GDPR compliance guide

Last updated: November 24th, 2025

Convo is fully compliant with the General Data Protection Regulation (GDPR). This guide explains your data rights and how to exercise them when using Convo.

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations processing personal data of EU residents. GDPR gives you control over your personal data and how it's used.

Who does GDPR apply to? If you're an EU resident or your organization operates in the EU, GDPR protections apply to your use of Convo—regardless of where Convo's servers are located.

Your GDPR Rights

Under GDPR, you have eight fundamental rights regarding your personal data:

1. Right to Be Informed

You have the right to know what personal data we collect, why we collect it, how we use it, and who we share it with. This information is available in our Privacy Policy and this guide.

2. Right of Access

You can request a copy of all personal data we hold about you. This includes your account information, conversation transcripts, meeting metadata, and usage history.

3. Right to Rectification

If any of your personal data is inaccurate or incomplete, you have the right to have it corrected. You can update most information directly in your account settings.

4. Right to Erasure ("Right to Be Forgotten")

You can request deletion of your personal data. When you delete your account, all associated data is permanently removed from our systems within 30 days.

5. Right to Restrict Processing

You can ask us to limit how we use your personal data while we investigate a complaint or verify the accuracy of your data.

6. Right to Data Portability

You can receive your personal data in a structured, commonly used format (JSON, CSV) and have it transferred to another service provider.

7. Right to Object

You can object to the processing of your personal data for direct marketing, for scientific research, or on the basis of legitimate interests.

8. Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing. Convo's AI provides suggestions, but you make all final decisions.

How to Exercise Your Rights

Accessing Your Data

To view and access your personal data:

  1. Sign in to your Convo account
  2. Go to Settings → My Account
  3. View your profile information, subscription details, and account settings
  4. Navigate to Dashboard → All Calls to access your conversation history
  5. For a complete data export, contact privacy@itsconvo.com

Correcting Your Data

To update inaccurate or incomplete information:

  1. Open Settings → My Account
  2. Update your name, email, or other profile information
  3. Changes are saved automatically
  4. For conversation data corrections, contact support

Deleting Your Data

You can delete specific conversations or your entire account:

Delete Individual Conversations

  1. Go to Dashboard → All Calls
  2. Find the conversation you want to delete
  3. Click the menu icon (⋯) → Delete
  4. Confirm deletion
  5. The conversation is permanently removed from our systems

Delete Your Account

  1. Go to Settings → My Account
  2. Scroll to the bottom and click "Delete Account"
  3. Confirm you want to permanently delete your account
  4. All data is marked for deletion and removed within 30 days
  5. You'll receive an email confirmation once deletion is complete

Important: Account deletion is permanent and cannot be undone. Your subscription will be cancelled, and all conversation data, settings, and history will be permanently deleted.

Exporting Your Data

To receive a copy of your data in a portable format:

  1. Email privacy@itsconvo.com with subject: "GDPR Data Export Request"
  2. Include your account email address
  3. We'll verify your identity
  4. You'll receive a download link within 30 days
  5. Data is provided in JSON and CSV formats

What's included in data exports:

  • Account profile information
  • All conversation transcripts and summaries
  • Meeting metadata (dates, times, participants)
  • AI suggestions and action buttons generated
  • Usage statistics and subscription history
  • Connected calendar events (if applicable)

What Personal Data We Collect

Account Information

Name, email address, password (encrypted), account creation date, subscription tier, billing information (stored by Stripe).

Conversation Data

Audio transcripts, meeting participants, timestamps, conversation summaries, AI-generated suggestions, action items.

Usage Data

Feature usage statistics, API call counts, session duration, device information, app version, error logs.

Integration Data

Google Calendar events (if connected), video platform metadata, calendar access tokens (encrypted).

Legal Basis for Processing

Under GDPR, we must have a legal basis to process your personal data. Convo processes data under these bases:

Contractual Necessity

Processing necessary to provide Convo's services under our Terms of Service (e.g., transcribing meetings, storing conversations, providing AI assistance).

Consent

When you grant explicit consent for specific processing activities (e.g., connecting Google Calendar, enabling cloud transcription, sharing data with integrations).

Legitimate Interests

Processing necessary for our legitimate business interests (e.g., improving product features, preventing fraud, ensuring security) balanced against your privacy rights.

Legal Obligations

Processing required to comply with legal requirements (e.g., tax records, responding to lawful requests from authorities).

Data Retention Periods

Convo retains personal data only as long as necessary for the purposes outlined:

Conversation Data

Default: 30 days. Configurable from immediate deletion to 7 years for compliance needs. Automatically deleted based on your retention settings.

Account Information

Retained while your account is active. Deleted within 30 days after account deletion, except where legally required to retain (e.g., billing records for 7 years).

Usage Data

Aggregated analytics retained for 2 years. Individual usage logs deleted after 90 days.

Backup Data

Backups containing your data are retained for 90 days for disaster recovery purposes, then permanently deleted.

International Data Transfers

If you're in the EU, your data may be transferred outside the European Economic Area (EEA):

How We Protect Your Data During Transfers

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs with all service providers
  • Adequacy Decisions: We transfer to countries with EU adequacy decisions where possible
  • Privacy Shield (where applicable): US-based services comply with Privacy Shield principles
  • Encryption: All data in transit is encrypted using TLS 1.3
  • EU Data Centers (Coming Q1 2025): Option to store all data within the EU

Data Protection Officer

For GDPR-related questions or concerns, you can contact our Data Protection Officer:

Email: dpo@itsconvo.com
Mail: Data Protection Officer, Convo Inc., [Address]
Response Time: We respond to GDPR requests within 30 days

Filing a Complaint

If you believe we're not handling your personal data properly, you have the right to lodge a complaint:

1. Contact Us First

Email privacy@itsconvo.com with your concern. We aim to resolve issues directly within 30 days.

2. Contact Your Supervisory Authority

If not satisfied with our response, you can file a complaint with your local data protection authority:

  • EU residents: Contact your national supervisory authority (find yours at edpb.europa.eu)
  • UK residents: Information Commissioner's Office (ICO) - ico.org.uk

GDPR for Organizations

If you're using Convo for your organization, you have additional responsibilities:

Data Controller vs Data Processor

  • You (the customer) are the data controller - you determine what data is processed and why
  • Convo is the data processor - we process data on your behalf according to your instructions
  • A Data Processing Agreement (DPA) governs this relationship

Your Responsibilities

  • Obtain consent from meeting participants before recording
  • Inform participants about data processing and their rights
  • Configure retention settings appropriate for your use case
  • Maintain records of processing activities
  • Respond to data subject requests from your employees/customers
  • Report data breaches to authorities (if required)

Data Processing Agreement

Enterprise customers can request a signed DPA:

  1. Contact enterprise@itsconvo.com
  2. Request the DPA template
  3. Review and sign the agreement
  4. Return to us for countersignature
  5. Receive fully executed DPA within 14 days

Updates to GDPR Compliance

We continuously improve our GDPR compliance. Recent updates include:

  • November 2025: Enhanced data export functionality with JSON/CSV formats
  • Q1 2025 (planned): EU data centers for data residency
  • Q2 2025 (planned): Automated data subject request portal
  • Q3 2025 (planned): Granular consent management UI

Next Steps

Need help with GDPR compliance?

Our privacy team can help you understand your GDPR obligations and configure Convo for compliance. Contact us at privacy@itsconvo.com.
