
Privacy Policy

How we handle personal data.

Last updated: 23 April 2026

1. Data Controller

Boyraz Solutions BV

Registered in Belgium

Company number (KBO): 0802.940.264

VAT number: BE 0802.940.264

Registered address available via the Belgian Crossroads Bank for Enterprises (KBO Public Search).

Email: info@suavi.io

Website: https://suavi.io

2. About This Privacy Policy

This Privacy Policy describes how Boyraz Solutions BV ("Suavi", "we", "us") collects, uses and protects personal data in the context of:

  • The website suavi.io
  • The Suavi interoperability platform (workpanel) — a bridge between the customer's Gmail, calendar, contacts and other administrative tools (CRM, invoicing, accounting)
  • All related services

This policy applies to:

  • Customers: businesses (BVs, VOFs, sole proprietors) that use the Suavi platform
  • Users: individuals who access the platform on behalf of a customer
  • Contacts: individuals whose data is stored in the platform by customers (customers of our customers)
  • Website visitors: people who visit suavi.io

3. What Data Do We Collect?

3.1 Data of Customers and Users

| Data | Purpose | Legal basis |
|---|---|---|
| Company name, KBO number, VAT number | Contract performance, invoicing | Contract performance (art. 6(1)(b) GDPR) |
| Contact name, email, phone | Account management, communication | Contract performance (art. 6(1)(b) GDPR) |
| Login credentials (email, password hash) | Authentication | Contract performance (art. 6(1)(b) GDPR) |
| Billing details, IBAN | Payment | Contract performance (art. 6(1)(b) GDPR) |
| Usage data (logins, actions, preferences) | Platform operation, improvement | Legitimate interest (art. 6(1)(f) GDPR) |

3.2 Data Processed on Behalf of Customers

As a processor, we process the following data on behalf of our customers (the customer is the data controller for this data):

| Data | Module |
|---|---|
| Contact details (name, email, phone, address) | CRM |
| Email content and metadata | Email |
| Invoice amounts, payment details | Invoicing |
| Calendar data (appointments, locations) | Calendar |
| Social media content | Content |

The processing of this data is governed by the Data Processing Agreement (DPA) we sign with each customer.

3.3 Data of Website Visitors

| Data | Purpose | Legal basis |
|---|---|---|
| IP address, browser type, operating system | Security, technical operation | Legitimate interest (art. 6(1)(f) GDPR) |
| Page visits, referring URL | Website analytics | Consent (art. 6(1)(a) GDPR) |

4. What We Use Your Data For

  1. Service delivery: providing the interoperability services you signed up for — bridging your Gmail, calendar, contacts and other administrative tools (CRM, invoicing, accounting) with AI-assisted automation.
  2. Account management: creating and maintaining your account, authentication and authorization.
  3. Billing: issuing and sending invoices for our services.
  4. Communication: informing you about service changes, updates, maintenance or security incidents.
  5. Platform improvement: analyzing (anonymized) usage patterns to improve our services.
  6. Security: detecting and preventing fraud, abuse and security incidents.
  7. Legal obligations: complying with tax, accounting and other statutory record-keeping requirements.

5. Use of Artificial Intelligence

The Suavi platform uses AI models from third parties to generate emails, invoices, content and other output on behalf of the customer.

No automated individual decision-making: During the initial period (Shadow Mode), all AI output is submitted to the customer for approval. The customer decides when the system transitions to autonomous operation.

Transparency: Customers can view which actions the system has performed at any time and can revert to manual approval.

The AI models are provided by:

  • Anthropic (Claude) — based in the US
  • Google (Gemini) — based in the US/EU
  • OpenAI (GPT-4o) — based in the US

Data submitted to AI models is used solely to generate the requested output and is not used to train the models (in accordance with the business processing agreements with these providers).

6. Sub-Processors and Transfers Outside the EEA

To deliver our service, we use the following sub-processors. Some are located outside the European Economic Area (EEA), particularly in the United States. For these transfers, we apply Standard Contractual Clauses (SCCs) as approved by the European Commission, encryption in transit and at rest, and business processing agreements with each sub-processor.

| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic (Claude) | AI processing: email drafts, classification, strategy | United States |
| Google (Gemini, Gmail API, Calendar API, Contacts API) | AI processing; email, calendar and contacts integration | EU / United States |
| OpenAI (GPT) | AI fallback and image generation | United States |
| Microsoft (Outlook, Microsoft 365) | Email and calendar integration via OAuth | EU / United States |
| Meta Platforms (Instagram, Facebook) | Social media integration: posting content, managing comments/messages | United States / Ireland |
| Hetzner Online GmbH | Server hosting and primary data storage | European Union (Germany) |
| Cloudflare, Inc. | CDN, DDoS protection, encrypted backup storage (R2) | United States |
| Mollie B.V. | Payment processing for subscription fees | Netherlands (EU) |

We do not share personal data with third parties for commercial or marketing purposes. An up-to-date list of sub-processors is always available at suavi.io/privacy. Customers are notified of material changes at least 30 days in advance.

