Last updated: March 2026
Privacy Policy
1. Introduction & Scope
Tavio Inc. ("Company," "we," "us," "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect information when you use the Tavio platform ("Platform") and services.
This Privacy Policy applies to:
- Tavio platform users (team members, admins, agents)
- Customers of institutions using Tavio (end-users of AI agents)
- Visitors to our website
We comply with the Kenya Data Protection Act (KDPA), General Data Protection Regulation (GDPR), and other applicable privacy laws.
2. Data Controllers & Processors
Data Controller: Your organization (the Customer) is the data controller for customer conversations and personal data collected through the Platform. You determine the purposes and means of processing.
Data Processor: Tavio Inc. is the data processor. We process personal data on your instructions and according to our Data Processing Agreement (DPA). A separate DPA governs the relationship and clarifies responsibilities.
Data Controller (For Platform Account): Tavio Inc. is the data controller for information you provide when creating a Tavio account (name, email, organization details, payment information). You control your own account data.
3. Information We Collect
3.1 Account Information
- Full name, email address, phone number
- Organization name, industry, country, size
- Job title and role
- Password (hashed, never stored in plaintext)
- Payment information (processed by third-party payment processors, not stored by us)
- API keys and authentication tokens
3.2 Platform Usage Data
- Conversations and messages (stored in your tenant database)
- Call logs (phone numbers, transcriptions, duration)
- Voice recordings and transcriptions (stored securely)
- Channel configurations (API keys, integration credentials)
- Knowledge base documents uploaded
- Analytics events (intents, conversation outcomes)
- User activities (login times, features accessed, changes made)
- Team invitations and member management
3.3 Technical & Log Data
- IP address and location
- Device type, browser, operating system
- Referrer and access timestamps
- Error logs and debugging information
- Cookies and similar tracking technologies
- Server logs and request data
3.4 Customer Data (End-User Conversations)
When customers (end-users of financial institutions) interact with the Platform through voice, SMS, WhatsApp, or other channels, their conversations are captured and stored. This may include:
- Phone numbers, email addresses
- Account balances, transaction details (if provided by customer)
- Full names and identification details
- Conversation transcripts and recordings
- Intent and sentiment data
- IP addresses and device information
Important: Your organization is responsible for obtaining lawful basis (consent, legitimate interest, contract, etc.) to collect this customer data. Tavio does not collect this data directly; it is provided by your organization through the Platform.
3.5 Communications Data
- Support inquiries and emails
- Feature requests and feedback
- Survey responses
- Notification preferences and opt-outs
4. How We Use Your Data
4.1 To Provide Services
- Delivering AI agent functionality across channels
- Processing and routing conversations
- Transcribing voice calls and generating text
- Storing conversation history and analytics
- Managing team access and permissions
- Providing real-time notifications
4.2 Billing & Account Management
- Processing payments and subscriptions
- Sending invoices and billing information
- Fraud detection and prevention
- Account verification and security
4.3 Communication & Support
- Responding to support requests
- Sending system notifications and updates
- Notifying about service changes or security issues
- Sending billing and account notifications
- Marketing communications (with your consent, with unsubscribe option)
4.4 Analytics & Improvement
- Analyzing usage patterns and trends (aggregated)
- Identifying feature usage and popular channels
- Understanding customer behavior (conversation outcomes, resolution rates)
- Improving platform performance and reliability
- A/B testing and optimization
4.5 Legal & Compliance
- Complying with laws and regulations
- Responding to legal requests or court orders
- Investigating and preventing abuse or fraud
- Enforcing our Terms of Service
- Protecting the security and integrity of the Platform
4.6 AI Model Training (Limited)
We do NOT train our AI models on your conversation data by default. Your data remains isolated in your tenant. However:
- Enterprise customers have complete assurance of data isolation
- OpenRouter (our AI provider) may have their own data policies; review their terms
- You can opt out of any analytics collection in account settings
5. Data Storage & Infrastructure
5.1 Location
Data is primarily stored in:
- Supabase (PostgreSQL) - data centers in North America (primary)
- Vercel (Application) - CDN globally, application compute in North America
- AWS S3 or similar - for voice sample files and backups
5.2 Data Isolation
Your organization's data is isolated from other organizations at the database level using:
- Row-Level Security (RLS) policies based on tenant_id
- Separate database schemas for sensitive data
- Encryption at rest for all stored data
- API-level access controls and authentication
5.3 Retention Period
- Active account data: Retained while your account is active
- Conversations: Retained for 12 months from date of conversation (configurable)
- Call logs & recordings: Retained for 6 months (configurable)
- Voice recordings: Encrypted and deleted after transcription (or as per your policy)
- After account termination: Deleted within 30 days (can request expedited deletion)
- Legal hold: Data may be retained longer if required by law or pending legal action
5.4 Backups
We maintain automated backups of all data for disaster recovery. Backups are retained for 30 days after deletion to allow recovery. Backups are encrypted and stored securely.
6. Data Sharing & Third Parties
6.1 Service Providers
We share data with third-party service providers who help us operate the Platform:
- Twilio: Voice/SMS delivery (phone numbers, transcripts)
- Meta/Facebook: WhatsApp, Messenger, Instagram (messages, media)
- Africa's Talking: SMS/USSD delivery (phone numbers, content)
- OpenRouter: AI inference (conversation content for processing)
- ElevenLabs: Text-to-speech synthesis (text prompts, voice parameters)
- Google Cloud: Speech recognition and translation services
- Supabase: Database hosting and real-time infrastructure
- Vercel: Application hosting and deployment
- Resend: Email delivery (email addresses, email content)
- Novu: Notification infrastructure (user notifications)
- Stripe/Payment Processor: Payment processing (payment info, billing)
Important: By using the Platform, you acknowledge and consent to data being shared with these providers. Review their privacy policies, as they have their own data handling practices:
- Twilio: https://www.twilio.com/legal/privacy
- Meta: https://www.facebook.com/privacy/policy
- OpenRouter: https://openrouter.ai/privacy
- Google: https://policies.google.com/privacy
- ElevenLabs: https://elevenlabs.io/privacy
6.2 Legal Requests
We may disclose data if required by law, court order, or government request. We will attempt to notify you of legal requests unless legally prohibited.
6.3 Business Transfers
If Tavio is acquired or merges, your data may be transferred as part of the transaction. You will be notified and given the option to delete your data or terminate your account.
6.4 Aggregated & Anonymized Data
We may share aggregated, anonymized analytics with partners and the public (e.g., "Average conversation resolution time: 2.5 minutes"). This data cannot identify you individually.
6.5 No Sales of Personal Data
We do NOT sell, rent, or trade your personal data to third parties for marketing purposes.
7. Your Data Rights
Under the Kenya Data Protection Act (KDPA) and GDPR (if applicable), you have the following rights:
7.1 Right of Access
You have the right to request a copy of all personal data we hold about you. We will provide this within 30 days.
7.2 Right to Rectification
You have the right to correct inaccurate or incomplete personal data.
7.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data (with some exceptions for legal compliance, fraud prevention). We will delete within 30 days unless we have legal reasons to retain.
7.4 Right to Restrict Processing
You can ask us to restrict how we use your data while we investigate a dispute or comply with your request.
7.5 Right to Data Portability
You have the right to receive your data in a structured, commonly used format (CSV, JSON) and transfer it to another service.
7.6 Right to Object
You can object to marketing communications and certain types of processing. You can unsubscribe from emails at any time using the link in our emails.
7.7 Right to Withdraw Consent
If processing is based on your consent, you can withdraw it anytime. Withdrawal does not affect processing before the withdrawal.
To Exercise Your Rights:
Contact us at privacy@tavio.ai with your request. Include your full name, account email, and specific request. We will verify your identity and respond within 30 days.
8. Cookies & Tracking Technologies
We use cookies and similar technologies to improve your experience. For detailed information, see our Cookie Policy.
