Privacy Policy
This privacy policy explains how we collect, use, store, and protect your personal data when you use the Convu.ai platform and services.
Last updated: March 6, 2026
1. Who We Are
Convu.ai is operated by DataPulse AI Limited, a company registered in England and Wales (Company No. 16397998). We are the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Contact: [email protected]
2. What Personal Data We Collect
We collect different categories of personal data depending on how you use Convu.ai. We only collect data that is necessary for providing and improving our services.
Account and Profile Data
When you register and set up your profile, we collect:
- •Registration data: email address, password (stored using bcrypt hashing -- we never store your password in plain text), first name, and last name
- •Profile information: phone number and country code, profile picture, display name, job title, company, bio, hobbies, interests, education, certifications, and social media links
- •Profile pictures are stored in AWS S3. Pictures uploaded directly by you or imported from LinkedIn are stored with public-read access so they can be displayed on your digital business card
LinkedIn and OAuth Data
If you sign in or connect via LinkedIn, we receive and store:
- •OAuth data: LinkedIn provider ID, profile URL, first name, last name, email address, and profile picture URL (scopes: openid, profile, email)
- •LinkedIn QR scanning: when you scan a LinkedIn QR code, we extract publicly available metadata including display name, headline, company, education, location, and profile image
- •LinkedIn profile photos obtained through scanning are copied to our storage for reliability
Connections and Contact Data
When you add connections and record moments, we store:
- •Contact details: display name, first name, last name, primary email, primary phone, company, job title, location, timezone, profile picture, LinkedIn URL
- •AI-generated data: relationship summary, relationship strength score, and key topics -- generated by our AI to help you maintain connections
- •Memories: text notes, photos, voice recordings, sentiment analysis, tags, event names, and location data (latitude, longitude, location name) if you choose to record it
- •Source tracking: how a contact was added (e.g. via a Moment, Circle, QR scan, or other method)
Voice Recordings
When you create voice-based memories, we collect:
- •Audio files: recordings in M4A, AAC, MP3, WAV, or WebM format (up to 10MB), stored privately in AWS S3
- •Transcription outputs: transcription text, summary, suggested follow-ups, and draft emails generated from your recordings
Please see Section 4 below for details on how voice recordings are processed by AI.
Nudge Email Data
When you use the Nudge feature to send follow-up emails, or when someone views your profile and triggers a nudge:
- •Send records: recipient email, recipient name, subject line, email body, tracking ID, and whether the email was clicked (including click count and timestamp)
- •Click tracking: IP address and user agent of the person who clicks a link in a nudge email
- •All nudge emails include List-Unsubscribe headers so recipients can opt out
Visitor Contact Form Data
When someone submits a contact form after viewing your profile, we collect their first name, last name, company, email address, and message.
Location Data
If you enable the "Record Location" setting, we store latitude, longitude, and location name when you scan a connection or record a memory. This is entirely optional and controlled by your settings.
Analytics and Device Data
- •Analytics events: event type, user ID, visitor ID, target profile ID, button ID, page URL, user agent, and associated metadata
- •IP addresses: we hash IP addresses using SHA-256 before storing them. Your plain-text IP address is never stored in our analytics database
- •Push notification tokens: Expo push notification token and timezone, used to deliver notifications to your device. Invalid tokens are automatically cleared
3. How We Use Your Data
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:
Contract Performance (Article 6(1)(b))
Processing that is necessary to provide you with the Convu.ai service:
- •Creating and managing your account and digital business card
- •Storing and displaying your profile information to people who view your card
- •Managing your connections, memories, and contact records
- •Sending nudge emails on your behalf to your connections
- •Processing voice recordings to generate transcriptions, summaries, and follow-up suggestions
- •Generating AI-powered smart actions and relationship insights
- •Managing Circles and facilitating group networking
- •Delivering push notifications about connections, profile views, and other service events
- •Authenticating your identity via email/password or LinkedIn OAuth
Legitimate Interests (Article 6(1)(f))
Processing where we have a legitimate business interest, balanced against your rights:
- •Collecting analytics data (with hashed IP addresses) to understand how our service is used and to improve it
- •Tracking nudge email engagement (clicks) to provide you with connection insights
- •Maintaining security of the platform, including fraud prevention and detecting misuse
- •Generating vector embeddings of your contacts to power intelligent search and recommendations
Consent (Article 6(1)(a))
Where we rely on your consent, you may withdraw it at any time:
- •Recording your location data when scanning contacts or creating memories (controlled via the "Record Location" setting)
- •Non-essential cookies (see Section 7 below)
- •Receiving push notifications (controlled via your device settings and in-app preferences)
4. Voice Recordings and AI Processing
Convu.ai uses artificial intelligence to help you capture and act on your networking interactions. We believe in being transparent about exactly how this works.
