Skip to main content
Convira
How it worksPricingDownloadHelp
Sign inSign up
How it worksPricingDownloadHelp
Sign inSign up

Legal

Privacy Policy

Last updated: 14 July 2026

This policy explains what personal data Convira OÜ collects, why we collect it, who we share it with, and the choices and rights you have. It covers our website at convira.ai, the Convira desktop application, and the Convira cloud service.

On this page

  1. Who we are
  2. Scope and the short version
  3. The data we collect and why
  4. Cookies and similar technologies
  5. How we share data
  6. International data transfers
  7. How long we keep data
  8. Your rights
  9. Children
  10. How we protect data
  11. Changes to this policy
  12. How to contact us

1. Who we are

Convira is operated by Convira OÜ, a private limited company registered in Estonia (registry code 17268095), with its registered office at Järvevana tee 9, Kesklinn, 11314 Tallinn, Harju County, Estonia.

For anything relating to this policy or your personal data, contact us at support@convira.ai. We have not appointed a Data Protection Officer; privacy questions are handled by our team at that address.

For the purposes of the EU General Data Protection Regulation (GDPR), Convira OÜ is the “controller” of the personal data described here. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

2. Scope and the short version

This policy applies to the Convira website, the Convira desktop app, and the Convira cloud service. It does not apply to third-party services we merely link to, or to AI model providers' own handling of data (covered below).

The short version:

  • Local and Private Box runs stay on your hardware. When you run Convira locally or on a self-hosted Private Box, the agent runs on your machine against models you host. Prompts, responses, and the session record stay on your hardware unless you deliberately invoke a managed online tool, described below.
  • We don't store the contents of your cloud runs. To run a cloud task, your prompt and the content it needs pass through our infrastructure to the AI model provider handling the request, and the response streams back to your device, where it is stored. We keep only operational details about the run - timing, status, which model was used, and how many tokens and credits it consumed.
  • The AI model providers see your cloud prompts. Cloud runs are fulfilled by Anthropic, OpenAI, Google, or xAI. They receive the content needed to generate a response and process it under their own terms.
  • We collect the data we need to run an account. Your email, your plan and billing status (via Stripe), and the technical records needed to keep the service secure.
  • We don't sell your data, and we don't run advertising or cross-site tracking.
  • You have rights over your data - access, correction, deletion, and more - described in “Your rights” below.

The rest of this policy is the detail.

3. The data we collect and why

Below is each category of personal data we process, why we process it, and our legal basis under the GDPR.

Account data

When you create a Convira account we store your email address, an optional first and last name, a securely hashed version of your password (we never store the password itself), and a record of whether your email has been verified. If you belong to a team or organization, we store your membership and role. Legal basis: performance of our contract with you (providing the service). We do not currently offer single sign-on or social login.

Billing data

Payments are processed by Stripe. We do not see or store your card details - those go directly to Stripe. We store the identifiers and metadata needed to manage your subscription: your Stripe customer and subscription IDs, your plan, your billing currency and amount, your seat count (for teams), your billing period dates, and a ledger of credit consumption and top-ups. Legal basis: performance of our contract with you, and compliance with our legal obligations (accounting and tax law).

Authentication and security data

To keep your account secure we store hashed session tokens, hashed one-time codes for email verification and password resets, a limited audit log of administrative actions on our side, and security event records. Our error-monitoring tooling (see “How we share data”) may incidentally process technical request data; it is configured to exclude authentication credentials and other sensitive values. Legal basis: our legitimate interest in securing the service and preventing abuse, and performance of our contract with you.

Cloud runs

When you run an agent task on the cloud runtime, the prompt, files, and context the task needs are sent from your device to our cloud service and on to the AI model provider that handles the request; the response is returned to your device, which keeps the record of the run locally.

We do not store the contents of cloud runs. We retain only operational metadata about each run - such as its status, timestamps, the runtime and AI model and provider used, durations, and token and credit usage. The text you entered, the files involved, the tool inputs and outputs, and the model's responses are not stored on our systems; that record lives on your device. Legal basis: performance of our contract with you.

