Privacy Policy

Effective Date: September 16, 2025

Last Updated: September 28, 2025

Version: 2.0

1. Introduction

Welcome to Cavosec.ai ("we," "our," or "us"). We are an AI e-commerce agency specializing in unified conversational AI design for chat and voice channels, primarily serving mid-market DTC fashion brands.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or interact with our AI-powered solutions. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and other applicable privacy regulations.

1.1 Data Processing Addendum

For business clients, our Data Processing Addendum (DPA) supplements this Privacy Policy and is available at cavosec.ai/legal/dpa. The DPA governs our processing of personal data on your behalf when we act as a data processor.

1.2 Privacy by Design Commitment

We implement privacy by design and default principles throughout our operations, ensuring data protection is embedded in our systems and processes from the ground up.

2. Information We Collect

2.1 Information You Provide Directly

Business Information:

  • Contact details (name, email address, phone number, job title)
  • Company information (name, website, industry, size, revenue range)
  • Billing and payment information (processed securely through Stripe)
  • Project requirements and consultation notes
  • Discovery session recordings and transcripts
  • Support tickets and communication history

Website Interactions:

  • Form submissions and inquiries
  • Newsletter subscriptions
  • Content downloads and resource requests
  • Webinar registrations
  • ROI calculator inputs

2.2 Information Collected Automatically

Technical Data:

  • IP address and approximate location (country/state level)
  • Browser type, version, and language settings
  • Device information (type, operating system, unique identifiers)
  • Access times and referring website addresses
  • Clickstream data and navigation patterns

Performance Data:

  • Page load times and Core Web Vitals
  • Error logs and crash reports
  • API usage and response times
  • Feature usage statistics

2.3 Special Categories of Data

We do NOT intentionally collect special categories of personal data (sensitive data under GDPR):

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data
  • Health information
  • Data concerning sex life or sexual orientation

If we accidentally receive such data (e.g., in customer service conversations), we immediately delete or anonymize it. Our AI models are trained to recognize and exclude sensitive information.

3. How We Use Your Information

3.1 Service Delivery

  • Process and respond to inquiries about our AI solutions
  • Schedule and conduct discovery sessions and consultations
  • Deliver Standard and Premium Implementation Packages
  • Provide ongoing optimization and support services
  • Manage client accounts and authentication
  • Process payments and maintain billing records

3.2 Marketing and Communications

  • Send relevant information about AI automation for e-commerce (with consent)
  • Share case studies and ROI insights specific to your industry
  • Provide educational content about conversational AI implementation
  • Send service updates and important notifications
  • Conduct email nurture sequences (consent-based)
  • Personalize website content and recommendations

3.3 Business Operations

  • Lead scoring and qualification using our 100-point rubric
  • Improve website performance and user experience
  • Analyze conversion funnels and optimize services
  • Conduct A/B testing and service improvements
  • Maintain security and prevent fraud
  • Comply with legal obligations
  • Train and improve our AI models (with anonymized data)

4. Legal Basis for Processing (GDPR)

We only process personal data when we have a valid legal basis under GDPR Article 6:

4.1 Consent (Article 6(1)(a) GDPR)

We rely on your freely given, specific, informed consent for:

  • Marketing emails and newsletters
  • Non-essential cookies and analytics
  • Case study participation and testimonials
  • Webinar recordings and educational content
  • Behavioral analytics and personalization

You can withdraw consent at any time without affecting the lawfulness of prior processing.

4.2 Contract Performance (Article 6(1)(b) GDPR)

Processing necessary for contract fulfillment:

  • Delivering AI implementation services
  • Processing payments and invoicing
  • Providing technical support and maintenance
  • Account management and authentication
  • Service communications and updates

4.3 Legitimate Interests (Article 6(1)(f) GDPR)

We've conducted legitimate interest assessments for business operations including lead scoring, security monitoring, service analytics, and direct marketing to existing clients. You have the right to object to processing based on legitimate interests.

