Privacy Policy

Platform: aiagent.atavika.com

Effective Date: June 14, 2026

Atavika Innovation Private Limited (“Atavika,” “we,” “our,” or “us”) operates the Atavika AgentOS platform available at aiagent.atavika.com (“Platform” or “Service”) — a B2B SaaS product that enables businesses (“Tenants”) to deploy AI-powered voice and chat agents capable of autonomously handling customer conversations, lead capture, and appointment scheduling. This Privacy Policy explains how we collect, use, store, disclose, and protect your information. By accessing or using the Platform, you agree to the terms of this Privacy Policy.

ATAVIKA INNOVATION PRIVATE LIMITED is incorporated under the Companies Act, 2013, in India.


1. Scope

This Privacy Policy applies to:

  • Atavika AgentOS web platform (aiagent.atavika.com)
  • AI website chat widgets embedded by Tenants
  • AI voice calling systems (powered by Twilio)
  • WhatsApp Business automation services
  • Google Calendar integration for appointment scheduling
  • APIs, dashboards, and third-party integrations
  • Business users (“Tenants” / “Customers”)
  • End users interacting with Tenant-deployed AI agents

2. Information We Collect

A. Account Registration (Tenants)

Tenants register using email and password — not Google Sign-In. We collect:

  • Business name and description
  • Business email address
  • Password (stored as a bcrypt hash — plain-text passwords are never stored)
  • WhatsApp Business API credentials (stored encrypted at rest)
  • Twilio voice credentials (stored encrypted at rest)
  • Billing plan preferences and usage thresholds
  • AI agent configuration (name, persona, system instructions, knowledge base)

B. Google Calendar Authorization (OAuth)

When a Tenant connects their Google Calendar for appointment scheduling, we receive an OAuth refresh token scoped exclusively to:

  • .../auth/calendar.readonly — to read free/busy times
  • .../auth/calendar.events — to create, update, and delete booking events

We do not receive your Google account password. We do not access Gmail, Drive, Contacts, Photos, or any other Google service. See Section 4 for full details.

C. End-User / Customer Conversation Data

When end users interact with Tenant-deployed AI agents, we may process:

  • Phone numbers, names, email addresses
  • Chat message content and WhatsApp media
  • Voice call recordings and transcripts
  • Lead information and appointment booking requests
  • Timestamps, IP address, device/browser type

D. Automatically Collected Information

  • API request and error logs (for debugging and security)
  • JWT session tokens (short-lived, stored client-side only)
  • Anonymized usage statistics and performance diagnostics

3. How We Use Your Information

We do not use your data for advertising or sell it to third parties.

PurposeData Used
Tenant account loginBusiness email, hashed password
AI agent training & configurationKnowledge base, agent settings
Real-time calendar availability checkingGoogle Calendar free/busy times
Automated appointment bookingGoogle Calendar write access (create events)
Appointment cancellation / reschedulingGoogle Calendar write access (delete/update events)
AI conversation processingChat/voice transcripts, lead data
Billing & usage trackingPlan, call minutes, messages
WhatsApp messagingWhatsApp credentials, message content
Voice call routingTwilio credentials, call logs
Security & abuse preventionIP address, request logs
Service improvementAnonymized analytics, error logs

4. Google Calendar OAuth — Scope Justification, Data Use & Disclosure

Note: Google OAuth on Atavika AgentOS is used exclusively for Google Calendar integration — not for login or authentication. Tenants log in using their email and password.

4.1 Why We Request Calendar Access

Atavika AgentOS enables Tenants to offer AI-driven appointment booking to their customers. The AI agent must be able to autonomously check the business owner’s calendar for availability and create or remove events when bookings are confirmed or cancelled. These operations require the following OAuth scopes:

4.2 Scope: .../auth/calendar.readonly

Purpose:Read the business owner’s calendar busy times to verify slot availability before offering appointment options to clients.

How it is used: When a client requests an appointment, the AI agent queries the Google Calendar API in real-time to retrieve free/busy blocks for the requested date range. This prevents double-bookings by ensuring only genuinely available slots are offered. We read only free/busy information — we do not read event titles, descriptions, attendee lists, or any other event metadata.

Why a more limited scope is insufficient: Without this scope, the AI assistant cannot verify availability, resulting in scheduling conflicts and double-bookings.

4.3 Scope: .../auth/calendar.events

Purpose: Programmatically create a calendar invite when a client confirms a booking, and delete or update the event when the client cancels or reschedules.

How it is used:When a client confirms an appointment through the AI assistant, we create a Google Calendar event in the Tenant’s calendar with the booking details (client name, time slot, meeting type). When cancelled or rescheduled, we delete or update the corresponding event. All calendar operations are strictly triggered by real-time client interactions — no background scanning or batch operations occur.

Why a more limited scope is insufficient: Without this scope, the AI agent cannot write appointments to the calendar, making the core booking feature non-functional.

4.4 Calendar Data We Access vs. Store

Data AccessedPurposeStored?
Free/busy time blocksCheck slot availabilityNo — queried in real-time only
Calendar event ID (on booking create)Reference for future cancel/rescheduleYes — in Supabase, encrypted
Booking event details (time, title)Create calendar invite for TenantYes — as appointment record

We do not read or store: event descriptions or notes, attendee email addresses of pre-existing events, recurring event patterns, or any calendar data unrelated to booking operations.

4.5 Sharing, Transfer & Disclosure of Google Calendar Data

We do not share Google Calendar data with any advertising or marketing platform, sell or rent it, or use it to build user profiles beyond scheduling functionality.

We disclose Google Calendar data only in these limited circumstances:

RecipientPurposeWhat Is Shared
Google Calendar APIRead availability; create/delete booking eventsOAuth tokens used to call the API on Tenant's behalf
Hetzner VPS (Backend Server)Processing all API requestsOAuth tokens and booking records processed in memory
Supabase (Database)Storing OAuth tokens and appointment recordsOAuth refresh tokens (encrypted), booking event IDs
Google Gemini / Grok AIAI determines available slots and generates booking messagesAvailability time ranges only — no raw calendar event content
Law enforcement / legal authoritiesIf required by applicable law or court orderMinimum data required by law

4.6 OAuth Token Storage & Revocation

  • OAuth refresh tokens are stored encrypted at rest in our Supabase database.
  • Short-lived access tokens are requested on-demand and never persisted.
  • Tenants can revoke access at any time via Platform Settings → Integrations → Disconnect Google Calendar, or via myaccount.google.com/permissions.
  • Upon revocation or account deletion, all stored OAuth tokens are immediately invalidated and deleted.

4.7 Google API Limited Use Disclosure

Atavika AgentOS's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, the use and transfer of raw or derived user data received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.


5. AI Services We Use

Atavika AgentOS uses third-party AI providers to power agent responses and voice interactions.

AI ProviderPurposeData Sent
Google Gemini (via langchain-google-genai)Generative AI for chat and voice agent responses, intent understanding, and conversation managementConversation content (user messages, agent context)
Grok (xAI)Generative AI and native audio processing for voice interactionsConversation content and voice audio transcripts

Important: Google account data (email, name) and raw Google Calendar event content are never sent to any AI provider. Only computed availability time ranges are shared with the AI to generate booking suggestions. Both providers process data subject to their own Terms of Service; Atavika does not permit them to use your data for training their models under our API agreements.


6. Third-Party Services We Use

We do not allow these services to sell your data. Each processes only the minimum data required.

ServicePurposeData Processed
Google Calendar APIAppointment availability & bookingCalendar free/busy times, booking event data
Google GeminiAI chat & voice intelligenceConversation messages and context
Grok (xAI)AI generation & native audio voice processingConversation messages, voice audio
TwilioVoice call routing and telephonyPhone numbers, call metadata, voice audio
WhatsApp Business API (Meta)Business messaging channelMessage content, media, phone numbers
Hetzner VPSBackend application server & computeAll application traffic processed here
SupabasePostgreSQL database hostingAll Platform data (encrypted at rest)
SMTP Email ProviderTransactional notificationsBusiness email address

7. Data Storage & Security

Infrastructure

  • Backend Server: Hosted on Hetzner VPS (dedicated virtual private server) — all API requests are processed here.
  • Database: Supabase (managed PostgreSQL) — Tenant accounts, agent configurations, conversation records, and OAuth tokens are stored here, encrypted at rest.

Security Practices

  • HTTPS / TLS enforced on all connections
  • JWT-based stateless authentication with 24-hour expiry
  • bcrypt password hashing — plain-text passwords are never stored
  • Encrypted storage for all third-party API credentials and OAuth tokens
  • Tenant data isolation — each business account is strictly separated
  • Rate limiting and brute-force protection on auth endpoints
  • CORS origin allowlist enforcement
  • PII redaction from application logs
  • Regular security reviews and dependency audits

While we follow security best practices, no system can guarantee 100% security. In the event of a data breach, we will notify affected users as required by applicable law.


8. Call Recording & Consent

Certain AI voice calling features may record calls or generate transcripts. Tenants are responsible for:

  • Obtaining legally required consent from end users
  • Providing legally required disclosures before recording
  • Complying with local telecom, privacy, and recording laws

Atavika is not responsible for unlawful recording or misuse by Tenants.


9. Data Retention

Data TypeRetention Period
Tenant account & business profileUntil account deletion
AI agent configuration & knowledge baseUntil Tenant deletes or account closes
Google Calendar OAuth tokensUntil Tenant disconnects or account closes
Conversation transcripts & lead data90 days (configurable per Tenant)
Appointment booking recordsUntil completed/cancelled + 90 days
Voice call recordingsUntil deleted by Tenant or retention setting
Billing records7 years (financial compliance requirement)
System & access logs30 days (rolling)

10. International Data Transfers

Atavika Innovation Pvt Ltd is based in India. Our infrastructure (Hetzner VPS) and database (Supabase) may be hosted in data centers in Germany (EU) or other jurisdictions. AI providers (Google Gemini, Grok/xAI) process data under their respective data processing agreements. By using the Platform, you consent to the transfer and processing of your data in these jurisdictions.


11. Customer Responsibilities

Businesses using Atavika AgentOS are responsible for:

  • Compliance with applicable privacy laws
  • Obtaining end-user consent where required
  • Providing required notices and disclosures
  • Lawful handling of customer data
  • Monitoring AI-generated communications before deployment
  • Compliance with WhatsApp, Twilio, and telecom regulations

12. Children's Privacy

Atavika AgentOS is a business platform intended solely for adults (18+). We do not knowingly collect personal information from children under 13. If we discover such data has been submitted, it will be deleted immediately.


13. Your Rights

Depending on your jurisdiction (India — IT Act 2000 / DPDPA 2023, GDPR for applicable regions), you may have the right to:

  • Access a copy of data we hold about your account
  • Correct inaccurate information
  • Request deletion of your account and associated data
  • Request a machine-readable export of your data
  • Revoke Google Calendar access via Platform settings or myaccount.google.com/permissions

14. Account & Integration Deletion

To delete your account and all associated data, email contact@atavika.com with the subject “Account Deletion Request”. Your account will be permanently deleted within 30 days of verification. Billing records required for financial compliance may be retained for up to 7 years.

To disconnect Google Calendar, go to Platform Settings → Integrations → Disconnect Google Calendar, or visit myaccount.google.com/permissions. All stored OAuth tokens will be immediately deleted upon disconnection.


15. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email to your registered business address and via an in-platform notification banner. Continued use of the Platform after changes constitutes acceptance of the revised policy.


16. Contact Information

ATAVIKA INNOVATION PRIVATE LIMITED

Bengaluru – 560038, Karnataka, India

Email: contact@atavika.com

Website: www.atavika.com

Platform: aiagent.atavika.com

Mobile: 9999538868

For privacy-specific concerns, please email with the subject line: “Privacy Policy — Atavika AgentOS”