Privacy Policy
Last updated: February 28, 2026
Weavin ("we," "us," or "our") operates the website at https://weavin.ai and the Weavin platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you are located in the European Economic Area (EEA), United Kingdom, or California, you have additional rights described in Sections 9 and 10 below.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your email address and, optionally, your name. Authentication is handled by our identity provider (Neon Auth), which may also receive a profile image if you sign in via a third-party OAuth provider (e.g., Google, GitHub).
1.2 Payment Information
When you subscribe to a paid plan, payment processing is handled entirely by Stripe. We store a Stripe Customer ID to associate your account with your subscription. We do not store credit card numbers, bank account details, or other financial credentials on our servers.
1.3 API Keys
To power your AI avatars, you provide LLM API keys from third-party providers (e.g., Anthropic, OpenAI, Google, OpenRouter). These keys are encrypted using AES-256-GCM before storage and are only decrypted server-side when proxying requests to the respective LLM provider.
1.4 Channel Credentials
When you connect a messaging platform (Telegram, Discord, Slack, Feishu, etc.), we store the associated credentials (bot tokens, app secrets) encrypted using AES-256-GCM. These credentials are decrypted only when deploying your avatar to our infrastructure.
1.5 Avatar Configuration
We store the configuration of your AI avatars, including their name, personality instructions, language preference, selected AI model, and channel type.
1.6 Conversation Data
For the WebChat channel, conversation messages between end users and your avatar may be stored on our servers to maintain session continuity. For all other channels (Telegram, Discord, Slack, Feishu, etc.), conversations are processed locally on the avatar's dedicated Fly.io machine and are not stored in our central database. In all cases, conversation content is forwarded to the configured LLM provider to generate responses.
1.7 Usage Data
We track token consumption on a per-user, per-day, per-model basis for billing and analytics purposes. This data is aggregated and does not include the content of conversations.
1.8 Waitlist Information
If you join our waitlist, we collect your email address and, optionally, your name and a note. This information is used solely to notify you when capacity becomes available.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, maintain, and improve the Service
- Deploy and manage your AI avatars across messaging platforms
- Proxy LLM requests using your provided API keys
- Process payments and manage your subscription via Stripe
- Track token usage for billing and capacity planning
- Send transactional emails, technical notices, and support messages
- Respond to your inquiries and provide customer support
- Detect, prevent, and address technical issues or abuse
3. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):
- Contract performance — Processing necessary to provide the Service you have subscribed to (account data, avatar configuration, API key management, payment processing).
- Legitimate interests — Processing necessary for our legitimate business interests, such as usage analytics, fraud prevention, and service improvement, where these interests are not overridden by your rights.
- Consent — Where you have provided explicit consent, such as joining our waitlist. You may withdraw consent at any time.
- Legal obligation — Processing necessary to comply with applicable laws and regulations.
4. Data Sharing and Third-Party Services
We do not sell, rent, or trade your personal information. We share data with the following third-party service providers solely to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Neon | Database hosting & authentication | Account data, encrypted credentials, usage data |
| Stripe | Payment processing | Email, subscription metadata |
| Fly.io | Avatar hosting infrastructure | Avatar configuration, decrypted channel credentials (as environment variables on isolated machines) |
| Vercel | Application hosting | Standard HTTP request data (IP address, User-Agent) |
| LLM Providers (Anthropic, OpenAI, Google, OpenRouter) | AI model inference | Conversation content (real-time, not stored by us), your API key (used per-request) |
Each provider operates under its own privacy policy and data processing terms. We encourage you to review their policies.
5. Cookies and Tracking
We use only essential cookies required for authentication and session management, provided by our identity provider (Neon Auth). We do not use advertising cookies, social media tracking pixels, or third-party analytics services (e.g., Google Analytics).
Because we only use strictly necessary cookies, no cookie consent banner is required under GDPR. You can disable cookies in your browser settings, but this will prevent you from logging into the Service.
6. Data Security
We implement industry-standard security measures to protect your data:
- Encryption at rest: All sensitive credentials (API keys, bot tokens, channel configurations) are encrypted using AES-256-GCM before storage.
- Encryption in transit: All data transmitted between your browser and our servers is encrypted via TLS (HTTPS).
- Isolated infrastructure: Each avatar runs on a dedicated Fly.io machine with its own compute resources and storage volume.
- Access control: Credentials are only decrypted server-side when necessary for service operation.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: Retained until account deletion.
- Avatar configurations and credentials: Retained until you delete the avatar or your account.
- Token usage data: Retained for up to 12 months for billing and analytics purposes.
- WebChat conversation data: Retained for the duration of the avatar's deployment. Deleted when the avatar is removed.
- Waitlist data: Retained until you are onboarded or request removal.
Upon account deletion, all associated data — including avatar configurations, encrypted credentials, usage records, and machine data — is permanently deleted within 30 days.
8. International Data Transfers
Your data is processed and stored in the United States through our infrastructure providers (Neon, Vercel, Fly.io). If you are located outside the United States, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and our providers' data processing agreements to ensure adequate protection for international data transfers as required by GDPR.
9. Your Rights Under GDPR (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate personal data.
- Right to erasure: Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing: Request that we limit how we use your data.
- Right to data portability: Request your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at privacy@weavin.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
10. Your Rights Under CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:
- Right to know: You can request that we disclose what personal information we have collected, used, disclosed, and sold about you.
- Right to delete: You can request that we delete your personal information, subject to certain exceptions.
- Right to opt-out of sale: We do not sell your personal information. We have never sold personal information and have no plans to do so.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise these rights, contact us at privacy@weavin.ai. We will verify your identity before processing your request and respond within 45 days.
11. Do Not Sell My Personal Information
Weavin does not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. This applies to all users, including California residents under the CCPA.
12. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at privacy@weavin.ai.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (sent to the address associated with your account) or by posting a prominent notice on the Service prior to the change becoming effective. The "Last updated" date at the top of this page indicates when this policy was last revised.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
- Email: privacy@weavin.ai
- General inquiries: hello@weavin.ai