collected information includes, but is not limited to: the full text content of Instagram Direct Messages received by and sent from your connected Instagram Business account, including inbound messages from third-party users and outbound automated responses generated by the Service; conversation metadata, including message timestamps, message identifiers, sender Instagram user identifiers (IGSIDs), recipient identifiers, and delivery status information; usage data, including the frequency and timing of your interactions with the Service dashboard, features accessed, configuration changes made, and other behavioral data relating to your use of the Service's web interface; webhook event payloads transmitted by Meta to the Service in connection with your connected Instagram account, which may include message content, reaction events, postback events, and other messaging-related events; session data, including IP addresses, browser type and version, operating system, device type, and referring URLs; and service performance and error logging data generated in the course of operating and maintaining the Service infrastructure.

2.3 Information Received from Third Parties

We may receive information about you from third-party sources, including from Meta in connection with your use of the Instagram API, from Supabase in connection with authentication services, from Stripe, Inc. in connection with payment processing, and from other service providers whose services are integrated with or used in the operation of the Service. Such third-party data is handled in accordance with this Policy and any applicable data processing agreements we have entered into with such third parties.

3. Legal Bases for Processing (Where Applicable)

To the extent that applicable law requires us to identify a legal basis for our processing of your personal data, we process your personal data on the following bases: (a) Performance of a Contract — processing is necessary for the performance of a contract to which you are a party, including the provision of the Service as described in our Terms of Service; (b) Legitimate Interests — processing is necessary for the purposes of our legitimate interests in operating, improving, and securing the Service, provided that such interests are not overridden by your interests or fundamental rights; (c) Consent — where you have provided consent to our processing of your personal data for one or more specific purposes; and (d) Compliance with Legal Obligations — where processing is necessary for compliance with a legal obligation to which we are subject.

4. How We Use Your Information

We use the information we collect for the following purposes, which are described in greater detail below: to provision, operate, maintain, and improve the Service and all of its features and functionality; to process and respond to Instagram Direct Messages on your behalf using artificial intelligence-generated responses informed by your knowledge base content; to store and display conversation history for your review, analytics, and quality assurance purposes; to monitor message volume and enforce subscription plan limits and overage policies as described in our Terms of Service and applicable subscription agreements; to generate analytics and reporting data, including message volume statistics, response rate information, and other operational metrics; to send you transactional communications, including account verification emails, billing notifications, service status updates, and other communications necessary for the operation of the Service; to investigate and respond to support requests, complaints, and inquiries; to detect, prevent, and address technical issues, security incidents, fraudulent activity, and violations of our Terms of Service; to comply with applicable laws, regulations, legal processes, and governmental requests; and to carry out any other purpose for which you provide information or to which you have otherwise consented.

5. Data Storage, Security, and Infrastructure

We implement and maintain a comprehensive set of technical and organizational security measures designed to protect your information against unauthorized access, disclosure, alteration, and destruction. These measures include, without limitation: AES-256 encryption of all OAuth access tokens and other sensitive authentication credentials prior to storage in our database; TLS/SSL encryption for all data transmitted between your browser or device and our servers and between our servers and third-party service providers; role-based access controls limiting access to personal data to personnel with a legitimate business need; regular security assessments and vulnerability testing; and logging and monitoring of access to systems containing personal data.

Our Service infrastructure is hosted on Render, a cloud computing platform. Our database is hosted on Supabase. Data may be stored on servers located in the United States or other jurisdictions depending on the configurations of our cloud infrastructure providers. By using the Service, you consent to the transfer of your information to these jurisdictions, which may have data protection laws that differ from those in your jurisdiction.

Notwithstanding the foregoing, no method of electronic storage or transmission over the internet is completely secure. While we use commercially reasonable security measures to protect your information, we cannot guarantee absolute security and cannot be held liable for breaches that result from factors outside of our reasonable control.