One limit worth being clear about: although we do not store cloud run content, it necessarily passes through our infrastructure in transit and is sent to the AI model provider handling the request. On the local runtime or a Private Box, your prompts, files, memory, and AI inference stay on hardware you control. The one exception is a billed tool you choose to run - web and X research, image and video generation, and connector actions - which need managed provider keys we hold, so that single tool call (its input, plus the run, session, and device identifiers used to route and bill it) is sent to Convira to execute and returned to your device. A tool's input can include a URL, query, document value, or reference media needed for that action, but it does not include the rest of the conversation or unrelated run content. These tools run only while you are online; offline, they are simply unavailable.

AI model providers

Cloud runs are fulfilled by third-party AI model providers - currently Anthropic, OpenAI, Google, and xAI. To generate a response, the provider receives the content of your request. Each provider processes that data under its own privacy policy and data-retention practices, which we do not control. We pass requests through to the routed provider; we do not retain the request or response content ourselves. Legal basis: performance of our contract with you.

Local and Private Box runs

When you use the local runtime or a self-hosted Private Box, the agent runs on your own machine or your own server, against AI models you host. Run content is stored on that hardware and is not transmitted to Convira as a run. Aside from authenticating your licence or account, the only run-linked data sent to Convira is the input and routing identifiers for a managed online tool you deliberately invoke.

The website

When you use convira.ai:

  • Contact and enterprise-inquiry forms. If you submit the help page contact form or the enterprise inquiry form on the pricing page, we receive the name, email address, and message you provide (plus, for enterprise inquiries, your company and optional team size). These are delivered to us by email via Resend. We briefly hold your IP address in memory to rate-limit submissions, and forms are protected by a Cloudflare Turnstile bot check. Legal basis: our legitimate interest in responding to your enquiry and preventing spam.
  • Newsletter sign-up. If you sign up for product updates in the site footer, we store your email address (and the date, IP address, and browser of the sign-up, as a record of consent) so we can send those updates. We do not send any newsletters yet. Legal basis: your consent - withdraw any time via the unsubscribe link in any message we send, or by emailing us.
  • Currency preference cookie. A functional cookie remembers whether to show prices in EUR or USD, set from the country your IP address resolves to. Legal basis: our legitimate interest in showing you relevant pricing and keeping that display consistent across visits.
  • Aggregate analytics. We use Vercel Analytics, which is cookieless. We collect page views and selected marketing interactions such as a plan, tab, or call-to-action click using static labels, the page path, and aggregate context such as referrer, country, and device type. We do not send form values, email addresses, search parameters, or auth-page activity to analytics. It does not set cookies, build a cross-site profile, or track you across sites. Legal basis: our legitimate interest in understanding how the site is used.

Support communications

If you email us or otherwise contact support, we keep that correspondence so we can help you and keep a record of the issue. Legal basis: our legitimate interest in providing support and the performance of our contract with you.

4. Cookies and similar technologies

We keep our use of cookies and device storage to a minimum. We do not use advertising cookies, cross-site tracking pixels, or third-party marketing trackers. We use the following first-party cookies and browser storage:

CookieTypePurposeLifetime
convira_currencyFunctionalRemembers whether to show prices in EUR or USD.1 year
convira_countryFunctionalApplies regional purchase availability and chooses the initial currency.1 year
convira_csrfStrictly necessaryProtects account actions against cross-site request forgery.2 hours
convira_sessionStrictly necessaryKeeps a signed-in account authenticated.Browser session, or up to 30 days when you choose Remember me
convira_login_token and verification cooldown dataSession storageCompletes two-step sign-in and prevents repeated verification sends.Until the browser tab closes
convira_pricing_stateSession storageRestores your plan, billing period, seat count, and currency after a cancelled checkout.Until the browser tab closes

Our aggregate analytics (Vercel Analytics) is cookieless and does not store anything on your device. The storage above is necessary for requested account functions or used for limited first-party preferences, and our analytics is cookieless, so we do not currently show a cookie consent banner. If we introduce technologies that require consent under EU or Estonian law, we will ask for consent before loading them.

