Privacy Policy

1. Introduction

Cloudbuzz Global Technologies, operating as Konverze AI ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at konverze.in and related services (the "Service").

This policy applies to all users of the Service, including account holders ("Users") and individuals who interact with chatbots deployed by Users ("End Users"). By using the Service, you consent to the practices described in this policy.

This Privacy Policy is governed by and complies with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), India's Digital Personal Data Protection Act 2023 (DPDPA), and the Information Technology Act, 2000 and its amendments (IT Act).

2. Information We Collect

2.1 Account Information (from Users)

• Email address — used for authentication (OTP login), account communications, and support
• Name — if provided during sign-up or via Google OAuth
• Business name — provided during onboarding to create your tenant
• Google account data — if you sign in via Google OAuth (name, email, profile picture)

2.2 Training & Content Data (from Users)

• Website URLs — submitted for AI crawling and chatbot training
• Uploaded documents — PDFs, DOCX, TXT, CSV files uploaded for knowledge base training
• FAQ pairs and custom instructions — manually entered Q&A content and behavioral instructions
• Chatbot configuration — display name, avatar, brand color, widget settings, personality

2.3 Conversation Data (from End Users)

• Chat messages — messages exchanged between End Users and your deployed chatbot
• Metadata — timestamps, session identifiers, page URLs where the chatbot is embedded

2.4 Technical Data (Automatically Collected)

• IP address — for security, rate limiting, and approximate geolocation
• Browser and device information — user agent string, screen resolution, operating system
• Usage data — pages visited within the Service, feature usage patterns, error logs

2.5 Cookies

2.6 Performance Monitoring Data

We may use Microsoft Azure Application Insights to collect anonymised performance and usage telemetry (page load times, error rates, feature usage patterns). This data is used solely for diagnosing technical issues and improving Service reliability. It does not include your training data or conversation content, and is not used for advertising or sold to third parties.

3. How We Use Your Information

We use the collected information for the following purposes:

• Service Delivery: To create and manage your account, train your chatbot, generate responses, and deliver the Service
• Authentication: To verify your identity via OTP email or Google OAuth
• Communication: To send transactional emails (OTP codes, account notifications), service updates, and support responses
• Improvement: To analyze usage patterns, diagnose issues, and improve the Service
• Security: To detect, prevent, and respond to fraud, abuse, and security incidents
• Legal Compliance: To comply with applicable laws, regulations, and legal processes

We do not use your training data or conversation data to train general-purpose AI models. Your data is used exclusively to power your specific chatbot.

4. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:

• Service Providers: With trusted third-party providers who assist us in operating the Service (e.g., cloud hosting, email delivery, payment processing). These providers are bound by data processing agreements and may only use data to perform services on our behalf.
• AI Processing: Your training data and End User messages are processed by AI language models to generate chatbot responses. Please see Section 4A below for full details.
• Legal Requirements: When required by law, regulation, legal process, or governmental request
• Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case you will be notified
• With Your Consent: When you explicitly authorize the sharing

4A. AI and Large Language Model (LLM) Data Processing

4A.1 What AI Systems We Use

Konverze AI uses third-party large language model (LLM) APIs to power chatbot responses. Our current AI infrastructure includes:

• OpenAI API (OpenAI, L.L.C., USA) — for natural language understanding and response generation
• Additional AI providers may be used from time to time for embedding, classification, or fallback purposes

We regularly evaluate our AI providers against data protection standards. Any change to primary AI providers will be reflected in an update to this policy.

4A.2 What Data Is Sent to AI Providers

When an End User sends a message to your deployed Konverze chatbot, the following data is transmitted to the AI provider to generate a response:

• The End User's message — the text of the current question or message
• Conversation context — a limited number of prior messages in the current session (for continuity)
• Relevant knowledge base excerpts — portions of your training data (website content, uploaded documents, FAQs) that are relevant to the query
• System instructions — your configured chatbot personality and behavioral rules

We do not send: names, emails, phone numbers, or any personally identifiable information (PII) from your account or your End Users' identity — unless the End User themselves includes PII in their message. We apply data minimisation — only what is strictly necessary to answer the query is sent.

4A.3 How AI Providers Handle Your Data

Our AI providers are contractually bound under their API Terms of Service and Data Processing Agreements:

• No retention for training: Data sent via the API is not used to train or improve the AI provider's general-purpose models. OpenAI's API usage policy explicitly prohibits using API data for model training without explicit opt-in.
• Short-term processing only: Messages sent via the API are processed in memory to generate a response and are not persisted by the AI provider beyond the immediate request (typically under 30 days per provider's standard abuse monitoring logs, after which they are deleted).
• Encryption in transit: All data sent to AI providers is encrypted using TLS 1.2+ during transmission.
• US-based processing: OpenAI processes data on servers located primarily in the United States. For EU users, this constitutes an international data transfer — appropriate safeguards are maintained through OpenAI's Standard Contractual Clauses (SCCs).

4A.4 Your Responsibilities as a Data Controller

When you deploy a Konverze chatbot, you become the data controller for your End Users' conversations. Konverze acts as a data processor on your behalf. As the data controller, you are responsible for:

• Informing your website visitors that an AI chatbot processes their messages
• Including disclosure of AI processing in your own website's privacy policy
• Ensuring your End Users have given appropriate consent (where required) for their messages to be processed by AI systems
• Not directing End Users to share sensitive personal data (health information, financial details, passwords) through the chatbot

We recommend adding the following notice to your website privacy policy: "Our website uses Konverze AI, a third-party AI chatbot service. If you interact with our chatbot, your messages are processed by AI language models to generate responses. Messages are not used to train AI models. See Konverze AI's privacy policy at konverze.in/privacy for details."

