Privacy Policy
Last updated: January 29, 2026 · Customer privacy is our top priority.
ConversionOS ("we," "us," or "our") operates the ConversionOS platform, including our websites, dashboard, and services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Service. We treat customer privacy as a top priority and design our systems accordingly.
1. Scope and Roles
This policy applies to (a) visitors of our marketing and product websites, (b) customers who sign up and use the ConversionOS dashboard and products ("Customers"), and (c) end users whose data is processed by our Customers when they use Customer-facing features (e.g., chat widget, testimonial forms, analytics on Customer sites) ("End User Data"). When we process End User Data on behalf of a Customer, we do so as a data processor; the Customer is the data controller and is responsible for having a lawful basis and providing any required notices to their end users.
2. Information We Collect
2.1 Information you provide
- Account and profile: When you create an account, we collect email address, name, and optionally avatar. We may also store organization/workspace name, logo, and settings.
- Billing: Payment and subscription data are processed by Stripe. We store subscription status, plan, and product entitlements; we do not store full payment card numbers.
- Product usage: Content you create in the Service (e.g., chat agents, testimonials, analytics sites, monitoring configs, team members, invites) is stored to provide the Service.
- Communications: If you contact support or use feedback forms, we collect what you send and use it to respond and improve.
2.2 Information collected automatically
- Usage and logs: We log access to our applications (e.g., IP address, user agent, timestamps) for security, debugging, and operational purposes. We may retain these for a limited period.
- Cookies and similar tech: We use cookies and similar technologies only where necessary—primarily for authentication (e.g., Supabase session cookies) and to remember preferences. Our analytics product is designed to be cookie-free and privacy-friendly when used on Customer sites (see Section 2.3).
2.3 End User Data (processed on behalf of Customers)
- Chat: When visitors use a Customer's chat widget, we may process conversation content, optional lead data (name, email, phone, company), and technical data (e.g., user agent, referrer, page URL) to deliver the chat and AI responses. Messages may be sent to AI providers (e.g., OpenAI, OpenRouter) to generate replies.
- Testimonials: Submissions (text, video, name, email, title, company, rating, social links, avatar) are stored for the Customer. Video may be processed and stored via Mux. Email notifications may be sent via Resend.
- Analytics: Our analytics script can collect, on Customer-configured sites: pageviews, events, referrer, UTM parameters, device type, browser/OS (high-level), and country/region/city (from IP or provider headers). We use a daily session identifier that does not rely on persistent cookies; the IP address is used to derive the session ID but can be excluded or not stored per your configuration. Customers can exclude paths, countries, and IPs. We do not sell this data.
- Monitoring: We collect and store mentions, reviews, and related metadata that Customers configure us to monitor (e.g., social, reviews).
3. How We Use Information
We use the information we collect to:
- Provide, operate, and improve the Service.
- Authenticate you and manage your account and organizations.
- Process payments and manage subscriptions (via Stripe).
- Send transactional and product-related emails (e.g., invites, notifications) via Resend.
- Power AI features (e.g., chat completions, embeddings, insights) using OpenAI and/or OpenRouter.
- Host and stream video testimonials via Mux.
- Comply with law, enforce our terms, and protect our rights and safety.
We do not use your data or End User Data for advertising or to build advertising profiles. We do not sell personal information.
4. Sharing and Disclosure
We may share information only as follows:
- Service providers (subprocessors): We use trusted providers to run the Service. They process data only on our instructions and under agreements that protect confidentiality and security. Key providers include: Vercel for hosting; Supabase for authentication and possibly the database; Stripe for payments; Resend for email; OpenAI and/or OpenRouter for AI; Mux for video; and, if applicable, testimonial.to for linked accounts. A current subprocessor list is available on request.
- Legal and safety: When required by law, or to protect rights, safety, or property.
- Business transfers: In connection with a merger, sale, or other transfer of assets, with continued protection of personal information under this policy or a successor policy.
5. Data Retention
- Account data: Retained while your account is active and for a reasonable period after closure for legal and operational needs, unless you request deletion and we are not required to retain it.
- End User Data: Retained as long as the Customer's account is active and the data is needed to provide the Service. Analytics event data may be subject to retention limits by plan (e.g., 30 days, 90 days, 1 year) as described in the product or pricing documentation.
- Logs and backups: Logs and backups may retain data for a limited period; we do not use them for ongoing processing beyond operational and security purposes.
6. Security
We implement technical and organizational measures to protect personal information, including encryption in transit, access controls, and secure development practices. We do not store payment card numbers; payment data is handled by Stripe. No system is 100% secure; we will notify affected parties and regulators where required in the event of a breach that poses a risk to rights and freedoms.
7. International Transfers
We may store and process data in the United States and other countries where our service providers operate. Where we transfer data from the EEA, UK, or other restricted jurisdictions, we rely on adequacy decisions, standard contractual clauses, or other lawful transfer mechanisms. Details are available on request.
8. Your Rights
Depending on where you live, you may have the right to:
- Access and receive a copy of your personal data.
- Correct inaccurate data.
- Request deletion of your data (subject to legal and operational exceptions).
- Restrict or object to certain processing.
- Data portability (e.g., export in a machine-readable format).
- Withdraw consent where processing is based on consent.
- Lodge a complaint with a supervisory authority.
To exercise these rights, contact us at privacy@conversionos.com. We will respond within the timeframes required by applicable law. For End User Data, the Customer is the controller; end users should direct requests to the Customer first where appropriate.
9. Cookies and Tracking
We use cookies and similar technologies only where necessary for the Service: primarily for authentication and session management. Our analytics script, when embedded on Customer sites, is designed to work without persistent cookies and in a privacy-friendly manner (e.g., daily session hashing, no cross-site tracking). Customers are responsible for disclosing to their end users that they use our analytics and for complying with consent laws in their jurisdiction.
10. Children
The Service is not directed at children under 16 (or a higher age in certain jurisdictions). We do not knowingly collect personal information from children. If you believe we have collected such data, please contact us and we will delete it.
11. Changes
We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. For material changes, we may notify you by email or through the Service. Your continued use after the effective date constitutes acceptance of the updated policy.
12. Contact
For privacy-related requests, questions, or complaints, contact us at:
Lonely Dev Inc.
522 W Riverside Ave, #5474, Spokane, WA 99201
Privacy: privacy@conversionos.com
General: support@conversionos.com
If you are in the EEA or UK, you may also have the right to lodge a complaint with your local data protection authority.