Conversion Privacy Policy

Last Updated: December 2025
Effective Date: January 1, 2026

Overview

Relentlo, Inc., doing business as Conversion ("Conversion," "we," "us," or "our") is an AI-native marketing automation platform that empowers enterprise and mid-market marketing teams to store lead data, send personalized email campaigns, automate marketing workflows, and integrate seamlessly with customer relationship management (CRM) systems. Our mission is to simplify modern marketing through intelligent automation and data-driven insights while maintaining the highest standards of privacy and data protection.

This Privacy Policy ("Policy"), available at https://www.conversion.ai/privacy, outlines how Conversion collects, uses, shares, and otherwise processes personal information from users, customers, and business contacts ("User," "you," or "your") of our website, platform, and services (collectively, our "Services").

By using our Services, you acknowledge and agree to the terms of this Policy. Our legal basis for processing may include contract performance, legitimate interests, or legal obligations, as set out in this Policy. This Policy incorporates our Terms of Service and any applicable Data Processing Agreement (DPA) by reference. If you do not agree with the terms of this Policy, please discontinue your use of our Services. In the event of any conflict between this Policy and a signed DPA, the DPA will control with respect to Customer Personal Data.

1. Definitions

1.1 Core Data Definitions

• "Personal Data" (or "Personal Information"): Any information that relates to an identified or identifiable natural person or is reasonably capable of being linked to a particular individual, consumer, or household. For purposes of this Policy, "Personal Data" is interpreted in accordance with the European Union General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act/Privacy Rights Act (CCPA/CPRA), and other applicable U.S. state privacy laws, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the revised Swiss Federal Act on Data Protection (rev-FADP), and other applicable privacy laws in jurisdictions where Conversion operates. Personal Data may include, for example:
  
  • Names, business email addresses, work phone numbers, job titles, and company information
  • Billing addresses, shipping addresses, and postal addresses
  • User identifiers, usernames, authentication credentials, and login metadata
  • Internet Protocol (IP) addresses, device identifiers, and unique browser identifiers
  • Usage and telemetry logs, event logs, activity logs, and feature usage data
  • Inferred information and derived data (such as engagement scores or predicted preferences)
  • Any biometric, genetic, or special category data as defined under GDPR and international equivalents
• "Special Category Data" (or "Sensitive Personal Information"): Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed for identification purposes, health data, or data concerning sex life or sexual orientation. Conversion does not intentionally collect or process special category data and prohibits customers from uploading such information unless expressly authorized in writing via a separate amendment to the DPA or MSA.
• "Anonymized Data": Data that has been irreversibly anonymized and aggregated such that it can no longer be associated with or re-identified to any Data Subject, individual, or customer. Anonymized Data is not treated as Personal Data under this Policy.
• "Pseudonymized Data": Personal Data processed in such a way that it cannot be attributed to a specific Data Subject without the use of additional information kept separately and subject to technical and organizational measures.

1.2 Service Data and Processing Definitions

• "Customer Data": All data submitted to the Services by or on behalf of Conversion's business customers, including Personal Data, business contact information, content, files, documents, messages, campaign data, and any other information uploaded, stored, or processed through the Services.
• "Service Data": Operational metrics, telemetry, event logs, and usage analytics that Conversion collects and processes independently for the purposes of operating, maintaining, securing, improving, and billing the Services. Service Data includes logs of feature usage, API calls, storage usage, performance metrics, security events, error rates, and similar operational information. Service Data may contain technical identifiers but is processed on an aggregated or anonymized basis for system administration, security, product improvement, and analytics.
• "Processing": Any operation performed on Personal Data or Customer Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, erasure, or destruction.
• "Data Subject": An identified or identifiable natural person to whom Personal Data relates, including employees, customers, and business contacts of Conversion's customers.
• "Controller": The natural or legal person who determines the purposes and means of Processing Personal Data. Customers of Conversion's Services are Controllers with respect to their own Customer Data.
• "Processor": The natural or legal person who processes Personal Data on behalf of a Controller. Conversion acts as a Processor with respect to Customer Data processed on behalf of customers.
• "Sub-processor": Any processor engaged by Conversion to process Personal Data on behalf of customers.
• "Data Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data or Customer Data.

