Privacy Policy · Owlish

This Privacy Policy explains how Chevvi Pty Ltd (ABN 54 682 793 602, "Chevvi", "we", "us") collects, uses, discloses, and protects personal information when you use the Owlish website (owlish.bot), the Owlish admin console, the Owlish chat widget, and any related services (together, the "Services").

Chevvi is the data controller for personal information collected directly from website visitors and from people who sign up for an Owlish account. When our customers deploy Owlish on their own websites or channels, our customers are typically the controller of any personal information their end users share with their agents, and Chevvi acts as a data processor on their behalf, governed by our Data Processing Addendum.

1. Quick summary

We collect only the data we need to run the service, bill you, and improve Owlish.
We host data in the United States (Google Cloud, region us-central1) and disclose this transfer in writing.
We do not sell your personal information, and we do not use customer conversations to train shared AI models.
You can access, correct, export, or delete your data at any time — see Your rights.
Our cookie banner is geo-gated to the EU, UK, and Australia and defaults analytics cookies to off.

2. Who this policy applies to

This policy applies to three groups:

Website visitors — anyone who browses owlish.bot or our marketing pages.
Owlish customers — workspace owners, administrators, members, and operators who sign in to the Owlish admin console.
Visitors to customer agents — end users who interact with an AI agent built on Owlish, embedded on a customer's website, Slack workspace, or other channel. For this group, the customer is typically the controller and we process data on their behalf.

3. What personal information we collect

3.1 Information you provide

Account details — name, email address, password (hashed), profile picture, role within a workspace.
Workspace and billing details — workspace name, plan tier, billing contact, country, tax ID, payment method (handled and tokenised by Stripe — we never see full card numbers).
Knowledge base content — documents, URLs, files, and other source material you upload or point us to so the agent can ground its answers in your knowledge.
Conversations — messages between visitors and your AI agent, including any name, email, or other information visitors voluntarily provide via the pre-chat form your agent is configured to show.
Support correspondence — any messages you send us by email or through in-app support.

3.2 Information collected automatically

Device and connection data — IP address, browser, operating system, language, device type, and referrer URL.
Product analytics — pages visited, features used, time spent, and event metadata. Sent to Google Analytics 4 and PostHog only with your consent in the EU, UK, and Australia, and otherwise on a legitimate-interest basis.
Server logs — request metadata (timestamp, route, status code, latency, internal IDs). We deliberately do not log full request or response bodies that could contain personal information.
Cookies and similar technologies — see our Cookie Policy.

3.3 Information from third parties

Identity providers — if you sign in with Google, we receive your email, name, and profile picture from Google.
Approximate location — to decide whether to show our cookie banner, the marketing site looks up your country (only) via Cloudflare's public cdn-cgi/trace endpoint and caches it locally for 7 days.
Channel platforms — when you connect Slack, Microsoft Teams, or another channel, we receive workspace IDs, bot tokens, and the messages addressed to your bot.

4. Why we collect personal information and our legal basis

Purpose	Categories	Legal basis (GDPR Art. 6) / APP basis
Provide and operate the Services, authenticate accounts, run agents.	Account, workspace, conversations, knowledge base.	Contract (6(1)(b)); APP 6(1) primary purpose.
Bill you and process payments via Stripe.	Billing details.	Contract (6(1)(b)); legal obligation (6(1)(c)) for tax records.
Secure the Services — fraud prevention, abuse detection, audit logs.	Account, device, IP, server logs, audit log.	Legitimate interest (6(1)(f)); APP 11 reasonable security steps.
Improve the product through aggregated analytics.	Pseudonymised event data.	Consent (6(1)(a)) in EU/UK/AU; legitimate interest elsewhere.
Send transactional email (sign-in links, billing receipts, security alerts).	Email, account.	Contract (6(1)(b)).
Send product updates and marketing — only to people who opt in.	Email.	Consent (6(1)(a)); withdraw any time.
Comply with legal requests and protect rights.	Whatever is strictly necessary.	Legal obligation (6(1)(c)) / vital interest.

