Privacy Policy
Effective Date: March 25, 2026 | Version 1.0
Plain-Language Summary
1. When you create a Convertus account, you provide personal information (such as your email). We store it securely and use it to provide you with the Service.
2. When you install our Service on your website, we collect visitor data (such as randomly generated identifiers and browsing behaviour) to deliver personalised content.
3. The Service is designed not to require direct personal identifiers. However, certain data processed through the Service may still qualify as personal data under applicable law. You are responsible for ensuring no personal data is sent through the Service without appropriate safeguards.
4. Your data is hosted within the European Union.
5. This policy explains what data we collect, how we use it, and your rights.
1. Introduction
Convertus ("Convertus", "we", "us", or "our") is committed to protecting the privacy of individuals who visit the Convertus website at convertus.ai (the "Website"), customers who register to use our services (the "Service"), and visitors of our customers' websites whose browsing data is processed through the Service (collectively, "you" or "your").
This Privacy Policy describes our practices regarding the collection, use, and disclosure of information through the Website and the Service. By accessing or using the Website or the Service, you acknowledge that you have read and understood this Privacy Policy.
We may update this Privacy Policy from time to time. The "Effective Date" at the top indicates when the policy was last revised. Your continued use of the Website or the Service after any changes constitutes your acceptance of the updated policy.
2. Definitions
- "Customer" means a business, company, or professional entity that registers for an account with Convertus to use the Service.
- "Visitor" means an end-user who browses a Customer's website on which the Service has been deployed.
- "Service" means the Convertus platform, including the dashboard, APIs, JavaScript snippet, and related tools and features provided by Convertus.
- "Visitor Data" means any data collected through the Service from or about Visitors, including randomly generated identifiers, behavioural events, and URL parameters.
- "Account Data" means any information provided by or collected from the Customer in connection with the Customer's account, including contact details, billing information, and configuration settings.
- "Snippet" means the JavaScript code provided by Convertus for Customers to integrate into their websites in order to use the Service.
3. Information We Collect
3.1 Account Information (From Customers)
When you create an account or interact with Convertus, we may collect the following information:
- Name and email address
- Password (stored in hashed form only)
- Phone number (if provided)
- Company or organisation name
- Website domain(s) registered for the Service
- Billing and payment information (processed by our third-party payment processor)
- Content and preferences you configure within the Service (such as audience descriptions, personalisation instructions, and domain-wide prompts)
3.2 Visitor Data (Collected via the Service)
When a Customer installs the Snippet on their website, the following data is collected from Visitors:
- Visitor Identifier — A randomly generated unique identifier (UUID) assigned to each Visitor via a first-party cookie. This identifier does not contain a name, email, or other direct personal identifier.
- Session Identifier — A randomly generated unique identifier for the current browsing session.
- URL Parameters — Traffic-source parameters (such as UTM parameters) present in the page URL at the time of the visit.
- Behavioural Events — Custom events that the Customer chooses to track (such as button clicks, page views, or form interactions). The Customer controls which events are sent and what data accompanies them.
- Page URL — The normalised URL of the page being visited, used for content matching purposes.
The Service is designed not to require direct personal identifiers from Visitors, such as names, email addresses, phone numbers, IP addresses, precise geolocation data, or identity documents. The Service relies on randomly generated identifiers and behavioural data. However, certain data processed through the Service (including online identifiers) may still qualify as personal data under applicable data protection law. Because Customers control which events and data are transmitted through the Service, it is the Customer's sole responsibility to determine the legal classification of such data and to ensure that no data is sent without appropriate legal basis and safeguards.
3.3 Automatically Collected Information
When you visit our Website, we may automatically collect standard web log information, including your browser type, operating system, referring URL, pages viewed, and access times. This information is collected through cookies and similar technologies as described in Section 4.
4. Cookies and Similar Technologies
We use cookies and similar technologies in the following ways:
4.1 Cookies Set by the Service (on Customer Websites)
When a Customer deploys the Snippet on their website, the following first-party cookies are set on the Visitor's browser:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| pz_visitor_id | Assigns a persistent randomly generated identifier to the Visitor to enable personalised content delivery across sessions. | 400 days | First-party, Secure, SameSite=Lax |
| pz_session_id | Tracks the current browsing session for short-term content matching. | 30 minutes (rolling) | First-party, Secure, SameSite=Lax |
These are first-party cookies set on the Customer's domain. They do not enable cross-site tracking, do not contain direct personal identifiers such as names or email addresses, and are configured with the Secure and SameSite=Lax attributes to prevent misuse.
4.2 Cookies on the Convertus Website
We may use essential cookies on our own Website for functionality (such as authentication and session management) and analytics purposes (to understand how visitors interact with our Website). You may control cookie preferences through your browser settings.