1.3 Regulatory and Legal Definitions

• "Applicable Data Protection Laws": All applicable laws and regulations relating to privacy, data protection, and data security, including without limitation:
  
  • The European Union General Data Protection Regulation (GDPR) [Regulation (EU) 2016/679]
  • The UK General Data Protection Regulation (UK GDPR)
  • The revised Swiss Federal Act on Data Protection (rev-FADP)
  • California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Utah Consumer Privacy Act (UCPA)
  • Other applicable U.S. state privacy laws
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Any other applicable privacy or data protection law in jurisdictions where Conversion or its customers operate
• "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended.
• "CCPA/CPRA": The California Consumer Privacy Act of 2018 (Civil Code § 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (Civil Code § 1798.100 et seq.).
• "HIPAA": The Health Insurance Portability and Accountability Act of 1996, as amended, 45 U.S.C. § 1320d et seq., and the Health Information Technology for Economic and Clinical Health (HITECH) Act, 42 U.S.C. § 17921 et seq., and all implementing regulations (45 CFR Parts 160, 162, and 164). References to HIPAA apply only to business associate relationships where expressly agreed in writing.
• "Standard Contractual Clauses" or "SCCs": The standard contractual clauses for the transfer of personal data to processors in third countries, as approved by the European Commission, including Module Two (Controller-to-Processor) per Commission Decision 2021/914.
• "DPA": Data Processing Agreement, which forms part of the Master Services Agreement or other written agreement between Conversion and its customers.

1.4 Business and Technical Definitions

• "Services": Conversion's AI-native marketing automation platform, including but not limited to:
  
  • Email campaign management and orchestration
  • Customer data activation and segmentation
  • Marketing workflow automation
  • CRM integrations (including Salesforce, HubSpot, Marketo, and others)
  • Lead data storage and management
  • Performance analytics and reporting
  • Implementation, onboarding, and professional services
  • All related support, documentation, and enhancements to the foregoing
• "Conversion Platform" or "Platform": The software-as-a-service (SaaS) platform provided by Conversion that enables customers to manage, automate, and optimize marketing campaigns.
• "AI Features" or "AI Functionality": Any artificial intelligence, machine learning, or algorithmic features within the Services that analyze Customer Data, generate recommendations, optimize campaign delivery, personalize messaging, or otherwise apply computational models to improve marketing outcomes. Conversion does not use Customer Data to train, fine-tune, or improve general-purpose or multi-customer AI models without explicit customer authorization.
• "Telemetry": Operational data automatically collected by Conversion regarding the use of the Services, including feature adoption metrics, API call volumes, workflow execution data, system performance, security events, and similar analytics.
• "Encryption": The conversion of data into code to prevent unauthorized access, using encryption standards such as TLS 1.2 or higher for data in transit and AES-256 or equivalent for data at rest.

2. Collection and Use of Information

2.1 Information You Provide Directly

When you create an account, purchase a subscription, request professional services, open a support ticket, or otherwise interact with our Services, you may supply Personal Data such as:

• Name, business email address, phone number, and job title
• Company name, business address, and industry
• Billing address, shipping address, and payment information (processed via Stripe)
• Account details, user preferences, and configuration data
• Project artifacts, campaign content, email templates, and uploaded files
• Communications with our support team and sales representatives

For usage-based services, we collect and process Usage Data (e.g., API calls, email sends, storage consumption, workflow executions) to:

• Meter consumption for billing purposes
• Generate monthly invoices showing consumption by feature
• Optimize platform performance and capacity planning

2.2 Information Collected Automatically

When you interact with the Services, we automatically collect technical data including:

• IP address, browser type, operating system, and device identifiers
• Pages visited, features accessed, timestamps, and duration of sessions
• Unique session identifiers, authentication tokens, and device information
• Error logs, performance metrics, and security event data
• Workflow execution data, API request logs, and feature usage analytics
• Email delivery metrics, campaign open rates, click-through rates, and conversion data
• CRM synchronization events, data migration logs, and integration health metrics

