Privacy Policy

Welcome and thank you for your interest in Vervato.io ("Vervato", "we", "our" or "us"). Vervato offers AI-powered business automation services that allow companies to streamline their operations through voice-first interfaces and intelligent automation.

This Privacy Notice explains how information about you is collected, used and disclosed by Vervato in connection with the Vervato websites and mobile applications that post or link to this Privacy Notice, including our website https://www.vervato.io (collectively, the "Site"), and our services offered in connection with the Site (collectively with the Site, the "Service").

1. Information We Collect

Information You Provide to Us

We collect information you provide directly to us, such as when you:

• Create an account or use our services
• Subscribe to our newsletter or marketing communications
• Participate in surveys, contests, or promotions
• Contact us for support or other inquiries
• Use voice commands or interact with our AI assistant

Information We Collect Automatically

When you access or use our Service, we automatically collect information about you, including:

• Log information: IP address, browser type, operating system, referral URLs, device identifiers
• Usage information: Pages viewed, time spent, features used, search queries
• Device information: Device type, operating system version, unique device identifiers
• Location information: General location based on IP address

Voice and Audio Data

When you use our voice-powered features, we may collect and process audio recordings of your voice commands. This data is used to provide and improve our AI assistant services and is processed in accordance with this privacy policy.

AI Context and "Memories"

To provide personalized automation, our Service stores "learned preferences" (e.g., your business rules, frequent contacts, and service pricing). This data is stored in an encrypted format (field-level encryption) to ensure that even in the event of unauthorized database access, your business intelligence remains unreadable without the specific decryption keys.

2. How We Use Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Process transactions and send related information
• Send technical notices, updates, security alerts, and support messages
• Respond to your comments, questions, and customer service requests
• Communicate with you about products, services, offers, and events
• Monitor and analyze trends, usage, and activities in connection with our Service
• Personalize your experience and provide content and features
• Facilitate contests, sweepstakes, and promotions
• Carry out any other purpose described to you at the time of collection

AI Model Training Boundaries

We use anonymized, aggregated usage trends to improve our Service. However, the following categories of data are never used to train, fine-tune, or improve any foundational Large Language Model (LLM):

• Gmail content: The content of email messages accessed via the Google API (subject lines, message bodies, attachments, recipients) is used solely to fulfill your in-session request and is never retained for model training purposes
• Encrypted AI memories: Your learned preferences, business rules, and other personalized data stored as encrypted "memories" are never decrypted for training purposes
• Invoice PII: Personally identifiable information within your business invoices (customer names, addresses, payment details) is not used for model training

Gmail data processed by our AI assistant is used exclusively to generate your requested response within the active conversation session. It is not logged, cached, or retained beyond what is necessary to fulfill that specific request.

3. Information Sharing and Disclosure

We may share information about you as follows:

Service Providers

We may share your information with third-party vendors, contractors, or agents who perform services for us, such as hosting, data analysis, payment processing, order fulfillment, customer service, and marketing assistance.

Sub-Processors (Gmail Data)

The following sub-processors may receive or process data originating from your connected Gmail account in the course of providing the Service:

No sub-processor receives raw Gmail OAuth credentials. Only transient email excerpts are shared with OpenAI for the sole purpose of generating your requested AI response within the active session.

We will notify users of any material changes to our list of sub-processors who handle Gmail data by updating this policy and providing notice via our website or email as required by Google's Limited Use requirements.

Business Transfers

We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.

Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities, such as a court or government agency.

4. Google API Services User Data

Limited Use Compliance

In accordance with Google's Limited Use requirements, Vervato affirms that it will:

1. Only use Google user data to provide or improve user-facing features that are prominent in our application's user interface. Our use of Google user data is limited to providing the email management features you explicitly request through our AI assistant.
2. Not transfer Google user data to third parties except: (a) as necessary to provide or improve user-facing features that are prominent in our user interface, (b) to comply with applicable law, or (c) as part of a merger, acquisition, or sale of assets with adequate notice to users.
3. Not use Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.
4. Not allow humans to read Google user data unless: (a) we have first obtained your affirmative agreement for specific messages, (b) it is necessary for security purposes such as investigating abuse, (c) it is necessary to comply with applicable law, or (d) the data (including derivations) is aggregated and anonymized and used for internal operations.

