Privacy Policy

1. About This Policy

This Privacy Policy (“Policy”) explains how Aivrio Solutions Pte. Ltd. (“Aivrio”, “we”, “us”, or “our”), a company incorporated in Singapore (UEN: 202610813K), collects, uses, discloses, and protects personal data in connection with the ArcheFlow AI platform and related services (collectively, the “Services”).

This Policy is our notification to you under the Personal Data Protection Act 2012 of Singapore (“PDPA”). By accessing or using the Services, you acknowledge that you have read and understood this Policy.

Please also read our Terms of Service, which govern your use of the Services.

The Services are provided to two categories of persons:

1. Customers — businesses or individuals who subscribe to or engage Aivrio for Services; and
2. End-Users — individuals who interact with AI-powered chatbots, scheduling tools, or automation workflows deployed by our Customers.

Where this Policy refers to “you”, it applies to both Customers and End-Users unless the context specifies otherwise.

2. Who We Are

For personal data we collect directly from Customers for account management, billing, and service delivery, Aivrio acts as a data controller.

For personal data belonging to End-Users that Customers route through our platform (e.g. chatbot conversation messages, appointment details, captured lead information), Aivrio acts as a data processor on behalf of the Customer, who remains the data controller for that End-User data. Customers are responsible for ensuring they have a lawful basis to collect and process their End-Users’ personal data and for providing appropriate privacy notices to those End-Users.

3. Information We Collect

3.1 Customer Account and Business Information

When a Customer registers for or uses the Services, we collect:

• Contact and identity information: name, email address, and account login credentials (authentication is managed by a third-party authentication provider; Aivrio does not store raw passwords).
• Business information: business name, industry, and service configuration preferences.
• Billing and payment information: subscription plan, billing cycle, and payment transaction references. Payment card details are processed exclusively by our third-party payment processor; Aivrio does not store card numbers.
• Communications: messages sent to us for support, enquiries, or feedback.
• Team member information: names and email addresses of team members added to a Customer account, subject to seat limits under the applicable plan.

3.2 End-User Conversation and Interaction Data (Processed on behalf of Customers)

When End-Users interact with chatbots, scheduling assistants, or lead capture flows deployed by our Customers, we may process on the Customer’s behalf:

• Conversation messages and chat history.
• Contact details voluntarily provided by End-Users during lead capture (name, email address, phone number, company name, and stated need).
• Appointment booking details (attendee name, email address, requested time slot).
• Channel identifiers (e.g. messaging platform user IDs) used to route and deliver responses.

This data is processed solely to provide the contracted Services to the Customer and is not used by Aivrio for its own marketing or analytics.

3.3 Usage and Technical Data

We collect data generated through use of the platform, including:

• Feature interactions and navigation events within the dashboard.
• Message volume and AI usage metrics, used for billing, rate limiting, and service improvement.
• Device and browser information, IP address, and session data.
• Error and performance logs used for debugging.

3.4 Workflow Automation Project Data

For Customers engaging Aivrio for bespoke workflow automation services, we may process documents, records, and data provided by the Customer as part of scoping, building, and testing the automation. This data is used solely for the purposes of delivering the agreed automation project and is handled under strict confidentiality obligations.

4. How We Use Your Information

We process personal data for the following purposes:

1. Account and service management — creating and managing Customer accounts, authenticating users, and provisioning subscribed services.
2. Service delivery — operating AI chatbot workflows, appointment scheduling tools, lead capture features, and automation projects on behalf of Customers.
3. Billing and payments — processing subscription fees and automation project payments.
4. Communications — sending transactional messages (account verification, subscription confirmations, service alerts) and, with consent, product updates.
5. Support and troubleshooting — responding to Customer enquiries and resolving technical issues.
6. Service improvement — analysing anonymised and aggregated usage data to improve platform features and reliability.
7. Legal and compliance — complying with applicable laws, court orders, and regulatory obligations, and enforcing our Terms of Service.

5. AI Features and Data Processing

The Services incorporate artificial intelligence to power chatbot responses, knowledge base queries, lead capture conversations, and scheduling assistance. This involves submitting Customer-configured content (such as FAQ documents, system prompts, and website content) and End-User messages to AI processing systems.

Key points regarding AI processing:

• AI-generated outputs are probabilistic and may contain errors or inaccuracies. They do not constitute professional, legal, medical, financial, or regulatory advice.
• We do not use identifiable personal data to train AI models operated by Aivrio or its third-party AI providers, beyond what is permitted under those providers’ data processing terms.
• Content submitted through the platform is processed by third-party AI infrastructure providers under contractual obligations requiring appropriate data protection standards.

Customers are responsible for ensuring that their deployment of AI-powered features complies with applicable laws, including any disclosure obligations to their End-Users regarding AI interaction.

