Privacy Policy
Last updated June 14, 2026
01 Overview
This Privacy Policy explains how Souvenir, Inc. (“Souvenir,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you use the Souvenir products, the website at getsouvenir.com, our APIs, and related services (the “Service”).
By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.
Roles: For individual users, we generally act as a controller of your personal information. For business and organization customers, when we process data on the organization’s behalf (including data brought in through Connectors), we generally act as a processor / service provider, and the organization is the controller responsible for that data and for the lawful basis to process it.
02 Information We Collect
Information you provide
- Account information: name, email address, password or login credentials, and organization or team details.
- Billing information: plan, credits, and transaction records. Card details are collected and processed by our payment processor, not stored by us.
- Content you submit: prompts, messages, uploaded documents and files (e.g., PDF, DOCX, PPTX, XLSX, text, images), AI Assistant definitions, and instructions (“Your Content”).
- Support communications: messages you send us.
Information from your connected services (Connectors)
When you enable a Connector (for example, Shopify, Slack, Meta Ads, Klaviyo, HubSpot, ShipStation, Google Drive, Gmail, and others), we and our integration providers access and process data from those services according to the permissions you grant. This may include:
- Access tokens / credentials needed to maintain the connection;
- Business and operational data retrieved on your behalf (e.g., orders, customers, messages, analytics, records), which may itself contain personal information about your own customers or contacts.
You are responsible for ensuring you have the right to connect each account and to authorize this access.
Information collected automatically
- Usage data: features used, credits consumed, actions taken, timestamps, and interaction logs.
- Device and log data: IP address, browser/device type, and similar technical data.
- Cookies and similar technologies: used for authentication, preferences, and analytics. See the Cookies and Tracking section.
Derived information
- Memory and summaries: we may extract and store memories, summaries, or embeddings from your interactions and documents to power continuity, search, and personalization features.
Information from our Slack managerial bot
If the Souvenir Slack managerial bot is installed in a workspace, we process Slack data needed to operate the bot, including:
- Workspace and installation data: team/workspace identifiers and the OAuth access tokens issued to operate the app for that workspace;
- Conversation content: messages and content in the channels or conversations where the bot is added, mentioned, or messaged, including any files or links shared with it;
- Workspace metadata: user, channel, and team identifiers needed to route responses and apply permissions.
The bot only processes data in conversations it has been added to. This data is used to respond to requests and provide the Service, consistent with Slack’s API Terms of Service. We use Slack data only to provide the Service and not for advertising. Slack workspace administrators are the controllers of workspace content; direct requests about that content to your administrator.
03 How We Use Information
We use personal information to:
- Provide, operate, maintain, and secure the Service;
- Generate AI Output in response to your inputs;
- Execute Connector reads and actions you request or approve through Brain & Automation;
- Authenticate users, manage accounts, organizations, and teams;
- Process payments, manage credits, plans, trials, and prevent abuse of billing;
- Provide personalization and memory features;
- Monitor, debug, and improve the Service and develop new features;
- Communicate with you about the Service, including service and security notices;
- Detect, prevent, and address fraud, abuse, security, and legal issues;
- Comply with legal obligations and enforce our Terms of Service.
Legal bases (where GDPR / UK GDPR applies): performance of a contract; our legitimate interests (securing and improving the Service, preventing abuse); consent (e.g., certain cookies, certain Connectors); and compliance with legal obligations.
04 AI Model Providers and How Your Inputs Are Used
To generate Output, we transmit your prompts and relevant context (which may include Your Content and Connector data) to third-party AI model providers, currently OpenAI, Anthropic, Google (Gemini), and Mistral.
- These providers process inputs to return Output to you.
- We rely on these providers’ enterprise / API terms, under which, per their current policies, API inputs and outputs are not used to train their foundation models except as their terms permit. Their handling of data is governed by their own privacy terms.
- We do not use Your Content to train our own or third parties’ foundation models without your consent.
06 Data Retention
- We retain personal information for as long as your account is active and as needed to provide the Service.
- We retain Your Content until you delete it or your account, subject to backups and legal / operational requirements.
- We may retain certain data longer where required for legal compliance, dispute resolution, security, and enforcement of our agreements.
- Some large Connector results may be stored temporarily as files within your chat to allow the AI to process them; these follow the same deletion controls as your other chat content.
07 Security
We implement reasonable technical and organizational measures to protect personal information, including encryption in transit and at rest, access controls, and isolation between accounts. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Protect your credentials and connected accounts, and notify us of any suspected compromise. If a security breach affecting your personal information occurs, we will notify you and the relevant authorities as required by applicable law.
08 Your Rights and Choices
Depending on your location, you may have rights to:
- Access the personal information we hold about you;
- Correct inaccurate information;
- Delete your information;
- Port your information;
- Object to or restrict certain processing;
- Withdraw consent where processing is based on consent;
- Opt out of sale / sharing / targeted advertising (note: we do not sell or share as defined by law).
To exercise these rights, contact contact@getsouvenir.com. We will verify your request and respond as required by law. You will not be discriminated against for exercising your rights. If you are part of an organization, please direct requests concerning organization-controlled data to that organization; we will assist them as the processor.
California (CCPA / CPRA), Virginia, Colorado, and other U.S. state residents have the rights described above. We do not sell your personal information, and we do not share it for cross-context behavioral advertising as defined by law. To opt out of any processing that may be considered “sale” or “sharing,” email contact@getsouvenir.com or enable a recognized opt-out preference signal (such as Global Privacy Control) in your browser, which we honor.
EU / UK / EEA residents have rights under GDPR / UK GDPR and may lodge a complaint with their supervisory authority. Where we transfer data outside the EEA or UK, we rely on Standard Contractual Clauses and will appoint an EU / UK representative if required by applicable law.
10 International Data Transfers
We are based in the United States and use infrastructure (including AWS) and subprocessors that may process data in the United States and other countries. Where we transfer personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses where applicable.
11 Children’s Privacy
The Service is intended for users aged 16 and over (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children under that age. If you believe a child has provided us personal information, contact us and we will delete it.
12 Third-Party Services
The Service integrates with and links to third-party services. This Policy does not cover those third parties’ practices. Your use of connected services remains subject to their own privacy policies and terms.
13 Changes to This Policy
We may update this Privacy Policy from time to time and review it at least annually. If we make material changes, we will provide notice (for example, by email or in-product). The “Last updated” date reflects the latest revision. Your continued use after changes take effect constitutes acceptance.
14 Contact Us
Questions or requests regarding this Privacy Policy or your personal information: contact@getsouvenir.com — Souvenir, Inc. 211 28th Street, Des Moines, Iowa, USA.