What Google Data We Access

When you connect your Gmail account, our AI assistant Stanley accesses the following data on your behalf:

• Email messages: Read, search, and display your inbox so Stanley can help you manage emails
• Email sending: Send replies and new messages through your Gmail account at your explicit request
• Email organization: Delete or archive messages at your explicit request

How We Use Google Data

• We use your Gmail data only to provide and improve the email management features you request within our Service
• We do not use your Gmail data for advertising purposes
• We do not sell your Gmail data to third parties
• We do not use your Gmail data to train general-purpose AI or machine learning models
• We do not allow human review of your Gmail content except as described in the Limited Use Compliance section above

Storage and Security of Google Data

Gmail OAuth tokens are stored encrypted (AES-256-GCM) in our database. Email content is processed in real time to fulfill your requests and is not permanently stored beyond what is needed for the current conversation context.

Revoking Access

You can disconnect your Gmail account at any time from the Settings page within our app. Disconnecting immediately revokes our access tokens with Google and deletes all stored Gmail credentials from our database. You may also revoke access directly from your Google Account permissions page.

5. Data Security

We implement enterprise-grade security controls to protect your data, including:

• Field-Level Encryption: Sensitive business preferences and memories are encrypted using AES-256-GCM before being stored in our database. Each piece of data receives a unique initialization vector (IV) and a cryptographic authentication tag to ensure both confidentiality and integrity.
• PII Redaction: We utilize automated scrubbing technology to detect and redact Personally Identifiable Information (PII) — such as email addresses, phone numbers, and physical addresses — from internal system logs before they are written to disk.
• Fail-Closed Architecture: Our systems are designed to halt high-risk operations (such as storing new memories or sending automated communications) rather than proceed insecurely in the event of a system misconfiguration or a missing encryption key.

However, no internet or email transmission is ever fully secure or error-free. We encourage you to use strong, unique passwords and to protect your account credentials.

6. Data Retention and Disposal

We store the information we collect about you for as long as is necessary for the purpose(s) for which we originally collected it, or for other legitimate business purposes, including to meet our legal, regulatory, or other compliance obligations.

Specific Disposal Timelines

Upon account deletion, we initiate the disposal process within 72 hours. Production data is removed within 30 days and backup copies are purged within 90 days.

7. Vulnerability Disclosure

We value the work of independent security researchers and welcome responsible disclosure of vulnerabilities in our Service. If you believe you have discovered a security issue, we encourage you to report it to us.

How to Report

Please send a detailed description of the vulnerability to support@vervato.io with the subject line "Security Vulnerability Report". Include:

• A description of the vulnerability and its potential impact
• Steps to reproduce the issue
• Any relevant screenshots or proof-of-concept code

Our Commitment

• We will acknowledge receipt of your report within 72 hours
• We will provide an initial assessment within 7 business days
• We will not pursue legal action against researchers who act in good faith and comply with this policy
• We ask that you do not access, modify, or delete data belonging to other users during your research
• We ask that you allow us a reasonable period to address the issue before any public disclosure

8. Your Rights and Choices

You may have certain rights regarding your personal information, including:

• Access: Request access to your personal information
• Correction: Request correction of inaccurate personal information
• Deletion: Request deletion of your personal information
• Portability: Request a copy of your personal information in a portable format
• Opt-out: Opt-out of certain uses of your personal information
• Right to Erasure (AI Memory): In addition to standard account deletion, you may request a "Hard Reset" of your AI's learned preferences. This action permanently deletes the encryption keys associated with your business memories, rendering the data immediately and irretrievably unreadable.

9. Cookies and Similar Technologies

We use cookies and similar tracking technologies to collect and track information and to improve our Service. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent.

10. Third-Party Links

Our Service may contain links to other websites. We are not responsible for the privacy practices or content of these other sites.

11. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

12. International Data Transfers

Your information may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction.

13. Changes to This Privacy Policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our Service prior to the effective date of the changes.

14. Contact Us

If you have any questions about this Privacy Policy, please contact us at: