Privacy Policy
1. Introduction
SorvoAI AI ("we," "us," "our") respects your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information when you use the SorvoAI platform ("Service").
2. Data We Collect
2.1 Account Data
When you register, we collect your email address, display name, and authentication credentials (hashed password or OAuth tokens). If you sign up via Google, we receive your name, email, and profile picture from Google.
2.2 Usage Data
We collect anonymized analytics via PostHog, including feature usage, session duration, and performance metrics. We do not track individual conversations or content.
2.3 Conversation & Memory Data
Your conversations, memories, uploaded files, knowledge base documents, and automation configurations are stored server-side in PostgreSQL. This data is associated with your user account and is not accessible to other users.
2.4 Screen Awareness Data (Enterprise)
If you enable Screen Awareness (Enterprise plan), periodic screenshots are captured locally, analyzed via AI vision models, and only structured metadata (application name, task description, state) is sent to our servers. Raw screenshots are never stored server-side or transmitted. You can disable this feature at any time.
2.5 Billing Data
Payment processing is handled by Stripe. We do not store credit card numbers. We receive and store your Stripe customer ID, subscription status, and billing history.
3. How We Use Your Data
- To provide and operate the Service
- To personalize your AI agent experience (memory, predictions, automations)
- To process payments and manage subscriptions
- To send transactional emails (account verification, billing receipts)
- To improve the Service through anonymized analytics
- To detect and prevent abuse, fraud, and security threats
4. Data Sharing
We do not sell your personal data. We share data only with:
- LLM Providers (Together AI, Anthropic): Conversation messages are sent to AI model providers for processing. These providers process data according to their own privacy policies and do not use your data for model training.
- Stripe: Billing and payment information for subscription management.
- PostHog: Anonymized usage analytics (no conversation content).
- Cloudflare R2: Encrypted file storage for uploaded documents.
- Law enforcement: Only when required by valid legal process.
5. Data Retention
- Active accounts: Data is retained as long as your account is active.
- Deleted accounts: Data is permanently deleted within 30 days of account deletion.
- Backups: Encrypted database backups are retained for 30 days and then automatically purged.
- Analytics: Anonymized analytics data may be retained indefinitely.
6. Your Rights
You have the right to:
- Access: Export all your data as a ZIP file at any time.
- Rectification: Update your profile and account information.
- Deletion: Delete your account and all associated data.
- Portability: Export data in standard formats (JSON, Markdown).
- Restriction: Disable specific features (e.g., screen awareness, analytics).
- Objection: Opt out of non-essential analytics tracking.
To exercise these rights, use the Data & Privacy section in the application settings or contact privacy@sorvoai.com.
7. Security
We implement industry-standard security measures including:
- TLS encryption for all data in transit
- Bcrypt password hashing (cost factor 12)
- JWT-based authentication with short-lived access tokens
- Row-level security in PostgreSQL
- Client-side E2E encryption (Enterprise plan, via libsodium)
- Regular security audits and penetration testing
- Encrypted database backups stored in geographically separate storage
8. AI Model Training
We do not use your conversations, memories, or any personal data to train AI models. Your data is used solely to provide the Service to you. LLM provider agreements prohibit the use of API data for model training.
9. Cookies & Local Storage
The SorvoAI desktop and mobile apps use local storage for authentication tokens and user preferences. We do not use tracking cookies. The landing page (sorvoai.com) uses no cookies.
10. Children's Privacy
The Service is not intended for children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect data from children. If we learn that we have collected data from a child, we will promptly delete it.
11. International Data Transfers
Your data may be processed in countries other than your own. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the application or email. The "Effective Date" at the top indicates when the policy was last updated.
13. Contact
For privacy-related questions or to exercise your data rights, contact us at privacy@sorvoai.com.