2.3 Data Handling in Customer Workflows

When you use Conversion to manage marketing campaigns:

• Lead Data: You may upload or import business contact information (names, email addresses, phone numbers, titles, company data) from existing sources. This data is stored in our platform and used to deliver personalized emails and automate marketing workflows according to your instructions.
• Campaign Content: Email templates, marketing messages, landing page content, and other materials you create or upload are stored and processed to execute your campaigns.
• CRM Integration Data: If you authorize Conversion to integrate with your CRM (such as Salesforce, HubSpot, or Marketo), we access only the minimum data required to provide the integration, such as customer revenue data, deal stages, account information, and contact details. This integration data is processed under the same terms as other Customer Data.
• AI Gateway and Third-Party Integrations: If you use Conversion's integrations with third-party AI providers (including OpenAI, Google Gemini, or OpenRouter), your prompts and inputs are transmitted to these providers for processing and response generation on a pass-through basis. We do not store raw prompts or responses unless you explicitly save them in your workspace. By using these integrations, you consent to such transfers under the privacy policies of the respective providers.

2.4 Children's Data

Conversion's Services are not intended for individuals under the age of eighteen (18). We do not knowingly collect or solicit Personal Data from anyone under this age. By using our Services, you represent that you are at least 18 years old or the age of majority in your jurisdiction. If we discover that we have collected Personal Data from a minor without verifiable parental consent, we will promptly delete that information.

2.5 Legal Bases and Purposes

We process information on the legal basis of:

• Contract Performance: To provide, operate, and maintain the Services you have requested
• Legitimate Interests: To secure the platform, detect fraud, generate aggregate analytics, and improve Services
• Consent: For non-essential cookies, marketing communications, and other processing requiring explicit opt-in
• Legal Obligation: To comply with legal and regulatory obligations
• Protection of Vital Interests: In rare cases, to prevent serious harm or respond to emergencies

We use Personal Data and Customer Data for the following purposes:

• To provide, operate, maintain, and support the Services, including storing data, executing campaigns, and managing integrations
• To personalize your experience and optimize AI-driven features
• To analyze usage patterns and improve platform functionality, reliability, and security
• To detect, prevent, and investigate fraud, abuse, or security incidents
• To deliver product updates, feature announcements, and service communications
• To process payments and manage billing and subscription renewals
• To comply with legal, regulatory, and tax obligations
• To respond to customer inquiries and provide technical support
• To meet record-keeping, accounting, and audit requirements
• To protect our intellectual property and legal rights

3. Data Security and Safeguards

Conversion implements comprehensive technical and organizational safeguards to protect Personal Data and Customer Data:

3.1 Administrative Safeguards

• Designated privacy and security officers responsible for policy development and compliance oversight
• Comprehensive information security program with written policies and procedures
• Security management processes to identify and mitigate risks to confidentiality, integrity, and availability
• Workforce access controls, identification mechanisms, and authentication requirements
• Security awareness training for all employees with access to Personal Data
• Documented incident response procedures and breach notification protocols
• Business continuity and disaster recovery planning
• Regular risk assessments and security testing

3.2 Physical Safeguards

• Data hosted on Google Cloud Platform (GCP) with SOC 2 and/or ISO 27001 certifications
• 24/7 physical security, biometric access controls, CCTV surveillance, and environmental controls
• Secure facility access and visitor management procedures
• Restrictions on the physical movement of equipment and media containing Personal Data

3.3 Technical Safeguards

• Encryption in Transit: All data transmitted between users' systems and Conversion servers is protected with TLS 1.2 or higher
• Encryption at Rest: All stored Customer Data is encrypted using AES-256 or equivalent encryption standards
• Access Controls: Role-based access control (RBAC) limiting access to Personal Data to authorized personnel with a legitimate business need
• Multi-Factor Authentication: Required for administrative access and available for customer accounts
• Audit Controls and Logging: Comprehensive logging of access to Personal Data with 90-day retention for security monitoring
• Integrity Controls: Protection against improper modification or loss of data
• Automatic Logoff: Automatic logout of user sessions after periods of inactivity
• Transmission Security: Secure APIs with authentication, digital signatures, and encrypted channels

3.4 Continuous Monitoring and Improvement

Conversion maintains:

• Real-time monitoring for anomalous activity and security threats
• Regular security vulnerability assessments and penetration testing
• Timely patching of known vulnerabilities
• Annual SOC 2 Type II audits and compliance certifications
• Documented processing activities in accordance with GDPR Article 30

4. Data Processing and Sub-Processors

As a data processor, Conversion processes Personal Data on behalf of customers in accordance with their instructions and applicable Data Processing Agreements. We engage third-party sub-processors to support our Services:

• Cloud Infrastructure: Google Cloud Platform (GCP) for hosting, compute, and storage
• Payment Processing: Stripe for secure payment processing and billing
• Email Delivery: Third-party email service providers for campaign delivery and tracking
• CRM Integrations: Salesforce, HubSpot, Marketo, and other CRM platforms (accessed only per customer authorization)
• Analytics: PostHog, Google Analytics, and similar tools for usage analytics and performance monitoring
• Support and Communication: Help desk and customer communication platforms
• Data Backup and Recovery: Cloud backup providers for business continuity

All sub-processors are bound by written agreements imposing data protection obligations equivalent to those in our DPAs. Conversion remains fully liable to customers for any sub-processor's failure to fulfill data protection obligations.

Sub-Processor List: A current list of authorized sub-processors is available at https://trust.conversion.ai or upon written request. Conversion provides notice of new or replacement sub-processors with at least 15 days' prior written notice. Customers may object to new sub-processors on reasonable data protection grounds within 15 days of notice.

5. International Data Transfers

5.1 Data Location

Conversion stores and processes Personal Data and Customer Data primarily in the United States. Conversion may change storage locations with prior notice, provided equivalent security measures are maintained.

5.2 Transfers from the EEA, UK, and Switzerland

To the extent Conversion processes Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland:

• EU-US Data Privacy Framework (DPF): Where applicable, Conversion relies on its DPF certification (and the UK and Swiss Extensions) for transfers to the United States
• Standard Contractual Clauses (SCCs): Module Two (Controller-to-Processor) per Commission Decision 2021/914, incorporated into applicable DPAs
• UK International Data Transfer Addendum: Version B1.0, issued by the UK Information Commissioner's Office (ICO)
• Swiss Addendum: Adapted SCCs to the revised Swiss FADP, with the Swiss Federal Data Protection and Information Commissioner (FDPIC) as competent authority

Conversion implements appropriate supplementary measures as necessary to ensure adequate protection of Personal Data transferred outside the EEA in accordance with European Data Protection Board guidance.

6. Retention of Customer Data

6.1 During the Subscription Term

During the active subscription term, Conversion retains Customer Data as long as necessary to provide the Services and in accordance with customer configurations and instructions. Customers may export their data at any time using self-service tools in the Services.

6.2 Post-Termination

Upon termination or expiration of the customer's subscription:

• Customers have 30 days to export their Customer Data using the Services interface or by requesting assistance from Conversion support
• Within 60 days after termination (or longer as required by applicable law), Conversion will delete or anonymize all Customer Data in its possession, except:
  
  • Data required by applicable law (which will be securely isolated from further processing)
  • Copies in backup systems, which will be deleted or overwritten within 180 days in accordance with standard backup retention schedules

6.3 Certification of Deletion

Upon reasonable written request, Conversion will provide written certification that Customer Data has been deleted in accordance with this Section.

6.4 Anonymized Data Retention

Notwithstanding deletion of Customer Data, Conversion may retain fully anonymized and aggregated data (that cannot be re-identified to any individual or customer) for product improvement, benchmarking, marketing, and research purposes.

7. Data Subject Rights

7.1 Assistance with Data Subject Requests

Conversion will provide commercially reasonable assistance to customers to enable them to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including:

• Right to access their Personal Data
• Right to rectification (correction) of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making

Conversion will provide such assistance within 10 business days at customer's request.

