PRIVACY POLICY — CONVYY

Preamble

Convyy ("we", "our", "us") is committed to the protection of your personal data. This Privacy Policy explains how we collect, use, store, and share personal data when you access or use the Convyy platform ("Service"), and describes your rights under applicable law.

This Policy applies to:

• Customers — individuals and organizations that create and manage surveys using Convyy;
• Respondents — individuals who participate in surveys created by Customers on the Platform;
• Visitors — individuals who visit our website without registering.

1. Identity and Contact Details of the Data Controller

The entity responsible for processing your personal data is:

2. What Personal Data We Collect

We collect personal data in two ways: directly from you, and automatically through your use of the Platform.

2.1 From Customers (Account Holders)

• Full name and professional title
• Business email address
• Organization name
• Billing name, billing address, and payment identifiers (processed via third-party payment processors; we do not store full card details)
• Account credentials (stored in hashed and encrypted form)
• Usage data: features accessed, survey templates created, and session logs

2.2 From Respondents (Survey Participants)

• Conversational survey responses as submitted
• Metadata required for survey integrity: response timestamps and session identifiers
• Survey de-duplication cookie data (see Section 5)
• IP address, used solely for geographic approximation and fraud prevention, and not linked to response content
• Device and browser type, collected for technical purposes

Respondents are actively notified at the point of survey entry that their responses will be processed by Convyy on behalf of the Customer, and that the conversational experience is powered by an AI system.

2.3 From Website Visitors

• IP address and browser information collected via server logs
• Cookie and analytics data, subject to consent (see Section 5)

2.4 Data We Do Not Collect

Convyy does not intentionally collect:

• Sensitive personal data — including health data, biometric data, racial or ethnic origin, religious beliefs, political opinions, or sexual orientation — unless you as a Customer explicitly configure a survey to collect such data, in which case you are solely responsible for the appropriate legal basis and safeguards.
• Data from individuals under 18 years of age. If you believe a minor has submitted data through the Platform, please contact us directly.

3. How and Why We Use Your Personal Data

All processing activities are grounded in a specific lawful basis. The table below outlines each purpose.

4. AI Model Improvement — Our Strict Commitment

This section is important and we want to be fully transparent about it.

What we extract. To improve the quality of our AI survey assistant, we analyze Interaction Patterns — structural, anonymized, and aggregated signals that help us understand:

• Which conversational flows lead to complete, high-quality survey engagements;
• Which question-phrasing approaches work best in specific domains (e.g., customer experience, HR, civic research);
• How our NLP and clustering models can be made more accurate and domain-appropriate.

What we never extract or use for training:

• The substantive content of your surveys — your questions and your respondents' answers;
• Any information about your company's strategy, products, competitive positioning, or operations;
• Any personally identifiable information about you or your respondents;
• Any data that could identify your organization or be attributed to it.

The principle. Our AI learns how good conversations are structured — not what your conversations contain. The service delivery pipeline and the model improvement pipeline are architecturally separated. Raw Customer Data does not enter the model training pipeline.

You may object to this processing at any time by contacting us directly (see Section 9).

5. Cookies and Tracking Technologies

We use the following categories of cookies:

6. Data Sharing and Third-Party Processors

We do not sell your personal data. We do not share Customer Data with third parties for their own commercial purposes. We share limited data with trusted third-party data processors — entities that act strictly on our instruction — including:

• Cloud infrastructure providers for platform hosting and storage;
• Payment processors for billing, who handle payment card data under their own security-compliant frameworks;
• Analytics providers, subject to your consent, for platform performance monitoring;
• Email delivery providers for transactional and product communications;
• AI infrastructure providers, where applicable, strictly limited to processing anonymized Interaction Patterns.

All processors are bound by data processing agreements. Where processors are located outside of the jurisdiction in which your data originates, appropriate transfer safeguards are in place (see Section 8).

We may also disclose data where required by law, court order, or competent authority. Where legally permitted, we will notify you before doing so.

7. Data Retention

We retain personal data only for as long as necessary for the stated purpose or as required by applicable law.

Upon account termination, Customer Data is deleted or returned upon request within 30 days, subject to any statutory retention obligations.

8. International Data Transfers

Convyy is registered and primarily operates in Germany. If we transfer personal data to processors or infrastructure located in other countries, we ensure that appropriate safeguards are in place — including contractual protections, adequacy mechanisms, or other recognized legal frameworks applicable in the relevant jurisdiction.

You may request information about the specific safeguards applicable to your data by contacting us directly.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access — request a copy of the personal data we hold about you;
• Rectification — request correction of inaccurate or incomplete data;
• Erasure — request deletion of your data where it is no longer necessary, or where processing is unlawful;
• Restriction — request that we limit how we process your data in certain circumstances;
• Portability — receive your data in a structured, commonly used, machine-readable format;
• Object — object to processing carried out on the basis of legitimate interest, including the use of Interaction Patterns for AI improvement. Upon a valid objection, we will cease that processing unless we can demonstrate compelling grounds that override your interests;
• Withdraw Consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing;
• Non-Automated Decision-Making — the right not to be subject to decisions based solely on automated processing that produce significant legal effects. Convyy does not make such decisions about you.

To exercise any of these rights, contact us directly. We will respond within 30 days. In complex cases, we may extend this period by an additional 60 days with prior notice.

10. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or disclosure, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
• Role-based access controls and least-privilege principles;
• Regular security assessments and vulnerability testing;
• Incident response procedures and breach notification processes.

In the event of a personal data breach likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority and affected individuals in accordance with applicable law and without undue delay.

11. Respondent-Specific Provisions

Respondents accessing surveys hosted on the Convyy Platform should be aware that:

• The survey is created and operated by the Customer — the organization that sent you the survey link. For questions about how your responses will be used, please contact that organization directly.
• Convyy acts as a data processor on behalf of the Customer for your survey responses.
• You are interacting with an AI-powered conversational system. This is disclosed to you at the point of entry into every survey.
• A de-duplication cookie will be stored on your device to prevent multiple submissions to the same survey. You are notified of this upon entering the survey. This cookie is technically necessary for survey integrity.

12. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected such data, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us directly.

13. Updates to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes — for example, to the purposes for which we process your data or to the rights available to you — we will notify you by email and/or by a prominent notice on the Platform at least 14 days before the changes take effect. The "Last Updated" date at the top of this Policy reflects the most recent revision. Your continued use of the Service after the effective date of any update constitutes your acceptance of the revised Policy.

14. Right to Lodge a Complaint

If you believe that our processing of your personal data violates applicable law, you have the right to lodge a complaint with the relevant data protection supervisory authority in your country or region of residence.