Privacy Policy
Last updated: May 13, 2026
1. Introduction
VaioTech Ltd ("we", "us", "our"), a company registered in England and Wales, operates the Zivvo platform at zivvo.ai. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our AI agent platform. We are committed to protecting your privacy and handling your data in accordance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the Data Protection Act 2018, and the California Consumer Privacy Act (CCPA/CPRA) where applicable.
2. Data We Collect
Account Information
When you register, we collect your name, email address, and password (stored as a cryptographic hash). If you sign in via LinkedIn, we receive your name, email, and profile picture from LinkedIn's API.
Document Data
Documents you upload (PDFs, text files) are processed to extract text, which is then stored as vector embeddings for AI retrieval. The original files are stored securely on our servers.
Agent Activity Data
We log all actions taken by your AI agents, including messages sent and received, tool calls made, and their outcomes. This data is used to power the activity dashboard and analytics features.
Third-Party Integration Data
When you connect third-party services (Gmail, LinkedIn, Meta, X/Twitter), we store OAuth access tokens and refresh tokens to maintain the connection. We access only the data necessary to perform the actions you configure your agents to take.
LinkedIn Data
When you connect LinkedIn and authorise Zivvo to act on your behalf, we may access and store the following LinkedIn data depending on the features you use:
- Profile data: Name, email address, job title, company, and profile picture — used to authenticate your account and personalise the Platform.
- Lead data (Lead Sync API): Contact information (name, email, company, job title) from LinkedIn lead generation forms or connection requests — used solely to populate your Zivvo CRM and enable your AI agents to follow up with leads on your instruction.
- Member data (Member Data Portability API): A defined subset of LinkedIn member data — first-degree connections, work history, education, current company, and skills — accessed only upon the member’s explicit OAuth authorisation. Held under a 90-day rolling cache; purged within 24 hours of revocation. See the dedicated LinkedIn Member Data Portability API subsection below for full detail on data categories, lawful basis, retention, and member rights.
- Posts and engagement data: LinkedIn posts and engagement actions (likes, comments) performed by your AI agents on your behalf — logged in your activity dashboard.
You may revoke Zivvo's access to your LinkedIn account at any time via LinkedIn's security settings or by disconnecting LinkedIn in the Zivvo Connections page. Upon revocation, we will delete stored LinkedIn OAuth tokens immediately, cease all LinkedIn activity on your behalf, and purge any cached LinkedIn member profile data within 24 hours of receiving LinkedIn's revocation webhook. Backup snapshots age out within 90 days with no manual intervention required.
LinkedIn and its authorised representatives may audit VaioTech Ltd's use of LinkedIn APIs and member data for compliance verification purposes upon reasonable notice.
LinkedIn Member Data Portability API
Zivvo is an approved third-party developer for LinkedIn’s Member Data Portability API (3rd Party), which LinkedIn provides in response to the EU’s Digital Markets Act (DMA). The API allows LinkedIn members based in the European Economic Area to authorise the export of a defined subset of their LinkedIn data to Zivvo for the purpose of populating their AI agent’s CRM, professional context, and outreach features. Per LinkedIn’s eligibility rules, this feature is available only to LinkedIn members located in the EEA.
What data the OAuth scope grants access to. When a LinkedIn member explicitly authorises Zivvo via LinkedIn’s OAuth consent screen for the r_dma_portability_3rd_party scope, the authorisation grants Zivvo permission to access the data categories LinkedIn discloses on that consent screen, which include:
- Profile information — name, headline, photo, work history, education, current company, summary, and skills as listed on the member’s LinkedIn profile.
- Posts — content the member has published on LinkedIn.
- Synced contacts — contacts the member has imported into LinkedIn.
- Connection requests — sent, received, and pending.
- Messages — 1:1 conversations the member has on LinkedIn.
- Likes — posts and comments the member has reacted to.
- Other activity data — comments, reactions, follows, and related engagement signals.
