SORAVIO
Soravio's privacy policy describes how we collect, use, store, and protect your personal data when you use our WhatsApp-native loyalty platform.
Account Information: When you sign up, we collect your name, email address, and password (or authentication via Google SSO through our authentication provider, Clerk).
Business Information: Business name, category, phone number, logo, and business hours.
Team Member Information: Names and email addresses of staff you invite to your organisation.
Customer Information: Names, phone numbers (WhatsApp, E.164 format), and optional birthdays of the customers you enrol into your loyalty program.
Transaction Data: Visit logs, point transactions, redemption records, and campaign interactions.
Usage Data: Pages visited, features used, timestamps, and session duration.
Device Information: Browser type, operating system, device type, and screen resolution.
Log Data: IP addresses, access times, and referring URLs.
Analytics Data: Aggregated product analytics collected via PostHog.
Authentication Provider (Clerk): Profile information from SSO providers (e.g., Google) when you choose to authenticate through them.
Payment Processor (Stripe): We receive confirmation of subscription status and payment method type, but do not store full payment card details.
WhatsApp (Meta Cloud API): Message delivery status, read receipts, and customer-initiated messages (e.g., BALANCE, REDEEM, STOP commands).
We use the information we collect to:
Provide the Service: Operate the loyalty platform, process point transactions, deliver WhatsApp messages, and generate business analytics.
AI-Powered Features: Analyse customer visit patterns to calculate churn risk scores, generate personalised campaign messages, and provide business intelligence through our AI chat assistant.
Communication: Send transactional emails, WhatsApp messages to enrolled customers on behalf of your business, and service announcements.
Billing: Process subscription payments, manage free trials, and handle invoicing through Stripe.
Improve the Platform: Analyse usage patterns, diagnose technical issues, and develop new features.
Security: Detect fraud, prevent abuse, and enforce our terms of service.
We do not sell your personal data. We share information only in the following circumstances:
We use third-party services to operate Soravio, including Vercel (hosting), Clerk (authentication), Neon (database), Stripe (payments), Meta WhatsApp Cloud API (messaging), Resend (email), PostHog (analytics), Sentry (error monitoring), and BetterStack (logging).
We may disclose your information if required by law or to protect the rights, property, or safety of Soravio, our users, or the public.
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.
We may share information with third parties when you have given us explicit consent.
Soravio uses a strict multi-tenant architecture. Each business operates as an isolated organisation. All data queries are scoped by organisation ID at the database level. No cross-organisation data access is architecturally possible.
Account Data: Retained while your account is active. Deleted within 30 days of account closure.
Customer Data: Retained while the enrolling business's account is active. A customer who sends STOP via WhatsApp is removed from campaigns immediately.
Transaction Logs: Retained for 7 years (Malaysian tax requirements).
Backups: Retained for 30 days, automatically purged thereafter.
We implement encryption in transit (HTTPS/TLS), encryption at rest (Neon), secure authentication (Clerk with MFA support), role-based access control, bot protection (Arcjet WAF), and host on Vercel's SOC 2 Type II certified infrastructure.
You may request access to, correction of, deletion of, or portability of your data, object to processing, or withdraw consent. Contact privacy@soravio.app to exercise these rights.
As a business using Soravio, you are the data controller for your customers' data. Soravio acts as a data processor. You are responsible for obtaining consent before enrolling customers. Customers can opt out via STOP.
Soravio uses essential cookies for authentication and PostHog for analytics. No third-party advertising cookies.
Your data may be processed globally via Vercel and Neon, protected by appropriate safeguards.
Soravio is not directed at individuals under 18.
We will notify you of material changes via our website and email.
We comply with all seven principles of the Personal Data Protection Act 2010: General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access.
Email: privacy@soravio.app
Website: soravio.app
Address: Soravio, Kuala Lumpur, Malaysia