Privacy Policy
Last updated: April 2026
Vixro ("we", "us", or "our") operates an AI messaging assistant platform built for solo, appointment-based businesses. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our platform, in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
This policy covers two distinct groups of individuals: Subscribers (business owners who sign up for and use the Vixro platform) and End-Customers (the customers of those businesses who interact with the AI assistant via WhatsApp).
1. Information We Collect — Subscribers
When a business owner creates a Vixro account and completes the onboarding process, we collect:
- Account information: Full name, email address, and any business name provided at signup.
- Business profile data: Business type, services and pricing, operating hours, booking policies, pre-care and post-care instructions, custom Q&A pairs, and any other information entered during the onboarding wizard.
- WhatsApp configuration: The WhatsApp Business phone number linked to the Subscriber's account.
- Billing information: Subscription tier and billing status. Payment card details are processed and stored exclusively by Stripe (PCI DSS Level 1 certified) — Vixro does not store credit card numbers or banking information.
- Usage data: Login timestamps, dashboard activity, and platform usage metrics.
2. How We Use Subscriber Information
We use Subscriber data to:
- Provision and operate the Vixro AI assistant on the Subscriber's behalf;
- Generate and maintain the AI system prompt that powers the Subscriber's assistant;
- Process subscription payments and manage billing;
- Send transactional emails (account confirmation, magic-link login, weekly conversation reports);
- Provide customer support and respond to inquiries;
- Improve platform reliability and performance.
3. Information We Collect — End-Customers
When a person messages a business powered by Vixro — via WhatsApp or Instagram Direct — we collect:
- The sender's WhatsApp phone number (provided by Twilio via the WhatsApp Business API), or
- The sender's Instagram user ID (assigned by Meta and provided via the Meta Graph API) for Instagram DM interactions;
- The content of messages sent and received in the conversation;
- Timestamps of each message;
- During booking: Customer name, email address, phone number, and service details provided to confirm an appointment.
We collect email addresses only when a customer books an appointment through the AI assistant. This email address is used solely for booking confirmations and appointment reminders related to that specific booking.
4. How We Use End-Customer Information
End-Customer data is used to:
- Generate AI responses on behalf of the business being contacted;
- Maintain conversation history so the AI has context for follow-up messages;
- Allow the Subscriber (business owner) to review conversations through their Vixro dashboard;
- Send booking confirmations and appointment reminders to the customer's email address (transactional email only, no marketing);
- Store appointment details (date, time, service, customer contact info) for the business owner to manage bookings.
5. Data Controller and Processor Roles
For the purposes of PIPEDA and applicable privacy law:
- Vixro acts as a Data Controller with respect to Subscriber personal information (account data, billing data, usage data). We determine the purposes and means of processing this data.
- Vixro acts as a Data Processor with respect to End-Customer personal information (WhatsApp conversations). The Subscriber (business owner) is the Data Controller for their customers' data. Vixro processes End-Customer data only on the Subscriber's behalf and in accordance with these Terms.
6. Data Sharing
We do not sell personal information. Data is shared only with the following third-party service providers, strictly for platform operation purposes:
- Twilio — WhatsApp message delivery and receipt;
- Meta (WhatsApp Business API & Instagram Graph API) — underlying messaging infrastructure for WhatsApp and Instagram Direct;
- Anthropic (Claude AI) — AI response generation;
- Supabase — secure database storage;
- Stripe — subscription payment processing;
- Resend — transactional email delivery.
Conversation data is accessible only to the Subscriber whose business is being messaged and to Vixro for platform operation purposes. No End-Customer data is shared with any other Subscriber or third party beyond the providers listed above.
7. Data Storage Location
Vixro is a Canadian business. Our database infrastructure is hosted by Supabase on Amazon Web Services (AWS) in the United States (us-east-1, Northern Virginia). By using our platform, you acknowledge that your data may be stored and processed in the United States. We have selected providers with strong contractual data protection commitments consistent with Canadian privacy law (PIPEDA).
8. Data Retention
We retain personal data only as long as necessary to provide our services and fulfill legal obligations:
- Conversation data: Retained for up to 12 months. Upon deletion request, conversation records are deleted within 30 days.
- Customer booking data (including email): Retained for the duration of the appointment relationship (typically 1 year after the appointment date). After 1 year, appointment records and associated customer email addresses are automatically purged unless the customer books another appointment with the business.
- Subscriber account data: Retained for the duration of the active subscription, plus 90 days thereafter (for billing reconciliation and legal compliance).
- Analytics and usage logs: Aggregated analytics retained for 1 year; individual session logs retained for 30 days.