5. How we share data

We do not sell personal data. We share it only with the service providers (“processors”) we rely on to run Convira, and only as needed. The main ones are:

ProviderWhat it does for usWhere
StripePayments, subscriptions, invoicingEU / US
ResendDelivering transactional and contact-form emailUS
CloudflareBot protection (Turnstile) on web formsGlobal
VercelHosting the website and cookieless analyticsGlobal / US
SentryError and performance monitoring (personal data scrubbed)US
Anthropic, OpenAI, Google, xAIAI model inference for cloud runsUS
SupabaseDatabase and backend hosting for the Convira APIEU

We will also disclose personal data if we are legally required to (for example, a valid court order), where necessary to protect the rights, safety, or property of Convira, our users, or others, or as part of a merger, acquisition, or sale of assets - in which case we will require the recipient to honour this policy or notify you of any change.

6. International data transfers

Convira OÜ is based in Estonia, in the EU. Some of the providers listed above are located in, or process data in, countries outside the European Economic Area, in particular the United States. Where that happens, the transfer is covered by an adequacy decision of the European Commission, by the EU Standard Contractual Clauses, or by another lawful transfer mechanism. You can ask us for more detail using the contact details below.

7. How long we keep data

  • Account data - for as long as your account exists, and for a short wind-down period after you close it.
  • Billing and accounting records - for as long as required by Estonian accounting and tax law (generally seven years).
  • Authentication tokens and session records - until they expire or are revoked, then they are removed in routine cleanup.
  • Security and administrative audit logs - for a limited period proportionate to security needs.
  • Cloud run content - not retained by us at all; the record lives on your device. Operational run metadata is retained while your account is active.
  • “Help improve Convira” data (if you ever opt in) - a limited period, currently 90 days in our active systems, with a purge-on-request path.
  • Contact-form and support correspondence - for as long as needed to handle the matter and a reasonable period afterwards.

When we no longer need personal data, we delete it or irreversibly anonymize it.

8. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you, and get a copy of it.
  • Rectify data that is inaccurate or incomplete.
  • Erase your data (the “right to be forgotten”) in the circumstances the law allows.
  • Restrict or object to certain processing, including processing based on our legitimate interests.
  • Data portability - receive data you gave us in a portable format.
  • Withdraw consent at any time, where we rely on consent (this doesn't affect processing already carried out).

To exercise any of these, email support@convira.ai. We will respond within the time limits the law sets (normally one month). Data-export and account-deletion requests are handled manually by email rather than through a self-service portal.

If you think we've mishandled your data, you can complain to the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee/en), or to the supervisory authority in your country of residence. We'd appreciate the chance to put things right first, though.

9. Children

Convira is not directed to children. The service is intended for users aged 16 or older (or older where local law requires). We do not knowingly collect personal data from children; if you believe a child has provided us with personal data, contact us and we will delete it.

10. How we protect data

We apply appropriate technical and organizational measures to protect personal data, including encryption of data in transit and at rest, secure (hashed) storage of passwords, encryption of sensitive stored credentials, and access controls that limit production data to the people who need it. As described above, the cloud runtime is also designed so that the contents of your runs are not stored on our systems. No system can be perfectly secure, but we work to keep risks low and to respond promptly if something goes wrong.

11. Changes to this policy

We may update this policy as the product and the law evolve. When we do, we will change the “last updated” date at the top, and for significant changes we will give you a more prominent notice (for example, by email or an in-product notice). Continuing to use Convira after a change takes effect means the updated policy applies to you.

12. How to contact us

Convira OÜ
Järvevana tee 9, Kesklinn, 11314 Tallinn, Harju County, Estonia
Registry code 17268095
support@convira.ai

Back to home
Convira

The agent that stays on your computer.

© 2026 Convira

Product

  • How it works
  • Pricing
  • Download
  • Help

Company

  • Security
  • Privacy
  • Terms

Stay updated

Product updates and release notes. No spam.

By subscribing you agree to our Privacy Policy.