Effective Date: March 23, 2026
Business Name: Orivio
Contact: [email protected]
Address: Suite RA01, 195-197 Wood Street, London, E17 3NU
Controller:
For UK GDPR purposes, Orivio is the controller of personal data processed in connection with the Orivio services.
Address: Suite RA01, 195-197 Wood Street, London, E17 3NU • Contact: [email protected]
At Orivio, we respect your privacy and are committed to protecting the personal information that you share with us. This Privacy Policy explains in detail how we collect, use, disclose, and safeguard your information when you use our application and related services. We also describe your rights under UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By using our services, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of our services.
We handle personal data in accordance with UK GDPR and apply industry-standard security controls, including encryption in transit and at rest.
1. Information We Collect
Account Information
Name, email address, login details, and contact information for account creation and management.
Email and Calendar Data
If you connect Gmail, Outlook, and/or your calendar, we access the data you choose to connect only to provide the features you use (e.g., tagging, draft creation, availability checks, event scheduling). Data is encrypted in transit and at rest. We do not sell your data or use it for advertising.
Live Chat and Knowledge Base Data
If you use Live Chat, we store chat messages between your team and customers to provide real-time support and conversation history. If you use the Knowledge Base, we store the articles your team creates to power help centre and AI-assisted answers. All chat messages and knowledge base content are application-encrypted (AES-256-GCM) at rest.
Payment Information
Subscription payments are securely processed by third-party providers (e.g., Stripe, PayPal). We do not store full card details but may retain billing identifiers and subscription records.
Technical Information
IP address, browser type, device identifiers, operating system, access times, log files, and crash reports.
Cookies
We use only essential cookies needed to run the service (for example, to keep you signed in and protect the service). We do not use analytics, advertising, or other non-essential cookies. Your browser may store limited settings (e.g., preferences) to improve your experience. You can clear cookies and storage in your browser, but this may sign you out. If we introduce non-essential cookies in the future, we will ask for your consent first.
2. How We Use Your Information
Service Delivery
Delivering and improving our services (email management, live chat, knowledge base, scheduling, tagging, draft generation).
Personalisation
Personalising features and understanding usage patterns.
Payment Processing
Processing subscription payments and maintaining billing records.
Support & Communication
Responding to support requests and communications.
Legal Compliance
Meeting legal and regulatory obligations.
Security
Preventing fraud, abuse, or unauthorised access.
We do not use your data for purposes outside these without your consent.
2A. Google User Data (Gmail & Calendar)
Access to Google data is requested only after you connect Gmail and/or Google Calendar inside Orivio. You can disconnect at any time. Orivio's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
2B. Microsoft User Data (Outlook & Calendar)
Access to Microsoft data is requested only after you connect Outlook and/or Microsoft Calendar inside Orivio. You can disconnect at any time. Orivio's use of information received from Microsoft Graph APIs will adhere to the Microsoft APIs Terms of Use and applicable data protection requirements.
2C. Meta User Data (WhatsApp, Messenger & Instagram)
What We Access
When you connect WhatsApp Business, Facebook Messenger, or Instagram Direct Messages inside Orivio, we receive incoming messages sent by your customers to your connected Facebook Page, WhatsApp Business number, or Instagram Business account. We also receive basic sender information (name, profile) provided by Meta's APIs to identify the customer in your inbox.
How We Use It
Message data is used solely to display conversations in your Orivio live chat inbox, enable your team to reply, and provide conversation history. We do not use Meta user data for advertising, profiling, or any purpose unrelated to delivering the Orivio service.
Storage and Encryption
All messages received via WhatsApp, Messenger, and Instagram are encrypted at rest (AES-256-GCM) in the same manner as other live chat data. Page access tokens are stored encrypted and are never exposed to end users or third parties.
Data Sharing
We do not sell, rent, or share Meta user data with third parties. Message content may be processed by AI services (e.g., for suggested replies) only if you enable AI features, subject to the same no-training guarantees described in Section 10.
Disconnection and Deletion
You can disconnect WhatsApp, Messenger, or Instagram at any time from Settings → Connected Apps. Upon disconnection, we revoke the stored access token and no new messages are received. Existing conversation history from the disconnected channel is retained in your account for continuity. To delete all Meta message data, delete your Orivio account via Settings → Account → Delete Account, or request deletion via [email protected].