- WhatsApp metadata: Message timestamps and phone numbers are retained per Twilio's standard policy (30 days maximum).
- Email logs: Transactional email records retained for 90 days (Resend's standard retention).
Upon written request, we will delete personal data subject to any legal retention requirements. Deletion requests are processed within 30 days of receipt.
9. Security
We take the security of your data seriously. Our platform is built on enterprise-grade infrastructure with the following protections:
- Encryption in transit: All data between your device, our servers, and our database is encrypted using TLS 1.2 or higher.
- Encryption at rest: All data stored in our database (Supabase/AWS) is encrypted at rest using AES-256.
- Row-level security: Our database enforces access controls at the row level, ensuring that business data is isolated between clients.
- Authenticated access only: The Vixro dashboard requires authentication for every request. Sessions are managed using short-lived JWT tokens.
- Webhook signature validation: All incoming messages from WhatsApp (via Twilio) are validated using HMAC-SHA1 signatures before processing.
- Rate limiting: Our system limits the number of messages any single contact can send in a 24-hour period, protecting against automated abuse.
- No payment data stored: Vixro does not store credit card numbers or banking information. All subscription payments are processed by Stripe (PCI DSS Level 1 certified).
- Secrets management: API keys and credentials are stored as environment variables. They are never hardcoded or exposed in source code.
- Infrastructure providers: Vixro is hosted on Vercel and Railway, with data stored in Supabase (PostgreSQL on AWS). All three providers maintain SOC 2 Type II certification.
If you discover a security vulnerability in our platform, please report it responsibly to hello@vixro.app.
10. Your Rights
Under PIPEDA, individuals have the right to access, correct, and request deletion of their personal information. Subscribers may update their business profile data at any time through the Vixro dashboard. End-Customers may request deletion of their conversation data by contacting us at hello@vixro.app. We will respond to all privacy requests within 30 days.
GDPR (If you are in the EU)
If you are located in the European Union, your data is protected under the General Data Protection Regulation (GDPR). In addition to the rights above, you have the following rights:
- Right to Rectification: Request correction of inaccurate personal data.
- Right to Object: Object to processing of your data for marketing purposes (you can opt out of analytics and reports in dashboard settings).
- Right to Restrict Processing: Request that we limit how we use your data.
- Right to Lodge a Complaint: File a complaint with your local data protection authority.
To exercise any of these rights, email hello@vixro.app with "GDPR REQUEST" in the subject line.
11. Contact
For any privacy-related questions or to exercise your rights under PIPEDA, contact us at hello@vixro.app.
12. CASL Compliance
As a Canadian business, Vixro complies with Canada's Anti-Spam Legislation (CASL). We only send you:
- Transactional emails: Account confirmations, billing receipts, password resets, and appointment booking confirmations and reminders (no consent required under CASL).
- Service announcements: Critical updates to the platform (no consent required).
- Marketing emails: Only if you have opted in. You can unsubscribe at any time via the link in every email.
Appointment Booking Emails: When a customer books an appointment through our AI assistant, they will receive a booking confirmation email and appointment reminder emails to the address they provided during booking. These emails are transactional in nature and are exempt from CASL consent requirements. However, we inform customers at the time of booking that they will receive these emails to their provided address.
We include clear identification, contact information, and unsubscribe instructions in all marketing communications.
13. Subprocessor Details
Vixro uses the following third-party service providers (subprocessors) to operate our platform. Each has been selected for strong security practices and data protection commitments:
- Anthropic (Claude API): Processes conversation content to generate AI responses. Data is transmitted over encrypted TLS 1.3 connections. Anthropic's privacy policy is available at anthropic.com/privacy.
- Supabase (PostgreSQL on AWS): Provides all database storage. The database is encrypted at rest (AES-256) and in transit (TLS 1.2+). AWS maintains SOC 2 Type II certification.
- Twilio: Handles WhatsApp Business API message routing and receipt. Twilio is SOC 2 Type II certified and retains message metadata for 30 days per their standard policy.
- Meta Platforms (WhatsApp Business API & Instagram Graph API): Underlying messaging infrastructure for WhatsApp and Instagram Direct. Subject to Meta's Data Processing Addendum and GDPR compliance commitments.
- Stripe: Processes subscription payments and billing. Stripe is PCI DSS Level 1 certified; credit card data is held by Stripe and never stored in Vixro's systems. See Stripe's privacy policy for payment data handling.
- Resend: Delivers transactional emails (receipts, reports, notifications). Resend is SOC 2 Type II certified and retains email logs for 90 days.
- Vercel: Hosts the Vixro dashboard and APIs. Vercel maintains SOC 2 Type II certification and uses AWS infrastructure.