5. How we use AI and your data

Conversations between visitors and your agent are processed by large language models (Google Gemini, Anthropic Claude, OpenAI GPT) accessed through Vertex AI to generate responses grounded in your knowledge base.
We have configured these providers in no-training mode where supported. Customer conversations are not used to train shared, cross-customer AI models.
Agents only have access to the knowledge base sources you have explicitly added to your workspace, plus the live conversation context.
AI output is probabilistic and may be wrong. The agent cites the source it used so you can verify. Owlish is not professional advice (legal, medical, financial).

6. Sub-processors

We use the following sub-processors to deliver the Services. Each is bound by a written data-processing agreement and is required to apply at least the same level of protection as we do. The list is current as of the "last updated" date above; see DPA Annex III for the live list.

Sub-processor	Purpose	Data categories	Location
Google Cloud Platform (incl. Cloud Run, Cloud Functions, Cloud SQL, Firestore, Cloud Storage, Vertex AI, Firebase Auth)	Core hosting, database, AI inference, authentication.	Account, conversations, knowledge base, files.	United States (us-central1), under EU‑US DPF and SCCs.
Anthropic, OpenAI (via Vertex AI)	Optional LLM model providers selectable per agent.	Conversation messages, system prompt context.	United States; no-training mode.
Stripe	Payment processing, subscription billing, tax invoices.	Billing email, name, payment method (tokenised), invoice metadata.	United States, Ireland (EU billing).
Resend	Transactional email delivery (sign-in, receipts, alerts).	Email address, message metadata, delivery logs (90-day retention).	United States.
Firecrawl	Discovering URLs from sitemaps for knowledge sources.	URLs you supply (no page content).	United States.
Parallel.ai (Parallel Web Systems Inc.)	Extracting page content from URLs you supply as knowledge sources.	Content fetched from URLs you supply.	United States.
Google Document AI	OCR fallback for scanned documents.	Document content you upload.	United States.
PostHog	Product analytics (after consent in EU/UK/AU).	Pseudonymous user ID, event metadata, page paths.	United States today; we plan to migrate EU traffic to PostHog EU Cloud.
Google Analytics 4	Marketing-site analytics (after consent in EU/UK/AU).	Pseudonymous client ID, event metadata, IP-anonymised location.	United States, under DPF/SCCs.
Cloudflare	Country-code lookup (via `cdn-cgi/trace`) to decide whether to display the cookie banner.	IP address (used to return country only).	Global edge network.
Slack, Microsoft, Discord (channel integrations)	Optional integrations you choose to connect.	Workspace IDs, bot tokens, messages addressed to your bot.	United States; per-vendor terms.

7. International data transfers

Owlish is hosted in the United States (Google Cloud, region us-central1). When you use Owlish from the European Economic Area, the United Kingdom, Australia, or anywhere else, your personal information is transferred to and processed in the United States.

EEA / UK transfers — we rely on (i) the EU‑US Data Privacy Framework where the recipient is certified, and (ii) the European Commission's Standard Contractual Clauses (SCCs, 2021) and the UK International Data Transfer Addendum where DPF does not apply, supplemented by appropriate technical and organisational measures (encryption in transit and at rest, access controls, audit logging).
Australia transfers — we comply with Australian Privacy Principle 8 by taking reasonable steps to ensure overseas recipients comply with the APPs through written agreements, encryption, and access controls.
Enterprise residency — if your organisation requires data hosting in the EU or another specific region, please contact us to discuss enterprise deployment options.