6. Disclosure of Your Information

6.1 Third-Party Service Providers

We share your information with third-party vendors and service providers that perform services on our behalf. These include: Meta Platforms, Inc., in connection with access to the Instagram Messaging API, webhook subscriptions, and OAuth authentication; OpenAI, in connection with the generation of AI-powered automated message responses (note: message content and knowledge base data are transmitted to OpenAI's API for processing); Supabase, Inc., in connection with authentication and database hosting services; Stripe, Inc., in connection with payment processing and subscription management; and Render, Inc., in connection with application hosting and infrastructure services. Each of these providers is subject to contractual obligations with respect to its handling of your data, and each maintains its own privacy policy governing its data practices.

6.2 Legal Requirements

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to: comply with a legal obligation, court order, subpoena, or governmental request; protect and defend the rights or property of the Company; prevent or investigate possible wrongdoing in connection with the Service; protect the personal safety of users of the Service or the public; or protect against legal liability.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy or insolvency proceeding, your information may be transferred to a successor entity as part of the transaction. We will endeavor to provide notice of any such transfer and any material changes to this Policy that may result therefrom.

7. Data Retention

We retain your personal data for as long as your account remains active or as otherwise necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specifically: account registration data is retained for the duration of your account and for a reasonable period thereafter as required by applicable law; Instagram message content and conversation history are retained for the duration of your account and for up to twelve (12) months following account termination, unless you request earlier deletion; knowledge base content and bot configuration data are retained for the duration of your account; payment and billing information is retained as required by applicable tax and financial recordkeeping laws; and log data and analytics data are retained for up to twenty-four (24) months.

You may request deletion of your personal data at any time by contacting us at the email address listed in Section 14. We will process deletion requests within a reasonable timeframe, subject to any legal obligations that require us to retain certain data.

8. Your Rights and Choices

Depending on your jurisdiction and applicable law, you may have the following rights with respect to your personal data: the right to access the personal data we hold about you; the right to correct or rectify inaccurate or incomplete personal data; the right to request deletion or erasure of your personal data, subject to certain exceptions; the right to restrict or object to our processing of your personal data in certain circumstances; the right to data portability, allowing you to receive your personal data in a structured, machine-readable format; the right to withdraw consent where our processing is based on your consent; and the right to disconnect your Instagram account from the Service at any time through the dashboard settings.

To exercise any of the foregoing rights, please contact us using the information in Section 14. We may require verification of your identity before processing any such request. We will respond to your request within the timeframe required by applicable law.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate the Service, maintain session state, and analyze usage patterns. These include session cookies necessary for authentication, preference cookies that store your settings, and analytics cookies that help us understand how the Service is used. You may configure your browser to refuse cookies, but doing so may impair the functionality of the Service. We do not currently respond to "Do Not Track" signals.

10. Children's Privacy

The Service is not directed to, and we do not knowingly collect personal information from, individuals under the age of eighteen (18). If you are under 18, you are not permitted to use the Service. If we become aware that we have collected personal data from a person under 18 without verifiable parental consent, we will take steps to delete that information as promptly as practicable. If you believe that a minor has provided us with personal information, please contact us immediately using the information in Section 14.

11. International Data Transfers

The Service is operated from the United States. If you are located outside of the United States, please be aware that information we collect about you may be transferred to, stored, and processed in the United States or other countries where our servers and service providers are located. By using the Service, you consent to such transfer, storage, and processing. We will take all reasonable steps necessary to ensure that your data is treated securely and in accordance with this Policy.

12. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or services that are not owned or controlled by us. This Policy applies only to the Service. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of any third-party service you access through or in connection with the Service, including Meta, OpenAI, Supabase, and Stripe.

13. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. We will provide notice of material changes by posting the updated Policy to this page and updating the "Last Updated" date at the top of this Policy, and may also provide notice via email or in-app notification. Your continued use of the Service following the effective date of any updated Policy constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you must stop using the Service.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Convoro — Email: [email protected]