7. Retention Periods

| Data | Retention period |
|---|---|
| Account data | Duration of the agreement + 30 days after termination |
| Billing data | 7 years (statutory retention) |
| Data processed on behalf of customer | Duration of the agreement; deletion within 30 days of a request upon termination |
| Backups | Maximum 90 days after deletion from production |
| Website logs | 6 months |

8. Security

We take appropriate technical and organizational measures to protect personal data against unauthorized access, loss or destruction, including:

  • Encrypted connections (TLS)
  • Per-customer database isolation (tenant isolation)
  • Encrypted backups (AES-256)
  • Access control and authentication
  • Automated security monitoring (Guard module)
  • Continuous backups to European data centers
  • Audit logging of all system actions

9. Your Rights

Under the GDPR, you have the following rights:

  1. Right of access (art. 15 GDPR): you can request a copy of the personal data we process about you.
  2. Right to rectification (art. 16 GDPR): you can request correction of inaccurate or incomplete data.
  3. Right to erasure (art. 17 GDPR): you can request deletion of your personal data, unless we are subject to a statutory retention obligation.
  4. Right to restriction (art. 18 GDPR): you can request that we restrict the processing of your data.
  5. Right to data portability (art. 20 GDPR): you can request your data in a machine-readable format.
  6. Right to object (art. 21 GDPR): you can object to processing based on legitimate interest.
  7. Right to withdraw consent: if processing is based on consent, you can withdraw it at any time.

To exercise your rights: send an email to info@suavi.io with a copy of your ID. We respond within 30 days.

Note: if you are a contact of one of our customers (a customer of our customer), please direct your request to the relevant customer, who is the data controller for your data.

10. Cookies

Suavi.io uses the following cookies:

| Cookie | Type | Purpose | Retention |
|---|---|---|---|
| session | Strictly necessary | Session management, authentication | Session |
| csrf_token | Strictly necessary | CSRF attack protection | Session |

Strictly necessary cookies do not require consent. If we add analytics or marketing cookies in the future, we will ask for your consent beforehand via a cookie banner.

11. Changes

We may update this Privacy Policy from time to time. Material changes are communicated at least 30 days in advance by email to our customers. The most recent version is always available at suavi.io.

12. Google API Services — User Data Policy

Suavi's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

12.1 Google APIs We Access

When a Customer connects their Google Workspace or personal Google account to Suavi, we access the following Google APIs exclusively to deliver the services the Customer has subscribed to:

| Google API | Scope | Why Suavi needs it |
|---|---|---|
| Gmail API | gmail.modify | Mark processed emails as read; apply labels (e.g. "suavi-processed", "suavi-lead"); move emails to folders based on Customer-defined rules; delete spam/junk flagged via the Suavi interface. |
| Gmail API | gmail.send | Send AI-drafted email replies from the Customer's own Gmail account, after the Customer approves the draft (Shadow Mode) or for categories the Customer has explicitly marked as autonomous. |
| People API | contacts.readonly | Read-only sync of Google Contacts into the Suavi CRM, so the AI can recognize known contacts and personalize drafts. Suavi never modifies Google Contacts. |
| People API | contacts.other.readonly | Read "Other contacts" that Gmail auto-creates from email threads, for CRM completeness. |
| Calendar API | calendar.readonly | Detect scheduling conflicts when drafting meeting proposals; display availability in the Suavi dashboard; provide context to AI drafts. |
| Calendar API | calendar.events | Create calendar events on behalf of the Customer after Customer approval (e.g. when a client confirms a proposed meeting time via email). Every event creation is logged in the Suavi audit trail. |

12.2 Limited Use Commitment

Data received from Google APIs is subject to the following Limited Use restrictions, in strict compliance with Google's User Data Policy:

  • User-facing features only: Google user data is only used to provide or improve the user-facing features of the Suavi platform (email automation, CRM, calendar, scheduling). It is not used for any other purpose.
  • No advertising: Suavi does not use Google user data for advertising, including retargeting, personalized advertising, or interest-based advertising.
  • No sale or transfer: Suavi does not sell Google user data to third parties, nor transfer it to third parties for advertising, credit-worthiness, or other commercial purposes.
  • No human access except in narrow circumstances: Suavi does not allow humans to read Google user data, except (a) with the Customer's explicit consent for specific messages, (b) for security investigations, (c) to comply with applicable law, or (d) when data is aggregated and used for internal operations in compliance with applicable privacy laws.
  • No use for AI model training: Google user data is not used to develop, improve, or train generalized or non-personalized AI or machine-learning models. AI processing occurs via API calls to Anthropic, Google and OpenAI under business-processing agreements that contractually exclude training on customer data.

