Compliance

GDPR Compliance

We take data protection seriously. Here's how Convoo complies with the UK GDPR and Data Protection Act 2018.

Right to Access

Request a full copy of all personal data we hold about you or your customers at any time.

Right to Erasure

Request deletion of your data. We'll remove it within 30 days, unless legally required to retain it.

Right to Portability

Export your data in a machine-readable format. Take your data with you if you leave.

Right to Restrict

Ask us to limit how we process your data while a complaint or request is being resolved.

Right to be Informed

We'll always tell you clearly what data we collect, why, and how it's used. No hidden practices.

Right to Object

Object to processing of your data for specific purposes, including direct marketing.

Our Role as Data Processor

When you use Convoo to manage your customers' WhatsApp conversations, we act as a Data Processor on your behalf. You remain the Data Controller of your customer data. We process data strictly according to your instructions and for the purposes of providing our Service.

Lawful Basis for Processing

We process personal data under the following lawful bases:

Contract: Processing necessary to provide the Service you've subscribed to.

Legitimate Interest: Platform security, fraud prevention, and service improvement.

Consent: Marketing communications and optional analytics.

Data Processing Agreement

We offer a Data Processing Agreement (DPA) to all business customers. The DPA outlines our obligations as a data processor, including security measures, sub-processor notifications, and breach notification procedures. Contact privacy@convoo.io to request a DPA.

Sub-Processors

We use the following sub-processors to deliver our Service:

DigitalOceanCloud infrastructure & hostingUK (London)

Meta (WhatsApp)Messaging APIEU/US

OpenAIAI chatbot processingUS

StripePayment processingUS/EU

ClerkAuthenticationUS

International Transfers

Where data is transferred outside the UK, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO, and verification that receiving countries provide adequate data protection.

Breach Notification

In the event of a personal data breach, we will notify affected customers within 72 hours, notify the ICO where required, document the breach including its effects and remedial actions, and provide support in notifying affected data subjects if necessary.

Contact Our DPO

For GDPR-related enquiries, data subject access requests, or to exercise any of your rights, contact us at privacy@convoo.io. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.