Meta Platform Terms
Orivio's use of data received from Meta Platform APIs adheres to the Meta Platform Terms and Developer Policies, including data use restrictions and privacy requirements.
2D. Telegram User Data
What We Access
When you connect a Telegram Bot inside Orivio, we receive incoming messages sent by your customers to your Telegram bot. We also receive basic sender information (name, username) provided by the Telegram Bot API to identify the customer in your inbox.
How We Use It
Message data is used solely to display conversations in your Orivio live chat inbox, enable your team to reply, and provide conversation history. We do not use Telegram user data for advertising, profiling, or any purpose unrelated to delivering the Orivio service.
Storage and Encryption
All messages received via Telegram are encrypted at rest (AES-256-GCM) in the same manner as other live chat data. Bot tokens are stored encrypted and are never exposed to end users or third parties.
Data Sharing
We do not sell, rent, or share Telegram user data with third parties. Message content may be processed by AI services (e.g., for suggested replies) only if you enable AI features, subject to the same no-training guarantees described in Section 10.
Disconnection and Deletion
You can disconnect Telegram at any time from Settings → Connected Apps. Upon disconnection, the stored bot token is removed and no new messages are received. Existing conversation history from Telegram is retained in your account for continuity. To delete all Telegram message data, delete your Orivio account via Settings → Account → Delete Account, or request deletion via [email protected].
2E. Twilio SMS Data
What We Access
When you connect a Twilio SMS number inside Orivio, we receive incoming SMS messages sent by your customers to your connected phone number. We also receive the sender's phone number to identify the customer in your inbox.
How We Use It
SMS message data is used solely to display conversations in your Orivio live chat inbox, enable your team to reply via SMS, and provide conversation history. We do not use SMS data for advertising, profiling, or any purpose unrelated to delivering the Orivio service.
Storage and Encryption
All SMS messages are encrypted at rest (AES-256-GCM) in the same manner as other live chat data. Twilio credentials are stored encrypted and are never exposed to end users or third parties.
Data Sharing
We do not sell, rent, or share SMS data with third parties. Message content may be processed by AI services (e.g., for suggested replies) only if you enable AI features, subject to the same no-training guarantees described in Section 10.
Disconnection and Deletion
You can disconnect Twilio SMS at any time from Settings → Connected Apps. Upon disconnection, stored credentials are removed and no new messages are received. Existing SMS conversation history is retained in your account for continuity. To delete all SMS data, delete your Orivio account via Settings → Account → Delete Account, or request deletion via [email protected].
2F. Stripe Data
What We Access
When you connect Stripe inside Orivio (via API key or OAuth), we access customer billing information such as subscription status, payment history, and customer details from your Stripe account. This data is displayed in the conversation sidebar to give your support team billing context.
How We Use It
Stripe data is used solely to display relevant billing information alongside customer conversations in your Orivio inbox. We do not use Stripe data for advertising, profiling, or any purpose unrelated to delivering the Orivio service.
Storage and Encryption
Stripe API keys and OAuth tokens are stored encrypted (AES-256-GCM). Billing data is fetched in real-time from Stripe and is not permanently stored in Orivio.
Disconnection and Deletion
You can disconnect Stripe at any time from Settings → Connected Apps. Upon disconnection, stored credentials are removed and no further Stripe data is accessed.
2G. Geolocation Data (MaxMind GeoLite2)
What We Access
Orivio uses the MaxMind GeoLite2 database to approximate a visitor's location (country, region, and city) from their IP address. This is used for visitor analytics in your live chat inbox, location-aware routing, and security features such as IP-based blocking.
Attribution
This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.
3. Legal Basis for Processing
Contract
To provide services you subscribe to.
Consent
When you connect third-party services (e.g., Gmail, Google Calendar, Outlook, Microsoft Calendar, WhatsApp, Facebook Messenger, Instagram, Telegram, Twilio SMS, Stripe).
Legal Obligation
To comply with tax, accounting, and regulatory requirements.
Legitimate Interests
To improve services, maintain security, and prevent misuse.
4. Data Sharing and Disclosure
No Selling or Renting
We do not sell or rent your data.
Service Providers
Trusted third parties providing hosting, payment, or support services.
