Privacy Policy
Platform: aiagent.atavika.com
Effective Date: June 14, 2026
Atavika Innovation Private Limited (“Atavika,” “we,” “our,” or “us”) operates the Atavika AgentOS platform available at aiagent.atavika.com (“Platform” or “Service”) — a B2B SaaS product that enables businesses (“Tenants”) to deploy AI-powered voice and chat agents capable of autonomously handling customer conversations, lead capture, and appointment scheduling. This Privacy Policy explains how we collect, use, store, disclose, and protect your information. By accessing or using the Platform, you agree to the terms of this Privacy Policy.
ATAVIKA INNOVATION PRIVATE LIMITED is incorporated under the Companies Act, 2013, in India.
1. Scope
This Privacy Policy applies to:
- Atavika AgentOS web platform (aiagent.atavika.com)
- AI website chat widgets embedded by Tenants
- AI voice calling systems (powered by Twilio)
- WhatsApp Business automation services
- Google Calendar integration for appointment scheduling
- APIs, dashboards, and third-party integrations
- Business users (“Tenants” / “Customers”)
- End users interacting with Tenant-deployed AI agents
2. Information We Collect
A. Account Registration (Tenants)
Tenants register using email and password — not Google Sign-In. We collect:
- Business name and description
- Business email address
- Password (stored as a bcrypt hash — plain-text passwords are never stored)
- WhatsApp Business API credentials (stored encrypted at rest)
- Twilio voice credentials (stored encrypted at rest)
- Billing plan preferences and usage thresholds
- AI agent configuration (name, persona, system instructions, knowledge base)
B. Google Calendar Authorization (OAuth)
When a Tenant connects their Google Calendar for appointment scheduling, we receive an OAuth refresh token scoped exclusively to:
.../auth/calendar.readonly— to read free/busy times.../auth/calendar.events— to create, update, and delete booking events
We do not receive your Google account password. We do not access Gmail, Drive, Contacts, Photos, or any other Google service. See Section 4 for full details.
C. End-User / Customer Conversation Data
When end users interact with Tenant-deployed AI agents, we may process:
- Phone numbers, names, email addresses
- Chat message content and WhatsApp media
- Voice call recordings and transcripts
- Lead information and appointment booking requests
- Timestamps, IP address, device/browser type
D. Automatically Collected Information
- API request and error logs (for debugging and security)
- JWT session tokens (short-lived, stored client-side only)
- Anonymized usage statistics and performance diagnostics
3. How We Use Your Information
We do not use your data for advertising or sell it to third parties.
| Purpose | Data Used |
|---|---|
| Tenant account login | Business email, hashed password |
| AI agent training & configuration | Knowledge base, agent settings |
| Real-time calendar availability checking | Google Calendar free/busy times |
| Automated appointment booking | Google Calendar write access (create events) |
| Appointment cancellation / rescheduling | Google Calendar write access (delete/update events) |
| AI conversation processing | Chat/voice transcripts, lead data |
| Billing & usage tracking | Plan, call minutes, messages |
| WhatsApp messaging | WhatsApp credentials, message content |
| Voice call routing | Twilio credentials, call logs |
| Security & abuse prevention | IP address, request logs |
| Service improvement | Anonymized analytics, error logs |
4. Google Calendar OAuth — Scope Justification, Data Use & Disclosure
4.1 Why We Request Calendar Access
Atavika AgentOS enables Tenants to offer AI-driven appointment booking to their customers. The AI agent must be able to autonomously check the business owner’s calendar for availability and create or remove events when bookings are confirmed or cancelled. These operations require the following OAuth scopes:
4.2 Scope: .../auth/calendar.readonly
Purpose:Read the business owner’s calendar busy times to verify slot availability before offering appointment options to clients.
How it is used: When a client requests an appointment, the AI agent queries the Google Calendar API in real-time to retrieve free/busy blocks for the requested date range. This prevents double-bookings by ensuring only genuinely available slots are offered. We read only free/busy information — we do not read event titles, descriptions, attendee lists, or any other event metadata.
Why a more limited scope is insufficient: Without this scope, the AI assistant cannot verify availability, resulting in scheduling conflicts and double-bookings.
4.3 Scope: .../auth/calendar.events
Purpose: Programmatically create a calendar invite when a client confirms a booking, and delete or update the event when the client cancels or reschedules.
How it is used:When a client confirms an appointment through the AI assistant, we create a Google Calendar event in the Tenant’s calendar with the booking details (client name, time slot, meeting type). When cancelled or rescheduled, we delete or update the corresponding event. All calendar operations are strictly triggered by real-time client interactions — no background scanning or batch operations occur.
Why a more limited scope is insufficient: Without this scope, the AI agent cannot write appointments to the calendar, making the core booking feature non-functional.
4.4 Calendar Data We Access vs. Store
| Data Accessed | Purpose | Stored? |
|---|---|---|
| Free/busy time blocks | Check slot availability | No — queried in real-time only |
| Calendar event ID (on booking create) | Reference for future cancel/reschedule | Yes — in Supabase, encrypted |
| Booking event details (time, title) | Create calendar invite for Tenant | Yes — as appointment record |
We do not read or store: event descriptions or notes, attendee email addresses of pre-existing events, recurring event patterns, or any calendar data unrelated to booking operations.
4.5 Sharing, Transfer & Disclosure of Google Calendar Data
We do not share Google Calendar data with any advertising or marketing platform, sell or rent it, or use it to build user profiles beyond scheduling functionality.
We disclose Google Calendar data only in these limited circumstances:
| Recipient | Purpose | What Is Shared |
|---|---|---|
| Google Calendar API | Read availability; create/delete booking events | OAuth tokens used to call the API on Tenant's behalf |
| Hetzner VPS (Backend Server) | Processing all API requests | OAuth tokens and booking records processed in memory |
| Supabase (Database) | Storing OAuth tokens and appointment records | OAuth refresh tokens (encrypted), booking event IDs |
| Google Gemini / Grok AI | AI determines available slots and generates booking messages | Availability time ranges only — no raw calendar event content |
| Law enforcement / legal authorities | If required by applicable law or court order | Minimum data required by law |
4.6 OAuth Token Storage & Revocation
- OAuth refresh tokens are stored encrypted at rest in our Supabase database.
- Short-lived access tokens are requested on-demand and never persisted.
- Tenants can revoke access at any time via Platform Settings → Integrations → Disconnect Google Calendar, or via myaccount.google.com/permissions.
- Upon revocation or account deletion, all stored OAuth tokens are immediately invalidated and deleted.
4.7 Google API Limited Use Disclosure
Atavika AgentOS's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, the use and transfer of raw or derived user data received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
5. AI Services We Use
Atavika AgentOS uses third-party AI providers to power agent responses and voice interactions.
| AI Provider | Purpose | Data Sent |
|---|---|---|
| Google Gemini (via langchain-google-genai) | Generative AI for chat and voice agent responses, intent understanding, and conversation management | Conversation content (user messages, agent context) |
| Grok (xAI) | Generative AI and native audio processing for voice interactions | Conversation content and voice audio transcripts |
Important: Google account data (email, name) and raw Google Calendar event content are never sent to any AI provider. Only computed availability time ranges are shared with the AI to generate booking suggestions. Both providers process data subject to their own Terms of Service; Atavika does not permit them to use your data for training their models under our API agreements.
6. Third-Party Services We Use
We do not allow these services to sell your data. Each processes only the minimum data required.
| Service | Purpose | Data Processed |
|---|---|---|
| Google Calendar API | Appointment availability & booking | Calendar free/busy times, booking event data |
| Google Gemini | AI chat & voice intelligence | Conversation messages and context |
| Grok (xAI) | AI generation & native audio voice processing | Conversation messages, voice audio |
| Twilio | Voice call routing and telephony | Phone numbers, call metadata, voice audio |
| WhatsApp Business API (Meta) | Business messaging channel | Message content, media, phone numbers |
| Hetzner VPS | Backend application server & compute | All application traffic processed here |
| Supabase | PostgreSQL database hosting | All Platform data (encrypted at rest) |
| SMTP Email Provider | Transactional notifications | Business email address |
7. Data Storage & Security
Infrastructure
- Backend Server: Hosted on Hetzner VPS (dedicated virtual private server) — all API requests are processed here.
