Privacy Policy

Zuvia Software Solutions Limited ("Company", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our ZuviaOne platform, website, mobile applications, and services (collectively, the "Service").

We are registered in England and Wales and comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and other applicable data protection laws.

1. Data Controller Information

Zuvia Software Solutions Limited is the data controller responsible for your personal data.

2. Information We Collect

We collect different types of information depending on how you interact with the Service and your role (Business User, Staff Member, Customer, or Visitor).

2.1 Account and Profile Information

Business Users and Staff Members:

• Full name, email address, phone number
• Company name, job title, department
• Username and password (securely hashed)
• Profile picture
• Google account ID (if using Google Sign-In)
• Employment information (hire date, employee ID, employment type)
• Emergency contact details
• Professional licenses, certifications, skills, and qualifications

Customers (via Customer Portal):

• Full name, email address, phone number
• Company name (if applicable)
• Billing and service addresses
• Account preferences and communication settings

2.2 Financial and Payment Information

• Payment card details (processed by Stripe; we do not store full card numbers)
• Bank account details for Staff Members (payroll purposes)
• Tax identification numbers (where required)
• Billing addresses
• Transaction history and payment records
• Subscription and credit balance information

2.3 Business Operations Data

When you use the Service to manage your business:

• Customer and lead contact information
• Booking and appointment details
• Quotes, invoices, and financial records
• Service descriptions and pricing
• Staff schedules and availability
• Internal notes and communications
• Custom form responses

2.4 Communication Data

• Email content (when connected via Gmail integration)
• SMS messages sent through the Service
• Voice call recordings and transcriptions (when enabled)
• Internal chat messages between team members
• Chatbot conversation transcripts
• Customer support correspondence

2.5 Location Data

Staff Location Tracking (Opt-In Only):

• GPS coordinates (latitude, longitude)
• Location accuracy and timestamp
• Reverse-geocoded address
• Movement data (altitude, heading, speed)
• Associated booking or job information

Customer and Business Addresses:

• Service addresses for bookings
• Billing addresses for invoices
• Geocoded coordinates for mapping and routing

2.6 Device and Technical Information

• Device type, model, and operating system
• Browser type and version
• IP address (anonymised for GDPR compliance)
• Unique device identifiers
• Push notification tokens (for mobile apps)
• App version information

2.7 Usage and Analytics Data

• Pages and features accessed
• Actions taken within the Service
• Time spent on various sections
• Search queries within the Service
• Error logs and diagnostic information
• Widget views and interactions
• Link clicks (for Link in Bio pages)

2.8 Marketing Attribution Data

When you interact with our marketing or embedded widgets:

• Referrer URL and landing page
• UTM parameters (source, medium, campaign)
• Advertising click identifiers (Google, Facebook, Microsoft)
• Visitor session information
• Conversion tracking data

2.9 Information from Third Parties

• OAuth profile data from Google (when using Google Sign-In)
• Payment confirmation and fraud signals from Stripe
• Email delivery status from email service providers
• SMS delivery status from Twilio

3. How We Use Your Information

3.1 To Provide and Operate the Service

• Create and manage your account
• Process bookings, quotes, and invoices
• Facilitate communications (email, SMS, voice calls)
• Enable team collaboration and internal messaging
• Provide customer portal access
• Process payments and manage subscriptions
• Deliver push notifications

3.2 To Improve and Personalise the Service

• Analyse usage patterns to enhance features
• Personalise your experience based on preferences
• Optimise widget and form performance through A/B testing
• Develop new features and functionality
• Fix bugs and resolve technical issues

3.3 For AI-Powered Features

We use artificial intelligence to provide enhanced functionality:

• AI Agent — assistance for business queries
• Email classification — categorisation and prioritisation
• Sentiment analysis — understanding communication tone
• Intent detection — routing and prioritisation
• Chatbot conversations — customer engagement
• Semantic search — intelligent search across data
• Content generation — drafting assistance

3.4 For Automated Decision-Making and Optimisation

We use automated systems to improve Service performance:

• A/B testing of widget variants using Thompson Sampling algorithms
• Contextual upsell recommendations based on booking context
• Email routing based on detected intent and urgency
• Search result ranking based on query classification

See Section 11 for more information about automated decision-making.

