Privacy Policy

This Privacy Policy explains how Catchavo ( "we," "us") collects, uses, discloses, and protects personal information in connection with our websites, dashboard, APIs, and related services (collectively, the "Service"). The Service is operated by Steven J Lynch, a sole proprietorship, offering the Service under the name Catchavo.

Two audiences. (1) Business users who create accounts to use Catchavo for their company. (2) Leads and customers of those businesses who interact with chat, phone, email, forms, or other channels connected to Catchavo, This policy covers both, with different roles described below.

Controllers and processors. Catchavo generally acts as a data controller for information we collect about business users and about visitors to our marketing sites. For Lead Data that businesses submit or that originates from their customer channels, the business is typically the controller and Catchavo processes that information as a processor on their instructions to provide the Service. Where laws treat us differently, we comply accordingly.

From business users

• Identity and contact: name, email, phone, company name, role.
• Account and billing: credentials (password hashed), subscription and payment-related data processed by our payment provider.
• Configuration: business profile, services, service area, AI persona settings, webhook secrets, integration tokens (e.g., calendar) where you connect them.

From leads and customers (via businesses and integrations)

• Contact and inquiry: name, phone, email, message content, job type, location, source platform metadata.
• Conversation logs: chat transcripts, call/email/chat metadata, status, and timestamps.

Automatically collected

• Device and log data: IP address, browser type, approximate location derived from IP, pages viewed, referring URL, diagnostics.
• Cookies and similar technologies (see Section 10).

• Provide, operate, and secure the Service and accounts.
• Deliver AI-assisted and human-handled conversations, scheduling flows, and notifications.
• Improve reliability, debug, and develop features (including using aggregated or de-identified data where appropriate).
• Comply with law, enforce terms, and respond to lawful requests.
• Send service and administrative messages to business users (not marketing unless permitted and opted in).

Where the UK GDPR or EU GDPR applies, we rely on: performance of a contract (providing the Service to business users); legitimate interests (security, product improvement, fraud prevention—balanced against your rights); consent where required (e.g., non-essential cookies, certain marketing where consent is the appropriate basis); and legal obligation where we must retain or disclose data. Leads' data is typically processed on the business customer's instructions; they should provide you their lawful basis (often contract or legitimate interests for service messages, or consent for marketing).

Catchavo handles customer communications on phone, email, and website chat.

We use AI models to generate or suggest replies. This involves automated processing of conversation content. Outputs are not guaranteed accurate. For UK/EEA users, where decisions with legal or similarly significant effects are made solely by automated means, applicable law may give you rights to human review; our Service is designed for business lead conversations rather than solely automated legal decisions—contact us if you believe a specific scenario applies.

We share personal information with vendors who assist us. Depending on features you use, this may include: Supabase (database, authentication, and related infrastructure); Vercel (application hosting); Resend (transactional email we send from the app); Mailgun (inbound email routing to our servers); Twilio (telephony infrastructure — phone numbers, call content, and call metadata needed to receive and log calls); Vapi (voice AI assistant infrastructure when voice is enabled); Anthropic, OpenAI (fallback when Anthropic is unavailable), or other model providers (AI inference for automated replies); Stripe (payment processing); Google (Calendar OAuth and event data when you connect Calendar); and analytics on our own marketing site. Vendors are bound by contractual obligations where applicable. We may disclose information if required by law, to protect rights and safety, or in connection with a merger or asset sale (with notice where required).

We are based in the United States. If we transfer personal information from the UK, EEA, or Switzerland to the U.S. or other countries, we use appropriate safeguards such as the UK International Data Transfer Agreement / Addendum, EU Standard Contractual Clauses, or other mechanisms approved by regulators, unless an adequacy decision applies.

We retain information for as long as needed to provide the Service, comply with law, resolve disputes, and enforce agreements. Business accounts may be deleted or anonymized after closure subject to legal holds. Lead and message data retention may follow business customer settings or defaults we publish.

We use cookies and similar technologies for essential operation (e.g., session, security), preferences, and, where allowed, analytics or marketing on our own marketing pages. You can control cookies through browser settings; some features may not work without essential cookies. Where required, we will obtain consent before non-essential cookies on applicable sites.

We implement technical and organizational measures appropriate to the risk (encryption in transit, access controls, vendor review). No system is perfectly secure. We will notify you and regulators where required when a breach affects personal data subject to notification laws.

The Service is not directed to children under 13 (U.S.) or under the digital consent age in your jurisdiction. We do not knowingly collect personal information from children for those audiences. If you believe we have, contact us to delete it.

California residents may have the following rights subject to exceptions: to know what personal information we collect, use, and disclose; to delete personal information; to correct inaccurate information; to opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising (as of the date above, we do not sell or share personal information for cross-context behavioral advertising as those terms are defined under California law); to limit use of sensitive personal information to what is necessary to provide the Service; and non-discrimination for exercising rights. You may designate an authorized agent. We will verify requests as permitted by law.

California Shine the Light: California residents may request certain information about disclosure of personal information to third parties for direct marketing (where that law applies).

To submit a request: support@catchavo.com.

Residents of Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws may have similar rights to access, delete, correct, and opt out of certain processing (including targeted advertising or profiling in some states). Contact us at the address below; we will respond in line with applicable law.

If you are in the UK or EEA, you may have the right to: access your personal data; rectify inaccuracies; erase data in certain cases; restrict processing; data portability; object to processing based on legitimate interests or for direct marketing; withdraw consent where processing is consent-based; and lodge a complaint with a supervisory authority (e.g., ICO in the UK, or your local DPA in the EEA).

To exercise rights: support@catchavo.com. You may also contact the business that collected your data—they may be the controller for much of your personal data as a lead or customer.

In the preceding twelve months, we may have collected: identifiers (name, email, phone, account ID); commercial information (subscription); internet or network activity; geolocation (approximate from IP); and professional information. Sources include you, business customers, integrations, and automatic collection. Purposes are described in Section 3. Disclosures are described in Section 7.

We may update this Privacy Policy. We will post the new version and revise the "Last updated" date. For material changes, we will provide additional notice where required (e.g., email or in-product).

For data protection and privacy inquiries, contact us at support@catchavo.com. We will respond in line with applicable law and may request information to verify your request where permitted.