Privacy Policy

Convened ("we", "us") provides an Organizational Intelligence Platform that includes AI Echoes, Process Echoes, the Echo Mesh, the Board of Experts, meeting capture, and an immutable decision journal (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, the choices available to you, and the commitments we make about what we will not do with your data. It applies to individual users and, where applicable, to organizations ("Companies") that deploy the Service for their personnel.

For Enterprise customers, a separate Data Processing Addendum (DPA) governs the parties' relationship on these subjects. Where the DPA conflicts with this Policy, the DPA controls for that customer.

1. Information We Collect

Account and organization data. Name, work email, role, Company affiliation, team structure, reporting relationships, administrator designations, and authentication identifiers (including SSO identifiers where applicable).

Echo interview and process data. Audio, transcripts, and written responses from the Socratic interview used to synthesize a Person Echo (typically 45–60 minutes); process descriptions, triggers, steps, and decision rules used to create a Process Echo. This content captures decision-making patterns, communication style, domain expertise, and stated constraints.

Document and knowledge content. Documents you upload for Echo enrichment, Board deliberation, financial analysis, or workshop generation. This may include financial statements, pitch decks, contracts, memos, transcripts, spreadsheets, and other business documents.

Mesh activity data. Directives authored through the Mesh, their contextualizations per Echo, variance rules, bubble-up signals, conflict deliberations, Board sessions and briefs, colleague invitations to mesh sessions, and entries in the Decision Journal.

Meeting capture data. Where meeting capture is enabled, audio, video, transcripts, and derived analysis of meetings, including dual-track data that separates in-meeting context from post-meeting analysis. Capture is an opt-in feature configured per tenant, and participants in a recorded meeting may be represented in the captured content.

Voice data. Audio inputs for speech-to-text, voice synthesis, and voice-authored interview responses, where you or your Company enables voice features.

Usage and telemetry. Feature interactions, session duration, tier and entitlement data, fidelity and effectiveness measurements, error and diagnostic logs, IP addresses, device and browser identifiers, and referrer data.

Integration data. If you connect third-party systems (for example, calendar, CRM, accounting, identity provider, or file storage), we receive the data you authorize during connection.

Payment and billing data. Processed by our payment processor (Stripe); we receive only the tokenized and metadata portions necessary to administer billing. Convened does not store full payment card numbers.

We do not knowingly collect special categories of personal data (such as health, genetic, or sexual-orientation data) and we ask that you not submit such data to the Service.

2. How We Use Information

We process personal data only for the purposes below. We will not use personal data for materially different purposes without notifying you and, where required, obtaining your consent.

• To create, operate, and calibrate AI Echoes and expert personas, and to compute and publish Fidelity Scores;
• To power the Echo Mesh — contextualize directives for each role, orchestrate bubble-up signals, resolve conflicts, and maintain decision lineage;
• To run Board of Experts deliberations under the Convened Protocol and to generate briefs with preserved dissent, confidence bands, and source citations;
• To maintain the immutable Decision Journal (SHA-256 hash-chained records) and to support 90-day Decision Effectiveness tracking that feeds back into persona calibration;
• To provide supporting functionality — meeting capture, financial analysis, health scoring, action items, intelligence reports, microsites, and document generation;
• To authenticate users, enforce role-based access control (RBAC), and isolate tenant data;
• To detect, investigate, and respond to security incidents, abuse, and policy violations;
• To process payments and administer subscriptions;
• To communicate service-related updates and, where permitted, product updates you have not opted out of;
• To meet legal, regulatory, and audit obligations.

3. What We Do Not Do

• We do not sell personal data.
• We do not use Customer Content to train third-party foundation models. Our agreements with model providers prohibit such training on your data.
• We do not use voice data for biometric identification or to create voiceprints for authentication.
• We do not share Customer Content across Company tenants. Cross-organization benchmarking, where elected, uses only de-identified statistical aggregates (see Section 7).
• We do not use third-party advertising trackers, and we do not profile users for advertising.
• We do not monitor employees on behalf of Companies beyond the product functions a Company administrator has configured, and those functions are subject to the visibility rules in Section 6.

4. AI Processing and Model Providers

Echo interviews, uploaded documents, deliberation inputs, meeting content, and other Customer Content are processed by large language models (currently Anthropic's Claude and, for narrow tasks, Groq and OpenAI) and by embedding and vector search systems (Pinecone, OpenAI embeddings). We send only the context necessary for the requested operation.