Types of Cookies:
- Essential: Required for login and security
- Preference: Remember your theme (light/dark mode)
- Analytics: Understand how you use the Platform
- Marketing: Track conversions and effectiveness (can be disabled)
You can disable non-essential cookies in your browser settings or account preferences.
9. Data Security
9.1 Security Measures
We implement industry-standard security controls:
- Encryption in Transit: TLS 1.3 for all data transmission
- Encryption at Rest: AES-256 for stored data
- Authentication: Supabase Auth with JWT tokens, 2FA available
- Access Control: Role-based access control (RBAC) for team members
- Network Security: Firewalls, DDoS protection, WAF
- Monitoring: Real-time security monitoring and threat detection
- API Security: Rate limiting, API key rotation, signature verification
- Data Isolation: Row-Level Security (RLS) at database level
- Regular Audits: Annual security audits and penetration testing
9.2 No Guarantee
While we implement robust security, no system is 100% secure. We cannot guarantee absolute protection against all attacks. You are responsible for:
- Protecting your account credentials
- Keeping your password secure
- Using strong passwords and 2FA
- Monitoring your account for unauthorized activity
- Maintaining your own backups
9.3 Data Breach Notification
If we discover a data breach, we will notify affected users within 72 hours (as required by GDPR and KDPA). For financial institutions, we will work with you to notify your customers and regulatory authorities.
10. International Data Transfers
10.1 Transfers Outside Kenya/EEA
Our primary infrastructure is located in North America (US). If you are in the EU and we transfer your data to the US, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Data Processing Agreements that address GDPR requirements
- Supabase's GDPR compliance and international data protection commitments
10.2 Your Responsibility
If you are a data controller processing customer data from outside Kenya, you are responsible for:
- Obtaining necessary consents for international data transfer
- Understanding GDPR obligations for EU customers
- Ensuring your use of third-party services (Twilio, OpenRouter, etc.) complies with local laws
11. Children's Privacy
The Platform is not intended for children under 13 (or the age of digital consent in your country). We do not knowingly collect data from children. If we discover we have collected data from a child, we will delete it immediately. If you believe a child has created an account, contact us at privacy@tavio.ai.
12. Retention & Deletion
12.1 Active Data
While your account is active, we retain all data necessary to provide services. You can view, export, and delete data from your dashboard.
12.2 After Account Deletion
- Account data (name, email, password): Deleted within 30 days
- Conversations and messages: Deleted within 30 days
- Voice recordings: Deleted within 30 days
- Backups: Deleted within 30 days (after backup retention period)
- Legal hold: Data retained if required by law or pending legal action
You can request expedited deletion by contacting privacy@tavio.ai.
12.3 Data Export Before Deletion
Before deleting your account, you can export all your data in standard formats (CSV, JSON) from your account settings.
13. Contact Information
For privacy questions, data access requests, or complaints:
Email: privacy@tavio.ai
Data Protection Officer: dpo@tavio.ai
Mailing Address: Tavio Inc., Nairobi, Kenya
Phone: +254 (0)20 2000 1234
EU/GDPR Complaint: If you are in the EU and have concerns about our GDPR compliance, you can lodge a complaint with your national data protection authority.
14. Policy Changes
We may update this Privacy Policy to reflect changes in our practices, technology, or law. Material changes will be communicated to you via email or prominent notice on the Platform. Your continued use constitutes acceptance of the updated policy.
SUMMARY FOR FINANCIAL INSTITUTIONS
If your organization is a bank, SACCO, or financial institution processing customer financial data through Tavio:
- You are the Data Controller - responsible for compliance
- We are the Data Processor - follow your instructions
- Legal Basis: Ensure you have consent or legitimate interest
- Data Security: Tavio implements encryption, access controls, and isolation
- Regulatory Compliance: Data is protected according to CBK, KDPA, and international standards
- Third-Party Sharing: Data shared with Twilio, OpenRouter, etc. only as necessary for service
- Customer Rights: Honor access, deletion, and portability requests
- Breach Notification: We notify you immediately; you notify CBK and customers
- Data Processing Agreement: Execute our DPA to clarify roles and liability