4A.5 AI Processing Opt-Out

Since AI processing is fundamental to delivering the chatbot service, it is not possible to use Konverze AI while opting out of all AI processing — the two are inseparable. However:

• End Users may opt out by simply not using the chatbot on your website
• Account holders may delete their account and all associated data at any time via Settings → Account → Delete Account
• Upon account deletion, all training data, conversation logs, and configuration data are removed within 30 days and will no longer be available for AI processing

4A.6 Automated Decision-Making

Konverze AI uses automated decision-making to generate chatbot responses and to identify potential leads from conversations (Lead Intelligence feature). These decisions:

• Do not produce legal effects or significantly affect End Users
• Are used solely to provide better chatbot responses and lead qualification scores for account holders
• Are not used for credit scoring, employment decisions, or other high-stakes determinations

If you have questions about automated processing or wish to request human review of any AI-generated output affecting you, contact us at [email protected].

5. Data Storage & Security

5.1 Storage Location

Your data is stored on secure cloud servers operated by Microsoft Azure located in the Central India region. We may use additional regions for redundancy and disaster recovery.

5.2 Security Measures

We implement industry-standard security measures, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• JWT-based authentication delivered via httpOnly, Secure, SameSite=Lax cookies — token value is inaccessible to JavaScript
• No tracking cookies, no localStorage, no advertising pixels
• Role-based access controls and principle of least privilege
• Regular security assessments and vulnerability monitoring
• API key generation with per-tenant isolation

5.3 Breach Notification

In the event of a data breach that affects your personal information, we will notify you and relevant authorities within 72 hours of becoming aware, as required by applicable law.

6. Data Retention

• Account data: Retained for the duration of your account. Upon account deletion, personal data is removed within 30 days.
• Training data: Retained while your account is active. Deleted within 30 days of account termination.
• Conversation logs: Retained for the duration of your subscription. Available for export on applicable plans.
• Technical logs: Retained for up to 90 days for security and debugging purposes.
• Billing records: Retained as required by applicable tax and accounting laws (typically 7 years).

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data (subject to legal retention requirements)
• Portability: Request your data in a structured, machine-readable format
• Restriction: Request restriction of processing in certain circumstances
• Objection: Object to processing based on legitimate interests
• Withdrawal of Consent: Withdraw consent at any time where processing is consent-based

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

7.1 For Indian Residents (DPDPA)

If you are a resident of India, you have the following rights under the Digital Personal Data Protection Act, 2023 (DPDPA):

• Right to Access: Obtain a summary of personal data we hold about you and the processing activities undertaken
• Right to Correction & Erasure: Request correction of inaccurate data or erasure of data no longer necessary for the purpose it was collected
• Right to Grievance Redressal: Have your grievance addressed within a reasonable time period
• Right to Nominate: Nominate another individual to exercise your rights on your behalf in the event of your death or incapacity
• Right to Withdraw Consent: Withdraw consent at any time. To withdraw consent, email us at [email protected] or delete your account via Settings. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

Grievance Officer (DPDPA): In accordance with the DPDPA, we have appointed a Grievance Officer to address data-related complaints:

If your grievance is not resolved to your satisfaction, you have the right to escalate your complaint to the Data Protection Board of India (DPB) established under the DPDPA. Details of the DPB and its complaint process will be available at the official government portal upon the Board's constitution.

7.2 For EU/EEA Residents (GDPR)

If you are in the EU/EEA, we process your personal data on the following lawful bases:

• Contract performance (Article 6(1)(b)): Account creation, authentication, chatbot delivery, billing
• Legitimate interest (Article 6(1)(f)): Security monitoring, fraud prevention, service improvement, technical diagnostics
• Consent (Article 6(1)(a)): Marketing communications, optional analytics features
• Legal obligation (Article 6(1)(c)): Tax records, regulatory compliance

You have the right to lodge a complaint with your local supervisory authority (data protection authority). A list of EU supervisory authorities is available at edpb.europa.eu. We will respond to verified GDPR requests within 30 days.

Privacy Contact (GDPR): For GDPR-related inquiries, contact our designated privacy contact:

7.3 For California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt out of the sale or sharing of personal information for cross-context behavioural advertising
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights
• Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information to that necessary to provide the Service

To exercise any of the above rights, California residents may submit a verifiable consumer request via either of these methods:

• Email: [email protected] with subject line "CCPA Privacy Request"
• In-App: Account Settings → Privacy → Submit Data Request

We will respond to verified CCPA requests within 45 days. If we require additional time, we will notify you within the initial 45-day period and may extend our response by an additional 45 days.

8. End-User Data (Your Chatbot Visitors)

As a data controller, you are responsible for:

• Providing appropriate privacy notices to your End Users
• Obtaining necessary consents for data collection via the chatbot
• Ensuring your use of the chatbot complies with applicable data protection laws
• Responding to End User data access, correction, and deletion requests

We recommend updating your website's privacy policy to disclose the use of an AI chatbot and explain how conversation data is collected and processed.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we discover that we have inadvertently collected data from a child under 18, we will promptly delete it. If you believe a child has provided us with personal data, please contact us at [email protected].

10. Third-Party Links & Services

The Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies independently.

11. International Data Transfers

If you access the Service from outside India, your data may be transferred to and processed in India. By using the Service, you consent to this transfer. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where applicable.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or in-app notice at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision. Your continued use of the Service after changes constitutes acceptance.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us: