Privacy Policy
Effective date: March 13, 2026
Camello (“we,” “us,” “our”) is based in Colombia. This Privacy Policy explains how we collect, use, share, and protect your information when you use the Camello platform at camello.xyz (the “Service”).
1. Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address, organization name, and authentication credentials (managed by our auth provider, Clerk).
1.2 Business & Agent Data
Information you provide to configure your AI agents: business description, knowledge base content, agent personalities, conversation scripts, product catalogs, pricing, and lead records.
1.3 Conversation Data
Messages exchanged between your End Users and your AI Agents, including message content, timestamps, and conversation metadata (channel, session duration, resolution status).
1.4 Usage Data
We automatically collect IP addresses, browser type, device information, pages visited, feature usage patterns, and performance metrics (response times, error rates).
1.5 Payment Data
Payment information (credit card numbers, billing address) is collected and processed directly by Paddle, our Merchant of Record. We do not store your payment card details.
2. How We Use Your Information
- Provide the Service: Process conversations, generate AI responses, execute agent actions, and display your dashboard analytics.
- Improve the Service: Analyze aggregated, de-identified usage patterns to improve features, performance, and reliability.
- Billing: Manage subscriptions, process payments, and enforce plan limits (via Paddle).
- Communications: Send transactional emails (account alerts, approval requests, billing receipts) and, with your consent, product updates.
- Security: Detect abuse, prevent fraud, and enforce our Terms of Service.
3. AI Processing & Data Training
We do not use your Customer Data to train AI or machine learning models.
When your Agent processes a conversation, the message content is sent to third-party LLM providers (via OpenRouter) solely to generate a real-time response. These providers process the data under their own data processing agreements and do not retain conversation data for model training.
We use Retrieval-Augmented Generation (RAG) to provide your Agent with relevant knowledge — your data is stored as vector embeddings in our database and retrieved at query time. It is never used to fine-tune or train foundation models.
4. Third-Party Service Providers
We share data with the following categories of providers, solely to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Clerk | Authentication & identity | Name, email, org membership |
| Paddle | Payment processing (MoR) | Email, billing details |
| Supabase | Database & storage | All Customer Data (encrypted at rest) |
| OpenRouter + LLM providers | AI response generation | Conversation messages (transient) |
| Vercel | Dashboard hosting | IP, browser, usage logs |
| Railway | API & worker hosting | API request logs |
| Cloudflare | Widget hosting & CDN | IP, request metadata |
We do not sell your personal data to advertisers or data brokers.
5. Cookies & Tracking
We use the following types of cookies:
- Essential cookies: Required for authentication, session management, and locale preferences.
- Analytics cookies: Help us understand how the Service is used (aggregated, de-identified).
We do not use advertising cookies or cross-site tracking. You can disable non-essential cookies through your browser settings.
6. Data Retention
We retain your Customer Data for as long as your account is active and for a reasonable period thereafter to fulfill legal obligations, resolve disputes, and enforce our agreements.
Conversation data is retained for the duration of your subscription. Upon account deletion, we delete or anonymize your data within 30 days, except where retention is required by law.
7. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS) and at rest;
- Row-Level Security (RLS) for strict tenant isolation — your data is inaccessible to other customers at the database level;
- Role-based access controls and audit logging;
- Regular security reviews and dependency updates.
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
8. International Data Transfers
Camello is based in Colombia. Your data may be processed in the United States and other countries where our service providers operate (Supabase, Vercel, Railway, Cloudflare). We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required for transfers from the EU/EEA.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
All Users
- Access your personal data we hold;
- Correct inaccurate or incomplete data;
- Delete your account and associated data;
- Export your data in a portable format.
EU/EEA Residents (GDPR)
- Right to restrict or object to processing based on legitimate interest;
- Right to data portability;
- Right to withdraw consent at any time;
- Right to lodge a complaint with your local Data Protection Authority.
Colombian Residents (Ley 1581 de 2012)
- Right to know, update, and rectify your personal data (habeas data);
- Right to request deletion of your data;
- Right to revoke authorization for data processing;
- Right to file complaints with the Superintendencia de Industria y Comercio (SIC).
California Residents (CCPA)
- Right to know what personal information we collect and why;
- Right to delete your personal information;
- Right to opt out of the sale of personal information;
- Right to non-discrimination for exercising your rights.
To exercise any of these rights, contact us at privacy@camello.xyz.
10. Children’s Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the dashboard at least 30 days before they take effect. The “Effective date” at the top indicates the latest revision.
12. Contact
For privacy-related questions or to exercise your data rights, contact us at: privacy@camello.xyz.
Data Controller: Camello
Location: Colombia