5. How We Use Your Information
We use the information we collect for the following purposes:
- To provide the Service — Delivering personalised content to Visitors based on segments configured by Customers, processing events, and generating AI-powered content variants.
- To operate and improve the Service — Maintaining infrastructure, monitoring performance, analysing aggregate usage patterns, and developing new features.
- To manage accounts — Registering and authenticating Customers, processing payments, and communicating about account-related matters (such as service updates, security alerts, and technical notices).
- To communicate — Responding to inquiries, providing support, and sending service-related communications. We may also send promotional communications where permitted, from which you can opt out at any time.
- To ensure security and compliance — Detecting and preventing fraud, abuse, or other harmful activities, and complying with applicable laws and legal obligations.
- To generate aggregate insights — Creating anonymised, aggregated data to understand usage trends. Such data cannot identify any individual and may be used for any lawful purpose.
- To train and improve AI models — Using aggregated, de-identified data derived from Customer content and usage patterns to train, improve, and enhance Convertus's machine learning models, algorithms, and the Service generally, including through the use of third-party AI providers. This data does not contain direct personal identifiers and is used solely to improve the quality and effectiveness of the Service.
6. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area ("EEA") or the United Kingdom, our legal basis for collecting and processing personal information depends on the context:
| Processing Purpose | Legal Basis |
|---|---|
| Providing the Service and managing your account | Performance of a contract (Art. 6(1)(b) GDPR) |
| Processing Visitor Data on behalf of a Customer | Performance of a contract with the Customer (our role as data processor) |
| Improving the Service, analytics, and security | Legitimate interests (Art. 6(1)(f) GDPR) |
| Marketing communications | Consent (Art. 6(1)(a) GDPR) or legitimate interests where applicable |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
7. Data Sharing and Sub-Processors
We do not sell your personal information. We may share information with the following categories of recipients, solely as necessary to provide and operate the Service:
- Cloud Infrastructure Providers — We use third-party cloud services to host our infrastructure within the European Union, including compute, database, caching, and content delivery services.
- AI Service Providers — We use third-party AI models to generate personalised content variants. Only the Customer's website content and audience descriptions are sent to these providers. No Visitor Data or visitor identifiers are shared with AI providers.
- Payment Processors — Payment information is collected and processed directly by our third-party payment processor. We do not store your full payment card details.
- Professional Advisors — We may share information with lawyers, auditors, or insurers where necessary in the course of the professional services they provide to us.
- Law Enforcement and Government Authorities — We may disclose information where required by applicable law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business Transfers — In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change.
8. International Data Transfers
Our primary infrastructure, including databases and caching services, is hosted within the European Union (Frankfurt, Germany). Your data is stored and processed within the EU.
Certain sub-processors may process data outside of the EU/EEA. Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with applicable data protection laws, including the use of European Commission-approved Standard Contractual Clauses (SCCs) or transfers to countries with an adequacy decision.
9. Data Retention
We retain personal information for as long as necessary to fulfil the purposes described in this Privacy Policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.
- Account Data — Retained for the duration of the Customer's account and for a reasonable period thereafter as permitted by applicable law.
- Visitor Data — Visitor identifiers and segment membership data are retained for as long as the Customer's account is active. Upon account deletion or termination, all associated Visitor Data will be permanently deleted within a reasonable period, unless applicable law requires retention.
- Cookies — The Visitor ID cookie expires after 400 days. The Session ID cookie expires after 30 minutes of inactivity. Visitors can clear these cookies at any time through their browser settings.
When data is no longer required, it is securely deleted or anonymised.
10. Customer Responsibilities Regarding Visitor Data
This section is addressed to our Customers who deploy the Service on their websites:
- Data Controller Role — With respect to Visitor Data collected through the Service, the Customer is the data controller and Convertus acts as a data processor. The Customer determines the purposes and means of processing Visitor Data.
- Legal Compliance — The Customer is solely responsible for ensuring that their use of the Service complies with all applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the Turkish Law on the Protection of Personal Data (KVKK), and any other applicable privacy legislation.
- Visitor Consent and Transparency — The Customer must provide adequate notice to their Visitors about the nature of the Service, the data being collected, and the use of cookies. Where required by applicable law, the Customer must obtain all necessary consents and permissions from Visitors prior to deploying the Snippet on their website.
- Data Sent Through the Service — The Customer is solely responsible for the data they choose to collect and transmit through the Service, including any custom events and their associated parameters. The Customer must ensure that no personally identifiable information of Visitors is sent to Convertus without appropriate legal basis and safeguards. The accuracy, legality, and appropriateness of all data transmitted through the Service is the Customer's exclusive responsibility.
- Privacy Policy Update — The Customer must update their own privacy policy to disclose the use of Convertus and the associated data collection practices to their Visitors.