6. How We Share Your Information

6.1 Service Providers and Sub-processors

We share personal data with third-party service providers engaged to assist in operating the Services. These providers act under contractual obligations and may only process personal data as instructed by Aivrio. Categories of providers include: cloud infrastructure and database hosting, AI processing, authentication, payment processing, transactional email delivery, and application hosting.

A list of key sub-processors is available upon written request at legal@aivrio.cloud.

6.2 Customer Access to End-User Data

End-User conversation data, lead information, and usage logs are made accessible to the relevant Customer through the ArcheFlow AI dashboard. Customers are responsible for the lawful handling of this data under their own obligations as data controllers.

6.3 Corporate Affiliates and Business Transfers

We may share personal data with our corporate affiliates. In the event of a merger, acquisition, or disposal of business assets, personal data may be transferred to the relevant entity, which will be required to honour this Policy or provide you with prior notice.

6.4 Legal Requirements and Safety

We may disclose personal data where required by law, court order, regulatory authority, or government request, or where we reasonably believe disclosure is necessary to prevent harm, fraud, or abuse, or to protect Aivrio’s legal rights.

7. Cookies and Tracking Technologies

The ArcheFlow AI marketing website and dashboard use analytics tools to measure traffic and feature usage. These tools operate on a pseudonymised or anonymised basis.

We do not use tracking cookies for cross-site advertising. If we introduce advertising-related tracking in the future, we will update this Policy accordingly and implement any required consent mechanisms.

8. Your Privacy Rights

Under the PDPA and applicable law, you have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you. We will respond within 30 days.
• Correction: request correction of inaccurate or incomplete personal data. Most account information can be updated directly within the dashboard.
• Deletion: request deletion of your account and associated personal data. We will action verified deletion requests within 30 days, subject to retention obligations described in Section 11.
• Withdrawal of Consent: withdraw consent for specific processing activities (e.g. marketing communications) at any time. Withdrawal does not affect lawfulness of prior processing.
• Portability: request a portable export of your personal data where technically feasible.

To exercise any of these rights, contact us at legal@aivrio.cloud.

End-Users wishing to exercise rights over data processed by Aivrio on behalf of a Customer should, in the first instance, contact the relevant Customer directly, as the Customer is the data controller for that data. We will assist Customers in responding to End-User requests as required.

If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission of Singapore (PDPC) at www.pdpc.gov.sg.

9. Children and Minors

The Services are not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected such data, we will promptly delete it.

For B2C deployments of Customer chatbots, Customers are responsible for ensuring their own services comply with applicable laws relating to minors, including any age-gating requirements.

10. How We Protect Your Information

We implement technical, administrative, and organisational safeguards to protect personal data, including: encryption of data in transit and at rest, access controls on a need-to-know basis, and security monitoring. Despite these measures, no method of data transmission or storage is completely secure.

In the event of a data breach that is notifiable under the PDPA, we will notify affected individuals and the Personal Data Protection Commission of Singapore within the timeframes required by law (currently three business days for significant breaches).

11. Data Retention

We retain personal data for as long as necessary to provide the Services and fulfil the purposes described in this Policy, in accordance with PDPA obligations:

• Customer account data: retained for the duration of the Customer relationship, and for five (5) years thereafter for compliance and business record-keeping purposes (aligned to ACRA and IRAS record-keeping requirements).
• End-User conversation data and lead data: retained for two (2) years from the date of collection, or until the Customer requests earlier deletion through the dashboard or by written request.
• Billing and payment records: retained for seven (7) years from the date of transaction in accordance with IRAS tax record-keeping requirements.
• Usage and error logs: retained for twelve (12) months.
• Backup copies: encrypted backup copies may persist for up to 90 days following active deletion for technical and disaster recovery reasons, after which they are permanently purged.
• De-identified or aggregated data: may be retained indefinitely as it no longer constitutes personal data.

Customers may request earlier deletion of their data by contacting legal@aivrio.cloud. Deletion requests are subject to any overriding legal or regulatory obligations.

12. International Data Transfers

To deliver the Services, personal data may be transferred to and processed in countries other than Singapore, including jurisdictions where our cloud infrastructure and AI providers operate. We ensure that such transfers are governed by contractual safeguards requiring the recipient to maintain a standard of protection comparable to the PDPA.

13. Updates to This Policy

We may update this Policy from time to time. We will notify Customers of material changes via email or dashboard notification with at least 14 days’ notice before changes take effect. The updated Policy will be posted at ArcheFlowAI.com with a revised effective date. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

14. Contact Us and Data Protection Officer

For privacy enquiries, to exercise your rights, or to reach our Data Protection Officer, please write to:

We aim to respond to all enquiries within 30 days.