7.2 Direct Data Subject Requests

If Conversion receives a Data Subject request directly, Conversion will promptly (within 5 business days) notify the customer and, unless prohibited by law, will not respond without the customer's prior written authorization.

8. Breach Notification and Incident Response

8.1 Notification Obligation

Upon discovering a Data Breach affecting Personal Data or Customer Data, Conversion will notify the affected customer without undue delay, unless legally prohibited.

8.2 Notification Content

The notification will include:

• Description of the nature and scope of the breach
• Categories and approximate number of Data Subjects and records affected
• Likely consequences of the breach
• Measures taken or proposed to address and mitigate the breach
• Contact information for Conversion's data protection officer or security team

8.3 Investigation and Remediation

Conversion will:

• Promptly investigate the breach and take reasonable steps to remediate and mitigate harm
• Provide the customer with cooperation and assistance in investigating and responding to the breach
• Not make public statements regarding the breach without the customer's prior written approval (except as required by law)
• Maintain confidentiality of breach information pending customer notification to affected individuals

9. Audits and Compliance Verification

9.1 Audit Rights

Customers may, at their own expense and with reasonable advance notice (at least 30 days), audit Conversion's compliance with applicable data protection obligations once every 12 months (or more frequently if required by law or following a material breach), provided such audit:

• Is conducted during normal business hours without unreasonably interfering with operations
• Does not exceed 2 business days in duration
• Is conducted by an independent third-party auditor subject to confidentiality obligations
• Is limited in scope to information necessary to verify compliance

9.2 Alternative Compliance Verification

In lieu of on-site audits, customers may accept:

• Conversion's most recent SOC 2 Type II audit report or equivalent third-party certification
• Written responses to a reasonable security questionnaire (limited to 50 questions per year)
• Attestation reports regarding specific data protection practices

9.3 Remediation

If an audit reveals material non-compliance with Applicable Data Protection Laws or applicable DPA, Conversion will, at its own expense, take prompt corrective action within a mutually agreed timeframe.

10. AI and Machine Learning

10.1 AI Features in Conversion

Conversion's Services include AI-native features that help optimize marketing campaigns, including:

• Workflow automation and orchestration
• Email send-time optimization
• Recipient segmentation and targeting
• Campaign performance prediction
• Personalization and recommendation features

10.2 Customer Data and AI Training

Conversion does not use Customer Data to train, fine-tune, or improve general-purpose or multi-customer AI models without explicit customer authorization. Specifically:

• Conversion does not train shared language models or foundational models on Customer Data
• Conversion does not use individual customer's data to benefit other customers' AI features
• Conversion may use fully anonymized and aggregated data (that cannot be re-identified) for product improvement, benchmarking, and research purposes
• Conversion uses operational telemetry (on an aggregated basis) to operate, secure, and improve the Services

Customers who wish to restrict use of their data for AI training may contact Conversion at [email protected].

10.3 Third-Party AI Providers

When customers use Conversion's integrations with third-party AI providers (such as OpenAI, Google Gemini, or OpenRouter), customer inputs and related data are transmitted to these providers for processing in accordance with their respective privacy policies. Conversion does not control these providers' data practices, and customers are responsible for reviewing their policies.

11. Legal Bases for Processing

Conversion processes Personal Data and Customer Data only where a valid legal ground applies:

• Performance of Contract: Processing necessary to provide Services and fulfill contractual obligations
• Legitimate Interests: Processing to operate and improve Services, detect fraud, and ensure security, where not outweighed by individual privacy rights
• Consent: Express opt-in consent for non-essential cookies, marketing communications, and other processing requiring affirmative consent
• Legal Obligation: Retention and disclosure as required by law, regulation, or legal process
• Protection of Vital Interests: Processing necessary to protect individual vital interests or emergency situations

12. Your Privacy Rights and Choices

12.1 Individual Rights (U.S., Canada, EEA, UK, Switzerland)

Depending on your location, you may have the following rights:

• Right of Access: Request disclosure of Personal Data we hold about you
• Right of Correction: Request correction of inaccurate or incomplete Personal Data
• Right of Deletion: Request deletion of Personal Data, subject to legal exceptions
• Right of Portability: Request your Personal Data in a structured, commonly-used format
• Right to Restrict Processing: Request limitation of processing for specified purposes
• Right to Object: Object to processing of your Personal Data on certain grounds
• Right to Withdraw Consent: Withdraw consent for processing activities for which consent is the legal basis

12.2 Exercising Your Rights

To exercise these rights, email [email protected] with your request. Conversion will verify your identity and respond within 30 days (or as required by applicable law).