Business Transfers
As part of mergers, acquisitions, or restructuring.
Legal Authorities
When required to comply with laws or valid legal requests.
Sub-processors
We use trusted service providers (sub-processors) to operate Orivio. Key sub-processors include: Hetzner Online GmbH (infrastructure hosting, Germany), OpenAI LLC (AI processing, USA), Stripe/PayPal (payment processing), and MaxMind, Inc. (IP geolocation database, USA). Each acts under contract and, where relevant, relies on approved transfer safeguards (such as the EU Standard Contractual Clauses with the UK Addendum) and security controls. A current list of sub-processors is available on request.
Other parties
When you connect Gmail or Google Calendar, Google remains an independent controller of its own services. Similarly, when you connect Outlook or Microsoft Calendar, Microsoft remains an independent controller of its own services. When you connect WhatsApp, Facebook Messenger, or Instagram, Meta remains an independent controller of its own platforms and services.
5. Data Retention
Email and Calendar Data
Retained only as long as needed to deliver services, then deleted or anonymised.
Live Chat and Knowledge Base Data
Chat messages and knowledge base articles are retained for as long as your account is active, then deleted or anonymised on account closure.
Billing Records
Retained for at least six years in line with UK tax law.
Technical Logs
Kept for 15–30 days for performance monitoring and security diagnostics.
6. Your Rights
Access
Access the personal data we hold about you.
Correction
Request correction of inaccurate or incomplete data.
Deletion
Delete your account and data directly from Orivio: Log in, go to Settings → Account, and click "Delete Account". Type "delete my account" to confirm. This immediately removes your Orivio account, email tags, meeting data, and preferences. Your Google or Microsoft account and original email/calendar data remain untouched. We may retain certain data as required by law (e.g., billing records). For assistance, contact [email protected].
Restriction
Restrict or object to certain types of processing.
Portability
Request a copy of your data in a portable format.
Consent Withdrawal
Withdraw consent where processing is based on consent.
Requests can be made by contacting [email protected]. Identity verification may be required.
7. Data Security
Technical Measures
Encryption in transit and at rest. Private network access only.
Access Controls
Multi-factor authentication (MFA) enforced for administrative access. Least-privilege access with periodic reviews of permissions and logs. Secrets stored securely.
Incident Response
Documented process to detect, investigate, and contain security incidents. Notification to affected users and regulators where legally required. Post-incident remediation and improvements to prevent recurrence.
8. International Transfers
Data Protection Safeguards
We host core services in the UK/EEA (e.g., EU-West). Where a provider processes personal data outside the UK/EEA, we use approved transfer safeguards (such as the EU Standard Contractual Clauses with the UK Addendum) and appropriate security measures.
9. Cookies & Local Storage
We use only essential cookies needed to run the service (for example, to keep you signed in and protect the service). We do not use analytics, advertising, or other non-essential cookies. Your browser may store limited settings (e.g., preferences) to improve your experience. You can clear cookies and storage in your browser, but this may sign you out. If we introduce non-essential cookies in the future, we will ask for your consent first.
10. Use of AI and Machine Learning Services
Purpose
Some features such as automated email drafting, tagging, calendar management, live chat AI responses, and knowledge base article generation rely on third-party AI services (e.g., OpenAI API). Submitted data is processed solely to generate drafts, suggestions, or classifications.
No Training on Your Data
We do not permit AI providers to use your email, calendar, or other personal data to train or improve their models. Your data is processed only for the immediate task and is not stored for training purposes.
Data Minimisation
We limit the amount of personal data sent to these services and, where possible, anonymise or redact sensitive details before processing.
11. ICO Registration
We will register with the UK Information Commissioner's Office (ICO) where required. Our ICO registration number will be added here once issued. You can check the public register at https://ico.org.uk/.
12. Changes to This Policy
Policy Updates
We may update this Privacy Policy to reflect changes in technology, regulation, or business practice. Updates will be posted on our website with a new effective date.
13. Contact Us
If you have any questions or concerns about this Privacy Policy or how we process your data, please contact us at:
Email: [email protected]
Address: Suite RA01, 195-197 Wood Street, London, E17 3NU
If you are not satisfied with our response, you can contact us again, or you may lodge a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk/