Legal · Convey Labs

Privacy
Policy.

This Privacy Policy explains how Convey Labs collects, uses, processes, and protects personal data when you or your end users interact with our voice, messaging, and ad-signal services.

By using the Service, you agree to the collection and use of information in accordance with this Policy.

Last Updated:
01

Introduction

Convey Labs ("Convey Labs", "we", "us", or "our") operates an AI-powered communication platform that helps businesses run voice calls, multi-channel messaging (WhatsApp, RCS, SMS, Instagram), and ad-signal optimisation across India.

We take privacy seriously. This Policy describes the personal data we handle, the purposes for which we handle it, the choices you have, and how we comply with applicable laws — including the Digital Personal Data Protection Act, 2023 (DPDP Act) of India and TRAI regulations.

This Policy should be read together with our Terms & Conditions.

02

Definitions

Service
Voice agents, messaging agents (WhatsApp, RCS, SMS, Instagram), ad-signal optimisation, dashboards, and APIs provided by Convey Labs.
Personal Data
Any data about an individual who is identifiable from that data, in accordance with the DPDP Act, 2023.
Client
A business or organisation that has registered to use our Service.
End User / Lead
The customer, prospect, or contact that a Client communicates with through the Service.
Data Fiduciary
The person who, alone or with others, determines the purpose and means of processing personal data. The Client is the Data Fiduciary for End-User data.
Data Processor
A person who processes personal data on behalf of a Data Fiduciary. Convey Labs is the Data Processor for End-User data uploaded by Clients.
Company
Convey Labs, with registered office at CBI Colony, Madhapur, Hyderabad 500033, Telangana, India.
Country
India
Website
conveylabs.ai
You
The individual or entity accessing or using the Service.
03

Our Role & Yours

Convey Labs operates in two distinct capacities, depending on the type of personal data involved:

As a Data Fiduciary

When you visit our website, sign up for an account, request a demo, or interact with us directly, we act as the Data Fiduciary for the information you provide. This Policy describes how we handle that data.

As a Data Processor

When a Client uploads or generates lead, contact, or End-User data through the Service, the Client is the Data Fiduciary and Convey Labs acts as the Data Processor. We process such data strictly on the Client's instructions and only to deliver the Service.

End Users: If you are an End User who received a call or message from a Convey Labs-powered system, the business that contacted you is the Data Fiduciary. Please reach out to that business first for questions about consent, opt-out, or data access. We will assist that business in honouring your request.

04

Information We Collect

Information You Provide Directly

  • Account information: name, business name, email, phone number, role, login credentials
  • Billing information: billing address, GSTIN, payment method details (processed via PCI-compliant payment providers)
  • Communications: messages you send to our sales, onboarding, or support teams, including via email, forms, calls, or chat

Information Generated by Use of the Service

  • Lead and contact data uploaded by the Client (name, phone, email, custom attributes)
  • Conversation data — call recordings, transcripts, message logs across WhatsApp, RCS, SMS, and Instagram
  • Outcomes & metadata — lead quality scores, intent labels, disposition, timestamps, channel, duration
  • Ad-signal events sent to ad platforms (Meta, Google) on the Client's behalf

Information Collected Automatically

  • Usage data: IP address, browser type, device identifiers, pages visited, referring URL, session duration
  • Cookies and similar technologies — see § 10 Cookies & Tracking
  • Log data: requests to our APIs, error logs, performance telemetry
05

How We Use Information

We use personal data for the following purposes:

  • Provide and operate the Service — place calls, send messages, generate transcripts, produce dashboards and analytics
  • Account management — create accounts, authenticate users, configure agents, provision integrations
  • Customer support — respond to enquiries, troubleshoot issues, train Client teams
  • Billing & invoicing — process payments, generate invoices, manage subscriptions
  • Service improvement — analyse aggregated and de-identified usage to improve performance, models, and product quality
  • Security & abuse prevention — detect fraud, prevent misuse, enforce our Terms
  • Communication — send product updates, security notices, and (where permitted) marketing communications
  • Legal compliance — respond to lawful requests, meet regulatory obligations under the DPDP Act, TRAI, and other applicable laws

We do not sell personal data, and we do not use End-User conversation data to train third-party AI models.

06

Communication Channels

Our Service reaches End Users across multiple channels. Each channel carries its own provider terms and consent requirements, which the Client is responsible for honouring.

Voice Calls
Outbound and inbound calls placed via licensed telecom carriers, governed by TRAI regulations.
WhatsApp Business
Messages sent via the WhatsApp Business Platform, governed by Meta's policies and template approval.
RCS Messaging
Rich Communication Services messages sent via approved carrier gateways.
SMS
Sent via DLT-registered headers and templates in compliance with TRAI's commercial communication framework.
Instagram Messaging
Direct messages via Meta's Messenger Platform, governed by Instagram and Meta's policies.
Email (optional)
Transactional and marketing email sent through approved providers, with opt-out honoured.

Recordings, transcripts, and message history are retained on the Client's behalf and made available within the dashboard for audit and quality purposes.

07

Sharing & Disclosure

We share personal data only in the following circumstances:

  • With Service Providers who help us deliver the Service — cloud hosting, telephony carriers, messaging gateways, payment processors, analytics. Each is bound by confidentiality and data-protection obligations.
  • With the Client — End-User conversation data, transcripts, and metadata generated through the Service are made available to the Client whose account initiated the communication.
  • With ad platforms — when configured by the Client, we forward conversion or qualification signals to Meta, Google, and similar platforms. Only the signals necessary for attribution are sent.
  • For legal reasons — to comply with a lawful court order, government request, or regulatory obligation.
  • In a business transfer — in connection with a merger, acquisition, or sale of assets, with appropriate confidentiality safeguards.
  • With your consent — for any purpose disclosed at the time of collection.

We do not sell personal data to advertisers, data brokers, or any other third party.

08

Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, including:

  • Delivering the Service to the Client
  • Meeting tax, accounting, and audit obligations
  • Resolving disputes and enforcing our agreements

Default retention windows:

  • Call recordings & transcripts: as configured by the Client; default 12 months, after which they may be archived or deleted
  • Message logs: 12 months from the date of communication, unless extended by Client configuration
  • Account & billing records: retained for the duration of the contract plus a statutory period after termination
  • Marketing data: retained until you opt out, after which it is removed from active mailing lists

Upon termination of a Client contract, data is retained for thirty (30) days to allow export, after which it is deleted in accordance with our retention policy, unless we are legally required to retain it for longer.

09

Data Security

We use reasonable administrative, technical, and organisational measures to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest for sensitive data
  • Role-based access controls and audit logging
  • Hosted on reputable cloud providers with industry-recognised security certifications
  • Regular vulnerability assessments and code reviews
  • Incident response procedures and breach notification commitments under the DPDP Act

No system is perfectly secure. While we work hard to protect personal data, we cannot guarantee its absolute security. If we become aware of a personal data breach that is likely to result in significant harm, we will notify the Data Protection Board of India and affected individuals as required by law.

10

Cookies & Tracking

Our website uses cookies and similar technologies for the following purposes:

  • Essential cookies — required to authenticate you and keep the dashboard working
  • Preference cookies — remember your settings (language, theme)
  • Analytics cookies — measure aggregated usage to improve the product and the website
  • Marketing cookies — measure the effectiveness of our marketing campaigns; you can opt out via your browser settings

You can control or disable cookies through your browser settings. Disabling essential cookies may prevent parts of the Service from working.

11

Third-Party Services

The Service integrates with third-party providers. When you use those integrations, your data may be transmitted to or processed by them, subject to their own terms and privacy policies:

  • Telecom carriers for voice and SMS
  • WhatsApp Business Platform (Meta) for WhatsApp messaging
  • Meta & Instagram for Messenger and Instagram messaging
  • Google Ads, Meta Ads, and other ad platforms for ad-signal optimisation
  • CRMs and lead sources connected by the Client (e.g., HubSpot, Zoho, Salesforce, Google Sheets)
  • Cloud infrastructure providers for hosting and storage
  • Payment processors for billing

We are not responsible for the privacy practices of third parties. We encourage you to review their policies before using those integrations.

12

Your Rights

Under the DPDP Act, 2023, you have the following rights with respect to personal data we hold about you as a Data Fiduciary:

  • Right to information about the personal data we process and the purposes of processing
  • Right to correction of inaccurate, incomplete, or misleading personal data
  • Right to erasure of personal data that is no longer necessary for the purpose it was collected
  • Right to grievance redressal — raise a complaint with our Grievance Officer (see § 16)
  • Right to nominate another individual to exercise these rights in case of death or incapacity
  • Right to withdraw consent at any time, where consent is the basis for processing

To exercise these rights, contact us at official@conveylabs.ai. We will respond within the timelines required by applicable law.

If you are an End User whose data was uploaded by a Client, please first contact the business that communicated with you. They control your data as the Data Fiduciary; we will assist them in honouring your request.

13

International Transfers

Our primary infrastructure is hosted within India. In limited cases — for example, when using global services like WhatsApp, Meta, or certain cloud regions — personal data may be processed outside India.

Where international transfers occur, we rely on appropriate safeguards (such as contractual commitments from the receiving party) consistent with the DPDP Act and any applicable cross-border transfer rules notified by the Government of India.

14

Children's Privacy

The Service is not directed at, or intended for, individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can remove it.

Clients must not use the Service to contact End Users under the age of 18 without verifiable parental or guardian consent, as required by the DPDP Act.

15

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do, we will revise the "Last Updated" date at the top of this page, and for material changes we will provide reasonable advance notice by email or in-app notification.

Your continued use of the Service after the updated Policy takes effect constitutes acceptance of the changes.

16

Contact & Grievance Officer

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Grievance Officer (DPDP Act, 2023): For grievances related to the processing of your personal data, please write to our Grievance Officer at official@conveylabs.ai with the subject line "Grievance — Data Protection". We will acknowledge your request within a reasonable time and respond within the timelines required by applicable law.