12.3 Appeals and Supervisory Authority

If you believe Conversion has wrongly denied a privacy request, you may:

• U.S. Residents: File an appeal within 60 days of Conversion's decision
• EEA, UK, or Swiss Residents: Contact your local supervisory authority:
  
  • EEA: Irish Data Protection Commission (www.dataprotection.ie)
  • UK: UK Information Commissioner's Office (www.ico.org.uk)
  • Switzerland: Swiss Federal Data Protection and Information Commissioner (FDPIC) (www.edoeb.admin.ch)

12.4 Non-Discrimination

Conversion will not discriminate against you for exercising your privacy rights through denial of service, increase in pricing, or degradation of quality of service.

13. Cookies and Tracking Technologies

13.1 Types of Cookies

Conversion uses cookies and similar tracking technologies for the following purposes:

• Strictly Necessary Cookies: Support core functions including authentication, session management, fraud prevention, and consent storage. These are set based on legitimate interests/contract performance and do not require consent.
• Analytics & Performance Cookies: Measure feature adoption, diagnose errors, track user interactions, and improve service performance. We may use first-party analytics and third-party services for these purposes. These require prior consent in the EEA/UK/Switzerland and respect opt-out signals (e.g., Global Privacy Control) in the United States.
• Functional Cookies: Remember your preferences (language, theme, interface settings) for a personalized experience. These require consent in regulated jurisdictions.
• Marketing Cookies: Enable conversion tracking and campaign measurement through third-party services (TikTok, Facebook/Meta, Google Ads). While we use these cookies to measure marketing effectiveness, we do not "sell" or "share" Customer Personal Data for cross-context behavioral advertising as defined under applicable privacy laws. These require consent in the EEA/UK/Switzerland.

13.2 Managing Cookie Preferences

You can manage or withdraw your Cookie preferences at any time by:

• Clicking the Cookie Preferences button in our Cookie Policy
• Changing your browser privacy settings
• Enabling an authorized browser signal such as Global Privacy Control (GPC)

Disabling non-essential Cookies will not affect core functionality but may limit analytics-based improvements.

13.3 Cookie Retention

Cookie-derived identifiers are retained only for the period necessary to fulfill their purposes, and no longer than 13 months for analytics cookies, after which they are deleted or irreversibly anonymized.

14. Information Security and Your Responsibility

14.1 Conversion's Security Commitments

Conversion is committed to protecting Personal Data and maintaining its accuracy through reasonable industry-standard safeguards, including those detailed in Section 3 of this Policy. We maintain:

• Data encryption in transit and at rest
• Multi-factor authentication for access control
• Regular security monitoring and threat detection
• Annual SOC 2 Type II audits and certifications
• 24/7 incident response capabilities
• Documented information security policies

14.2 Your Responsibility

You are responsible for:

• Keeping your account credentials confidential
• Enabling multi-factor authentication on your account
• Notifying Conversion promptly of any unauthorized access or suspected breach
• Complying with applicable laws regarding data you upload (e.g., obtaining proper consents)
• Reviewing and validating data before upload to Conversion
• Not uploading sensitive or special category data unless expressly authorized

14.3 Third-Party Provider Risks

Conversion's Services rely on third-party infrastructure and service providers (including Google Cloud Platform, Stripe, email delivery services, and CRM integrations). While Conversion implements reasonable safeguards, we cannot guarantee uninterrupted availability, security, or performance of these providers' services. Data interruptions, delays, or losses may occur due to third-party actions or events beyond Conversion's control. Customers indemnify Conversion for claims arising from customer misuse, excessive uploads, or interactions with third-party providers.