3.5 For Communication

• Transactional notifications (booking confirmations, invoice alerts)
• Customer support
• Service announcements and updates
• Marketing communications (with consent)
• Facilitating communications between you and your customers

3.6 For Security and Compliance

• Detect and prevent fraud and abuse
• Maintain audit logs for compliance
• Enforce our Terms and Conditions
• Comply with legal obligations
• Protect the rights and safety of users

3.7 For Billing and Credits

• Track usage of AI, SMS, email, and automation features
• Manage credit balances and consumption
• Process subscription payments
• Detect anomalous usage patterns

4. Legal Basis for Processing (UK GDPR)

We process your personal data under the following legal bases:

5. Cookies and Tracking Technologies

5.1 Cookies We Use

Essential Cookies (Required):

• Session Cookie (connect.sid) — Maintains your login session. Duration: 7 days.
• CSRF Token (__Host-csrf) — Protects against cross-site request forgery. Duration: 15 minutes.

Functional Cookies:

• Visitor ID (crm_visitor_id) — Ensures consistent experience across widget visits and A/B tests. Duration: 1 year.

5.2 What We Do NOT Use

5.3 Managing Cookies

Essential cookies cannot be disabled as they are necessary for the Service to function. Manage other cookies through your browser settings (may affect certain features).

5.4 Do Not Track

We do not currently respond to "Do Not Track" browser signals as there is no industry standard. However, we minimise tracking and do not share data with third-party advertisers.

6. How We Share Your Information

6.1 Third-Party Service Providers

We share information with service providers who help us operate the Service. These providers are contractually obligated to protect your information.

AI and Machine Learning:

• OpenAI — AI Agent, email analysis, content generation, audio transcription
• Google Cloud — Speech-to-text transcription for voice calls

Communication Services:

• Twilio — SMS messages, voice calls, phone number services
• SendGrid — Transactional and marketing email delivery
• Resend — Backup email delivery service
• Google/Gmail API — Email sync when you connect your Gmail

Payment Processing:

• Stripe — Platform subscriptions and Stripe Connect for business payments

Location Services:

• LocationIQ — Geocodes addresses and reverse geocoding
• Postcodes.io — UK postcode lookup

Infrastructure:

• NeonDB — Database hosting (EU, AWS eu-west-2, London region)
• Tigris/AWS S3 — File storage in EU data centres

Other Services:

• Short.io — Shortened URL creation

6.2 Within Your Business

If you are a Staff Member, your Business administrator and authorised Staff Members may access:

• Your profile information
• Your work schedule and availability
• Location data (if tracking enabled and you consented)
• Your activity within the Service
• Communications sent through the Service

6.3 With Your Customers

When you communicate with customers:

• Your business contact information may be visible
• Email and SMS content is delivered to recipients
• Customer portal users can see their own booking and invoice history

6.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any change in ownership or uses of your information.

6.5 Legal Requirements

We may disclose information if required by law or in response to:

• Valid legal process (court orders, subpoenas)
• Government or regulatory requests
• To protect our rights, privacy, safety, or property
• To enforce our Terms and Conditions
• To prevent fraud or illegal activity

6.6 With Your Consent

We may share information with third parties when you give explicit consent.

6.7 Aggregated and Anonymised Data

We may share aggregated, anonymised data that cannot reasonably identify you for research, analytics, and business purposes.

7. International Data Transfers

Your information is primarily stored in EU data centres (AWS eu-west-2, London region).

Some service providers operate outside the UK and EU, including the United States. When we transfer data internationally, we ensure appropriate safeguards:

• Standard Contractual Clauses (SCCs) approved by the UK ICO
• Transfers to countries with adequacy decisions
• Provider-specific data protection agreements
• Additional technical and organisational measures

Specific transfers include:

• OpenAI (United States) — AI processing
• Twilio (United States) — Communication services
• Stripe (United States) — Payment processing
• Google (United States) — Gmail integration and speech services

8. Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this policy.

8.1 Specific Retention Periods

8.2 Account Deletion

When you request account deletion:

• A 14-day grace period applies during which you can cancel
• After the grace period, personal data is anonymised or deleted
• Some data may be retained in backups temporarily
• Data required for legal compliance may be retained longer
• Aggregated, anonymised data derived from your usage may be retained

9. Your Rights

Under the UK GDPR and other applicable laws, you have the following rights:

9.1 Right of Access

Request a copy of the personal data we hold about you. We will respond within one month.

