Privacy Policy
Last updated: March 18, 2026
This Privacy Policy explains how Optimal Digital LLC ("Company," "we," "us") collects, uses, shares, and protects information through the Webevo platform ("Service"). We are committed to protecting the privacy of our users, their clients, and the end consumers whose data flows through our platform.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, organization name, role, and profile data provided during registration via Clerk (our identity provider)
- Client/Business Data: Business name, address, phone number, industry, and operational details for managed locations
- Content: Blog posts, social media content, email campaigns, ad creatives, review responses, and other content created or uploaded through the Service
- Communications: Messages sent via email, SMS, and voice through the platform; support tickets and feedback
- Payment Information: Billing details processed securely through Stripe — we do not store credit card numbers
1.2 Information from Integrations
When you connect third-party accounts, we receive data from these services:
- Google Services: Analytics data (GA4), advertising metrics (Google Ads), business reviews (Google Business Profile), search performance (Search Console), and calendar events
- Meta Platforms: Page insights, advertising metrics, audience data from connected Facebook and Instagram accounts
- TikTok: Account profile data, video performance metrics, and audience insights from TikTok for Business
- LinkedIn: Company page data, post engagement, and advertising metrics
- Twilio: Call logs, SMS message logs, voicemail transcriptions, and call recordings
1.3 Automatically Collected Information
- Usage Data: Feature usage, API calls, login frequency, content approval times, and platform interaction patterns
- Device & Browser Data: IP address, browser type, operating system, and device identifiers
- Website Visitor Data: Through our tracking pixel (when installed on client websites) — page views, session duration, referral source, UTM parameters, and conversion events
- Email Engagement: Open rates, click-through rates, bounce notifications, and spam complaints via webhook from our email delivery provider
2. How We Use Your Information
- Service Delivery: Provide, maintain, and improve platform features including analytics, content management, and advertising
- AI Processing: Generate content recommendations, lead scores, churn predictions, campaign optimizations, and business intelligence insights using AI models
- Communications: Send automated emails, SMS, and voice communications on your behalf to your clients' customers
- Email Deliverability: Monitor domain health (SPF, DKIM, DMARC), manage email warmup schedules, and track sender reputation
- Billing & Account Management: Process payments, manage subscriptions, and send account-related notifications
- Platform Monitoring: Track platform usage, resource consumption, and system health for operational purposes
- Security: Detect and prevent fraud, abuse, and unauthorized access
- Legal Compliance: Comply with legal obligations, respond to lawful requests, and enforce our terms
3. AI & Automated Processing
The Service uses artificial intelligence extensively. Key disclosures:
- AI Model Providers: We route AI requests through third-party providers including OpenRouter, which may use models from OpenAI, Anthropic, Google, Meta, and others. Your data is processed according to each provider's data handling policies.
- No Training on Your Data: We do not use your business data, content, or customer information to train AI models. Your data is used solely for inference (generating responses and recommendations).
- Automated Decisions: Lead scoring, churn predictions, and content recommendations are generated algorithmically. These outputs are advisory — they inform but do not replace human decisions. No automated decision has legal or similarly significant effects on individuals without human review.
- Voice AI Disclosure: When AI handles voice calls, callers are informed they are interacting with an AI assistant. Call transcriptions are stored securely and associated with the client account.
- Cost Tracking: We internally track AI token usage, API call costs, and compute resources per organization for operational monitoring. This data is used for platform health and is not shared with agencies or clients.
4. How We Share Information
We do not sell your personal information. We share data only in these circumstances:
- With Your Agency: If you are a client managed by an agency, your agency has access to your account data as part of the managed service relationship
- Service Providers (Sub-Processors): We share data with service providers necessary to operate the platform (see Section 5)
- At Your Direction: When you connect third-party integrations, publish content, or send communications through the platform
- Legal Requirements: When required by law, court order, or governmental authority
- Business Transfers: In connection with a merger, acquisition, or sale of company assets, with appropriate confidentiality protections
5. Sub-Processors & Third-Party Services
The following third-party services process data on our behalf:
| Service | Purpose | Data Processed |
|---|
| Clerk | Authentication & identity | User profiles, session data |
| Neon (PostgreSQL) | Primary database | All platform data |
| Vercel | Application hosting | Application code, environment variables |
| OpenRouter | AI model routing | Prompts, content for AI processing |
| Stripe | Payment processing | Billing details, transaction history |
| Resend | Email delivery | Email addresses, message content |
| Twilio | Voice & SMS | Phone numbers, call/message content |
| Cloudflare | DNS, CDN, domain management | Domain records, traffic data |
| Upstash (Redis) | Caching & rate limiting | Session keys, rate limit counters |
| Pusher | Real-time notifications | Event payloads, channel subscriptions |
| Sentry | Error monitoring | Error logs, stack traces |
| Inngest | Workflow orchestration | Event payloads, workflow state |
| Firecrawl | Web scraping & data extraction | URLs, extracted web content |
| GCP Cloud Run | Media rendering | Video/image assets |
| Liveblocks | Collaborative editing | Document content, cursor positions |
| Telegram Bot API | Operational alerts | System notifications (no customer PII) |
6. Tracking Pixel & Website Analytics
The Webevo Pixel, when installed on client websites, collects visitor behavior data including page views, session duration, referral source, and conversion events. This data is used solely to provide analytics and attribution insights to the website owner (our client). Visitors may opt out of tracking through standard browser privacy mechanisms (Do Not Track headers, cookie blocking). The pixel does not collect personally identifiable information unless the visitor voluntarily submits a form.
7. Data Security
- All data in transit is encrypted via TLS 1.2+
- Database encryption at rest provided by our database provider (Neon)
- Role-based access control with organization-level data isolation
- API keys and secrets stored as encrypted environment variables
- Webhook signature verification for all incoming webhooks
- Rate limiting on all public endpoints
- Regular automated security monitoring and alerting
8. Data Retention
- Account Data: Retained while your account is active, plus 30 days for data export after termination
- Analytics Data: Retained for 24 months, then aggregated and anonymized
- Communication Logs: SMS and voice call logs retained for 12 months
- AI Processing Logs: Cost and usage logs retained for 12 months for billing reconciliation
- Activity Logs: System audit logs retained for 24 months
- Content: Retained indefinitely while account is active; deleted 30 days after account termination
9. Your Privacy Rights
All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data, subject to legal retention requirements
- Data Portability: Receive your data in a structured, commonly used format
- Opt-Out: Unsubscribe from marketing communications at any time
California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information
- Opt out of the "sale" or "sharing" of personal information — we do not sell personal information
- Not be discriminated against for exercising your privacy rights
- Limit the use of sensitive personal information
EU/EEA Residents (GDPR)
If you are in the European Economic Area, you have additional rights including:
- Right to restrict processing of your personal data
- Right to object to processing based on legitimate interests
- Right not to be subject to automated decision-making with legal effects
- Right to lodge a complaint with your local data protection authority
- Our legal bases for processing include: contract performance, legitimate interests, and consent
10. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.
11. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses and data processing agreements with our sub-processors.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-platform notification at least 14 days before taking effect. The "Last updated" date at the top reflects the most recent revision.
13. Contact Us
For privacy inquiries, data requests, or to exercise your rights, contact us at:
privacy@webevo.ai
Optimal Digital LLC
Salt Lake City, Utah
Data Protection inquiries are typically responded to within 30 days.