Who we are
Xovera is operated by Kroc Fitness & Lifestyle Pty Ltd (“Xovera”, “we”, “us”). We provide an AI conversational agent platform that connects to your CRM and messaging channels (including Facebook Pages, Instagram, SMS, and voice) to handle customer conversations on your behalf.
What we collect
- Account data. Email, name, workspace name, and authentication tokens.
- Connected-platform data. Access tokens and metadata for the platforms you connect — e.g. Facebook Page IDs, Instagram Business accounts, CRM contact lists, calendars.
- Conversation data. Messages exchanged between your agents and end users on connected channels, including timestamps and channel identifiers.
- Usage data. Logs of how you use the product (page views, feature usage, error reports) to operate and improve the service.
How we use it
- To run your AI agents — receive incoming messages, generate replies, send them back through the original channel.
- To sync contacts, appointments, and pipeline updates with your connected CRM.
- To provide product analytics and account support.
- To detect abuse, debug errors, and meet legal obligations.
We do not sell your data, and we do not use end-user message content to train foundation AI models.
Data from Facebook and Instagram
When you connect a Facebook Page or Instagram Business account through Meta’s Login for Business flow, we receive a Page access token (or System User token) and metadata for the assets you select during consent. We use this exclusively to send and receive messages through Messenger and Instagram Direct on your behalf.
We retain these tokens for as long as the connection is active. If you remove Xovera from Facebook Settings → Business Integrations, Meta sends a deauthorization webhook and we automatically purge the token and cached Page metadata.
Sharing
We share data only with subprocessors required to run the service: cloud hosting (Vercel), database (Supabase), AI inference providers (OpenAI, Anthropic), and telephony (Twilio, Vonage). Each subprocessor is contractually bound to confidentiality and security obligations. We don’t share your data with advertisers or data brokers.
Retention
Account, workspace, and conversation data is retained for as long as your account is active. Connected-platform tokens are deleted when you disconnect that platform. Backups are retained for 30 days. After account deletion, all personal data is removed within 30 days, except where we’re required by law to retain billing or audit records.
Your rights
You can access, correct, or delete your data at any time. To request deletion, see our
Data Deletion page or email us at
support@xovera.io. If you’re in the EU, UK, or California, you have additional rights under GDPR, UK GDPR, or CCPA respectively — including the right to object to processing and the right to data portability. We’ll respond to verified requests within 30 days.
Security
We encrypt data in transit (TLS 1.2+) and at rest (AES-256). Access tokens are encrypted with a key separate from the application database. Production access is limited to authorized engineering staff and audited.
Children
Xovera is not intended for use by anyone under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we’ll delete it.
Changes
We may update this policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days before they take effect.