Privacy Policy

• iConvo AB is the data controller for personal data relating to users and prospects.

• For data processed on behalf of our clients (call recordings, transcripts, customer data), iConvo acts as a data processor and the client is the data controller. Clients are responsible for ensuring they have a lawful basis for processing personal data uploaded to the Service.

• Contact details:

  • iConvo AB, Sweden

  • Email: info@iconvo.ai

  • Privacy enquiries: sk@iconvo.ai

• "Client" means an organisation subscribing to the iConvo Service.

• "End User" means an individual accessing the Service on behalf of a Client.

• "Client Data" means call recordings, transcripts, and any other data uploaded to the Service by a Client.

• "Personal Data" means any information relating to an identified or identifiable natural person as defined under GDPR Article 4.

• "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.

We collect several different types of data for various purposes to provide and improve our Service to you.

Account and Registration Data

When you create an account, we collect:

• Full name and email address

• Company name and industry

• Password (stored in encrypted form via Supabase Auth)

• Billing information (processed by Stripe — iConvo does not store card numbers)

• IP address and browser/device information for security purposes

Usage Data

We automatically collect technical data when you use the Service:

• Pages visited, features used, and time spent

• API call logs and system events

• Error reports and diagnostic data

Client Data (Call Recordings & Transcripts)

Clients upload call recordings and related metadata to the Service. This data may contain personal data of third parties (e.g. contact centre customers). iConvo processes this data solely as a data processor on behalf of the Client, in accordance with the Data Processing Addendum (DPA).

Clients are solely responsible for: (a) obtaining any required consents from callers, (b) compliance with local call recording laws, and (c) ensuring they have a lawful basis for processing under GDPR or applicable local law.

Cookies

We use strictly necessary cookies for session management and authentication. We do not use advertising or tracking cookies. You can control cookies via your browser settings.

Service Delivery (Contractual Necessity — GDPR Art. 6(1)(b))

• Providing access to the iConvo platform

• Processing call recordings through Deepgram (speech-to-text)

• AI analysis of transcripts using Anthropic Claude

• Generating quality management reports and coaching insights

• Billing and subscription management via Stripe

Legitimate Interests (GDPR Art. 6(1)(f))

• Improving and developing the Service

• Security monitoring and fraud prevention

• Customer support and communications

• Analytics on aggregated, anonymised usage data

Legal Obligation (GDPR Art. 6(1)(c))

• Complying with applicable laws and regulations

• Responding to lawful requests from authorities

iConvo uses the following sub-processors to deliver the Service. All are contractually bound to process data only on our instructions and are prohibited from using it for their own purposes:

• Supabase Inc. — Database and file storage. Data is stored exclusively in the EU (Ireland, AWS eu-west-1). As data remains within the EU/EEA, no SCCs are required for this transfer. Supabase's DPA applies.

• Deepgram Inc.  — Speech-to-text transcription of call recordings. Covered by SCCs. Data is processed transiently and not stored beyond the transcription request.

• Anthropic PBC  — AI analysis of call transcripts. Covered by SCCs. Data is processed transiently; Anthropic does not train models on API data.

• Vercel Inc.  — Cloud hosting infrastructure. Data served from EU edge network. Covered by SCCs.

• Stripe Inc.  — Payment processing. Card data is tokenised and not accessible to iConvo. Covered by SCCs and PCI DSS compliance.

• Google LLC  — Email delivery (SMTP). Used for transactional emails only. Covered by SCCs.

Where sub-processors are located outside the EU/EEA, transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c), ensuring an adequate level of protection.

Some sub-processors are based in the United States (Deepgram, Anthropic, Vercel). All international transfers of personal data from the EU/EEA to the US are protected by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c). Your primary data store (Supabase) is hosted entirely within the EU (Ireland), ensuring your call recordings and transcripts remain in the EU/EEA at rest.

• Account data: retained for the duration of the subscription plus 90 days after termination, then deleted.

• Call recordings and transcripts: retained in accordance with the Client's plan settings. Clients may delete data at any time via the platform.

• Billing records: retained for 7 years to comply with Swedish accounting law (Bokföringslagen).

• Usage logs: retained for 90 days for security and debugging purposes.

Clients may request deletion of their data at any time by contacting info@iconvo.ai. Deletion will be completed within 30 days.

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)

• Access controls and role-based permissions

• Row-level security in the database (Supabase RLS)

• API key authentication for all platform requests

• Regular security reviews and vulnerability monitoring

In the event of a personal data breach that is likely to result in risk to individuals, we will notify affected Clients without undue delay and, where required, notify the Swedish Authority for Privacy Protection (IMY) within 72 hours as required by GDPR Article 33.

As a data subject, you have the following rights:

• Right of access (Art. 15) — obtain a copy of your personal data

• Right to rectification (Art. 16) — correct inaccurate data

• Right to erasure (Art. 17) — request deletion of your data

• Right to restriction (Art. 18) — limit how we process your data

• Right to portability (Art. 20) — receive your data in machine-readable format

• Right to object (Art. 21) — object to processing based on legitimate interests

• Right to withdraw consent — where processing is based on consent

To exercise any of these rights, contact us at info@iconvo.ai. We will respond within 30 days. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at www.imy.se.

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data, please contact info@iconvo.ai.

We may update this Privacy Policy from time to time. We will notify Clients of material changes by email or via an in-app notification at least 30 days before the changes take effect. The date of the latest revision is shown at the top of this document. Continued use of the Service after the revised Policy takes effect constitutes acceptance of the changes.

For any questions, concerns, or requests regarding this Privacy Policy or your personal data:

• Email: info@iconvo.ai

• Data Protection: sk@iconvo.ai

• Website: www.iconvo.ai/privacy-policy

• Address: iConvo AB, Sweden