Privacy & Data

Privacy Policy

Last updated June 14, 2026


01   Overview

This Privacy Policy explains how Souvenir, Inc. (“Souvenir,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you use the Souvenir products, the website at getsouvenir.com, our APIs, and related services (the “Service”).

By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.

Roles: For individual users, we generally act as a controller of your personal information. For business and organization customers, when we process data on the organization’s behalf (including data brought in through Connectors), we generally act as a processor / service provider, and the organization is the controller responsible for that data and for the lawful basis to process it.

02   Information We Collect

Information you provide

  • Account information: name, email address, password or login credentials, and organization or team details.
  • Billing information: plan, credits, and transaction records. Card details are collected and processed by our payment processor, not stored by us.
  • Content you submit: prompts, messages, uploaded documents and files (e.g., PDF, DOCX, PPTX, XLSX, text, images), AI Assistant definitions, and instructions (“Your Content”).
  • Support communications: messages you send us.

Information from your connected services (Connectors)

When you enable a Connector (for example, Shopify, Slack, Meta Ads, Klaviyo, HubSpot, ShipStation, Google Drive, Gmail, and others), we and our integration providers access and process data from those services according to the permissions you grant. This may include:

  • Access tokens / credentials needed to maintain the connection;
  • Business and operational data retrieved on your behalf (e.g., orders, customers, messages, analytics, records), which may itself contain personal information about your own customers or contacts.

You are responsible for ensuring you have the right to connect each account and to authorize this access.

Information collected automatically

  • Usage data: features used, credits consumed, actions taken, timestamps, and interaction logs.
  • Device and log data: IP address, browser/device type, and similar technical data.
  • Cookies and similar technologies: used for authentication, preferences, and analytics. See the Cookies and Tracking section.

Derived information

  • Memory and summaries: we may extract and store memories, summaries, or embeddings from your interactions and documents to power continuity, search, and personalization features.

Information from our Slack managerial bot

If the Souvenir Slack managerial bot is installed in a workspace, we process Slack data needed to operate the bot, including:

  • Workspace and installation data: team/workspace identifiers and the OAuth access tokens issued to operate the app for that workspace;
  • Conversation content: messages and content in the channels or conversations where the bot is added, mentioned, or messaged, including any files or links shared with it;
  • Workspace metadata: user, channel, and team identifiers needed to route responses and apply permissions.

The bot only processes data in conversations it has been added to. This data is used to respond to requests and provide the Service, consistent with Slack’s API Terms of Service. We use Slack data only to provide the Service and not for advertising. Slack workspace administrators are the controllers of workspace content; direct requests about that content to your administrator.

03   How We Use Information

We use personal information to:

  • Provide, operate, maintain, and secure the Service;
  • Generate AI Output in response to your inputs;
  • Execute Connector reads and actions you request or approve through Brain & Automation;
  • Authenticate users, manage accounts, organizations, and teams;
  • Process payments, manage credits, plans, trials, and prevent abuse of billing;
  • Provide personalization and memory features;
  • Monitor, debug, and improve the Service and develop new features;
  • Communicate with you about the Service, including service and security notices;
  • Detect, prevent, and address fraud, abuse, security, and legal issues;
  • Comply with legal obligations and enforce our Terms of Service.

Legal bases (where GDPR / UK GDPR applies): performance of a contract; our legitimate interests (securing and improving the Service, preventing abuse); consent (e.g., certain cookies, certain Connectors); and compliance with legal obligations.

04   AI Model Providers and How Your Inputs Are Used

To generate Output, we transmit your prompts and relevant context (which may include Your Content and Connector data) to third-party AI model providers, currently OpenAI, Anthropic, Google (Gemini), and Mistral.

  • These providers process inputs to return Output to you.
  • We rely on these providers’ enterprise / API terms, under which, per their current policies, API inputs and outputs are not used to train their foundation models except as their terms permit. Their handling of data is governed by their own privacy terms.
  • We do not use Your Content to train our own or third parties’ foundation models without your consent.

