Vixro

Privacy Policy

Last updated: May 2026

Vixro ("we", "us", or "our") operates an AI messaging assistant platform built for solo, appointment-based businesses. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our platform, in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta's Personal Information Protection Act (Alberta PIPA), and British Columbia's Personal Information Protection Act (BC PIPA), as applicable.

This policy covers two distinct groups of individuals: Subscribers (business owners who sign up for and use the Vixro platform) and End-Customers (the customers of those businesses who interact with the AI Receptionist via Instagram Direct, WhatsApp, or SMS).

1. Information We Collect — Subscribers

When a business owner creates a Vixro account and completes the onboarding process, we collect:

  • Account information: Full name, email address, and any business name provided at signup.
  • Business profile data: Business type, services and pricing, operating hours, booking policies, pre-care and post-care instructions, custom Q&A pairs, and any other information entered during the onboarding wizard.
  • Messaging channel configuration: The Instagram Business Account ID and/or WhatsApp Business phone number linked to the Subscriber's account.
  • Onboarding auto-fill inputs: If the Subscriber chooses to use the optional auto-fill feature during signup, the website URL and/or Instagram handle they provide are used to scrape publicly available business information (bio, services, hours) to pre-populate the onboarding form. This scraping is performed via a third-party data extraction service (Apify), and the extracted content is then summarized by Anthropic's Claude API.
  • Billing information: Subscription tier and billing status. Payment card details are processed and stored exclusively by Stripe (PCI DSS Level 1 certified) — Vixro does not store credit card numbers or banking information.
  • Usage data: Login timestamps, dashboard activity, and platform usage metrics.

2. How We Use Subscriber Information

We use Subscriber data to:

  • Provision and operate the Vixro AI Receptionist on the Subscriber's behalf;
  • Generate and maintain the AI system prompt that powers the Subscriber's AI Receptionist;
  • Process subscription payments and manage billing;
  • Send transactional emails (account confirmation, magic-link login, weekly conversation reports);
  • Provide customer support and respond to inquiries;
  • Improve platform reliability and performance.

3. Information We Collect — End-Customers

When a person messages a business powered by Vixro — via WhatsApp, SMS, or Instagram Direct — we collect:

  • The sender's WhatsApp phone number (provided by Twilio via the WhatsApp Business API);
  • The sender's SMS phone number (provided by Twilio via the SMS API);
  • The sender's Instagram user ID (assigned by Meta, provided via the Meta Graph API) — for Instagram DM interactions;
  • The content of messages sent and received in the conversation;
  • Timestamps of each message;
  • Inferred message metadata: A safety risk classification (score and risk type), intent category (e.g., booking inquiry, pricing question), and sentiment label are derived from each inbound message using automated analysis and stored alongside the message. These are used solely to protect against harmful content, improve AI response quality, and provide the relevant Subscriber with operational analytics in their dashboard. This inferred metadata is never sold, never used for cross-Subscriber profiling, and never disclosed to any party outside the Subscriber whose business is being messaged.
  • During booking: Customer name, email address, phone number, and service details provided to confirm an appointment.

We collect email addresses only when a customer books an appointment through the AI Receptionist. This email address is used solely for booking confirmations and appointment reminders related to that specific booking.

Instagram comment funnel: When a Subscriber enables the comment-to-DM feature, Vixro monitors public comments on the Subscriber's Instagram posts and processes comment text to identify potential booking inquiries (e.g., comments containing pricing or availability questions, or the exact-match keyword "PILOT" used in our pilot intake flow). If a comment is identified as a booking inquiry, Vixro will send the commenter a private Direct Message on behalf of the Subscriber. Comment content is processed through Anthropic's Claude API for intent classification before any DM is sent. Commenters who do not wish to receive a DM may ignore it; no further automated contact is initiated if they do not reply. For Subscribers and commenters located in the European Union, we rely on legitimate interest under GDPR Art. 6(1)(f) as the lawful basis for processing public Instagram comments (purpose: identifying customer inquiries directed at the Subscriber's business).

4. How We Use End-Customer Information

End-Customer data is used to:

  • Generate AI responses on behalf of the business being contacted;
  • Maintain conversation history so the AI has context for follow-up messages;
  • Allow the Subscriber (business owner) to review conversations through their Vixro dashboard;
  • Send booking confirmations and appointment reminders to the customer's email address (transactional email only, no marketing);
  • Store appointment details (date, time, service, customer contact info) for the business owner to manage bookings.

4.1 Automated Decision-Making and AI Transparency

Vixro uses automated systems (Anthropic's Claude AI) to (a) generate response text on the Subscriber's behalf, (b) classify inbound messages for safety risk, intent, and sentiment, and (c) confirm appointments where the Subscriber has authorized the AI to do so.

No fully automated decision producing legal or similarly significant effects on an End-Customer is made by the Service. All booking confirmations are reviewable by the Subscriber in the dashboard, and an End-Customer who believes an automated response or classification has affected them unfairly may request human review by contacting hello@vixro.app.

AI training: Vixro's use of Anthropic's API is governed by Anthropic's commercial API terms, under which customer data is not used to train Anthropic's models by default. Vixro does not opt in to any training program that would use Subscriber or End-Customer data.

5. Data Controller and Processor Roles

For the purposes of PIPEDA and applicable privacy law:

  • Vixro acts as a Data Controller with respect to Subscriber personal information (account data, billing data, usage data). We determine the purposes and means of processing this data.
  • Vixro acts as a Data Processor with respect to End-Customer personal information (customer conversations via Instagram Direct, WhatsApp, and SMS). The Subscriber (business owner) is the Data Controller for their customers' data. Vixro processes End-Customer data only on the Subscriber's behalf and in accordance with this Policy.

6. Data Sharing

We do not sell personal information. Data is shared only with the following third-party service providers, strictly for platform operation purposes:

  • Google Cloud Platform (GCP) — backend hosting (Cloud Run) and, where enabled, AI inference (Vertex AI);
  • Twilio — WhatsApp and SMS message delivery and receipt;
  • Meta (WhatsApp Business API & Instagram Graph API) — underlying messaging infrastructure for WhatsApp and Instagram Direct;
  • Anthropic (Claude AI) — AI response generation and inbound-message classification;
  • Apify — public business-data scraping during optional onboarding auto-fill;
  • Supabase — secure database storage;
  • Stripe — subscription payment processing;
  • Resend — transactional email delivery;
  • Vercel (incl. Vercel Analytics) — frontend hosting and aggregated traffic analytics for the marketing site and dashboard;
  • PostHog — product analytics for the marketing site (event-level, identified only when a Subscriber is authenticated).

Conversation data is accessible only to the Subscriber whose business is being messaged and to Vixro for platform operation purposes. No End-Customer data is shared with any other Subscriber or third party beyond the providers listed above.

7. Data Storage Location

Vixro is a Canadian business. Our database infrastructure is hosted by Supabase on Amazon Web Services (AWS) in the United States. Our backend application infrastructure is hosted by Google Cloud Platform (Cloud Run) in the United States (us-central1). By using our platform, you acknowledge that your data may be stored and processed in the United States. We have selected providers with strong contractual data protection commitments consistent with Canadian privacy law (PIPEDA, Alberta PIPA, BC PIPA). For EU-based Subscribers, transfers to the United States are made in reliance on the providers' Standard Contractual Clauses and supplementary measures.

8. Data Retention

We retain personal data only as long as necessary to provide our services and fulfill legal obligations:

  • Conversation data (Vixro database): Retained for up to 12 months in our own database, regardless of any shorter retention applied by upstream messaging providers. Upon deletion request, conversation records are deleted within 30 days.
  • Customer booking data (including email): Retained for the duration of the appointment relationship (typically 1 year after the appointment date). After 1 year, appointment records and associated customer email addresses are automatically purged unless the customer books another appointment with the business.
  • Subscriber account data: Retained for the duration of the active subscription, plus 90 days thereafter (for billing reconciliation and legal compliance).
  • Analytics and usage logs: Aggregated analytics retained for 1 year; individual session logs retained for 30 days.
  • WhatsApp and SMS metadata (held by Twilio): Message metadata held by Twilio is retained per Twilio's standard policy (30 days maximum). This is in addition to, not in place of, Vixro's own 12-month conversation retention.
  • Email logs: Transactional email records retained for 90 days (Resend's standard retention).
  • A/B-test cookies: First-party experiment cookies (vixro_ab_*) persist on the visitor's device for 30 days.

Upon written request, we will delete personal data subject to any legal retention requirements. Deletion requests are processed within 30 days of receipt.

9. Security

We take the security of your data seriously. Our platform is built on enterprise-grade infrastructure with the following protections:

  • Encryption in transit: All data between your device, our servers, and our database is encrypted using TLS 1.2 or higher.
  • Encryption at rest: All data stored in our database (Supabase/AWS) is encrypted at rest using AES-256.
  • Row-level security: Our database enforces access controls at the row level, so that one Subscriber's business data is isolated from every other Subscriber's.
  • Authenticated access only: The Vixro dashboard requires authentication for every request. Sessions are managed using short-lived JWTs, and the administrative panel additionally requires multi-factor authentication (TOTP, AAL2).
  • Webhook signature validation: Every inbound WhatsApp/SMS callback from Twilio is validated against its HMAC-SHA1 signature (X-Twilio-Signature), and every Instagram and WhatsApp webhook from Meta against its HMAC-SHA256 signature (X-Hub-Signature-256), before the payload is processed. Requests whose signature is missing or does not match are rejected.
  • Rate limiting: Our system limits the number of messages any single contact can send in a 24-hour period, protecting against automated abuse.
  • No payment data stored: Vixro does not store credit card numbers or banking information. All subscription payments are processed by Stripe (PCI DSS Level 1 certified).
  • Secrets management: API keys and credentials are stored as environment variables. They are never hardcoded or exposed in source code.
  • Infrastructure providers: Vixro's frontend (marketing site and dashboard) is hosted on Vercel; the backend API is hosted on Google Cloud Platform (Cloud Run); data is stored in Supabase (PostgreSQL on AWS). Vercel, Google Cloud Platform, AWS, and Supabase all maintain SOC 2 Type II certification.
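The two webhook checks listed above follow the documented Twilio and Meta signature schemes. The following is an added example that illustrates both checks; it is not Vixro's own code. The secrets, URL, form parameters and JSON body are constructed for the example, and the header names and MAC constructions are the providers' published schemes (Twilio: Base64 of HMAC-SHA1 over the full request URL plus sorted POST parameters; Meta: "sha256=" plus hex HMAC-SHA256 over the raw request body).

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# Constructed secrets for this example only. In a real deployment these are the
# Twilio Auth Token and the Meta App Secret, loaded from the environment.
TWILIO_AUTH_TOKEN = b"example-twilio-auth-token"
META_APP_SECRET = b"example-meta-app-secret"


def twilio_signature(auth_token: bytes, url: str, params: Dict[str, str]) -> str:
    """Twilio's X-Twilio-Signature: Base64(HMAC-SHA1(auth_token, URL + sorted POST params)).

    The URL is the exact public URL Twilio requested (scheme, host, path and
    query string); each POST parameter is appended as key followed by value,
    sorted by key. Behind a proxy or Cloud Run the public URL must be rebuilt
    from the forwarded headers, or every genuine request fails verification.
    """
    data = url + "".join(k + params[k] for k in sorted(params))
    mac = hmac.new(auth_token, data.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_twilio(auth_token: bytes, url: str, params: Dict[str, str],
                  header: Optional[str]) -> bool:
    """Reject a missing header; otherwise compare in constant time."""
    if not header:
        return False
    return hmac.compare_digest(twilio_signature(auth_token, url, params), header)


def meta_signature(app_secret: bytes, raw_body: bytes) -> str:
    """Meta's X-Hub-Signature-256: 'sha256=' + hex(HMAC-SHA256(app_secret, raw body)).

    The MAC covers the raw request bytes. Hashing a re-serialized JSON object
    changes key order or whitespace and produces a mismatch, so the handler
    must read the body before any framework parses it.
    """
    return "sha256=" + hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()


def verify_meta(app_secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """Reject a missing or malformed header; otherwise compare in constant time."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(meta_signature(app_secret, raw_body), header)


def demo() -> Dict[str, bool]:
    """Run both verifiers against constructed genuine and tampered webhook calls."""
    # Constructed Twilio inbound-message callback (form-encoded POST).
    url = "https://api.example.test/webhooks/twilio?channel=whatsapp"
    params = {"From": "whatsapp:+15550100", "To": "whatsapp:+15550199",
              "Body": "Do you have anything Friday?", "MessageSid": "SMexample"}
    good_twilio = twilio_signature(TWILIO_AUTH_TOKEN, url, params)
    tampered = dict(params, Body="Cancel my booking")

    # Constructed Meta webhook body, kept as the raw bytes that arrived on the wire.
    body = b'{"object":"instagram","entry":[{"id":"1","messaging":[{"message":{"text":"hi"}}]}]}'
    good_meta = meta_signature(META_APP_SECRET, body)
    wrong_key = meta_signature(b"attacker-guess", body)

    return {
        "twilio_genuine": verify_twilio(TWILIO_AUTH_TOKEN, url, params, good_twilio),
        "twilio_tampered_body": verify_twilio(TWILIO_AUTH_TOKEN, url, tampered, good_twilio),
        "twilio_wrong_url": verify_twilio(TWILIO_AUTH_TOKEN, url.split("?")[0], params, good_twilio),
        "twilio_missing_header": verify_twilio(TWILIO_AUTH_TOKEN, url, params, None),
        "meta_genuine": verify_meta(META_APP_SECRET, body, good_meta),
        "meta_reserialized": verify_meta(META_APP_SECRET, body.replace(b":", b": "), good_meta),
        "meta_wrong_key": verify_meta(META_APP_SECRET, body, wrong_key),
        "meta_missing_header": verify_meta(META_APP_SECRET, body, None),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:24s} {'accepted' if ok else 'rejected'}")
```

The two failure cases worth noticing are `twilio_wrong_url` and `meta_reserialized`: a handler that verifies against the internal request URL rather than the public one, or that hashes a parsed-then-re-encoded JSON body, rejects every genuine webhook and is usually "fixed" in production by disabling the check.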

If you discover a security vulnerability in our platform, please report it responsibly to hello@vixro.app.

10. Your Rights

Under PIPEDA, Alberta PIPA, and BC PIPA (as applicable), individuals have the right to access, correct, and request deletion of their personal information, and to withdraw consent at any time (subject to legal or contractual restrictions). Subscribers may update their business profile data at any time through the Vixro dashboard. End-Customers may request deletion of their conversation data by contacting us at hello@vixro.app. We will respond to all privacy requests within 30 days.

Alberta and British Columbia residents: You may file a complaint with the Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca) or British Columbia (oipc.bc.ca) if you believe your rights under Alberta PIPA or BC PIPA have not been respected.

GDPR (If you are in the EU)

If you are located in the European Union, your data is protected under the General Data Protection Regulation (GDPR). In addition to the rights above, you have the right to:

  • Right to Rectification: Request correction of inaccurate personal data.
  • Right to Object: Object to processing of your data for marketing purposes (you can opt out of analytics and reports in dashboard settings).
  • Right to Restrict Processing: Request that we limit how we use your data.
  • Right Not to Be Subject to Solely Automated Decisions: Under GDPR Art. 22, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. See Section 4.1 above.
  • Right to Lodge a Complaint: File a complaint with your local data protection authority.

To exercise any of these rights, email hello@vixro.app with "GDPR REQUEST" in the subject line.

California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights:

  • Right to know the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the categories of third parties with whom we share it (see Sections 1, 3, and 6 of this Policy).
  • Right to delete personal information we have collected from you, subject to certain exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing: Vixro does not sell personal information and does not share personal information for cross-context behavioural advertising. We therefore do not provide a "Do Not Sell or Share My Personal Information" link, but you may confirm or update this preference by emailing hello@vixro.app.
  • Right to limit use of sensitive personal information: Vixro does not use sensitive personal information for purposes beyond those permitted by the CPRA.
  • Right to non-discrimination for exercising any of the above rights.

To exercise any of these rights, email hello@vixro.app with "CCPA REQUEST" in the subject line. We will verify your identity before processing the request and respond within 45 days.

Data Processing Agreement — Standard Terms (Article 28 GDPR)

For Subscribers operating as Data Controllers of their End-Customers' personal data, Vixro acts as a Data Processor under Article 28 of the GDPR. The following standard terms describe our obligations as your processor.

A signed DPA is required for GDPR compliance. These terms constitute the basis of the bilateral agreement — to request a countersigned Data Processing Agreement for your records, contact hello@vixro.app.

  • Processing Scope: Vixro processes personal data (customer messages, contact details, booking information) solely for the purpose of operating the AI messaging assistant on the Subscriber's behalf.
  • Processing Instructions: All processing is carried out in accordance with the Subscriber's configuration (business profile, services, policies) and the platform's standard operational requirements.
  • Confidentiality: Vixro staff with access to customer data are bound by confidentiality obligations.
  • Security Measures: Vixro implements appropriate technical and organizational security measures as described in Section 9 (Security).
  • Subprocessors (Art. 28(2) & 28(4)): Vixro uses the subprocessors listed in Section 13 under a general written authorization. Vixro will inform Subscribers of any intended addition or replacement of subprocessors, giving Subscribers the opportunity to object on reasonable grounds. Vixro imposes on each subprocessor data-protection obligations equivalent to those set out in this DPA (Art. 28(4)).
  • Data Subject Rights: Vixro will assist Subscribers in fulfilling data subject requests as required under Article 28(3)(e). Contact hello@vixro.app.
  • Data Breach Notification: In the event of a personal data breach, Vixro will notify the affected Subscriber within 72 hours of becoming aware.
  • Audit Rights (Art. 28(3)(h)): Vixro will make available to the Subscriber all information necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Subscriber or an auditor mandated by the Subscriber, no more than once per twelve-month period and on reasonable prior written notice, except where required by a supervisory authority.
  • International Transfers: Transfers of personal data outside the EEA, UK, or Switzerland are made under the European Commission's Standard Contractual Clauses (Module 2 or 3, as applicable) and the UK International Data Transfer Addendum, incorporated by reference.
  • Deletion or Return: Upon account termination, Vixro will return or securely delete all personal data within 30 days.

11. Contact

For any privacy-related questions or to exercise your rights under PIPEDA, Alberta PIPA, BC PIPA, GDPR, or CCPA, contact us at hello@vixro.app.

12. CASL Compliance

As a Canadian business, Vixro complies with Canada's Anti-Spam Legislation (CASL). We only send you:

  • Transactional emails: Account confirmations, billing receipts, magic-link login emails, and appointment booking confirmations and reminders (no consent required under CASL).
  • Service announcements: Critical updates to the platform (no consent required).
  • Marketing emails: Only if you have opted in. You can unsubscribe at any time via the link in every email.

Appointment Booking Emails: When a customer books an appointment through our AI Receptionist, they will receive a booking confirmation email and appointment reminder emails to the address they provided during booking. These emails are transactional in nature and are exempt from CASL consent requirements. However, we inform customers at the time of booking that they will receive these emails to their provided address.

We include clear identification, contact information, and unsubscribe instructions in all marketing communications.

13. Subprocessor Details

Vixro uses the following third-party service providers (subprocessors) to operate our platform. Each has been selected for strong security practices and data protection commitments:

  • Google Cloud Platform (Cloud Run, and Vertex AI where enabled): Hosts the Vixro backend API responsible for processing inbound messages, running AI logic, and communicating with third-party platforms. GCP maintains SOC 2 Type II, ISO 27001, and ISO 27018 certifications and is GDPR-aligned via Google's Cloud Data Processing Addendum.
  • Anthropic (Claude API): Processes conversation content for two purposes: (1) generating AI responses to customer messages, and (2) classifying each inbound customer message for safety risk, intent, and sentiment. All data is transmitted over encrypted TLS 1.3 connections. Under Anthropic's commercial API terms, customer data is not used to train Anthropic's models. Anthropic's privacy policy is available at anthropic.com/privacy.
  • Apify: Public-data scraping platform used during optional onboarding auto-fill to retrieve publicly available business information (Instagram bio, website copy) from URLs and handles the Subscriber provides. Apify is GDPR-compliant and ISO 27001 certified.
  • Google (Google Calendar API): When a Subscriber connects Google Calendar, Vixro reads the Subscriber's calendar availability and creates appointment events on their behalf. Customer booking details (name, service, appointment time) are included in calendar events. Subject to Google's Data Processing Addendum.
  • Supabase (PostgreSQL on AWS): Stores all platform data. The database is encrypted at rest (AES-256) and in transit (TLS 1.2+). AWS maintains SOC 2 Type II certification.
  • Twilio: Handles WhatsApp Business API and SMS message routing and receipt. Twilio is SOC 2 Type II certified and retains message metadata for 30 days per their standard policy.
  • Meta Platforms (Instagram Graph API & WhatsApp Business API): Underlying messaging infrastructure for Instagram Direct and WhatsApp. Subject to Meta's Data Processing Addendum and GDPR compliance commitments.
  • Stripe: Processes subscription payments and billing. Stripe is PCI DSS Level 1 certified; card data is held by Stripe and never enters Vixro's systems. See Stripe's privacy policy for payment data handling.
  • Resend: Delivers transactional emails (receipts, reports, notifications). Resend is SOC 2 Type II certified and retains email logs for 90 days.
  • Vercel (incl. Vercel Analytics): Hosts the Vixro marketing site and dashboard and provides aggregated, privacy-friendly traffic analytics (no cross-site tracking). Vercel maintains SOC 2 Type II certification and uses AWS infrastructure.
  • PostHog: Product-analytics platform used on the marketing site to measure feature usage and conversion. PostHog is hosted in the United States (us.i.posthog.com). Person profiles are created only for identified (signed-in) Subscribers; anonymous visitors are tracked at the event level only.

14. Cookies and Tracking Technologies

Vixro uses a small number of cookies and similar technologies on the marketing site (vixro.app) and the dashboard (app.vixro.app):

  • Strictly necessary cookies for authentication and session management (set by Supabase Auth and Next.js). These cannot be disabled.
  • First-party A/B-testing cookies (vixro_ab_*) that persist a visitor's assigned experiment variant for 30 days so the experience remains consistent on return visits. No third party receives this cookie.
  • Vercel Analytics — aggregated, cookie-less traffic analytics; no cross-site tracking.
  • PostHog — event-based product analytics. Anonymous visitors are tracked at the event level only; identified person profiles are created only after a Subscriber signs in.

Visitors in the European Union, United Kingdom, and other jurisdictions with opt-in cookie requirements will see a consent banner before any non-essential analytics are activated, and may withdraw consent at any time via the privacy controls in the site footer.

15. Children's Data

The Vixro Service is not directed to, and we do not knowingly collect personal information from, individuals under the age of 16. Subscribers must be at least 18 years old (or the age of majority in their jurisdiction) to create an account.

If a Subscriber's business handles bookings for minors (for example, parent-booked services), the Subscriber is responsible for ensuring that any parental or guardian consent required by applicable law has been obtained before sharing a minor's personal information with Vixro. If we become aware that we have collected personal information from a child under 16 without verified parental consent, we will delete that information promptly. Contact hello@vixro.app to report any such case.