Voice Recording Processing
When you record a voice memory:
- 1.Your audio file is stored privately in AWS S3 (US East region)
- 2.The audio is sent as base64-encoded data to Google Gemini API (model: gemini-3-flash-preview) for transcription
- 3.Along with the audio, we send contextual data to improve accuracy: the contact's name, company, job title, email, phone number, and your name as the recording user
- 4.The AI generates a transcription, summary, suggested follow-ups, and draft emails, which are stored in our database
Other AI Features
We use Google Gemini for several AI-powered features:
- •AI Assistant (Convu): a conversational assistant that can search your contacts, draft messages, and surface relationship insights. Your messages and relevant contact data are sent to Google Gemini to generate responses (model: gemini-3-flash-preview). Conversation history is stored to provide context across sessions.
- •Smart Actions: AI-generated suggestions for maintaining your connections (model: gemini-3-flash-preview)
- •Contact Search: intelligent search across your connections (model: gemini-3-flash-preview)
- •Vector Embeddings: contact data is converted into numerical representations for search and matching (model: gemini-embedding-001, producing 768-dimensional vectors stored in Pinecone)
AI Processing Transparency
- •We use Google Gemini exclusively as our AI provider. We do not use OpenAI, Anthropic, or any other AI provider
- •Full prompt text sent to AI models is logged internally in our InsightsGenerationLog table for debugging and quality assurance
- •AI-generated outputs (relationship summaries, smart actions, email drafts) are suggestions only. You remain in control of what actions you take
- •No automated decisions with legal or similarly significant effects are made about you based solely on AI processing
5. Third-Party Services
We share personal data with the following third-party service providers, each of which processes data on our behalf:
| Service | Purpose | Data Shared |
|---|---|---|
| Google Gemini API | AI assistant, voice transcription, smart actions, embeddings, contact search | Chat messages, voice recordings, contact details (name, company, job title, email, phone), user name, prompt text |
| Pinecone | Vector database for intelligent contact search | Contact vector embeddings with metadata |
| Amazon Web Services (S3) | File storage for profile pictures, photos, voice recordings, nudge attachments | Uploaded files (images, audio, documents) |
| Amazon Web Services (SES) | Transactional and nudge email delivery | Recipient email addresses, email content |
| Supabase | PostgreSQL database hosting | All application data as described in this policy |
| Expo Push Notifications | Mobile push notification delivery | Push tokens, notification content |
| LinkedIn API | OAuth authentication and profile data import | OAuth tokens (used to retrieve your LinkedIn profile data) |
We do not sell your personal data to any third party. Data is shared with these providers solely for the purposes described above.
6. Circles and Shared Data
Circles are group networking features that allow multiple people to exchange contact information at an event or gathering. When you create or join a Circle, you should be aware of the following:
- •Circle data: Each Circle stores the creator's identity, a circle name, a join code, and an expiry time
- •Participant data: When you join a Circle, your name, social links/URLs, and the time you joined are recorded
- •Data visibility: The Circle creator can see all participants. All participants can see each other's shared information. By joining a Circle, you consent to your submitted details being visible to other participants and the creator
- •Guest access: People can join a Circle without having a Convu.ai account. Guest participants provide their name and optional social links
7. Cookies and Tracking
We use cookies and similar technologies for authentication, analytics, and to remember your preferences.