05   How We Share Information

We share personal information with:

  • Subprocessors and service providers who help operate the Service, under contracts requiring appropriate protection. Categories include: cloud infrastructure (Amazon Web Services — compute, storage including Amazon S3, databases via PostgreSQL, and caching via Redis); AI model providers (OpenAI, Anthropic, Google Gemini, and Mistral); Connector / integration providers (Composio and Nango); payment processing (Stripe); and analytics, email, and operational tooling.
  • Within your organization: if you use the Service as part of an organization, your account information, content, and usage may be accessible to that organization’s administrators and, where resources are shared, to other authorized members.
  • Third-party services you connect: when you direct the AI to take actions, we send data to those services as needed to perform the action.
  • Legal and safety: to comply with law, legal process, or governmental requests; to enforce our terms; and to protect the rights, property, or safety of Souvenir, our users, or others.
  • Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.

We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws.

06   Data Retention

  • We retain personal information for as long as your account is active and as needed to provide the Service.
  • We retain Your Content until you delete it or your account, subject to backups and legal / operational requirements.
  • We may retain certain data longer where required for legal compliance, dispute resolution, security, and enforcement of our agreements.
  • Some large Connector results may be stored temporarily as files within your chat to allow the AI to process them; these follow the same deletion controls as your other chat content.

07   Security

We implement reasonable technical and organizational measures to protect personal information, including encryption in transit and at rest, access controls, and isolation between accounts. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Protect your credentials and connected accounts, and notify us of any suspected compromise. If a security breach affecting your personal information occurs, we will notify you and the relevant authorities as required by applicable law.

08   Your Rights and Choices

Depending on your location, you may have rights to:

  • Access the personal information we hold about you;
  • Correct inaccurate information;
  • Delete your information;
  • Port your information;
  • Object to or restrict certain processing;
  • Withdraw consent where processing is based on consent;
  • Opt out of sale / sharing / targeted advertising (note: we do not sell or share as defined by law).

To exercise these rights, contact contact@getsouvenir.com. We will verify your request and respond as required by law. You will not be discriminated against for exercising your rights. If you are part of an organization, please direct requests concerning organization-controlled data to that organization; we will assist them as the processor.

California (CCPA / CPRA), Virginia, Colorado, and other U.S. state residents have the rights described above. We do not sell your personal information, and we do not share it for cross-context behavioral advertising as defined by law. To opt out of any processing that may be considered “sale” or “sharing,” email contact@getsouvenir.com or enable a recognized opt-out preference signal (such as Global Privacy Control) in your browser, which we honor.

EU / UK / EEA residents have rights under GDPR / UK GDPR and may lodge a complaint with their supervisory authority. Where we transfer data outside the EEA or UK, we rely on Standard Contractual Clauses and will appoint an EU / UK representative if required by applicable law.

09   Cookies and Tracking

We use cookies and similar technologies for authentication, to remember your preferences, and to understand usage. You can control cookies through your browser settings; disabling some cookies may affect functionality. For more detail, see our Cookie Policy.

10   International Data Transfers

We are based in the United States and use infrastructure (including AWS) and subprocessors that may process data in the United States and other countries. Where we transfer personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses where applicable.

11   Children’s Privacy

The Service is intended for users aged 16 and over (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children under that age. If you believe a child has provided us personal information, contact us and we will delete it.

12   Third-Party Services

The Service integrates with and links to third-party services. This Policy does not cover those third parties’ practices. Your use of connected services remains subject to their own privacy policies and terms.

13   Changes to This Policy

We may update this Privacy Policy from time to time and review it at least annually. If we make material changes, we will provide notice (for example, by email or in-product). The “Last updated” date reflects the latest revision. Your continued use after changes take effect constitutes acceptance.

14   Contact Us

Questions or requests regarding this Privacy Policy or your personal information: contact@getsouvenir.com — Souvenir, Inc. 211 28th Street, Des Moines, Iowa, USA.