9.2 Right to Rectification

Request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data when:

• The data is no longer necessary for its original purpose
• You withdraw consent (where consent was the legal basis)
• You object and there are no overriding legitimate grounds
• The data has been unlawfully processed

9.4 Right to Restrict Processing

Request that we restrict processing while we verify accuracy or assess your objection.

9.5 Right to Data Portability

Request your personal data in a structured, machine-readable format (CSV or JSON) and transmit it to another controller.

9.6 Right to Object

Object to processing based on legitimate interests or for direct marketing. We will stop processing unless we have compelling legitimate grounds.

9.7 Rights Related to Automated Decision-Making

You have rights related to automated decision-making, including profiling. See Section 11.

9.8 Right to Withdraw Consent

Where we process data based on consent, withdraw at any time without affecting the lawfulness of prior processing.

9.9 Exercising Your Rights

9.10 Right to Complain

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data.

10.1 Technical Measures

• Encryption of data in transit (TLS 1.2+) and at rest
• AES-256-GCM encryption for sensitive tokens
• Secure password hashing (bcrypt with appropriate cost factor)
• CSRF protection on all state-changing operations
• Rate limiting to prevent abuse
• Regular security assessments

10.2 Organisational Measures

• Role-based access controls (190+ granular permissions)
• Staff training on data protection
• Incident response procedures
• Regular security reviews
• Vendor security assessments

10.3 IP Address Anonymisation

For GDPR compliance, we anonymise IP addresses in session logs:

• IPv4: Last octet set to zero (e.g., 192.168.1.100 → 192.168.1.0)
• IPv6: Only first 64 bits retained

While we take reasonable measures to protect your data, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

11. Automated Decision-Making and Profiling

We use automated systems that may affect your experience or make decisions about content you see.

11.1 A/B Testing and Optimisation

We use Thompson Sampling algorithms to optimise widgets, forms, and quotes:

• Different users may see different variants of buttons, text, or layouts
• Variants are selected based on historical conversion data
• Contextual factors: device type, time of day, returning visitor status
• Purpose: Improve conversion rates and user experience
• Impact: Visual presentation differences; does not affect pricing or availability

11.2 Email Classification and Analysis

We automatically analyse inbound emails using AI to:

• Classify emails by type (inquiry, complaint, booking request, etc.)
• Detect sentiment (positive, negative, neutral)
• Identify intent and urgency
• Route emails to appropriate team members
• Purpose: Improve response times and service quality
• Impact: Affects email routing and suggested actions; human review always available

11.3 Recommendation Systems

We provide automated recommendations for:

• Upsell suggestions based on booking context
• Search results ranking based on query analysis
• Purpose: Improve relevance and business outcomes
• Impact: Order and visibility of suggestions; all options remain available

11.4 Your Rights Regarding Automated Decisions

You have the right to:

• Request human review of automated decisions that significantly affect you
• Express your point of view and contest decisions
• Obtain an explanation of the logic involved
• Opt out of certain automated processing where feasible

For AI-powered features, you can:

• Disable AI email analysis in your settings
• Request that specific communications not be AI-processed
• Contact us to understand how automated decisions were made

12. Location Tracking

12.1 Staff Location Tracking

Location tracking for Staff Members is entirely optional and requires explicit consent.

How it works:

• Tracking occurs only in the foreground (when app is actively in use)
• Triggered by job status changes, clock in/out, or configured intervals
• You choose which actions trigger location capture
• Enable/disable tracking at any time
• Control how long your data is retained (1-365 days)

Data collected:

• GPS coordinates (latitude, longitude)
• Accuracy measurement and timestamp
• Associated job or booking information
• Device information

Your controls:

• Master on/off switch
• Granular action-level controls
• Custom retention period
• View your own location history
• Delete your location data

Location data is shared with:

• Your Business administrator and authorised managers
• LocationIQ (for reverse geocoding addresses only)

12.2 Customer Address Geocoding

We geocode customer addresses to provide:

• Map displays of service locations
• Route planning and optimisation
• Geographic analytics

Addresses are sent to LocationIQ or Postcodes.io for coordinate lookup. Only the address text is shared; no personal identifiers.