Our agreements with model providers prohibit the use of your data to train their foundation models. Prompt caching, where used, operates within the provider's secure environment and is scoped to your tenant. A current list of AI subprocessors and their processing purposes is maintained and provided to Enterprise customers on request.

AI Output is probabilistic. We publish Fidelity Scores, confidence bands, dissent, and source citations in deliberation output; unsourced factual claims are flagged. AI Output is not professional advice.

5. Echoes and Consent

An Echo is created only with explicit, granular consent from the person it represents (for Person Echoes) or from an authorized Company representative (for Process Echoes and future non-human Echoes). The consent flow covers (a) use of interview or process data to synthesize the Echo, (b) participation in the Echo Mesh, (c) document enrichment for grounding, and (d) any sharing or delegation inside the Company. Consents are versioned and auditable.

The subject of a Person Echo may at any time: review their Echo's profile card and system prompt inputs; deactivate the Echo so it no longer participates in Mesh operations; or delete the Echo and its underlying interview data, subject to the retention rules in Section 10.

Colleague invitations. Mesh features that invite another user's Echo into a shared session notify the Echo's owner and allow that owner to decline, configure scope, or revoke participation. These features are bound by the Company's configured visibility and trust levels.

If a Company creates Echoes of its personnel, the Company is the data controller for that activity and is responsible for the lawful basis under applicable law.

6. Organizational Visibility Inside the Mesh

Within a Company tenant, directives, deliberations, decisions, and attribution data are visible according to the Company's configured RBAC, trust levels, and IP-isolation settings. By default:

• Directives cascade only to the Echoes in the explicit distribution;
• Bubble-up signals flow upward with attribution;
• Decision Journal entries are visible to authorized roles per Company policy;
• Meeting capture data separates "context" (shared per the meeting's configured audience) from "analysis" (restricted by default to the meeting owner);
• Private categories (authentication secrets, personal settings, individual Echo interview transcripts) are never exposed across users or to managers absent an explicit configuration choice and the subject's consent.

Administrators configure visibility; individual users can see the visibility scope for each artifact before contributing.

7. Meeting Capture, Voice, and Biometric Data

Meeting capture is an opt-in feature. Convened provides in-product indicators that capture is active, but those indicators do not by themselves satisfy legal consent requirements. The Company enabling capture is responsible for obtaining any consents required by applicable law from every participant before a meeting is recorded or transcribed, including under two-party consent statutes in the U.S. and under comparable laws in other jurisdictions.

Voice data is processed only for the feature you invoked (for example, transcription of an interview answer or generation of Echo playback). We do not create voiceprints, we do not use voice data for biometric identification, and we do not sell or license voice data. Where applicable biometric privacy laws (including Illinois BIPA, Texas CUBI, and Washington's biometric statute) apply to you or your participants, you are responsible for ensuring that your use of the Service complies with those laws as applied to your use.

Meeting audio and raw voice inputs are retained only as long as necessary to produce and store the derived outputs you elected (such as a transcript or summary) and the retention period configured in your plan, after which the raw audio is deleted on our standard cycle.

8. Cross-Organization Benchmarking

Cross-organization benchmarking is off by default and requires an explicit, opt-in election by a Company administrator. Where opted in, the Service derives statistical aggregates that are de-identified and not reasonably attributable to any Company, user, or individual. Raw Customer Content, directives, decisions, and deliberation transcripts are never shared across tenants under any configuration. Opt-in may be revoked at any time; revocation applies to future benchmark participation.

9. Data Sharing

We do not sell personal information. We share information only as described here:

• Service providers and subprocessors under contract and confidentiality obligations: Anthropic, OpenAI, Groq (AI model and embedding processing); Pinecone (vector search); Stripe (billing); GoHighLevel (CRM — where applicable to your tier or deployment); cloud hosting, database, and email infrastructure providers. A current subprocessor list is available on request for Enterprise customers and is updated with at least 30 days' notice of material changes.
• Your Company. If you use the Service under a Company account, your Company administrator may access configuration, usage, and artifacts created under the Company tenant consistent with Sections 5 and 6.
• Legal and safety. We may disclose information when required by law, to enforce our Terms, to investigate fraud or abuse, or to protect the rights, safety, and property of Convened, our users, or the public. We will object to overbroad requests and, where permitted by law, provide notice to affected customers before disclosure.
• Corporate transactions. If we are involved in a merger, acquisition, or asset sale, information may be transferred subject to customary confidentiality protections and continued application of this Policy or a materially similar one.