- Database: Supabase (managed PostgreSQL) — Tenant accounts, agent configurations, conversation records, and OAuth tokens are stored here, encrypted at rest.
Security Practices
- HTTPS / TLS enforced on all connections
- JWT-based stateless authentication with 24-hour expiry
- bcrypt password hashing — plain-text passwords are never stored
- Encrypted storage for all third-party API credentials and OAuth tokens
- Tenant data isolation — each business account is strictly separated
- Rate limiting and brute-force protection on auth endpoints
- CORS origin allowlist enforcement
- PII redaction from application logs
- Regular security reviews and dependency audits
While we follow security best practices, no system can guarantee 100% security. In the event of a data breach, we will notify affected users as required by applicable law.
8. Call Recording & Consent
Certain AI voice calling features may record calls or generate transcripts. Tenants are responsible for:
- Obtaining legally required consent from end users
- Providing legally required disclosures before recording
- Complying with local telecom, privacy, and recording laws
Atavika is not responsible for unlawful recording or misuse by Tenants.
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Tenant account & business profile | Until account deletion |
| AI agent configuration & knowledge base | Until Tenant deletes or account closes |
| Google Calendar OAuth tokens | Until Tenant disconnects or account closes |
| Conversation transcripts & lead data | 90 days (configurable per Tenant) |
| Appointment booking records | Until completed/cancelled + 90 days |
| Voice call recordings | Until deleted by Tenant or retention setting |
| Billing records | 7 years (financial compliance requirement) |
| System & access logs | 30 days (rolling) |
10. International Data Transfers
Atavika Innovation Pvt Ltd is based in India. Our infrastructure (Hetzner VPS) and database (Supabase) may be hosted in data centers in Germany (EU) or other jurisdictions. AI providers (Google Gemini, Grok/xAI) process data under their respective data processing agreements. By using the Platform, you consent to the transfer and processing of your data in these jurisdictions.
11. Customer Responsibilities
Businesses using Atavika AgentOS are responsible for:
- Compliance with applicable privacy laws
- Obtaining end-user consent where required
- Providing required notices and disclosures
- Lawful handling of customer data
- Monitoring AI-generated communications before deployment
- Compliance with WhatsApp, Twilio, and telecom regulations
12. Children's Privacy
Atavika AgentOS is a business platform intended solely for adults (18+). We do not knowingly collect personal information from children under 13. If we discover such data has been submitted, it will be deleted immediately.
13. Your Rights
Depending on your jurisdiction (India — IT Act 2000 / DPDPA 2023, GDPR for applicable regions), you may have the right to:
- Access a copy of data we hold about your account
- Correct inaccurate information
- Request deletion of your account and associated data
- Request a machine-readable export of your data
- Revoke Google Calendar access via Platform settings or myaccount.google.com/permissions
14. Account & Integration Deletion
To delete your account and all associated data, email contact@atavika.com with the subject “Account Deletion Request”. Your account will be permanently deleted within 30 days of verification. Billing records required for financial compliance may be retained for up to 7 years.
To disconnect Google Calendar, go to Platform Settings → Integrations → Disconnect Google Calendar, or visit myaccount.google.com/permissions. All stored OAuth tokens will be immediately deleted upon disconnection.
15. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email to your registered business address and via an in-platform notification banner. Continued use of the Platform after changes constitutes acceptance of the revised policy.
16. Contact Information
ATAVIKA INNOVATION PRIVATE LIMITED
Bengaluru – 560038, Karnataka, India
Email: contact@atavika.com
Website: www.atavika.com
Platform: aiagent.atavika.com
Mobile: 9999538868
For privacy-specific concerns, please email with the subject line: “Privacy Policy — Atavika AgentOS”