Privacy Policy
1. Who We Are
Zavora 360 is a Virtual Customer Care platform operated by Royal Bengal AI, based in Bangladesh. References in this Policy to "we," "us," "our," or "Zavora 360" mean Royal Bengal AI in its capacity as operator of the platform.
For privacy questions or data-subject requests, contact us at: support@royalbengal.ai.
2. Scope of This Policy
This Policy covers the Zavora 360 platform accessible at zavora360.royalbengal.ai, including the customer dashboard, the admin panel, the Virtual Receptionist voice service, the WordPress plugin, and any related APIs and embeddable widgets.
The Policy distinguishes between two categories of people whose data we handle:
- Customers — businesses and individuals who sign up for a Zavora 360 account and configure the service.
- End Callers — visitors to a Customer's website or callers to a Customer's phone number who interact with the Customer's Virtual Receptionist.
3. What Information We Collect
3.1 Information from Customers
| Category | Examples | Purpose |
|---|---|---|
| Account data | Email address, hashed password, company name | Account creation, authentication, billing communication |
| Configuration data | Knowledge base documents you upload, agent name, language preferences, business hours | Operating the Virtual Receptionist as you configure it |
| Billing data | Stripe customer ID, subscription status, plan tier (full card data is held by Stripe, not by us) | Processing payments and managing subscriptions |
| Usage data | Login times, IP address, browser user agent, account activity audit log | Security, fraud prevention, support diagnostics |
3.2 Information from End Callers
| Category | Examples | Purpose |
|---|---|---|
| Caller identifier | Phone number (for phone calls), session token (for web calls) | Connecting the call and associating it with the correct Customer |
| Call transcript | Real-time speech-to-text transcript of what the caller and the Virtual Receptionist say | Lead extraction, call analytics, providing the transcript to our Customer who operates the Receptionist |
| Extracted lead data | Information the caller voluntarily shares during the conversation — name, email, intent | Delivering lead capture to the Customer |
| Call metadata | Duration, language used, time of call, whether transferred to a human | Billing the Customer for minutes used; operational analytics |
3.3 What We Do NOT Collect or Store
- We do not store audio recordings. Speech is converted to text in real time during the call and the audio is not archived. Only the resulting transcript is stored.
- The WordPress plugin does not send visitor data to us. Until a visitor clicks the button and opens the Virtual Receptionist popup, no information from the WordPress site reaches our servers.
- We do not use tracking cookies. Authentication uses tokens stored in your browser's localStorage; we do not set cookies for advertising or analytics tracking.
- We do not sell personal data to anyone. Ever.
4. How We Use Information
We use the information described above only for the following purposes:
- To provide the service — operating the Virtual Receptionist, processing calls, delivering transcripts and leads to Customers, providing the admin and customer dashboards.
- To bill Customers accurately — tracking minute usage, processing payments through Stripe, sending receipts.
- To communicate with Customers — sending account verification emails, password reset emails, billing notifications, and (rarely) service announcements. Marketing emails are sent only with consent and can be unsubscribed at any time.
- To improve the service — analyzing aggregate usage patterns (e.g., which features are used, error rates). We do not read individual call transcripts for product development unless a Customer explicitly grants access for a support investigation.
- To comply with legal obligations — responding to lawful requests from authorities, preventing fraud, enforcing our Terms of Service.
5. Sub-Processors and Third-Party Services
Zavora 360 relies on a small number of trusted third-party services to operate. Each is bound by its own privacy policy and applicable data-protection agreements with us.
| Sub-Processor | Purpose | Data Shared |
|---|---|---|
| Twilio | Voice telephony, phone-number provisioning, call routing | Caller phone number, call duration, call audio (in transit only) |
| Deepgram | Speech-to-text transcription | Call audio (in transit only); transcripts are returned to us |
| ElevenLabs & Google Cloud TTS | Text-to-speech for the Virtual Receptionist's voice | The text the Receptionist will speak (no caller PII unless the caller stated it) |
| Anthropic (Claude API) | Large-language-model reasoning that drives the Receptionist's responses | Conversation context — what was said in the call so far, plus the Customer's knowledge base |
| Stripe | Payment processing for top-ups and subscriptions | Customer email, billing details. Card numbers are entered directly into Stripe's hosted checkout and never touch our servers. |
| Supabase | Database hosting (Postgres) for accounts, transcripts, configuration | All Customer and call data described in Section 3, stored at rest |
| Railway | Application hosting (the server that runs the platform) | Data passes through in transit; Railway has access to server logs |
6. Where Your Data Is Stored
Zavora 360 is operated from Bangladesh, but the sub-processors listed above operate globally. Practically, this means data may be processed and stored in the United States, the European Union, and other regions depending on which sub-processor handles which step. If you are located in the EU, EEA, UK, or another region with strict data-transfer rules, your data will be subject to cross-border transfers. We rely on each sub-processor's own legal mechanisms (such as Standard Contractual Clauses) for these transfers.
7. How Long We Keep Information
| Data Type | Retention |
|---|---|
| Customer account data | For as long as the account is active. Deleted within 30 days of account deletion. |
| Call transcripts and lead data | For as long as the Customer's account is active. Deleted with the account. |
| Billing records | Retained as required by applicable tax and accounting law (typically 5–7 years), then deleted. |
| Audit log entries | Retained for security investigation purposes for up to 24 months after the event. |
| Audio of calls | Not retained at all. Audio is processed in real time and discarded. |
8. Your Rights
Depending on your location, you may have the following rights with respect to your personal data:
- Access — request a copy of the data we hold about you.
- Correction — request that inaccurate data be updated.
- Deletion — request that we delete your data. Customers can self-delete their account from the dashboard (Settings → Delete Account). Account deletion removes all associated transcripts, leads, knowledge base content, and personal data within 30 days.
- Portability — request that your data be provided to you in a machine-readable format.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
- Object or restrict processing — in certain circumstances under GDPR.
- Complaint to a supervisory authority — if you believe we have mishandled your data.
To exercise any of these rights, email support@royalbengal.ai. We respond to verified requests within 30 days.
End Callers who interacted with a Customer's Virtual Receptionist and want their data removed should contact the Customer directly, as the Customer controls how long they retain call transcripts associated with their account. If you do not know how to reach the Customer, contact us and we will assist.
9. Security
We take reasonable technical and organizational measures to protect personal data, including:
- HTTPS encryption for all data in transit between your browser and our servers.
- Passwords stored using one-way cryptographic hashing (bcrypt) — we never store passwords in readable form.
- API keys stored as one-way hashes, not in recoverable form.
- Email verification required before account access.
- Optional two-factor authentication available to all Customers.
- Account activity audit logging for security review.
- Limited internal access — only personnel who need access for support or operations have it, and access is logged.
No system is perfectly secure. If we become aware of a data breach affecting your personal data, we will notify you and any relevant authorities as required by applicable law.
10. Children
Zavora 360 is a business-to-business service and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Cookies and Local Storage
Zavora 360 does not use tracking cookies. We do use your browser's localStorage to keep you signed in (an authentication token) and to remember your interface language preference. This is strictly necessary for the service to function and is not used for tracking, advertising, or analytics.
12. Changes to This Policy
We may update this Policy from time to time to reflect changes in the service, sub-processors, or applicable law. When we make material changes, we will update the "Last Updated" date at the top and, for significant changes affecting Customers, notify you by email. Continued use of the service after an update constitutes acceptance of the revised Policy.
13. Contact
For privacy questions, data-subject requests, or any concerns about how we handle your data:
Royal Bengal AI
Bangladesh
Email: support@royalbengal.ai