Privacy Policy

1. Who we are

The Vavio service and website (together, the “Service”) are operated by Vectorwise LLC, a limited liability company formed in Wyoming, United States, trading under the Vavio brand (“we”, “us”, “our”). This Privacy Policy explains what personal data we collect when you visit our website or use the Service, how we use and share it, and the choices and rights you have.

2. The Service in summary

Vavio is a business-to-business software-as-a-service platform that lets businesses (our “Customers”) create, publish, and manage AI-powered, customer-facing agents — for example, chat agents embedded on the Customer’s own website — that engage visitors, answer questions grounded in the Customer’s own content, and capture and route leads into the Customer’s systems. This Privacy Policy covers personal data we process as a controller (e.g. about Customer account holders and website visitors to our marketing site). When a Customer uses the Service to interact with their own end users, we process that data on the Customer’s behalf as their processor — see Section 11.

3. Personal data we collect

We collect the following categories of personal data:

• Account data: name (if provided), email address, password (stored as a salted hash), workspace and role information.
• Billing data: when you subscribe to a paid plan, our payments processor collects card details and billing address. We do not store full card numbers on our systems.
• Usage data: how you use the Service (e.g. agents created, configuration changes, sessions, feature usage) for security, support, billing, and product improvement.
• Communications: messages you send us (e.g. support requests, demo requests, sales correspondence) and our responses.
• Technical data: IP address, browser type and version, device identifiers, language, time zone, and similar information needed for security, fraud prevention, and operation.
• Marketing data: records of preferences, consents, and interactions with our marketing emails or ads, where applicable and lawful.
• Customer content: content and knowledge our Customers upload to configure their agents (e.g. pricing rules, FAQs, policies). Where this content contains personal data, our Customer is the controller; we process it on their instructions.
• End-visitor conversation data: when a visitor interacts with a Customer’s agent embedded on the Customer’s site, the conversation and any contact details the visitor provides are processed through the Service. Our Customer is the controller of that data; we process it on their instructions as their processor.

4. How we use personal data

As a controller (for the categories at Section 3 other than Customer content and end-visitor conversation data), we use personal data to:

• Provide, operate, and maintain the Service and our website.
• Create and manage accounts, authenticate users, and prevent unauthorised access.
• Process payments and manage subscriptions.
• Respond to support requests, demo requests, and other communications you initiate.
• Improve the Service: diagnose issues, fix bugs, analyse usage trends, and develop new features. Where we use analytics for this purpose, we minimise identification of individuals.
• Send service-related messages (e.g. transactional notifications, security alerts, material changes to terms or policies).
• Send marketing communications about Vavio where we have a lawful basis to do so. You can opt out at any time using the unsubscribe link in our emails or by contacting us.
• Comply with legal obligations and enforce our terms.

5. Legal bases (UK and EEA)

If you are in the United Kingdom, European Economic Area, or Switzerland, we rely on the following legal bases under the UK GDPR and EU GDPR:

• Contract: to provide the Service to you and to handle your requests.
• Legitimate interests: to secure the Service, prevent fraud and abuse, improve our products, and communicate with you about features or offers relevant to your role, balanced against your rights.
• Consent: where required by law (e.g. certain analytics or advertising cookies, certain marketing messages). You can withdraw consent at any time.
• Legal obligation: where we are required to process personal data by applicable law.

6. AI and automated processing

The Service uses artificial intelligence — including large language models (LLMs) provided by third parties — to generate responses inside our Customers’ agents. You should be aware that:

• Conversations between a website visitor and a Customer’s agent are transmitted to one or more LLM providers we use as sub-processors so that the agent can generate a response.
• Our LLM providers process this data under their applicable API or enterprise terms. By default under these terms, content sent through the API is not used to train the providers’ foundation models.
• We do not sell personal data, and we do not use Customer content or end-visitor conversation data to train our own AI models.
• AI-generated responses can be incorrect or incomplete. Customers are responsible for the content they configure into their agents and for any human review or oversight they choose to apply.
• We do not use these AI systems to make decisions that produce legal or similarly significant effects on individuals.