4.4 Legal Obligations (Article 6(1)(c) GDPR)

  • Tax and financial record keeping (7 years)
  • Responding to lawful government requests
  • Compliance with data protection laws
  • Court orders and legal proceedings

5. Data Sharing and Third-Party Services

5.1 Sub-Processors and Service Providers

We share data with carefully vetted third parties who assist in our operations:

  • Vercel: Website hosting (Global CDN/EU, SCCs & DPA)
  • Supabase: Database storage (US-East/EU-West, SCCs & DPA)
  • Stripe: Payment processing (EU for EU customers, PCI-DSS compliant)
  • HubSpot: CRM & marketing (US with EU options, Privacy Shield & SCCs)
  • Calendly: Appointment scheduling (US, SCCs & DPA)
  • Resend: Email delivery (US/EU, SCCs & DPA)

Full sub-processor list with updates: cavosec.ai/legal/subprocessors

5.2 Business Transfers

If we merge with or are acquired by another company, your information may be transferred to the new entity. We will notify you before any transfer and ensure continued protection.

5.3 Legal Disclosures

We may disclose information when required by:

  • Court orders or subpoenas
  • Law enforcement requests (with proper authorization)
  • National security requirements
  • Protection of rights and safety

We will notify you of legal requests unless prohibited by law.

6. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy:

  • Active Client Data: Duration of contract + 7 years (legal/tax requirements)
  • Lead Data: 18 months (auto-deleted after 12 months of inactivity)
  • Marketing Consent: Until withdrawn + 3 years suppression
  • Analytics Data: 6 months detailed, 2 years aggregated
  • Email Interactions: 90 days detailed, 1 year aggregated
  • Payment Records: 7 years (legal requirements)
  • Security Logs: 1 year

After retention periods expire, we securely delete or anonymize data using industry-standard methods.

7. Your Rights and Choices

7.1 GDPR Rights (EU/UK/EEA Residents)

Under GDPR, you have the following rights:

Right to Access (Article 15): Request a copy of your personal data, understand how and why we process it, and receive information about recipients and retention.

Right to Rectification (Article 16): Correct inaccurate information, complete incomplete data, and update outdated information.

Right to Erasure (Article 17): Request deletion when data is no longer necessary, consent is withdrawn, legitimate interest objection is upheld, processing is unlawful, or there's a legal obligation to delete.

Right to Restriction (Article 18): Limit processing while disputes are resolved, when accuracy is contested, or processing is unlawful but you oppose deletion.

Right to Data Portability (Article 20): Receive your data in a structured format (JSON/CSV) and have it transferred directly to another controller where technically feasible.

Right to Object (Article 21): Object to processing based on legitimate interests, direct marketing (absolute right), and profiling/automated decisions.

7.2 How to Exercise Your Rights

Contact us via:

Response times: Acknowledgment within 48 hours, resolution within 30 days. Most requests are free; excessive/repetitive requests may incur fees.

7.3 CCPA Rights (California Residents)

California residents have rights to know what personal information is collected, request deletion, and opt-out of sharing for behavioral advertising. We do not sell personal information.

8. Cookie Policy

We use cookies and similar tracking technologies to improve your experience. For detailed information, see our comprehensive Cookie Policy.

Cookie Categories:

  • Strictly Necessary: Essential for website function
  • Functional: Enhanced functionality and personalization
  • Analytics: Usage understanding and improvement
  • Marketing: Relevant ads and remarketing

Your Cookie Choices:

  • Preference Center: cavosec.ai/cookie-preferences
  • Browser Settings: Block/delete via browser controls
  • Do Not Track: We honor DNT signals
  • Global Privacy Control: We recognize GPC signals

9. Security Measures

9.1 Technical and Organizational Measures

Data Protection:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access Control: Role-based access control (RBAC) following the principle of least privilege
  • Authentication: Multi-factor authentication (MFA) for all admin access
  • Database Security: Row Level Security (RLS) in Supabase
  • API Security: Rate limiting (100 requests/minute/IP)
  • Infrastructure: SOC 2 compliant hosting providers

Organizational Security:

  • Security awareness training for all employees
  • Background checks for employees with data access
  • Confidentiality agreements and NDAs
  • Regular security audits and penetration testing
  • Incident response plan with 24-hour escalation
  • Privacy Impact Assessments (PIAs) for new processing

9.2 Data Breach Response

In the event of a personal data breach, we notify:

  • Supervisory Authority: Within 72 hours of becoming aware (where a risk to individuals exists)
  • Affected Individuals: Without undue delay if there is a high risk to their rights and freedoms
  • Clients (B2B): Immediately if their customer data is affected

We maintain a breach register documenting all incidents, impacts, and remediation.