Essential Cookies (Strictly Necessary)
These cookies are required for the service to function and cannot be disabled:
- •accessToken: authenticates your login session (expires after 1 day). HTTPOnly, Secure flag applied on HTTPS connections, SameSite varies by context (Lax or None for WebView support)
- •refreshToken: allows session renewal without re-entering your password (expires after 30 days). Same security settings as accessToken
Analytics Tracking
- •visitor_id: a cookie that identifies returning visitors for analytics purposes (expires after 1 year)
- •Analytics events are batched in memory and bulk-inserted into our database. IP addresses are hashed (SHA-256) before storage
Cookie Consent
- •cookieConsent: stored in your browser's localStorage (not as a cookie) to remember your cookie preference choices
- •You can reset your cookie preferences at any time using the button at the bottom of this page
8. Data Security
We implement technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse:
- ✓Passwords are hashed using bcrypt and are never stored in plain text
- ✓Authentication cookies use HTTPOnly and Secure flags (on HTTPS connections) to prevent client-side script access and transmission over unencrypted connections
- ✓All data transmitted between your device and our servers is encrypted using HTTPS/TLS
- ✓Private files (voice recordings, moment photos, nudge attachments) are stored with private access controls in AWS S3
- ✓IP addresses in analytics are hashed using SHA-256 so that raw IP addresses are not retained
- ✓JWT-based authentication with short-lived access tokens (1 day) and separate refresh tokens (30 days)
While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.
9. International Data Transfers
Although DataPulse AI Limited is based in the UK, some of our third-party service providers process data in the United States and other countries outside the UK. Specifically:
- •Amazon Web Services: S3 file storage and SES email delivery operate in the US East (Ohio, us-east-2) region
- •Google (Gemini API): AI processing is performed on Google's infrastructure, which may involve data centres in the US and other locations
- •Pinecone: vector database services are hosted in the US
- •Expo: push notification services are operated from the US
Where personal data is transferred outside the UK, we rely on appropriate safeguards as required by UK GDPR, including the use of providers that adhere to recognised data protection frameworks and, where applicable, standard contractual clauses approved by the Information Commissioner's Office (ICO).
10. Data Retention
We retain your personal data for as long as your account is active and as necessary to provide you with our services. When you delete your account, your user record is soft-deleted (marked with a deletion timestamp) rather than immediately removed, to allow for account recovery and to fulfil any legal obligations.
Transparency Note
We are currently developing formal data retention schedules that will specify exact retention periods for each category of personal data. Until those schedules are finalised, we retain data as described above and will update this policy once formal retention periods are in place. If you wish to request deletion of your data in the meantime, please contact us at [email protected].
Certain data may be retained for longer where required by law or to protect our legitimate interests (for example, to resolve disputes or enforce our terms of service).
11. Your Rights Under UK GDPR
Under UK data protection law, you have the following rights in relation to your personal data. To exercise any of these rights, please contact us at [email protected].
Right of Access
You have the right to request a copy of the personal data we hold about you. We will respond within one month of receiving your request.
Right to Rectification
You have the right to request correction of inaccurate personal data, or to have incomplete data completed. You can update most of your information directly through the app or website.
Right to Erasure
You have the right to request deletion of your personal data in certain circumstances, such as when it is no longer necessary for the purpose it was collected, or where you withdraw consent. Please note that we may need to retain certain data to comply with legal obligations.
Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of your data following a rectification request.
Right to Data Portability
You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.
Right to Object
You have the right to object to processing based on legitimate interests. If you object, we will stop processing your data for that purpose unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI features generate suggestions and insights, but no automated decisions with such effects are made without human involvement.
Right to Withdraw Consent
Where we rely on your consent to process personal data, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
We will respond to all rights requests within one month. In complex cases, we may extend this by a further two months, but we will inform you if this is necessary.
12. Right to Complain to the ICO
If you are unhappy with how we handle your personal data, we encourage you to contact us first at [email protected] so we can try to resolve your concern.
However, you also have the right to lodge a complaint with the UK's supervisory authority:
13. Children
Convu.ai is a professional networking service and is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us at [email protected] and we will take steps to delete that information.
14. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you through the app, by email, or by posting a prominent notice on our website. We encourage you to review this page periodically for the latest information on our privacy practices.
15. Contact Us
If you have any questions about this privacy policy, wish to exercise your data protection rights, or have any concerns about how we process your personal data, please get in touch:
Cookie Management
You can reset your cookie preferences at any time. This will clear your stored consent choice and prompt you to make a new selection.
Professional networking, humanised.
Last updated: March 6, 2026
© 2026 DataPulse AI Limited. All rights reserved.
Registered in England and Wales. Company No. 16397998