Privacy Policy

Last Updated: November 26, 2025

This Privacy Policy explains how Converra ("Converra", "we", "us", or "our") collects, uses, discloses, and protects information in connection with our websites, web application, APIs, optimization and simulation services, and any related products and services (collectively, the "Service").

By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, do not use the Service.

1. Scope

This Privacy Policy applies to:

  • Visitors to our websites and documentation.
  • Users of our web application and dashboard.
  • Organizations and developers using our APIs, WebSockets, and SSE endpoints.
  • Customer personnel interacting with onboarding, optimization, insights, and related features.

This Privacy Policy does not apply to third-party websites, services, or products that you may integrate with the Service. Their policies govern their own handling of data.

2. Information We Collect

We collect three main categories of information:

  • Account and billing information
  • Usage and technical information
  • Customer data and content used within the Service

2.1 Account and Billing Information

When you register for an account, create a workspace, or subscribe to a plan, we may collect:

  • Name and email address
  • Password or identity provider tokens (for SSO / OAuth, where applicable)
  • Organization name, role, and contact details
  • Billing details such as company name, billing address, and tax IDs
  • Payment-related information handled by our payment processor (e.g., Stripe)

We do not store full payment card numbers. Those are processed and stored by the payment processor.

2.2 Usage and Technical Information

When you access or use the Service, we automatically collect certain technical and usage information, such as:

  • Log data (timestamps, URLs, referrers, HTTP status codes)
  • Device and browser information (type, version, user agent)
  • IP address and approximate location inferred from IP
  • Authentication events (login, logout, session refresh)
  • API request/response metadata (endpoints called, latency, status codes)
  • Usage metrics (e.g., token consumption, optimization runs, team members, feature usage)

We use this information to operate, secure, and improve the Service, and to understand capacity and performance.

2.3 Customer Data and Content

The core of Converra is the data you choose to send into the platform ("Customer Data" or "Customer Content"). This may include:

  • Prompts, prompt configurations, and optimization settings
  • Conversations, transcripts, simulation outputs, and evaluation data
  • Memories, contexts, embeddings, and related metadata
  • Insights, metrics, and optimization results
  • Files, documents, or text uploaded during onboarding or via integrations
  • Webhook payloads, events, and external identifiers you configure

Customer Data is stored in our databases, caches, vector stores, and related infrastructure solely to provide and improve the Service.

3. How We Collect Information

We collect information in the following ways:

  • Directly from you when you register, configure projects, upload data, send requests, or communicate with us.
  • Automatically when you use the Service, through logs, cookies, and similar technologies.
  • From integrations you configure, when you connect external systems and instruct us to ingest or receive data from them.

4. How We Use Information

We use the information we collect for the following purposes:

4.1 To Provide and Maintain the Service

  • Authenticate users and secure multi-tenant access
  • Run optimization, simulation, and evaluation workflows
  • Store and retrieve memories, contexts, embeddings, and insights
  • Provide dashboards, usage views, audit logs, and analytics
  • Operate our APIs, SSE streams, and WebSockets

4.2 To Operate, Secure, and Monitor the Platform

  • Monitor system performance, reliability, and capacity
  • Detect and prevent fraud, abuse, and security incidents
  • Maintain logs, audit trails, and error reports
  • Enforce rate limits and access control

4.3 To Improve the Service

  • Analyze aggregated usage patterns (e.g., which features are used, how often)
  • Improve optimization agents, simulation flows, metrics, and user experience
  • Develop new features, capabilities, and integrations

4.4 To Handle Billing and Account Management

  • Process subscriptions and usage-based fees
  • Issue invoices, receipts, and billing notifications
  • Resolve payment and account-related issues

4.5 To Communicate with You

  • Send transactional emails (security alerts, account notices, billing updates)
  • Respond to support requests and product inquiries
  • Send product updates or announcements where permitted; you can opt out of non-essential communications

Where applicable privacy laws (e.g., GDPR) apply, we process personal data based on one or more of the following legal bases: performance of a contract, legitimate interests (such as securing and improving the Service), compliance with legal obligations, and, where required, your consent.

5. Use of AI Models and Third-Party Providers

5.1 LLM Providers

To perform optimization, simulation, evaluation, and related AI workflows, we send portions of Customer Data (such as prompts, snippets of conversations, and relevant context) to third-party large language model providers and related AI services.

We configure those providers and contracts to limit their use of your data to providing the requested operations, wherever their offerings allow such controls. However, each provider's own terms, privacy policies, and technical behavior apply when your data is processed by them.

You should review the terms and policies of any model provider that you require or instruct us to use.

5.2 Infrastructure and Subprocessors

We also rely on third-party infrastructure providers to host and operate the Service, such as:

  • Cloud hosting, storage, databases, vector stores, and caches
  • Payment processors (e.g., Stripe)
  • Email delivery services
  • Monitoring, logging, and error tracking tools

These third parties act as our subprocessors and process data on our behalf under appropriate contractual, confidentiality, and security obligations.

