1. Who We Are
Convexa ("we", "our", "us") is an AI-powered customer support automation service. We help businesses automate customer conversations via email and other channels. Our contact email is convexa@polsia.app.
2. What Data We Collect
We collect the following categories of personal data:
- Account information: Your name, email address, and password when you create a Convexa account.
- Company information: Your company name, industry, support email address, and configuration settings you provide during onboarding.
- Knowledge base content: Text, FAQs, product descriptions, and other content you upload or enter into the Convexa knowledge base. This content is used to power your AI assistant's responses.
- Customer conversation messages: Incoming customer emails and messages directed to your support address, and the AI-generated responses sent on your behalf. These messages may contain personal data about your customers.
- Usage data: Metrics about how the service is used, including conversation counts, response times, and feature interactions.
- Billing information: Payment details are handled by our payment processor (Stripe). We store only a record of your subscription status.
3. How We Process Your Data
We use your data for the following purposes:
- Service delivery: To receive incoming customer messages, generate AI responses using your knowledge base, and route or deliver those responses.
- AI conversation engine: Customer messages and knowledge base content are sent to our AI provider (Anthropic) to generate support responses. Anthropic processes this data under their own terms and does not use it to train their models by default.
- Message queues: Incoming and outgoing messages are temporarily held in processing queues to ensure reliable delivery.
- Account management: To maintain your account, process billing, and provide customer support.
- Service improvement: Aggregated, anonymised usage data to improve the service.
Legal basis (GDPR): We process your data on the basis of contract performance (to deliver the service you signed up for) and legitimate interest (service reliability and security). Where we process your customers' data on your behalf, you are the data controller and we act as a data processor — see our Terms of Service for the Data Processing Agreement.
4. Data Retention
- Queued messages: Messages held in processing queues are retained for a maximum of 7 days before automatic deletion.
- Conversation history: Full conversation logs are retained until you delete them or close your account.
- Account data: Retained for the duration of your account. Deleted within 30 days of account closure upon request.
- Knowledge base content: Retained until you delete individual entries or close your account.
5. Third-Party Data Processors
We share data with the following sub-processors:
- Anthropic, Inc.: Our AI provider. Customer messages and knowledge base content are sent to Anthropic's Claude API to generate responses. Anthropic processes data under their Privacy Policy.
- Neon, Inc.: Cloud PostgreSQL database provider. All structured data is stored in Neon's infrastructure.
- Render, Inc.: Cloud infrastructure provider. Application servers run on Render's platform.
- Stripe, Inc.: Payment processing. Billing information is handled directly by Stripe under their Privacy Policy.
6. Your GDPR Rights
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention requirements.
- Right to data portability: Request a machine-readable export of your data.
- Right to object: Object to processing based on legitimate interest.
- Right to restrict processing: Request that we limit how we use your data.
- Right to withdraw consent: Where processing is based on consent, withdraw at any time without affecting prior processing.
To exercise any of these rights, email us at convexa@polsia.app. We will respond within 30 days.
7. International Transfers
Some of our sub-processors (including Anthropic and Stripe) are based in the United States. When we transfer personal data outside the EEA, we rely on the EU Standard Contractual Clauses (SCCs) or other approved mechanisms to ensure adequate protection.
8. Security
We implement industry-standard security measures including AES-256 encryption for stored credentials, TLS encryption for data in transit, and access controls to limit who can view personal data. Contact us immediately at convexa@polsia.app if you suspect a security incident.
9. Cookies
We use a single session cookie to keep you logged in to your Convexa account. We do not use advertising or tracking cookies. No third-party analytics scripts are loaded on authenticated pages.
10. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. We will notify you by email and update the "Last Updated" date at the top of this page. Continued use of the service after notification constitutes acceptance.
11. Contact & Complaints
For privacy questions or to exercise your rights, contact: convexa@polsia.app
If you are in the EEA and believe we have not handled your data appropriately, you have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, CNIL in France, or the DPC in Ireland).