7. Sharing and sub-processors

We do not sell personal data. We share personal data only with:

• Sub-processors that provide services on our behalf, including: cloud hosting and database providers, authentication providers, AI model providers (for the AI features described in Section 6), email and notification providers, payments processors, customer support tools, error monitoring, and product analytics. We require sub-processors to provide appropriate protections and to process personal data only on our documented instructions or for their own permitted purposes under applicable law.
• Professional advisers (e.g. accountants, lawyers) and corporate transactions (e.g. in connection with a merger, acquisition, or sale of assets), under appropriate confidentiality protections.
• Authorities or third parties where we are required to do so by law, to respond to lawful requests, to protect our rights, or to protect the safety of users or others.

A current list of categories of sub-processors is available on request via hello@vavio.ai.

8. International data transfers

We are based in the United States, and personal data may be processed in the United States and in other countries where we or our sub-processors operate. Where we transfer personal data from the United Kingdom, European Economic Area, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards (typically the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or the equivalent Swiss mechanism), together with technical and organisational measures.

9. Retention

We keep personal data only for as long as we need it for the purposes described in this Privacy Policy. Account and usage data are retained while your account is active and for a reasonable period afterwards to comply with legal obligations, resolve disputes, and enforce our agreements. Customer content and end-visitor conversation data are retained according to Customer settings and our agreement with the Customer. When personal data is no longer needed, we delete or anonymise it in line with our internal retention practices and applicable law.

10. Your rights

Depending on where you live, you may have the following rights regarding your personal data:

• Access: request a copy of personal data we hold about you.
• Rectification: ask us to correct inaccurate or incomplete data.
• Erasure: ask us to delete personal data, subject to legal limits.
• Restriction or objection: ask us to restrict, or object to, certain processing.
• Portability: ask us to provide certain personal data in a portable format.
• Withdraw consent: where we rely on consent, withdraw it at any time without affecting prior lawful processing.
• Complain: lodge a complaint with your local data protection authority (e.g. the UK Information Commissioner’s Office, or your EEA supervisory authority).

If you are a California resident, the California Consumer Privacy Act (“CCPA”) gives you additional rights, including the right to know what personal information we have collected, the right to request deletion, the right to correct, and the right to opt out of any “sale” or “sharing” of personal information as those terms are defined under the CCPA. We do not sell personal information. To exercise these rights, contact us using the details below. We will not discriminate against you for exercising your rights.

If our processing of your personal data is on behalf of one of our Customers (for example, conversation data captured by a Customer’s embedded agent), please direct your request to that Customer. We will assist them in responding.

11. Customer-controlled data

When we process Customer content and end-visitor conversation data on behalf of a Customer, that Customer is the data controller and we are the processor. The Customer is responsible for the lawful basis on which they collect and use that data, for providing appropriate notice and (where required) consent to their end users, and for honouring data subject requests received from their end users. Our processing of that data is governed by our agreement with the Customer, including any data processing terms incorporated by reference.

12. Security

We use technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption of data in transit, access controls and least-privilege provisioning, logging and monitoring, and vendor diligence for our sub-processors. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security but work to keep our practices in line with industry standards.

13. Children

The Service is a business product intended for adults using it on behalf of an organisation. It is not directed to children. We do not knowingly collect personal data from children under 16 (or under 13 in the United States, where applicable). If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.

14. Cookies and similar technologies

We and selected third parties use cookies and similar technologies on our website and in the Service for purposes such as keeping you signed in, remembering preferences, analytics, and (where you consent) marketing. Further detail and your choices are in our Cookie Policy.

Where you give consent for advertising cookies, the following advertising tags may transmit cookie and device identifiers, page visits, and conversion events to the named providers for advertising and measurement:

• Microsoft Corporation via the Microsoft Advertising Universal Event Tracking (UET) tag — see the Microsoft Privacy Statement.
• Google LLC via Google Ads and Google tag (gtag) — see the Google Privacy Policy.
• Meta Platforms, Inc. via the Meta Pixel — see the Meta Privacy Policy.
• LinkedIn Corporation via the LinkedIn Insight Tag — see the LinkedIn Privacy Policy.

15. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to the Service, our practices, or applicable law. When we make material changes, we will update the “Last updated” date and, where appropriate, notify you (for example, by email or an in-product notice). Continued use of the Service after a change takes effect constitutes acknowledgement of the updated policy.

16. Contact

For privacy questions or to exercise your rights, contact Vectorwise LLC (Vavio) at hello@vavio.ai. Postal / legal notices: Vectorwise LLC, 1309 Coffeen Avenue STE 1200, Sheridan, WY 82801, USA. We will respond within a reasonable time and within the period required by applicable law.