6. Cookies and Similar Technologies

We may use cookies, local storage, and similar technologies to:

  • Maintain your session and authentication state
  • Remember your preferences (e.g., language, layout)
  • Provide basic analytics about feature usage

You can configure your browser to reject some or all cookies. However, certain essential parts of the Service may not work properly without them.

7. How We Share Information

We do not sell your personal information or Customer Data.

We may share information in the following circumstances:

7.1 Service Providers and Subprocessors

We share information with third-party service providers who help us provide, maintain, and improve the Service (hosting, LLM providers, payment processors, email providers, monitoring tools, etc.), but only to the extent necessary for them to perform their services.

7.2 At Your Direction

When you configure integrations, webhooks, or external destinations, we send data to those endpoints according to your configuration and instructions.

7.3 Business Transfers

If we are involved in a merger, acquisition, reorganization, sale of assets, or similar transaction, information may be transferred as part of that transaction, subject to appropriate confidentiality and continuity of protection.

7.4 Legal and Safety Requirements

We may disclose information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that such disclosure is reasonably necessary to:

  • Protect the rights, property, or safety of Converra, our customers, or the public
  • Detect, prevent, or address fraud, security, or technical issues
  • Enforce our agreements and policies

7.5 Aggregated and De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you or your organization (for example, high-level statistics about usage or performance).

8. Data Retention

We retain information for as long as needed to:

  • Provide the Service to you and your organization
  • Comply with legal, accounting, or reporting obligations
  • Enforce our agreements and protect our rights

Upon termination of your account or upon your explicit written request:

  • We will delete or de-identify Customer Data from active systems within 30 days, except where longer retention is required by law or necessary for legitimate business purposes (such as billing records, dispute resolution, or fraud prevention).
  • Aggregated or de-identified data that cannot reasonably be linked back to you may be retained for analytics and service improvement.
  • Backup copies may persist for a limited time as part of normal backup and disaster recovery processes.

9. Security

We implement technical and organizational measures designed to protect the confidentiality, integrity, and availability of your data, including:

  • Encrypted transport (TLS) for data in transit
  • Authentication and authorization mechanisms
  • Logical multi-tenant isolation and access controls
  • Logging and monitoring of key operations and errors
  • Rate limiting and abuse detection for sensitive endpoints

No method of transmission or storage is completely secure. You are responsible for:

  • Protecting your account credentials and API keys
  • Configuring user roles, permissions, and governance settings within your organization
  • Implementing appropriate security controls in your own systems and integrations

If you believe your account or API keys have been compromised, you should rotate secrets and contact us promptly.

10. International Data Transfers

Depending on your location and the locations of our infrastructure and providers, your information may be transferred to, stored, and processed in countries that may have different data protection laws than your own.

Where required by law, we will implement appropriate safeguards (such as standard contractual clauses or equivalent mechanisms) to protect personal data transferred internationally.

11. Your Rights and Choices

Your rights will depend on the laws that apply to you (e.g., GDPR, UK GDPR, CCPA/CPRA, and other regional laws). Subject to applicable law, you may have some or all of the following rights:

  • Access: Request confirmation of whether we process personal data about you and receive a copy of that data.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of personal data, subject to legal and contractual retention requirements.
  • Restriction: Request restriction of certain processing in specific circumstances.
  • Portability: Request a copy of your personal data in a structured, commonly used, machine-readable format.
  • Objection: Object to certain processing activities, particularly where based on legitimate interests or for direct marketing.
  • Consent Withdrawal: Where processing is based on consent, withdraw that consent going forward.

If you are an end user of an organization that uses Converra (for example, your employer is the Converra customer), please direct your request to that organization first, as they control the account and Customer Data. We may refer or redirect your request to them.

You can also contact us directly using the contact information in Section 15. We may need to verify your identity before responding.

12. Children

The Service is not intended for and does not knowingly target individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal information in violation of this policy, please contact us so we can take appropriate steps.

13. U.S. State Privacy Notices

If you are a resident of a U.S. state with specific privacy rights (such as California, Colorado, Connecticut, Virginia, or others):

  • We do not sell personal information as defined under applicable state privacy laws.
  • To the extent state-specific rights apply (e.g., certain opt-out rights), you may contact us using the information in Section 15 to exercise those rights.
  • We may update or supplement this Privacy Policy with state- or region-specific notices as laws evolve.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page, and
  • Provide additional notice through the Service or by email where appropriate.

Your continued use of the Service after the effective date of any revisions constitutes your acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using the Service.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, or would like to exercise your rights, please contact us at:

privacy@converra.ai
Converra, Inc.
Delaware, USA

If applicable law gives you the right to lodge a complaint with a data protection authority, you may do so, but we encourage you to contact us first so we can address your concerns.