12.3 Revoking Google Access and Deleting Google Data

Customers can revoke Suavi's access to their Google account at any time:

  • In Suavi: go to Settings → Integrations → Gmail / Google Calendar. Two distinct actions are available:
    • Refresh tokens — signs you in to Google again without removing any data. Used during Google's verification cycle for OAuth apps awaiting approval. Tokens are replaced; emails, calendar events, contacts and embeddings remain.
    • Erase integration — with a typed-word confirmation step and an automatic backup taken beforehand, this immediately deletes all stored OAuth tokens for that platform and all cached data that originated from that Google service: email messages, calendar events, message embeddings, and contacts imported via the Google Contacts API.
  • In Google: go to myaccount.google.com/permissions and remove Suavi's access. Tokens immediately become invalid on Suavi's side.
  • Full data deletion request: send an email to info@suavi.io with "Google data deletion" in the subject, including the email address, name and (optional) phone number you wish to have erased. We process deletion requests manually within 30 days. The procedure consists of an identifier-based search and deletion across the data categories listed in §7, with anonymization rather than deletion of statutory invoicing data (kept for the periods set out in §7).

12.4 Retention of Google Data

Google OAuth tokens and associated metadata are retained only while the integration is active. Fetched email content, calendar events and contacts imported from Google Contacts are stored encrypted. They are deleted immediately when the Customer uses the in-product "Erase integration" action described in §12.3. The "Refresh tokens" action does not delete data; it only replaces the OAuth tokens. Upon termination of the Agreement, all remaining Customer data is deleted manually within 30 days following a written request to info@suavi.io, subject to statutory retention for invoicing data (see §7).

12.5 Scope of "Google data"

The "Erase integration" action removes data that originated from the Google service connected through that integration: email messages (Gmail), calendar events (Google Calendar), message embeddings derived from Gmail content, and contacts imported via the Google Contacts API at OAuth grant time. It does not delete contacts that were imported from other sources, including but not limited to: the Customer's own address book or contact files (e.g. vCard/CSV upload), manual entries made through the Suavi interface, contacts auto-extracted by Suavi from non-Google email content, or contacts synchronized from non-Google billing platforms. These are not "Google data" within the meaning of Google's API Services User Data Policy and require a separate full data deletion request as described in §12.3.

13. Other Third-Party Platform Integrations

13.1 Microsoft (Outlook, Microsoft 365)

When a Customer connects their Microsoft 365 / Outlook account, Suavi accesses the following scopes through the Microsoft Graph API, exclusively to deliver the subscribed services: Mail.ReadWrite, Mail.Send, Calendars.ReadWrite, and offline_access. The same Limited Use principles described in §12.2 apply to Microsoft data: no advertising use, no sale or transfer, no use for AI model training, and no human access except with explicit Customer consent.

13.2 Meta Platforms (Instagram Business, Facebook Pages)

When a Customer connects an Instagram Business or Facebook Page account to Suavi, we access profile data, published content, engagement data (comments and direct messages on Suavi-managed content), and webhook notifications from Meta via the Meta Graph API. Meta platform data is only used to provide the functionality the Customer actively requested (connecting the account, publishing content, receiving events); it is never sold, rented, shared with advertisers, or used to train AI models. Suavi's use of Meta API information complies with the Meta Platform Terms and Developer Policies. Customers can revoke access via Suavi → Settings → Disconnect, or via their Instagram/Facebook app settings; Meta's deauthorize callback is handled at https://suavi.io/workpanel/api/meta/data-deletion.

14. Complaints

If you believe we are not processing your personal data correctly, you can:

  1. Contact us at info@suavi.io
  2. File a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit):

Belgian Data Protection Authority

Drukpersstraat 35, 1000 Brussels, Belgium

Tel: +32 (0)2 274 48 00

Email: contact@apd-gba.be

Website: gegevensbeschermingsautoriteit.be

15. Contact

For questions about this Privacy Policy or about the processing of your personal data:

Boyraz Solutions BV

Email: info@suavi.io

Website: https://suavi.io