15. Sub-Processors and Third-Party Sharing

15.1 Sharing Categories

Conversion shares Customer Data with the following categories of recipients:

• Infrastructure Providers: Cloud hosting and data backup providers
• Payment Processors: Stripe for payment processing and billing
• CRM Providers: Customer-authorized CRM integrations 
• Email Delivery Services: Third-party providers for campaign delivery and tracking
• Support and Communication Tools: Help desk and customer support platforms
• Analytics and Monitoring: Services for performance monitoring and improvement
• Third-Party AI Providers: OpenAI, Google Gemini, OpenRouter (for AI Gateway features)

15.2 Restrictions on Sharing

Conversion does not:

• Sell, rent, or trade Personal Data or Customer Data for compensation
• Share Customer Data for behavioral advertising without explicit customer authorization
• Use Customer Data to train multi-customer AI models without authorization
• Disclose Personal Data to third parties except as permitted by this Policy or DPA
• Share data with law enforcement except as compelled by legal process (with notice where legally permitted)

16. Governing Law and Jurisdiction

This Policy is governed by the laws of the State of California, United States, without regard to conflicts of law principles. However, if you are located in a jurisdiction that grants you mandatory consumer protection or data protection rights under local law, those provisions will take precedence to the extent they conflict with this Policy.

For residents of the EEA, UK, or Switzerland, international data transfers are governed by:

• EEA: Standard Contractual Clauses (SCCs) governed by Irish law with Dublin courts as forum
• UK: International Data Transfer Addendum governed by laws of England and Wales with London courts as forum
• Switzerland: Swiss Addendum governed by Swiss law with the FDPIC as competent authority

Any disputes arising under this Policy shall be exclusively resolved in the state or federal courts located in San Francisco, California, unless otherwise required by mandatory law.

17. Contact Information

If you have questions, concerns, or wish to exercise your privacy rights, please contact Conversion:

• Email: [email protected]
• Mailing Address:
  Relentlo, Inc. d/b/a Conversion
  Attn: Privacy Officer
  300 Beale St, Suite A
  San Francisco, CA 94105
  United States

18. Changes to This Policy

Conversion reserves the right to update or revise this Privacy Policy to reflect changes in our practices, legal requirements, or Services. We will post any revised Policy at https://www.conversion.ai/privacy and indicate the "Last Updated" and "Effective Date" at the top of the document.

For material changes that reduce your privacy rights or expand our processing purposes, Conversion will provide at least 30 days' advance notice by email or in-product banner (where applicable). Your continued use of the Services after the new Policy takes effect constitutes acceptance of the revised terms.

19. Relationship to Other Agreements

This Policy is supplemental to and does not replace or modify:

• Conversion's Terms of Service
• Any signed Data Processing Agreement (DPA)
• Service Level Agreements (SLAs)
• Master Services Agreements (MSAs)

In the event of conflict:

1. A signed DPA controls with respect to Personal Data processing
2. This Policy controls for general privacy practices
3. The Terms of Service provide framework terms

20. Company Information

Relentlo, Inc. d/b/a Conversion

• State of Incorporation: Delaware
• Principal Business Address: 300 Beale St, Suite A, San Francisco, CA 94105, USA
• Governing Law: California and Delaware (contract terms), California (privacy matters)
• Preferred Venue for Disputes: San Francisco County, California (U.S.); Dublin (EEA); London (UK); Swiss courts/FDPIC (Switzerland)
• Privacy Officer: Available at [email protected]

21. Severability

If any provision of this Policy is found to be unlawful, void, or unenforceable under applicable law, that provision will be interpreted to achieve its intent as closely as possible, or, if impossible, deemed severed, and the remaining provisions will remain in full force and effect.

22. Entire Agreement

This Policy, together with Conversion's Terms of Service, the applicable Data Processing Agreement (if signed), and any supplemental product terms, constitutes the entire agreement between you and Conversion regarding privacy and data protection in connection with the Services.

‍