Privacy Policy

We are committed to protecting personal data and respecting privacy. This Policy describes the categories of personal data we collect, the purposes and legal bases for processing, the parties with whom we share data, the safeguards we apply, and the rights you can exercise.

Where we provide the Services to a business customer, that customer generally determines how personal data of their own end users is processed. In those cases the customer acts as the data controller and Konversation acts as a data processor, as described in our Data Processing Agreement. This Policy primarily governs the data for which Konversation is the controller.

“Personal Data”

any information relating to an identified or identifiable natural person.

“Processing”

any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.

“Controller”

the party that determines the purposes and means of processing personal data.

“Processor”

the party that processes personal data on behalf of, and under the instructions of, a controller.

“Data Subject”

the individual to whom personal data relates.

“Customer”

a business or person that subscribes to the Services.

“End User”

an individual who interacts with a Customer through the Services, for example a person messaging a chatbot.

“Services”

the Konversation.io platform, websites, applications, APIs, and related offerings.

We collect the following categories of personal data:

We use personal data to:

• provide, operate, maintain, and secure the Services;
• create and administer accounts and authenticate users;
• process payments, manage subscriptions, and prevent billing fraud;
• deliver AI-powered features such as chatbot responses, intent detection, and summaries;
• provide customer support and respond to enquiries;
• monitor, analyse, and improve performance, reliability, and usability;
• develop new features and conduct product research using aggregated or de-identified data;
• send service, security, and transactional communications;
• send marketing communications where permitted, which you may opt out of at any time;
• detect, investigate, and prevent fraud, abuse, and security incidents; and
• comply with legal obligations and enforce our agreements.

Where the UK GDPR or EU GDPR applies, we rely on the following legal bases for processing personal data for which we are the controller:

• Contract — processing necessary to provide the Services you or your organisation have requested.
• Legitimate interests — to secure, improve, and market our Services, where not overridden by your rights.
• Consent — for non-essential cookies and certain marketing communications, which you may withdraw at any time.
• Legal obligation — to comply with applicable laws, including tax, accounting, and law-enforcement requests.

Where Konversation acts as a processor for a Customer, the Customer is responsible for establishing the legal basis for processing End User data.

We use cookies and similar technologies to operate the Services, remember preferences, maintain sessions, support security, and measure usage. You can control cookies through your browser settings and, where applicable, our cookie banner. For full details, see our Cookie Policy.

We use analytics tools, including privacy-conscious and third-party analytics such as Google Analytics, to understand how the Services are used and to improve them. These tools may set cookies and collect usage and device data. Where required, analytics that are not strictly necessary are only enabled with your consent. A current list of analytics providers is maintained on our Subprocessors page.

The Services use artificial intelligence, including large language models provided by subprocessors such as OpenAI and Anthropic, to generate responses, classify and route conversations, summarise interactions, and power automations. Inputs and outputs may be processed by these providers solely to deliver the requested functionality.

We do not use Customer Uploaded Content or End User conversation content to train our own general-purpose AI models without authorisation, and we contractually require our AI subprocessors to refrain from training their foundation models on data submitted through our API integrations except as permitted by the applicable agreement. Automated processing that produces legal or similarly significant effects is subject to the safeguards described in Section 16 and our AI Usage Policy.

We may share personal data with:

• service providers and subprocessors that support delivery of the Services;
• payment processors to complete transactions;
• professional advisers such as auditors, lawyers, and accountants;
• authorities, regulators, or other parties where required by law or to protect rights, safety, and property; and
• parties to a corporate transaction as described in Section 18.

We do not sell personal data.

We engage third-party service providers (subprocessors) to host infrastructure, deliver AI functionality, process payments, provide analytics, and support communications. These providers act on our instructions, are bound by contractual confidentiality and data-protection obligations, and may only process personal data for the purposes we specify. A current list is available on our Subprocessors page.

We are based in the United Kingdom and may process and store personal data in the UK, the European Economic Area, the United States, and other countries where we or our subprocessors operate. Where we transfer personal data outside the UK or EEA to a country that does not provide an adequate level of protection, we put in place appropriate safeguards, such as the UK International Data Transfer Agreement, the UK Addendum, and the European Commission's Standard Contractual Clauses, together with supplementary measures where necessary.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to provide the Services, comply with legal, tax, and accounting obligations, resolve disputes, and enforce agreements. Account data is generally retained for the duration of the account relationship and deleted or anonymised within a reasonable period after closure. Customer Uploaded Content is retained and deleted in accordance with the Customer's instructions and the Data Processing Agreement. Backups are retained on a rolling basis and overwritten in the ordinary course.

We maintain technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, and destruction, including encryption in transit and at rest, access controls, network protections, monitoring, and regular review. For more detail, see our Security Policy. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Subject to applicable law, you may have rights to access, correct, delete, restrict, or object to the processing of your personal data, to data portability, and to withdraw consent. To exercise these rights, contact us at team@konversation.io. We will respond within the timeframes required by law. Where Konversation processes data on behalf of a Customer, requests should be directed to that Customer, and we will assist them as required.

If you are in the European Economic Area, you have the right to:

• access your personal data and obtain a copy;
• request rectification of inaccurate or incomplete data;
• request erasure (the “right to be forgotten”);
• restrict or object to processing;
• data portability;
• withdraw consent at any time without affecting prior processing; and
• lodge a complaint with your local supervisory authority.

If you are in the United Kingdom, you have equivalent rights under the UK GDPR and the Data Protection Act 2018. You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk, although we encourage you to contact us first so we can address your concerns. Decisions based solely on automated processing that produce legal or similarly significant effects are subject to additional safeguards, including the ability to request human review.

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the right to know what personal information we collect and how it is used and shared, to request access to and deletion of personal information, to correct inaccurate information, and to opt out of the “sale” or “sharing” of personal information. We do not sell personal information. We will not discriminate against you for exercising these rights. To make a request, contact us at team@konversation.io.

The Services are not directed to children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at team@konversation.io and we will take appropriate steps to delete it.

If Konversation is involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal data, as well as any choices you may have, where required by law.

As a company established in the United Kingdom, Konversation Limitedis directly subject to the UK GDPR and the supervision of the Information Commissioner's Office (ICO). If you are in the UK, you may lodge a complaint with the ICO at ico.org.uk, although we encourage you to contact us first so we can address your concerns.

Where we offer the Services to individuals in the European Economic Area, we comply with the EU GDPR. Where appointment of a representative under Article 27 of the EU GDPR is required, we will appoint an EU representative and identify them here and on our GDPR Compliance page. If you are in the EEA, you may also lodge a complaint with your local supervisory authority. To reach our privacy team or our representative regarding any data-protection matter, contact team@konversation.io.

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date and, where appropriate, provide additional notice. Your continued use of the Services after changes take effect constitutes acceptance of the updated Policy. This Policy was last updated on June 15, 2026.

For any questions, requests, or complaints regarding this Privacy Policy or our data practices, contact our team: