Privacy Policy

Optivian · Last updated: June 2, 2026

I. Introduction

In the following, we provide information about the collection and processing of personal data in the context of the AI sales co-worker and platform and related cloud-based services provided by Optivian Solutions Oy ("Optivian", "we", "us").

Depending on the processing activity, Optivian acts either as a Processor or a Controller:

As a Processor (see Section II), we process your personal data on behalf of your employer (our Customer), who in this case is the Controller. Please contact your employer directly for any questions regarding such processing.

As a Controller (see Section III), we process personal data for our own business purposes, such as account administration, billing, support, marketing, and website operation.

The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal data from children.

II. Optivian as a Processor

Our platform is provided to companies as an AI sales co-worker and platform. If the Service is made available to you by your employer, your employer is the Controller of your personal data and Optivian is the Processor. Optivian processes your personal data only under the documented instructions of your employer (an Article 28 Data Processing Agreement) and is not responsible for your employer’s independent privacy practices.

1. Types of personal data processed as a Processor

a) Profile data

Name, work email address, profile photo, login credentials.

Additional profile attributes may be added by you or your employer.

b) Customer data

CRM records from connected systems (Salesforce or HubSpot), such as contacts, opportunities and deal stages.

Business communications related to sales (e.g. work emails, meeting notes).

c) Calendar and meeting data

If you choose to connect your Google Calendar or Microsoft Outlook account, we access calendar event data through our sub-processor Recall (Hyperdoc, Inc.) to identify and join meetings for recording purposes. Transcription is performed by our sub-processor AssemblyAI, Inc. This data includes:

Calendar event metadata (event titles, scheduled times, attendee lists, and meeting URLs).

Meeting recordings and transcripts.

Speaker identification and timeline data.

Where a meeting is recorded, the customer (Controller) is responsible for providing notice and a lawful basis to all participants, including those who are not users of the Service.

Meeting recordings are deleted from our recording sub-processor within 72 hours of processing.

d) Access and technical data

IP address, browser type, operating system, device identifiers, date and time of access, error logs, and usage metrics (for stability and security).

e) Metadata

Pseudonymised statistics about how the Service is used.

2. Use of AI and profiling as a Processor

The Service uses artificial intelligence models to analyse Customer Data and generate sales recommendations and insights.

Some of this processing may constitute profiling under the GDPR, as it can involve automated analysis of personal data to identify patterns, assess engagement, evaluate commercial relationships, or predict likely sales outcomes.

The AI outputs are advisory only and are designed to support human decision-making. Optivian does not use solely automated decision-making that produces legal effects or similarly significant effects on individuals. All business decisions remain the responsibility of human users acting on behalf of the Customer.

Data subjects have the right to object to profiling under GDPR Art. 21. If Optivian were ever to introduce fully automated decision-making with legal or significant effects, data subjects would also have the right to request human intervention, express their views, and contest the decision (Art. 22 GDPR).

All AI-related data transfers occur over encrypted connections. Our AI inference providers are contractually prohibited from using Customer Data to train or optimise their general AI models.

3. Storage duration as a Processor

Customer Data: Deleted within 90 days after contract termination, unless required longer for legal claims.

User Account Data: Deleted within 90 days after termination of the Customer’s contract.

Technical Logs: Deleted within 90 days.

III. Optivian as a Controller

Optivian is the Controller for personal data processed for our own business purposes, including account management, billing, communications, support, marketing, and website operation.

1. Categories of data processed as a Controller

a) Account and contact data

Names, job titles, business email addresses, profile photos, Customer billing information.

b) Support and communication data

Data from support requests, administrative correspondence, or other communications with Optivian.

c) Website and marketing data

Cookies and analytics information (where applicable). For details of cookies used on our website, see our Cookie Notice.

Newsletter or product update subscription information.

2. Legal bases for processing as a Controller

Optivian processes personal data under the following GDPR legal bases (Art. 6):

Contract (Art. 6(1)(b)): To provide and administer the Service, manage user accounts, and fulfil agreements.

Legitimate Interest (Art. 6(1)(f)): To secure, improve and operate the Service, support Customers, and communicate relevant updates.

Legal Obligation (Art. 6(1)(c)): To comply with statutory obligations (e.g. tax, accounting).

Consent (Art. 6(1)(a)): For optional activities such as marketing or participation in product feedback programs. Consent can be withdrawn at any time.

3. Storage duration as a Controller

Account and billing data: Stored for the duration of the contractual relationship and thereafter as required by law.

Marketing data: Retained until you withdraw consent or opt out.

Support and communications data: Retained as long as necessary to resolve the issue and for legitimate record-keeping.

4. How we use your information

We use the information for a few key purposes:

To Provide and Improve the Service: We use technical and usage data to operate, maintain and improve the Service, including stability, performance and feature development.

For Security and Troubleshooting: We monitor our systems to prevent security incidents and fix bugs.

To Communicate With You: We use your contact information to send service updates and support messages.

To Create Anonymised Insights: We may anonymise and aggregate data to analyse usage trends and improve our product. This Anonymised Data cannot be used to identify any individual or company.

IV. International transfers and data residency

Optivian is based in Finland. By default, the Service is hosted in the European Union. For customers requiring US data residency, US-based hosting is available as an option, selected per customer at onboarding; customer data then resides in the selected US region.

Where personal data is processed by sub-processors with operations in third countries (such as the United States), appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and, where applicable, certification under the EU–U.S. Data Privacy Framework (DPF).

V. Sub-processors

To deliver the Service and operate our business, Optivian engages a small number of sub-processors. These include hosting and database providers, AI inference providers, meeting capture and transcription providers, error-tracking and analytics providers. All sub-processors are bound by written Data Processing Agreements.

The current list of sub-processors is set out in our Data Processing Agreement, available at optivian.ai/dpa.

VI. Your Rights

As a data subject, you have the following rights under the GDPR (depending on the processing context and legal basis):

Right of access: to obtain confirmation as to whether your personal data is processed and to receive a copy (Art. 15 GDPR).

Right to rectification: to correct inaccurate or incomplete personal data (Art. 16 GDPR).

Right to erasure ("right to be forgotten"): to request deletion of personal data under certain conditions (Art. 17 GDPR).

Right to restriction of processing: to request limitation of processing under certain conditions (Art. 18 GDPR).

Right to data portability: to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another Controller (Art. 20 GDPR).

Right to object: to processing of personal data, including profiling, where the legal basis is legitimate interest (Art. 21 GDPR).

Right to withdraw consent: if processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal (Art. 7(3) GDPR).

We will respond to rights requests without undue delay and at the latest within one month of receipt.

For Customer Data (e.g. CRM records, work emails) processed by Optivian as a Processor, please contact your employer (the Controller).

For User Account, billing or website data processed by Optivian as a Controller, please contact us at info@optivian.ai.

You also have the right to lodge a complaint with your local data protection authority.

VII. Changes to this Policy

We may update this Privacy Policy from time to time. If we make any material changes, we will notify Customers’ designated administrators by email or through the Service. The updated version will always be available at optivian.ai/privacy.

VIII. Contact

If you have any questions about this Privacy Policy or our handling of your personal data, please reach out.