Privacy Policy

Last updated June 2026

Recovea, Inc. (“Recovea”, “we”) operates recovea.ai, the Recovea gateway, and the managed service. This policy explains what personal data we collect, how we use it, and the rights you have.

Two roles: read this first

For data about website visitors, prospects, and account users (names, work emails, account activity), Recovea is the controller, and this policy applies. For personal data contained in customer traffic routed through the gateway (prompts, completions, and related metadata), Recovea is a processor acting on the customer’s documented instructions. That processing is governed by our Data Processing Addendum, not this policy. If your personal data reached us inside a customer’s traffic, the customer is the controller; contact them first and we will assist them in responding.

What we collect

  • Information you provide when you request a savings scan, book a call, create an account, or contact us: name, work email, company, role, estimated spend, and any log samples or notes you choose to share.
  • Account & billing data, for customers: account identifiers, seat and role assignments, billing contact details, and invoicing history. Card details go directly to our payment processor; we never store full card numbers.
  • Service metadata: per-request metadata needed to run the gateway and ledger (model, token counts, costs, latency, levers applied). We do not log prompt or completion bodies by default; body logging exists only as an explicit per-tenant opt-in and is then governed by the DPA.
  • Site analytics: we use Google Analytics 4 (provided by Google LLC, United States) to understand aggregate traffic — page views, referrers, approximate region, and device and browser type — so we can improve the site. Google acts as our service provider under Google’s data-processing terms and is contractually prohibited from using this data for its own purposes. It runs in measurement-only mode: Google Signals, advertising features, and ad personalization are turned off, so the data is never used to build advertising profiles or to “sell” or “share” personal information as those terms are defined under the CCPA. Google does not store your IP address — GA4 uses it only transiently to derive approximate region, then discards it. Google Analytics sets a first-party cookie holding a pseudonymous identifier, sent to Google with each measurement event, to recognize returning visits. We honor your browser’s Global Privacy Control and Do-Not-Track signals: when either is set, analytics is not loaded and the page sends no request to Google at all. You can also opt out with Google’s opt-out browser add-on. Fonts and all other assets are served from our own domain, so apart from this analytics call your visit sends no requests to third parties.

How we use it, and our legal bases

  • To deliver the scan, the teardown, and the Service, and to bill for it (performance of a contract).
  • To communicate with you about your request, engagement, or account (performance of a contract; legitimate interests).
  • To operate, secure, debug, and improve the Service, and to prevent abuse (legitimate interests).
  • To comply with law (legal obligation).
  • To send product updates you’ve signed up for. Every email has an unsubscribe link (consent).

What we never do

We never train any model on your data. We never sell personal data, and we do not “sell” or “share” personal information as those terms are defined under the California Consumer Privacy Act. We don’t run advertising trackers. Customer prompts and completions are processed only to serve that customer’s own traffic.

Sharing

We share personal data only: (a) with the vendors listed on our subprocessors page, under contract and only as needed to run the Service; (b) where required by law or valid legal process, in which case we will notify you unless legally prohibited; and (c) in connection with a merger, acquisition, or sale of assets, in which case this policy’s protections continue to apply and we will notify you of any change in controller.

International transfers

Production data is hosted in AWS us-east-1 (N. Virginia, United States). Recovea, Inc. is a US (Delaware) corporation, and for US customers no cross-border transfer of personal data occurs. Where a customer is located in the EEA, UK, or Switzerland and personal data is transferred to the United States, we rely on Standard Contractual Clauses (and the UK Addendum) with the receiving entity. Region pinning beyond the current single us-east-1 deployment is planned; see the DPA.

Retention

Prospect data (scan requests, contact inquiries) is kept while the conversation is live and deleted on request. Account data is kept for the life of the account plus statutory bookkeeping periods. Service metadata is retained per your plan or contract. We delete personal data when it is no longer needed, and on verified request where the law requires it.

Your rights

Depending on your jurisdiction (GDPR, UK GDPR, CCPA, and similar laws), you may have rights to access, correct, delete, export, or restrict processing of your personal data, to object to processing based on legitimate interests, and to withdraw consent. Exercise them by emailing privacy@recovea.ai. We respond within the legally required period and never discriminate against you for exercising your rights. You may also lodge a complaint with your supervisory authority.

Security

Encryption in transit; provider keys encrypted at rest (AES-256-GCM); scoped least-privilege access; per-tenant isolation; audit-logged key actions and a hash-chained, append-only ledger history. KMS envelope encryption with per-tenant contexts is planned. Details are on our security & trust page. No system is perfectly secure; if a breach affects your personal data we will notify you as required by law.

Children

The Service is for businesses and is not directed at anyone under 16; we do not knowingly collect children’s data.

Changes & contact

We’ll post material changes here with an updated date, and notify customers of significant changes. Controller: Recovea, Inc. Questions or requests: privacy@recovea.ai.