ConveneHome

Privacy Policy

Last updated: June 2, 2026

Convene is a place to think with several AI models at once. This policy explains what we collect, why, who we share it with, how long we keep it, the rights you have under UK and EU data-protection law, and how to contact us. Convene is operated by Heuricity Ltd, a company registered in England and Wales. We are the data controller for the personal data described below.

What we collect

  • Account information. When you sign up we receive your email address and name from our authentication provider (Clerk). We do not store your password.
  • Your rooms. The messages you write, the conversations the AI models produce, the context and files you add to a room, the notes you save, and the documents you generate. This is the core content of the product and may contain personal data you choose to include.
  • Usage and billing. How much your rooms cost to run (so we can apply your plan limits) and, if you subscribe, billing details handled by our payment provider (Stripe). We never see your full card number.
  • Technical data. Basic logs needed to operate and secure the service (IP address, request paths, error metadata). We do not log the content of your messages or rooms.

Why we process your data (lawful basis)

Under UK GDPR, we rely on the following lawful bases:

  • Performance of a contract (Art. 6(1)(b)): to run your rooms, save your notes, generate your documents, apply your plan's usage limits, and process payment.
  • Legitimate interests (Art. 6(1)(f)): to keep the service secure, detect and investigate abuse, debug errors, and improve the product. We weigh these against your privacy and use only the minimum data needed.
  • Consent (Art. 6(1)(a)): where we ask for it (for example, marketing emails if we ever offer them). You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): to comply with laws that apply to us (e.g. tax and accounting records, lawful requests from authorities).

How AI models use your conversations

To generate responses, the content of your rooms (your messages, the conversation so far, and any context you add) is sent to the AI providers whose models you have chosen: Anthropic (Claude), OpenAI (GPT), Google (Gemini), and xAI (Grok). Each provider acts as a processor under its own data-processing terms to produce the model's reply. We send only what is needed to run the room. We do not train any model on your conversations, and we do not authorise our providers to do so under their API terms.

Each provider is based in the United States. International transfers of your personal data are governed by the Standard Contractual Clauses (SCCs) in each provider's Data Processing Addendum, plus the UK International Data Transfer Addendum where applicable.

Sharing a room (the Fork)

You can create a public link to a room. A public link exposes the room's conversation (the messages and the models' replies) to anyone who has the link, and lets them copy it into their own room. A public link never includes the standing context or files you added to the room. You can turn a link off at any time; revocation takes effect immediately.

Who we share data with

We share data only with the service providers that make Convene work, each acting as a processor under a written agreement:

  • Authentication: Clerk Inc. (United States).
  • Payments: Stripe, Inc. (United States) for card processing; we never receive your card details.
  • AI providers: Anthropic PBC, OpenAI OpCo LLC, Google LLC, and X.AI Corp (all United States), as described above.
  • Hosting and infrastructure: Railway Corp and Vercel Inc. (United States) for hosting; Cloudflare Inc. (United States) for edge protection. These providers process data on our behalf to run the service.

We do not sell your data, and we do not share it for advertising.

Retention and deletion

We keep your rooms and their content until you delete them or close your account. Deleting a room removes its content from your account immediately. Deleting your account removes your rooms, messages, notes, and generated documents from our active database immediately. Backups are purged on a 30-day rolling basis. We retain a de-identified record of usage cost for accounting purposes (no user identifier, no room content, just billable tokens), which is not linked to your conversations.

Your rights

Under UK GDPR (and equivalent EU GDPR rules if you are in the EU) you have the right to:

  • Access: receive a copy of the personal data we hold about you. You can download a machine-readable JSON export at any time from your account ("Export my data"), or email us.
  • Rectification: correct inaccurate data. You can edit your display name in settings, or contact us for anything else.
  • Erasure: delete your account from your account screen. The deletion is immediate; see "Retention and deletion" above.
  • Restriction and objection: ask us to stop or limit certain processing. Where you object to processing based on legitimate interests, we will stop unless we can demonstrate compelling legitimate grounds that override your rights.
  • Portability: receive your data in a structured, commonly used, machine-readable format. The JSON export covers this.
  • Withdraw consent: where processing relies on consent, withdraw it at any time (without affecting the lawfulness of processing already done).
  • Complain to a regulator: if you are in the UK, the Information Commissioner's Office (ICO) at ico.org.uk. If you are in the EU, your local supervisory authority.

To exercise any right, contact privacy@convene.heuricity.com. We will respond within one month.

Children

Convene is not directed to children under 13 (or the minimum age in your country), and we do not knowingly collect their data. If you believe a child has provided us personal data, contact us and we will delete it.

Our access to your content

We do not routinely read the content of your rooms. Our team may access specific room content only where necessary: to investigate a report about a shared room, to resolve a support request you raise with us, to comply with a legal obligation, or to protect the security of the service. Access is limited to the people who need it. Routine product, billing, and reliability work uses aggregate, de-identified metrics, never your room content.

Security

We use reputable providers and standard safeguards to protect your data, including TLS in transit, encrypted backups, access controls, and an authorisation model that ties every piece of stored content to the user who created it. No service can promise perfect security, so please do not put information into a room that you could not tolerate being exposed.

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify you directly.

Changes

We may update this policy as the product evolves. Material changes will be reflected in the "Last updated" date above and, where the change materially affects your rights, we will notify you in the app or by email.

Contact

Data-protection enquiries: privacy@convene.heuricity.com. We will respond within one month.