10. International Data Transfers

When transferring data outside the EEA/UK, we use:

  • Primary Safeguards: Standard Contractual Clauses (SCCs), UK International Data Transfer Agreement (IDTA), adequacy decisions
  • Supplementary Measures: End-to-end encryption, pseudonymization, contractual commitments, Transfer Impact Assessments (TIAs)

Processing Locations: Primary processing in United States (with EU safeguards), optional EU processing for Premium clients, global CDN with regional caching.

11. Automated Decision-Making and Profiling

11.1 What We Do

Lead Scoring: 0-100 point qualification system based on company size, engagement, industry fit, and technical readiness to prioritize responses and customize experience.

AI-Powered Services: Chatbot responses, voice interaction processing, and sentiment analysis for escalation.

11.2 Your Rights

Under GDPR Article 22, you can request human review of automated decisions, express your point of view, contest the decision outcome, and opt-out of profiling for marketing.

IMPORTANT: No automated decision has legal or similarly significant effects. All critical decisions include human oversight.

12. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children, market to children, or process children's data for our clients.

If we discover data from a child under 18, we immediately delete it. Parents may contact us at privacy@cavosec.ai to request removal.

13. Third-Party Links

Our website contains links to third-party sites including social media platforms, industry resources, partner websites, and payment processors. We are not responsible for the privacy practices of external sites. Review their policies before providing personal information.

14. Privacy by Design and Default

We implement privacy from the ground up with these principles:

  • Data Minimization: Only collect necessary data
  • Purpose Limitation: Use data only for stated purposes
  • Privacy Defaults: Most protective settings pre-selected
  • Transparency: Clear information about processing
  • User Control: Easy-to-use privacy tools
  • Security First: Protection built into all systems

15. Updates to This Policy

We may update this Privacy Policy to reflect changes in our services, new legal requirements, or user feedback.

Notification Methods:

  • Email to registered users (material changes)
  • Website banner for 30 days
  • Updated "Last Updated" date

We review this policy at least annually. For material changes affecting legal basis or purposes, we may request renewed consent.

16. Contact Information and Complaints

16.1 Data Protection Officer

Cavosec.ai Data Protection Officer

Email: privacy@cavosec.ai

Phone: (702) 381-2350

Address: 30 N Gould St Ste N, Sheridan, WY 82801

Response Time: 48 hours acknowledgment, 30 days resolution

16.2 Supervisory Authority Complaints

If unsatisfied with our response, you may lodge a complaint with:

  • EU Residents: Your national Data Protection Authority (edpb.europa.eu/about-edpb/board/members)
  • UK Residents: Information Commissioner's Office (ICO) - ico.org.uk, Phone: 0303 123 1113
  • California Residents: California Privacy Protection Agency (CPPA) - cppa.ca.gov

17. California Privacy Rights Notice

California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We honor Do Not Track browser signals and do not sell personal information.

18. Consent and Acknowledgment

By using our website or services after the Effective Date, you acknowledge that:

  • You have read and understood this Privacy Policy
  • You agree to the collection and use of information as described
  • You understand your rights and how to exercise them
  • You are at least 18 years of age

For explicit consent requirements (marketing, cookies), we collect specific opt-in consent separately.

19. Additional Resources

End of Privacy Policy

This privacy policy was last reviewed and updated on September 28, 2025.

For questions about this policy or our privacy practices, please contact our Data Protection Officer at michaeljabel@cavosec.ai.