Privacy Policy

Celvo ("we," "us," "our") is an AI-powered subscription recovery platform operated by Mustafa as a sole proprietor based in Australia. We help SaaS businesses recover failed payments through automated dunning emails, intelligent reply classification, and payment retry logic.

This Privacy Policy explains how we collect, use, and protect personal data when you use our service at getcelvo.com, and when your customers interact with recovery communications sent through Celvo.

Celvo acts as a data processor when handling your customers' data on your behalf, and as a data controller for data about merchants (our direct customers). See our Data Processing Agreement for details.

When you create a Celvo account and connect your Stripe account, we collect and store:

• Account information: name, email address, and authentication credentials (via Firebase Authentication)
• Stripe connection: OAuth access tokens and connected account identifiers (we never store your Stripe API keys)
• Billing information: Stripe customer ID for Celvo subscription billing (card details are stored by Stripe, not by us)
• Usage data: recovery case activity, email send/open events, feature usage, and dashboard interactions
• Branding settings: company name, sender name, and brand preferences used to customize recovery emails

We use this data to provide and improve the Celvo service, send you account-related communications, and bill for recovery fees.

When processing recovery cases for your customers, we access and process the following data via Stripe Connect on your behalf:

• Customer identity: name and email address
• Payment details: last 4 digits of the payment method, card expiry date, payment failure reason, and decline codes (we never access or store full card numbers)
• Subscription details: plan name, subscription status, and invoice amounts
• Email reply content: when a customer replies to a recovery email, the reply text is processed to classify intent and route appropriate actions
• Card update activity: page view timestamps, device type, and update results on the branded card update page

This data is processed solely to perform the recovery service you have engaged us for. We do not use your customers' data for any other purpose, and we do not sell or share it with third parties for marketing.

Celvo uses artificial intelligence (OpenAI GPT-4o-mini) to classify customer email replies into intent categories such as: payment updated, forwarding to accounts payable, out of office, cancellation request, promise to pay, question, dispute, or other.

This classification is used to:

• Automatically route replies to the appropriate action (e.g., forwarding a payment link to an AP department)
• Pause recovery sequences when customers are out of office
• Escalate cancellation or dispute intents for human review

Important:

• Reply content is sent to OpenAI's API for classification only. OpenAI does not use API data for model training.
• No automated decisions are made about charging customers. Card updates and payment retries always require customer action (entering new card details or completing bank verification).
• AI classification results include a confidence score, and low-confidence classifications are escalated for human review.

If SMS recovery is enabled by your service provider, we collect and process your phone number solely to send transactional payment failure notifications and payment method update reminders. SMS message frequency is limited to a maximum of 2 messages per payment failure event.

We do not share, sell, or distribute phone numbers to third parties for marketing or any non-operational purpose. Phone numbers are stored securely and used exclusively for payment recovery communications.

You may opt out of SMS messages at any time by replying STOP to any message. To resume, reply START. For help, reply HELP. Message and data rates may apply.

We use the following third-party services to operate Celvo:

Each processor is bound by their own data processing terms and we have reviewed their security practices. See our DPA for the full sub-processor list.

Celvo uses minimal cookies:

• Authentication session cookie: required for logging into the Celvo dashboard. This is a strictly necessary cookie.
• No tracking cookies: we do not use third-party analytics, advertising, or tracking cookies.
• No ad cookies: we do not serve ads or share data with ad networks.

The branded card update page shown to end customers does not set any cookies.

• All data is encrypted in transit using TLS 1.2+
• Firestore data is encrypted at rest by Google Cloud
• Stripe handles all payment card data — we never see, store, or transmit full card numbers
• Stripe Connect uses OAuth tokens (not API keys) for account access, and merchants can revoke access at any time
• Firebase Authentication handles user credentials with industry-standard security
• Access to production systems is restricted to authorized personnel
• Webhook endpoints verify cryptographic signatures before processing events

• Recovery case data: retained for 90 days after case resolution (recovered, lost, or cancelled), then archived
• Merchant account data: retained while your account is active, plus 30 days after account deletion to allow for reactivation
• Email content: customer reply text is stored with the recovery case and follows the same 90-day retention period
• Webhook events: raw Stripe webhook payloads retained for 30 days for debugging purposes

If you are located in the European Economic Area, United Kingdom, or a jurisdiction with similar data protection laws, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate or incomplete data
• Erase your personal data ("right to be forgotten")
• Port your data to another service in a machine-readable format
• Restrict processing of your data in certain circumstances
• Object to processing based on legitimate interests

For merchants: contact us at privacy@getcelvo.com to exercise any of these rights.

For end customers: your data is processed by Celvo on behalf of the merchant whose service you subscribe to. Please contact the merchant directly to exercise your data rights, or contact us and we will forward your request.

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• The right to know what personal information we collect and how it is used
• The right to request deletion of your personal information
• The right to opt out of the sale of personal information — we do not sell personal information
• The right to non-discrimination for exercising your privacy rights

To submit a CCPA request, email privacy@getcelvo.com.

Celvo is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify merchants via email and update the "Last updated" date at the top of this page.

For privacy-related questions or data requests:

• Email: privacy@getcelvo.com
• General: hello@getcelvo.com

Celvo is operated by Mustafa, sole proprietor, based in Australia.