8. How long we keep your data

Data	Retention
Account profile	For the life of your account, plus up to 30 days after deletion (soft-delete grace period).
Workspace data (settings, integrations, knowledge base)	For the life of your workspace, plus up to 30 days after deletion.
Conversations and session events	Plan-tier dependent: Starter 30 days, Growth 90 days, Scale 365 days. Purged automatically by a daily job.
Audit and security logs	Up to 24 months for security-relevant records; pseudonymous deletion-audit records retained for 7 years for accountability (GDPR Art. 5(2)).
Billing and tax records	7 years from issue, as required by Australian and US tax law. Customer is anonymised in Stripe at deletion; invoice line-items are retained.
Server and application logs	30 days in the application log bucket; up to 90 days for authentication logs.
Email delivery logs	90 days (Resend default).
Marketing analytics	14 months for Google Analytics 4; 12 months for PostHog event data tied to a pseudonymous ID.
Backups	Encrypted, retained for up to 35 days, then expire automatically.

When retention expires, data is either hard-deleted or anonymised (identifying fields replaced with stable pseudonyms) so that what remains can no longer be linked to you.

9. Your rights

Subject to the laws that apply to you, you have the right to:

Access — get a copy of the personal information we hold about you.
Rectify — correct inaccurate or incomplete information.
Erase — ask us to delete your personal information ("right to be forgotten" / right of erasure).
Restrict or object to processing — including objecting to processing based on legitimate interest, and objecting to direct marketing at any time.
Portability — receive your data in a structured, machine-readable format (JSON or CSV) and ask us to transmit it to another controller where technically feasible.
Withdraw consent — where we rely on consent (e.g., analytics cookies, marketing email), withdraw it at any time without affecting prior processing.
Not be subject to a solely automated decision — the AI agent may suggest answers, but no significant decision about you is made by the agent without human review.
Lodge a complaint — with your local supervisory authority (e.g., the OAIC in Australia, the ICO in the UK, your national DPA in the EU).

How to exercise your rights

Download a copy of your account data — sign in to the Owlish admin console and go to Account Settings. The export is a structured JSON file covering profile, workspace memberships, and any operator messages you authored.
Delete your account — same page; we run a 28-day soft-delete grace window before hard erasure across all stores and sub-processors.
Workspace-owned data (sessions, knowledge base, agents, billing) — for workspace owners, see Workspace Settings → Privacy. End users of an agent should contact the workspace operator first.
Anything not yet supported in-app — email privacy@chevvi.com. We respond within 30 days; for complex requests we may extend by up to two further months and will tell you why.

To protect you, we may need to verify your identity before acting on a request. We will not charge a fee for the first request in any 12-month period.

If you are an end user of a customer's agent

If you interacted with an AI agent on someone else's website (powered by Owlish), the operator of that website is the controller. Please contact them first. If they cannot help and you believe Chevvi is processing your data on their behalf, you can email us at privacy@chevvi.com and we will route the request to them.

Australian residents — OAIC complaints

If you are in Australia and we have been unable to resolve your concern, you can complain to the Office of the Australian Information Commissioner: oaic.gov.au/privacy/privacy-complaints · phone 1300 363 992 · post GPO Box 5288, Sydney NSW 2001.

California, Virginia, Colorado, Connecticut, Utah, Texas — US state privacy rights

If you are a resident of a US state with a comprehensive privacy law, you have the rights set out in section 9 above (access, delete, correct, portability, opt-out of sales/sharing). In addition, the following points apply:

We do not "sell" your personal information for monetary consideration, and we do not "share" it for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act (as amended by the CPRA). We have not done so in the preceding 12 months.
Sensitive personal information. We do not collect or use sensitive personal information (e.g., precise geolocation, government IDs, health data) beyond what is necessary to provide the Services. You can request that we limit our use of any such data.
Right to limit use of sensitive PI. Where applicable, you may direct us to limit our use of sensitive personal information to that which is necessary to deliver the Services or as otherwise permitted by law.
Authorised agents. You may use an authorised agent to make a request on your behalf. We will require the agent to provide proof of authorisation, and we may verify your identity directly.
Non-discrimination. We will not discriminate against you for exercising any of these rights — for example, by denying service, charging different prices, or providing a different level of quality.
Global Privacy Control (GPC). We honour browser-level GPC signals as a valid opt-out request under CCPA and other US state privacy laws. If your browser sends Sec-GPC: 1, we treat that as a "do not sell or share" signal: analytics and marketing cookies stay denied, and we do not display the consent banner to you.
Shine the Light (California Civil Code §1798.83). California residents may request information about disclosures of personal information to third parties for their direct marketing purposes during the immediately preceding calendar year. We do not make such disclosures.
Appeal. If we deny your request, you may appeal by replying to our response email; we will respond to your appeal within 60 days. If your appeal is also denied, you may contact your state attorney general.

Personal information categories collected (CCPA §1798.140)

For California residents, this is how the personal information described in section 3 maps to the statutory categories in CCPA §1798.140. We collect categories marked Yes; the rest we do not collect.

Category	Collected?	Sources	Purposes
A. Identifiers (name, email, IP, account ID)	Yes	You; identity providers; channel platforms	Operate the Services; security; billing
B. Customer records (Cal. Civ. Code §1798.80(e)) — billing contact, payment metadata	Yes	You; Stripe	Billing, tax records
C. Protected-class characteristics (race, religion, etc.)	No	—	—
D. Commercial information (transactions, subscriptions)	Yes	You; Stripe	Operate the Services; billing
E. Biometric information	No	—	—
F. Internet/network activity (page views, feature usage, server logs)	Yes	Your browser; our servers	Security; product analytics (with consent in EU/UK/AU)
G. Geolocation (precise)	No	—	—
G. Geolocation (country only, via Cloudflare trace)	Yes	Cloudflare's `cdn-cgi/trace` endpoint	Decide whether to show the cookie banner
H. Sensory data (audio, electronic, visual, thermal)	No	—	—
I. Professional/employment information	Limited	You (workspace role)	Workspace permissions
J. Education information	No	—	—
K. Inferences drawn from any of the above	Limited	Our systems (agent suggestions, summaries)	Improve the agent; surface patterns to operators
L. Sensitive personal information (gov ID, health, precise geo, race, biometrics, contents of correspondence)	No	—	—

"Limited" means we hold the information only to the extent the customer (workspace controller) submits it through the agent's pre-chat form or operator workflows; we do not derive these categories about you ourselves.

10. Security

All traffic uses TLS 1.2 or higher (TLS 1.3 preferred), with HSTS enforced on production hostnames.
Data at rest is encrypted with AES-256, using Google Cloud's managed keys.
Authentication uses Firebase Auth with Argon2 / bcrypt password hashing and short-lived tokens.
Tenant isolation is enforced at four layers: Firebase Auth JWT, Data Connect GraphQL workspace filters, Server Action permission checks, and PostgreSQL triggers for critical invariants.
Access to production data by Chevvi personnel is restricted, audited, and logged.
We run automated dependency, secret, and container scans on every build.

11. Children

Owlish is a B2B service for businesses and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information through a customer's agent, please contact privacy@chevvi.com and we will delete it.

12. Cookies

See our Cookie Policy for the cookies we use, why, and how to control them. The cookie banner is shown to visitors in the EU, UK, and Australia. To revisit your choices, click in the footer.

13. Data breach notification

If we suffer a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required) and, where the risk is high, we will notify you without undue delay. Australian Notifiable Data Breach obligations are handled in parallel.

14. Changes to this policy

We will post any material changes here and update the "last updated" date at the top of the page. For significant changes, we will give you notice by email or in-product before the changes take effect.

15. Contact us

Privacy enquiries: privacy@chevvi.com

Postal: Chevvi Pty Ltd · Sydney, NSW 2000 · Australia · ABN 54 682 793 602

If you are in the EU and we are required to designate an EU representative under GDPR Art. 27, we will publish that designation here once appointed.