13. Communication Services

13.1 Email

When you connect your Gmail account:

• We access using OAuth authentication
• We can read, send, and manage emails on your behalf
• Email content may be analysed by AI for classification
• Disconnect Gmail at any time

Emails sent through the Service are delivered via SendGrid or Resend. These providers receive recipient addresses and email content.

13.2 SMS

SMS messages are sent via Twilio. We share:

• Recipient phone numbers (E.164 format)
• Message content
• Sender identification

SMS consent requirements:

• Marketing messages require explicit opt-in consent
• We provide opt-out management tools
• You are responsible for compliance with SMS regulations

13.3 Voice Calls

Voice calls are facilitated via Twilio:

• Call metadata is logged (participants, duration, timestamps)
• Calls may be recorded if enabled by the Business
• Recordings may be transcribed using AI (Google Cloud or OpenAI)

Recording consent:

• You are responsible for informing call participants about recording
• Recordings are stored securely and accessible through the Service
• Retention period is configurable

14. Mobile Applications

14.1 Permissions Requested

Our mobile apps may request access to:

• Camera: Document scanning and photo uploads
• Location: Staff tracking (opt-in only)
• Notifications: Push notifications
• Microphone: Voice calls

Manage permissions through your device settings.

14.2 Push Notifications

If you enable push notifications:

• We collect your device token (APNs for iOS, FCM for Android)
• We send notifications about relevant Service events
• Configure preferences within the app
• Disable notifications via device settings

15. Children's Privacy

The Service is not intended for children under 18. We do not knowingly collect personal data from children. If we learn we have collected data from a child, we will delete it promptly.

If you believe we have collected data from a child, contact privacy@zuviaone.com.

16. Business Customers - Data Processor Role

When you use the Service to store and process data about your customers:

16.1 Your Role as Data Controller

You are the data controller for your customers' data. You are responsible for:

• Having a lawful basis to collect and process their data
• Providing appropriate privacy notices to your customers
• Responding to data subject requests from your customers
• Ensuring data accuracy
• Reporting data breaches to authorities where required

16.2 Our Role as Data Processor

We act as a data processor on your behalf. In this capacity, we:

• Process your customers' data only according to your instructions
• Maintain appropriate security measures
• Assist you in responding to data subject requests
• Notify you of any data breaches affecting your customers' data
• Delete or return your customers' data upon termination

16.3 Data Processing Agreement

For Businesses subject to GDPR or similar regulations, we provide a Data Processing Agreement (DPA) upon request. Contact legal@zuviaone.com to request a DPA.

17. Widget Data Collection

When you embed our widgets (quote forms, chatbots, booking forms) on third-party websites:

17.1 Data Collected from Visitors

• Form submissions (name, email, phone, address, service needs)
• Chatbot conversation transcripts
• IP address (for rate limiting and fraud prevention)
• Device and browser information
• Referrer URL and page context
• Marketing attribution data (UTM parameters, click IDs)

17.2 Your Responsibilities

As a Business embedding our widgets, you are responsible for:

• Disclosing data collection in your website's privacy policy
• Obtaining necessary consents from your website visitors
• Ensuring widget use complies with the host website's terms

17.3 Visitor Tracking

We use a visitor ID cookie (crm_visitor_id) to:

• Ensure consistent A/B test experiences
• Prevent duplicate form submissions
• Track conversion attribution

This cookie is first-party and does not track users across unrelated websites.

18. Audit Logging and Activity Monitoring

18.1 What We Log

For security and compliance, we maintain audit logs of:

• Account creation and modification
• Login and logout events
• Data access and changes
• Permission changes
• Financial transactions
• Communication activities
• Security events

18.2 Log Contents

Audit logs may include:

• User identifier (who performed the action)
• Action type and timestamp
• Affected entity and changes made
• IP address (anonymised)
• Request correlation ID

18.3 Retention and Access

• Audit logs are retained for 2 years
• Logs are not shared except as required by law
• You can request access to logs related to your account

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by:

• Email to your registered email address
• Notice within the Service
• Prominent posting on our website

We provide at least 30 days' notice before material changes take effect. Continued use after the effective date constitutes acceptance.

20. Contact Us

If you have questions about this Privacy Policy or our data practices:

By using the Service, you acknowledge that you have read and understood this Privacy Policy.