1. Summary
Convoking AI is a business-to-business platform. We collect what we need to run our services for you — account details, usage logs, and the conversations your agents handle — and nothing else.
- Your conversations belong to you.We don't use them to train foundation models.
- We don't sell data. We share only with vetted sub-processors who help us deliver the service.
- You can export or delete it. Anytime, through the admin dashboard or by emailing us.
- You can pick the region — Sydney, US, or EU — where your data lives.
The rest of this document is the regulator-friendly version of the same idea.
2. Who we are
Convoking AI Pty Ltd (“Convoking”, “we”) is the data controller for the personal information described here. Our registered office is Level 4, 11 York St, Sydney NSW 2000, Australia.
When you use Convoking to power conversations with your customers, we act as a data processor on your behalf — you remain the controller. Our Data Processing Addendum applies to that relationship.
3. What we collect
Account & billing
- Name, email, company, role, password (hashed)
- Billing address and tax ID, last four digits of payment card
- Communication with our support and sales teams
Usage
- Login timestamps, IP address, browser, device type
- Feature usage events (which agents you create, which buttons you click, errors you encounter)
- Aggregate counts of calls, messages, and API requests
Conversational content (controlled by you)
- Transcripts and audio of conversations your agents handle, where you have enabled recording
- Knowledge sources you connect (docs, FAQs, tickets) and metadata about your customers if you have chosen to pass it
4. How we use it
We use personal information to:
- Operate the Services and route conversations correctly
- Bill you and prevent fraud
- Respond to support requests, send service announcements, and improve product quality
- Generate de-identified, aggregated metrics about platform usage
- Comply with legal obligations (record-keeping, lawful requests from authorities)
Our legal bases under the GDPR are: performance of contract, legitimate interests in operating and improving our service, legal obligation, and (for marketing) consent.
5. AI & training data
We do not use customer conversations to train foundation models — neither ours nor anyone else's.
We use customer-specific evaluation sets (drawn from your own historical conversations) to fine-tune your agent against your own quality bar. That fine-tuning is private to your workspace.
Where we use third-party model providers (OpenAI, Anthropic, Google, etc.), we route through their zero-retention business APIs so prompts and completions are not retained or used to train their models.
6. Sharing & sub-processors
We share personal information only with vetted sub-processors that help us deliver the Services. Each is bound by a data-processing agreement with confidentiality, security, and audit obligations.
Current sub-processors include:
- Infrastructure: AWS, Google Cloud, Vercel (region-locked per your selection)
- Model inference: OpenAI, Anthropic, Google (zero-retention APIs)
- Telephony: Twilio, Vonage (only when voice is enabled)
- Email & CX: Postmark, Customer.io (for service emails)
- Billing: Stripe (PCI-DSS compliant)
- Analytics:first-party only — we don't use third-party trackers on the product
A current list is available at convoking.ai/security; we give 30 days' notice of new sub-processors so you can object.
7. Retention
Account information is retained while your workspace is active and for up to 6 months after closure (for billing and legal obligations). You control the retention of conversation content via your Plan's settings — defaults are 30 days on Hobby, 90 days on Standard, 1 year on Pro, and configurable on Enterprise.
On request — or on account closure — we'll permanently delete personal information within 30 days unless we're legally required to retain it.
8. Your rights
Wherever you are, you have the right to:
- Access the personal information we hold about you
- Correct it if it's inaccurate
- Delete it (subject to lawful retention)
- Export it in a portable format
- Object to processing or withdraw consent
- Lodge a complaint with your local data-protection authority
For Australian users that authority is the OAIC. For EU/UK, it's your national supervisory authority. For California, your CCPA/CPRA rights apply and we offer the same access, deletion, and opt-out mechanisms.
To exercise any of these, email privacy@convoking.ai from the address on file, or use the in-product data tools.
9. International transfers
We let you pick the region your data lives in: Sydney, North Virginia, or Frankfurt. Cross-border transfers between our engineers and your data happen under appropriate safeguards — standard contractual clauses (EU), the UK IDTA, the Australian Privacy Principles, and binding sub-processor agreements.
10. Security
We're SOC 2 Type II audited and ISO 27001 certified. In practice that means:
- TLS 1.3 in transit; AES-256 at rest
- Customer-managed encryption keys available on Enterprise plans
- SSO & SCIM, role-based access, scoped API tokens, IP allowlists
- Continuous vulnerability scanning, quarterly penetration tests, named security engineer on call
- Responsible disclosure program — report findings to security@convoking.ai
11. Cookies & tracking
On convoking.ai we use only first-party essential cookies (session, CSRF, cookie-consent state). We use a privacy- preserving product-analytics tool (no third-party trackers, no advertising cookies). You can clear cookies anytime from your browser without affecting service functionality.
12. Children
Convoking AI is a B2B product not intended for children under 16. We do not knowingly collect personal information from children. If you believe we have, contact privacy@convoking.aiand we'll delete it.
13. Changes
We'll update this policy when our practices change or the law requires. Material changes will be announced by email at least 30 days before they take effect, and the “last updated” date at the top of this page will move.
14. Contact & DPO
Privacy questions, data-subject requests, or notices for our Data Protection Officer go to privacy@convoking.ai.
Postal address: Convoking AI Pty Ltd · Attn: Privacy · Level 4, 11 York St, Sydney NSW 2000, Australia.
Our EU representative is available on request for GDPR Article 27 purposes; UK rep available for UK GDPR purposes.