- Recourse — If Convertus becomes subject to any claim, proceeding, or regulatory action arising from or related to the Customer's collection, use, or processing of Visitor Data, or the Customer's failure to comply with applicable data protection laws, the Customer shall be fully responsible and shall indemnify Convertus. Convertus reserves the right to seek recourse against the Customer for any such claims, including all associated costs, damages, and legal fees.
11. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal information:
| Right | Description |
|---|---|
| Access | Request a copy of the personal information we hold about you. |
| Rectification | Request correction of inaccurate or incomplete personal information. |
| Erasure | Request deletion of your personal information where it is no longer necessary for the purposes for which it was collected. |
| Restriction | Request that we limit the processing of your personal information in certain circumstances. |
| Data Portability | Request your personal information in a structured, commonly used, and machine-readable format. |
| Objection | Object to the processing of your personal information based on legitimate interests. |
| Withdraw Consent | Where processing is based on consent, withdraw your consent at any time. This does not affect the lawfulness of processing before withdrawal. |
To exercise any of these rights, please contact us at hello@convertus.ai. We will respond within the time period required by applicable law.
For Visitors of Customer Websites: If you are a Visitor of a website that uses the Convertus Service and wish to exercise your data protection rights, please contact the website owner (our Customer) directly, as they are the data controller. You may also clear the cookies set by the Service at any time through your browser settings to remove your visitor identifier.
If you are dissatisfied with our handling of your request, you have the right to lodge a complaint with your local data protection supervisory authority.
12. Data Security
We implement commercially reasonable technical and organisational measures designed to protect the information we process. These measures include encryption in transit and at rest, access controls, and regular security reviews. However, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.
13. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you become aware that a child under 16 has provided us with personal information, please contact us at hello@convertus.ai, and we will take steps to delete such information.
14. Changes to This Privacy Policy
We may modify this Privacy Policy at any time. If we make changes, we will update the "Effective Date" at the top of this page. For material changes, we may provide additional notice (such as via email to the address associated with your account). Your continued use of the Website or Service after any changes constitutes your acceptance of the updated Privacy Policy.
15. Data Processing Addendum
This section sets out the data processing terms that apply when Convertus processes Visitor Data on behalf of a Customer as a data processor.
15.1 Scope and Roles
With respect to Visitor Data, the Customer is the data controller and Convertus is the data processor. Convertus processes Visitor Data solely on behalf of, and in accordance with the documented instructions of, the Customer. The subject matter and duration of processing, the nature and purpose of processing, the types of data processed, and the categories of data subjects are as described in this Privacy Policy and the applicable agreement between the Customer and Convertus.
15.2 Processing Instructions
Convertus will process Visitor Data only in accordance with the Customer's instructions as documented in the applicable agreement and through the Customer's use and configuration of the Service. Convertus will inform the Customer if, in Convertus's opinion, an instruction infringes applicable data protection law.
15.3 Sub-Processors
The Customer provides general authorisation for Convertus to engage sub-processors to assist in providing the Service. Convertus will maintain a list of sub-processors and will inform Customers of any intended changes, giving them the opportunity to object on reasonable data protection grounds. If the Customer objects to a new sub-processor and Convertus is unable to reasonably accommodate the objection, the Customer's sole and exclusive remedy shall be to terminate the Agreement. No refunds shall be issued for the remaining billing period. Convertus will ensure that sub-processors are bound by data protection obligations no less protective than those in this Addendum.
15.4 Security Measures
Convertus will implement and maintain appropriate technical and organisational measures to protect Visitor Data against unauthorised or unlawful processing, and against accidental loss, destruction, or damage. These measures include encryption in transit and at rest, access controls, and infrastructure monitoring.
15.5 Data Subject Requests
Convertus will assist the Customer in responding to data subject requests under applicable data protection law, to the extent Convertus is able to do so, taking into account the nature of the processing.
15.6 Data Breach Notification
Convertus will notify the Customer without undue delay after becoming aware of a personal data breach affecting Visitor Data, and will provide information necessary for the Customer to fulfil any breach notification obligations.
15.7 Return and Deletion of Data
Upon termination of the Service or upon the Customer's written request, Convertus will delete or return all Visitor Data in its possession, unless applicable law requires retention. Deletion will occur within a reasonable period following termination.
15.8 Audit
Convertus will make available to the Customer, upon reasonable request, information necessary to demonstrate compliance with this Addendum. This may include providing summaries of relevant compliance documentation or third-party audit reports, where available.
15.9 Personnel Confidentiality
Convertus shall ensure that any persons authorised to process Visitor Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
15.10 Data Protection Impact Assessments
Taking into account the nature of processing and the information available to Convertus, Convertus shall assist the Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under applicable data protection law.
16. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:
Convertus
A product of Alpin Ltd.
Email: hello@convertus.ai
Istanbul, Türkiye