What Zivvo actually processes today. As of the date of this Policy, Zivvo’s MDP integration retrieves and stores only the member’s profile information (the first category above). Zivvo does not retrieve, store, or process posts, synced contacts, connection requests, messages, likes, or other activity data, despite the OAuth scope granting permission to do so. Should Zivvo expand the integration to process additional categories from the list above, this Policy will be updated and existing connected members will be notified before the expanded processing begins.
Zivvo does not receive payment information or any data outside the authorised scope.
Lawful basis. Processing under the MDP API is carried out on the basis of the member’s explicit consent (EU GDPR / UK GDPR Article 6(1)(a) and, where special-category inferences could be drawn, Article 9(2)(a)). Consent is obtained via the LinkedIn OAuth authorisation screen at the point of connection. The member may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Retention. MDP-derived data is retained on a 90-day rolling cache. Each authenticated refresh resets the retention window for the records returned by that refresh. Records that are not refreshed within 90 days are automatically purged from the cache.
LinkedIn as sub-processor. LinkedIn Ireland Unlimited Company is the originating source of all data processed under this section and is listed in our sub-processor register (see Section 5 below). Zivvo’s use of the MDP API is governed by LinkedIn’s API Terms of Use and is subject to audit by LinkedIn and its authorised representatives.
Your rights under EU GDPR / UK GDPR Articles 15–22. As a LinkedIn member whose data is processed by Zivvo under the MDP API, you have the right to:
- Access (Art. 15): request a copy of the MDP-derived personal data Zivvo holds about you;
- Rectification (Art. 16): request correction of inaccurate data (note: corrections to your underlying LinkedIn profile must be made on LinkedIn directly and will propagate to Zivvo on the next authenticated refresh);
- Erasure (Art. 17): request immediate deletion of MDP-derived data held by Zivvo, independent of the 90-day rolling cache;
- Data portability (Art. 20): receive the MDP-derived data Zivvo holds about you in a structured, commonly used, machine-readable format.
How to exercise your rights. Email [email protected] with the subject line “MDP Data Subject Request” and identify (a) the right you are exercising, (b) the LinkedIn member identifier the data is attached to, and (c) a verification method we may use to confirm your identity. Zivvo will acknowledge within 7 days and fulfil the request within 30 days of verified receipt. Complex requests may extend to 60 days; you will be notified in writing if so.
Revocation. You may revoke Zivvo’s MDP authorisation at any time via LinkedIn’s own privacy and security settings (Settings → Data Privacy → Permitted Services). Upon receiving LinkedIn’s revocation webhook, Zivvo will purge MDP-derived data attached to your member identifier from its active profile cache within 24 hours. Backup snapshots age out within 90 days with no further action required.
Usage and Technical Data
We collect standard server logs including IP addresses, browser type, and pages visited to maintain security and improve the Platform.
3. How We Use Your Data
- To provide and operate the Platform and its features
- To authenticate your identity and secure your account
- To process your documents for AI retrieval
- To execute AI agent actions on your behalf via connected services
- To import and manage LinkedIn lead and member data you authorise us to access, solely for your CRM and agent automation workflows
- To display analytics, conversation logs, and activity history
- To process payments and manage subscriptions
- To send service-related notifications (e.g., agent escalations, billing alerts)
- To improve the Platform's performance and features
4. Legal Basis for Processing
We process your data under the following legal bases:
- Contract: Processing necessary to provide the services you have signed up for
- Legitimate interest: Platform security, fraud prevention, and service improvement
- Consent: Where you explicitly opt in, such as connecting third-party accounts
5. Data Sharing
We share your data only in the following circumstances:
- AI processing: Document content and conversation data are sent to Google (Gemini API) for AI reasoning and to OpenAI for text embeddings only. Google does not use Gemini API data to train their models when used via the paid API. OpenAI does not use API data to train their models.
- Third-party integrations: Data is sent to connected services (Google, Meta, LinkedIn, X) only as directed by your agent configuration
- Payment processing: Billing information is processed by Stripe. We do not store your card details.