10. Data Retention and Deletion

We retain personal data only as long as necessary to provide the Service and to meet legal, contractual, and audit obligations. Specifically:

• Echo interview data and synthesized persona artifacts are retained for the life of the Echo; deletion of an Echo removes its active artifacts and, within a reasonable period not to exceed 30 days, the underlying interview content, except where retention is legally required.
• Raw meeting audio is retained only as long as needed to produce the elected derived outputs, after which it is deleted on our standard cycle.
• Audit and security logs are retained for 12 months, or longer where required by law or contract.
• Backups are retained on a rolling basis and purged on our standard cycle.

Decision Journal immutability. The Decision Journal is, by design, a cryptographically hash-chained append-only ledger, intended to preserve audit integrity for enterprise accountability. Where a deletion request affects Decision Journal entries, we implement deletion through redaction and tombstoning rather than removal of chained records: the underlying personal data is redacted from the record, and the record's position and hash are preserved so that the chain remains verifiable. This behavior is disclosed here and surfaced in the Service at the point of journaling. Where applicable law grants a right of erasure that cannot be satisfied by redaction, we will cooperate with the data subject and, where necessary, the Company or supervisory authority to reach a lawful outcome.

You may request export or deletion of your personal data, and Company administrators may request tenant-level export or deletion, via the contact below. We will respond within the period required by applicable law (typically 30 days).

11. Your Rights

Depending on your jurisdiction (including under the GDPR, UK GDPR, Swiss FADP, and the CCPA/CPRA), you may have rights to access, correct, port, restrict, or delete your personal data; to object to certain processing; and to withdraw consent. You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects; Convened's design, including the Decision Journal and Fidelity Scores, supports human-in-the-loop decision-making, and you should not use the Service to make such decisions purely automatically.

To exercise these rights, contact privacy@convened.ai or use in-product controls where available. If you are covered under a Company tenant, we may direct your request to the Company as controller and cooperate with their response. We will not retaliate for exercising your rights. You may also lodge a complaint with your supervisory authority.

12. Security

We maintain an information security program that includes:

• Encryption in transit (TLS 1.2+) and encryption at rest, including AES-256-GCM for sensitive stores;
• Customer-managed encryption keys (BYOK) for qualifying customers;
• Role-based access control with granular permissions and administrator-configured trust levels;
• Tenant isolation (every query scoped by Company ID);
• PII handling and anonymization controls;
• Audit logging and integrity controls, including SHA-256 hash-chained decision records;
• Secure SDLC, least-privilege access for personnel, vulnerability management, and incident response procedures.

Our compliance roadmap includes SOC 2 Type II, HIPAA (BAA available for qualifying customers), and GDPR. No system is perfectly secure; we will notify affected users and Companies of material incidents without undue delay and in any event within the periods required by applicable law and contract.

13. International Transfers

Convened is operated from the United States and our infrastructure may process data in the U.S. and other regions. Where required, we rely on appropriate transfer mechanisms (such as the EU Standard Contractual Clauses and the UK IDTA) for cross-border transfers, and Enterprise customers may execute our DPA, which includes transfer terms and subprocessor commitments.

14. Cookies and Local Storage

We use cookies and similar technologies for authentication, session management, security, and first-party product analytics. Where required, we request consent and provide controls. We do not use third-party advertising trackers. Certain product features use in-memory or local storage to preserve in-session state.

15. Children

The Service is intended for business use by adults. It is not directed to children under 18, and we do not knowingly collect personal data from them. If you believe a minor has provided personal data, contact us and we will delete it.

16. Expert Contributors

If you participate as an Expert Contributor, additional disclosures apply. Your persona's Fidelity Score and calibration history may be published within the Service to support transparency. Your name and professional credentials may appear publicly only to the extent you authorize during onboarding.

17. Changes

We may update this Policy from time to time. Material changes will be announced by email or in-app notice and, where appropriate, will require re-acceptance. The "Last updated" date reflects the most recent revision.

18. Contact

Privacy inquiries and rights requests: privacy@convened.ai
Enterprise DPA and security reviews: legal@convened.ai