Privacy Policy

Last updated: April 16, 2026

This Privacy Policy explains how Alenta AI (“Alenta”, “we”, “our”) collects, uses, shares, and protects personal data when you use our website and Service. It applies to account holders, end-user visitors to customer websites that host our AI agent, and anyone else who interacts with us.

1. Data We Collect

We collect the following categories of personal data:

  • Account data — name, email, password hash, organization name, billing address, role.
  • Usage data — pages viewed, features used, timestamps, IP address, device and browser metadata, referrer URLs.
  • Chat content — messages exchanged with AI agents operated by our customers, including any identifiers (name, email, phone) that visitors submit in those conversations.
  • Payment data — processed by Stripe; we receive only a token and the last four digits of the card.
  • Cookies and similar technologies — see the Cookie Policy for details.

2. How We Use Data

We process personal data to:

  • provide, operate, and maintain the Service;
  • authenticate users, prevent fraud, and secure the Service;
  • deliver AI-generated responses to visitor messages (passing context to configured LLM providers);
  • process payments and administer subscriptions through Stripe;
  • communicate transactional and (with consent) marketing messages;
  • analyze usage to improve the Service;
  • comply with legal obligations.

3. Legal Basis (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

  • Contract — to provide the Service you have subscribed to.
  • Legitimate interests — to secure the Service, prevent abuse, and improve product features, balanced against your rights and freedoms.
  • Consent — for non-essential cookies and marketing communications, which you can withdraw at any time.
  • Legal obligation — to comply with applicable laws, lawful requests, and accounting requirements.

4. Data Retention

We retain personal data for as long as needed to provide the Service and to comply with legal obligations. Default windows (TBD — confirm before publish):

  • Account data: until account deletion + 30 days.
  • Chat transcripts: as configured by the customer; default 13 months.
  • Billing records: 7 years (tax compliance).
  • Security logs: 12 months.

5. Sharing and Sub-Processors

We share personal data with service providers under written data processing agreements. The current sub-processors are:

  • Supabase — database and authentication hosting.
  • Stripe — payment processing and subscription management.
  • Anthropic and/or OpenAI — LLM inference for AI-generated responses. The active provider is configurable per deployment.
  • Twilio — telephony and SMS (only when voice features are enabled).
  • HubSpot and/or Salesforce — CRM sync (only when the customer connects the integration).

We do not sell personal data. We disclose data to law enforcement only when required by valid legal process and, where permitted, will notify affected customers in advance.

6. International Transfers

Personal data may be processed in the United States and other countries where our sub-processors operate. For transfers from the EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and, where applicable, the EU-U.S. Data Privacy Framework, together with supplementary safeguards.

7. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Access — request a copy of your data.
  • Rectification — correct inaccurate data.
  • Erasure / Deletion — request that we delete your data.
  • Portability — receive your data in a machine-readable format.
  • Restriction — restrict certain processing.
  • Objection — object to processing based on legitimate interests or direct marketing.
  • Withdraw consent — withdraw consent at any time, without affecting prior processing.
  • Complain — lodge a complaint with your supervisory authority.

California residents (CCPA/CPRA) have additional rights to know the categories of personal information collected, to delete personal information, to correct inaccurate personal information, to opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information. We do not sell personal information as defined under the CCPA.

To exercise any right, email privacy@alenta.ai. We respond within 30 days (or as otherwise required by law).

8. Cookies

We use cookies and similar technologies for strictly necessary, functional, and analytics purposes. See the Cookie Policy for the full breakdown and opt-out mechanisms.

9. Security

We implement administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit (TLS) and at rest, role-based access controls, audit logging, and regular vulnerability assessments. No system is completely secure; if we become aware of a breach affecting your personal data, we will notify you as required by law.

10. Children's Privacy

The Service is not directed to children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact privacy@alenta.ai and we will delete it.

11. Changes

We may update this Privacy Policy from time to time. Material changes will be announced via email or in-product notice at least 14 days before taking effect. The “Last updated” date indicates the latest revision.

12. Contact

Questions or requests: privacy@alenta.ai. For EU/UK residents, you may also contact your local supervisory authority.