Privacy Policy

Last updated: February 12, 2026

This Privacy Policy describes how Convrt ("we", "us", "our") collects, uses, and shares information when you use our website, dashboard, AI chat widget, and related services (collectively, the "Service").

1. Information we collect

We collect three categories of information, and we collect each one only when we have a clear, narrow purpose for doing so.

  • Account information you provide when signing up: name, email address, hashed password, and (optionally) company name. We store the password as a one-way bcrypt hash — even a complete compromise of our database does not expose the plain-text password.
  • Service usage data: sites you create, widget configurations, conversations qualified, leads captured, and aggregate analytics about how you use the dashboard. We use this to debug issues, ship better defaults, and decide which features to build next.
  • End-visitor conversations: when an end-visitor interacts with the Convrt widget embedded on your site, we process and store the conversation transcript on your behalf so you can review qualified leads. You are the data controller; we act as a data processor under the terms of our Data Processing Addendum (available on request).

We do not collect biometric data, precise geolocation, government-issued identifiers, or special categories of personal data under the GDPR.

2. How we use information

  • To operate, maintain, and improve the Service — including diagnosing bugs, measuring feature usage, and prioritizing the roadmap.
  • To send you transactional emails (account confirmations, password resets, qualified-lead alerts, billing receipts). These are necessary for the Service to function; you cannot opt out of transactional mail without closing your account.
  • To send you product updates (changelog, new features, downtime notices). You can opt out of these at any time from the dashboard.
  • To detect and prevent fraud, abuse, payment chargebacks, and security incidents.
  • To comply with applicable laws and respond to legal requests where we are legally compelled to do so.

We do not sell your personal information, we do not share it with data brokers, and we do not use your account data, your widget conversations, or your leads to train our AI models or anyone else's.

3. Cookies and tracking

We use a minimal set of strictly necessary cookies to remember your login session and to preserve your dashboard state between visits. These cookies cannot be disabled without breaking the Service.

With your explicit consent — granted through the cookie banner shown on your first visit — we also load Meta Pixel, Google Analytics 4, and the LinkedIn Insight Tag to measure the effectiveness of our marketing campaigns. You can accept or decline at any time; declining means we cannot tell which marketing channel sent you, but every other part of the Service works identically. You can also clear your browser cookies at any time to reset the choice and be re-prompted on your next visit.

4. Third-party processors

We rely on a small number of carefully chosen sub-processors to deliver the Service. We maintain DPAs with each one and select them based on track record, certifications (SOC 2 / ISO 27001), and EU adequacy where applicable:

  • MongoDB Atlas — primary data storage, US-East region, encrypted at rest with AES-256.
  • Stripe — payment processing (PCI DSS Level 1). We never see or store your full card number.
  • Resend — transactional email delivery.
  • Google (Gemini) — AI inference for the chat widget; conversations are sent to Google's API but are not retained by Google for training under their Workspace terms.
  • Slack — only if you choose to connect a webhook for lead alerts. We store the webhook URL encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256).

5. Your rights

Depending on your jurisdiction (notably the GDPR for EU/UK residents and the CCPA for California residents), you may have the right to:

  • Access a copy of the personal data we hold about you, in a structured, commonly used format.
  • Request correction of inaccurate or incomplete data.
  • Request deletion of your account and associated data, subject to certain exceptions for fraud prevention and legal compliance.
  • Object to or restrict certain processing — for example, you can ask us to stop sending you marketing email or to stop processing analytics on your visits.
  • Export your data in a portable format (JSON or CSV) so you can move it to a competitor.
  • Lodge a complaint with your local data-protection authority if you believe we have mishandled your data.

To exercise any of these rights, email privacy@convrt.ai from the address associated with your account. We verify identity before acting on requests and respond within 30 days as required by the GDPR (and within 45 days for CCPA requests).

6. Data retention

We keep your account information for as long as your account is active, and for up to 90 days after you delete it to satisfy backup-rotation requirements and legal-hold obligations. After that 90-day window, your data is permanently purged from production and backup systems on a rolling basis. End-visitor conversations are retained for as long as you keep your account, unless you delete them earlier from the dashboard; in that case, deletion is propagated to backups within 30 days.

7. International transfers

Convrt operates from the United States. If you access the Service from outside the US — including from the EU, UK, Canada, or elsewhere — your data will be transferred to, stored in, and processed in the US. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission for EU/UK transfers, and we maintain supplementary measures (encryption in transit and at rest, access controls, audit logging) consistent with the Schrems II decision.

8. Security

We protect your data with TLS 1.2+ in transit, AES-256 at rest, bcrypt-hashed passwords with per-user salts, Fernet-encrypted webhook URLs, least-privilege access controls, mandatory two-factor authentication for our own team, structured audit logging, and regular dependency-vulnerability scans. No internet service is 100% secure, but we follow industry best practices, run quarterly security reviews, and disclose security incidents promptly when they affect you.

9. Children

Convrt is not intended for children under 16. We do not knowingly collect personal information from anyone under 16, and we do not target our marketing to children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time as our Service evolves or as the regulatory environment changes. If we make material changes — meaning any change that meaningfully expands what we collect or how we use it — we will notify you via email at the address on file and via a banner in the dashboard at least 14 days before they take effect. Non-material changes (typo fixes, link updates) take effect immediately and are reflected in the "Last updated" date at the top of this page.

11. Contact

For any privacy question, email privacy@convrt.ai. For all other questions, email hello@convrt.ai or reach us through the contact page.
