Privacy Policy

Effective date: 18 May 2026

1. Who we are and who this policy covers

This Privacy Policy describes how Saad Riaz, a sole proprietor trading as Algovon (“AgentDesk”, “we”, “our”, or “us”), collects, uses, and protects personal data when you use the AgentDesk service at agentdesk.algovon.com (the “Service”).

It covers two groups: (a) account holders — the merchants, agents, and administrators who sign up for AgentDesk, and (b) end customers— the people who message your store and whose data passes through the Service while you provide support. Where we refer to “you”, we mean an account holder unless context makes clear we mean an end customer.

We act as the data controller for account holders’ personal data, and as a data processorfor end-customer personal data that you submit to the Service. You are the data controller for your end customers’ personal data.

2. Personal data we collect

From account holders

  • Account information: full name, email address, hashed password (via Supabase Auth), profile photo if provided.
  • Workspace information: workspace name, time zone, settings.
  • Billing information: billing email and subscription status; we do not store payment card details — those are handled by Paddle.
  • Usage data: log files showing which pages and API endpoints you access, IP address, browser user-agent, and timestamps. Used to operate and secure the Service.
  • Communications: any email or message you send us at info@algovon.com.

From end customers (on your behalf)

The Service receives end-customer data that you send to it through your chat widget or store integrations:

  • Name and email address (when provided in chat or order).
  • Message content sent to your support chat.
  • Order, shipment, and refund data retrieved from your connected ecommerce platform.
  • IP address and browser metadata captured by the chat widget for security and rate-limiting.

3. How we use personal data

  • To provide, maintain, and improve the Service.
  • To authenticate users and secure accounts.
  • To process subscription payments (via Paddle).
  • To generate AI-assisted reply drafts and risk scores on the Pro plan, by sending relevant conversation context to our AI sub-processor.
  • To send transactional emails (e.g. password resets, billing receipts, security notices).
  • To investigate abuse and enforce our Terms & Conditions.
  • To comply with applicable law and respond to lawful requests.

We do not sell personal data. We do not use end-customer messages to train AI models for any party other than AgentDesk’s own service improvements.

4. Legal bases (where applicable)

If you are in a jurisdiction that requires us to identify a legal basis for processing (e.g. UK / EU GDPR), we rely on:

  • Performance of a contract: to deliver the Service to account holders.
  • Legitimate interests: to keep the Service secure, prevent abuse, and improve our product.
  • Legal obligation: to comply with tax, accounting, and other legal requirements.
  • Consent: where we ask for it, for example for non-essential cookies or product marketing emails.

5. Sub-processors

We share personal data with a limited set of vendors who process it on our behalf:

  • Supabase — authentication and account database (US/EU regions).
  • Neon — managed Postgres database hosting (US/EU regions).
  • Paddle — payment processing and merchant-of-record services (UK/US).
  • OpenAI — AI reply drafting and classification, on Pro-plan accounts only.
  • Vercel — web hosting and content delivery.
  • Email delivery provider — transactional email (e.g. password resets).

Each sub-processor is contractually bound to protect personal data and use it only to provide its service. We will update this list when the set of sub-processors changes.

6. International transfers

We are based in Pakistan. Our sub-processors may store and process personal data outside Pakistan, including in the United States and the European Union. Where required, we rely on standard contractual clauses or equivalent safeguards to ensure personal data remains protected during international transfers.

7. Data retention

  • Account data: retained while your account is active and for up to 30 days after deletion, after which we delete or anonymise it (subject to legal retention requirements such as tax records, which we keep for up to 7 years).
  • Conversation data: retained for the life of your workspace so your team can reference past tickets. You may delete individual conversations at any time from the dashboard.
  • Billing records: retained for up to 7 years to satisfy accounting and tax obligations.
  • Server logs: retained for up to 90 days for security and debugging, then deleted.

8. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your personal data, subject to legal retention requirements.
  • Restriction or objection to processing.
  • Data portability — receive your data in a portable, machine-readable format.
  • Withdraw consent at any time where we rely on consent.
  • Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email info@algovon.com. We will respond within 30 days. For end-customer data that you control, please direct your end customers to you in the first instance; we will support you in fulfilling their requests.

9. Security

We use industry-standard security measures, including encryption in transit (TLS), encryption at rest for the database, HMAC signature verification on webhooks, role-based access controls, and audit logging. No system is perfectly secure; if we become aware of a security incident that affects your personal data, we will notify you without undue delay.

10. Cookies

The Service uses a small number of essential cookies to authenticate sessions and remember preferences (such as theme). We do not use third-party advertising cookies. Where local law requires consent for non-essential cookies, we obtain it through an in-product notice before setting them.

11. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact info@algovon.com and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top and, for material changes, notify account holders by email or in-product notice before the change takes effect.

13. Contact

Privacy questions, requests, or complaints: email info@algovon.com, or write to Saad Riaz, trading as Algovon, Office L2, Software Technology Park, Muzaffarabad, Azad Kashmir, Pakistan.