- Legal requirements: We may disclose data if required by law or to protect our legal rights
Sub-processors: the full list of organisations Zivvo engages to process your data on our behalf:
| Sub-processor | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Application hosting + database | Germany (EU) |
| Cloudflare, Inc. | DNS, edge cache, DDoS protection | Global edge |
| Google LLC (Vertex AI / Gemini) | LLM inference (primary) | US / EU |
| OpenAI, L.L.C. | Text embeddings | US |
| Anthropic, PBC | LLM inference (legacy fallback) | US |
| Stripe, Inc. | Payment processing | US / EU |
| Brave Software, Inc. | Public-web post discovery (search index) | US |
| LinkedIn Ireland Unlimited Company | Originating source of LinkedIn member data processed under the Sign In with LinkedIn, Marketing Developer Platform, and Member Data Portability API (3rd Party) programs | Ireland (EU) |
Zivvo's Data Processing Agreement with each sub-processor binds them to UK/EU GDPR-equivalent obligations. The DPA is available on request to enterprise customers.
We do not sell your personal data to third parties.
6. Data Storage and Security
Your data is stored on servers hosted by Hetzner Online GmbH in Falkenstein, Germany (European Union). We implement appropriate technical and organisational measures to protect your data, including encryption of data in transit (TLS/SSL), hashed passwords (BCrypt), AES-256-GCM encrypted OAuth tokens, and strict access controls. However, no method of electronic storage is 100% secure.
7. International Data Transfers
Our servers are located in Germany, within the European Union. Data stored on our servers is therefore subject to EU GDPR protections by default. For users in the United Kingdom, Germany benefits from the UK's adequacy regulations for EU member states, meaning your data is protected to an equivalent standard. Where we use third-party processors (such as Google for AI processing, OpenAI for embeddings, or Stripe for payments) that may process data outside the EEA/UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs).
8. Data Retention
We retain your data per the schedule below. Upon account deletion, we will delete your personal data within 30 days, except where we are required by law to retain it.
| Category | Retention |
|---|---|
| Customer account data | Lifetime of the relationship + 7 years (HMRC requirement) |
| Customer content (KB documents, agents, configurations) | Lifetime of the relationship; deleted within 30 days of customer-initiated account closure |
| End-user content (conversation transcripts, etc.) | Per the customer's configured retention; default 18 months rolling |
| LinkedIn member profile cache (Member Data Portability) | 90 days rolling, refreshed on each authenticated access; purged within 24h of revocation |
| Audit logs (security & compliance evidence) | 7 years (regulatory + SOC 2) |
| Backup snapshots | 90 days |
9. Your Rights
Under UK GDPR and EU GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Request restriction of processing in certain circumstances
- Portability: Request your data in a portable format
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time
California Residents (CCPA/CPRA): If you are a California resident, you additionally have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale or sharing of your personal information (we do not sell your data)
- Non-discrimination for exercising your privacy rights
How to make a request:
Email [email protected] with the subject line “Data Subject Request” and identify:
- the right you are exercising,
- the email address(es) or LinkedIn member identifier the data is attached to,
- a verification method we may use to confirm your identity (we will not action requests on unverified contact details).
Response SLA: we acknowledge any request within 7 days and fulfil it within 30 days. Complex requests may extend to 60 days; we will notify you in writing if so. CCPA requests: 45 days as required by California law.
10. Cookies
We use essential cookies to maintain your login session (JWT token stored in local storage). We do not use third-party tracking cookies or advertising cookies. Analytics, if implemented in the future, will be disclosed in an updated version of this policy.
11. Children's Privacy
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Platform. Your continued use of the Platform after changes are posted constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
VaioTech Ltd (trading as Zivvo)
Privacy / Data Subject Requests: [email protected]
General enquiries: [email protected]
UK residents: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
EU residents: You may lodge a complaint with your local Data Protection Authority (DPA).