Data processing
This page is maintained by the workspace owner as a starting template. It describes the app-visible controls Thrivio provides today; it is not a certification, DPA, or legal advice. Owners should review the copy below with counsel before publishing it as a customer-facing commitment.
What we process
Thrivio receives inbound enquiry payloads through the workspace's configured webhook endpoints. Payloads may contain: name, email address, phone number, company, message or call transcript, page URL, referrer, and UTM parameters. AI analysis outputs (summary, intent, temperature, score, tags) are derived from that payload.
How we secure it
- All traffic is served over HTTPS.
- Webhook endpoints support HMAC-SHA256 signing (enabled by default) with optional timestamp-based replay protection.
- Signing secrets are encrypted at rest with AES-GCM and shown to the workspace only once at creation or rotation.
- Row-level security scopes every read to the workspace that owns the lead.
- Per-endpoint rate limits (60 req/min, 5000 req/day) and a 1 MiB body cap apply to inbound traffic.
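The signing and replay checks in the list above, shown end to end as an added example written for this page (it is not Thrivio's code and does not describe its wire format). The header names, the `<timestamp>.<body>` signing input, the `sha256=` prefix, the five-minute window and the sample payload are all assumptions made for the illustration; only the algorithm (HMAC-SHA256) and the 1 MiB body cap come from the page.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

# Assumed header names and signing layout for this example; a real sender and
# receiver must agree on these, and Thrivio's actual names may differ.
SIGNATURE_HEADER = "X-Thrivio-Signature"
TIMESTAMP_HEADER = "X-Thrivio-Timestamp"
MAX_SKEW_SECONDS = 300       # assumed replay window: +/- 5 minutes of receiver clock
MAX_BODY_BYTES = 1 << 20     # 1 MiB body cap stated on the page


def sign(secret: bytes, body: bytes, timestamp: int) -> Dict[str, str]:
    """Sender side: MAC over "<timestamp>.<body>" so the timestamp cannot be
    stripped or altered without invalidating the signature."""
    msg = str(timestamp).encode() + b"." + body
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {TIMESTAMP_HEADER: str(timestamp), SIGNATURE_HEADER: "sha256=" + digest}


def verify(secret: bytes, body: bytes, headers: Dict[str, str],
           now: Optional[int] = None,
           seen: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Receiver side. Checks, in order: body cap, header presence, timestamp
    window, constant-time MAC comparison, then (optionally) a seen-signature set
    that rejects exact replays inside the window. Returns (accepted, reason)."""
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds 1 MiB cap"
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig_raw = headers.get(SIGNATURE_HEADER, "")
    if ts_raw is None or not sig_raw.startswith("sha256="):
        return False, "missing signature or timestamp"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest()
    presented = sig_raw[len("sha256="):]
    # compare_digest's running time does not depend on the first differing byte,
    # which closes the timing side channel an ordinary == comparison would open.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    # Only signatures that passed the MAC check are recorded, so an attacker
    # cannot fill the set with junk. Entries can be expired after MAX_SKEW_SECONDS.
    if seen is not None:
        if presented in seen:
            return False, "replayed signature"
        seen.add(presented)
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed sample: sign one enquiry payload, then run the receiver over
    good and bad variants. The secret, payload and clock values are made up."""
    secret = b"example-signing-secret"
    body = json.dumps({"name": "A. Example", "email": "a@example.com",
                       "message": "Pricing question", "utm_source": "newsletter"}).encode()
    now = 1_700_000_000
    headers = sign(secret, body, now)
    seen: Set[str] = set()
    return {
        "valid":    verify(secret, body, headers, now=now + 5, seen=seen),
        "replayed": verify(secret, body, headers, now=now + 6, seen=seen),
        "tampered": verify(secret, body.replace(b"a@example.com", b"x@example.com"),
                           headers, now=now + 5),
        "stale":    verify(secret, body, headers, now=now + 601),
        "unsigned": verify(secret, body, {}, now=now),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

Two points the list does not spell out: a timestamp check on its own only bounds how long a captured request stays replayable, which is why the example also keeps a short-lived set of accepted signatures; and the MAC must be checked before anything is done with the body, including JSON parsing, so that unsigned input never reaches the parser.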
Retention
The default lead retention window is 365 days. Workspace owners can set it between 30 and 3650 days in Settings → Lead Insights → Data requests. A nightly job deletes leads older than the configured window.
Sub-processors
Inbound payloads are sent to the Lovable AI Gateway (Google Gemini) for analysis; prompts and responses are not used to train the underlying model. For the full list of providers, regions, and data categories see our Sub-processors page. The workspace owner is responsible for disclosing sub-processors to end users in their own privacy notice — a starting template is available on our Privacy policy page.
Data-subject rights
A workspace member can export or erase leads matching a specific email or phone number from Settings → Lead Insights → Data requests. Every export and erase action is logged with the actor's user ID, timestamp, and row count.
Security contact
Report a vulnerability at security@thrivio.example or read our security.txt.
What this page is not
This page is not a DPA, a GDPR compliance statement, a SOC 2, ISO or HIPAA certification, or a breach-notification commitment. Those artefacts are the workspace owner's responsibility; ask your legal team to author them.