Privacy policy

This Privacy Policy ("Policy") describes how ShopAdvisor Inc., a
Delaware corporation doing business as "Cignara" ("Cignara," "we,"
"us," or "our"), collects, uses, shares, and protects personal
information in connection with cignara.com and the products,
features, content, dashboards, and APIs we make available through
it (collectively, the "Service").

This Policy applies to visitors to our website and to people who
use the Service in a personal capacity, including prospective and
existing customers, partners, applicants, and event attendees. When
our customers deploy the Service to handle conversations with
their own end users, those customers act as the data controller
(or "business" under California law) for that end-user data, and
Cignara processes that data on their behalf under a separate
written agreement. Please contact the relevant customer for their
own privacy practices.

1. SUMMARY

• We collect information you give us, information about how you
use the Service, and information from a small number of
vendors that help us run our business.
• We use information to operate, secure, and improve the Service,
to communicate with you, and to meet legal obligations.
• We do NOT sell your personal information, and we do NOT use
customer conversation data to train foundation or third-party
large language models.
• We retain personal information only as long as needed for the
purposes described in this Policy, subject to legal-hold
obligations.
• You have rights over your personal information, including
access, correction, deletion, portability, and objection,
described in Section 9.
• Questions? Email compliance@cignara.com.

2. INFORMATION WE COLLECT

2.1 Information you give us. When you contact us, request a demo,
sign up for an account, subscribe to a newsletter, attend an
event, apply for a job, or otherwise interact with us, you may
provide:

• Identifiers — name, business email, phone number, job title, company name, country. • Communications — the content of messages you send us, including via forms, email, chat, voicemail, or calendar invites. • Account credentials — sign-in identifiers and authentication data for any account we provision for you. • Recruiting information — resume, work history, references, and other information you submit when applying for a role.

2.2 Information collected automatically. When you visit cignara.com
or interact with the Service, we automatically collect:

• Device and connection data — IP address, browser type, operating system, language preference, referrer, and approximate location derived from IP. • Usage data — pages and features viewed, links clicked, search queries, time-stamped event logs, performance metrics, and error data. • Cookies and similar technologies — see Section 11.

2.3 Information from other sources. We may receive information
about you from:

• Service vendors who help us deliver the Service (for example, cloud-infrastructure providers, communications vendors, and analytics or marketing partners). • Publicly available sources, including business directories and social-media profiles you have made public. • Customers or partners that refer you to us.

2.4 Customer conversation data. Where Cignara processes voice,
chat, transcript, or related conversation data on behalf of a
customer, we do so as a data processor under that customer's
instructions and the written contract between us. We handle that
data only to provide the Service, to maintain security, and to
comply with law. We do not use that data to train foundation or
third-party large language models, and our vendors are
contractually prohibited from doing the same.

2.5 Sensitive information. We do not seek to collect sensitive
categories of personal information (such as health, biometric,
financial-account, or government-ID data) about visitors to our
website. Where customers deploy the Service to handle conversations
that may include sensitive information, our processing of that
information is governed by the contract with the customer and any
applicable data-processing addendum.

3. HOW WE USE INFORMATION

We use personal information to:

(a) provide, operate, maintain, and support the Service; (b) authenticate users and prevent fraudulent, unauthorized, or illegal activity; (c) measure, monitor, and improve the Service, including performance, quality, and security; (d) respond to inquiries, requests for information, demos, sales conversations, and customer-support tickets; (e) send service-related communications, including security notices, billing notices, and policy updates; (f) with your consent or as otherwise permitted by law, send marketing communications about our products and events, from which you can unsubscribe at any time; (g) administer recruiting and consider applicants for employment; (h) comply with applicable laws, respond to lawful requests from authorities, and enforce our Terms of Use; and (i) protect the rights, property, and safety of Cignara, our customers, and the public.

4. LEGAL BASES FOR PROCESSING (EU / UK)

If you are located in the European Economic Area, the United
Kingdom, or Switzerland, we process personal information on the
following legal bases under the EU/UK GDPR:

• Contractual necessity — to provide the Service you have requested or that your organization has signed up for. • Legitimate interests — to operate, secure, and improve the Service, to communicate about our products, and to prevent fraud, provided those interests are not overridden by your rights and freedoms. • Consent — where you have given us specific consent, for example, for certain marketing communications or cookies. You may withdraw consent at any time. • Legal obligation — to comply with applicable laws and lawful requests.

5. AI TRAINING AND CUSTOMER DATA

We design our Service to keep customer data within the customer's
own logical environment. Specifically:

• We do not use customer conversation data, customer-provided knowledge bases, or any other customer content to train, fine-tune, or improve foundation or third-party large language models. • Our vendors that provide model inference, speech-to-text, text-to-speech, or telephony are contractually required to process customer data only on our instructions and not to use it for their own training or other purposes. • Where we operate Cignara-managed model infrastructure, we may use de-identified, aggregated operational telemetry (for example, latency, error rates, throughput) to monitor and improve the Service, but not to train language models on customer content. • Where a customer separately opts in to a feature that uses their data to improve their own configuration of the Service (for example, an internal evaluation or fine-tune), we do so only for that customer's benefit, in accordance with the contract between us.

6. SHARING OF INFORMATION

We share personal information only as described below.

6.1 Service vendors and sub-processors. We rely on a limited number
of trusted vendors who help us operate the Service, including
cloud-infrastructure providers, communications vendors, model and
speech vendors, analytics and customer-support tools, billing
vendors, and security and compliance vendors. These vendors are
contractually bound to use personal information only to perform
services for us and to maintain appropriate security and
confidentiality.

A current list of material sub-processors used for the production
Service can be made available to customers on request to
compliance@cignara.com. We provide customers with notice of changes
to our sub-processor list as required under the relevant data
processing agreement.

6.2 Legal compliance and protection. We may disclose personal
information when we believe in good faith that disclosure is
required:

(a) to comply with applicable law, legal process, or lawful government requests; (b) to enforce our Terms of Use and other agreements; (c) to detect, prevent, or address fraud, security, compliance, or technical issues; or (d) to protect the rights, property, or safety of Cignara, our customers, our employees, or the public.

6.3 Business transfers. If we are involved in a merger,
acquisition, financing, reorganization, bankruptcy, or sale of
assets, personal information may be transferred as part of that
transaction. We will require the receiving entity to honor this
Policy with respect to information transferred to it.

6.4 With your consent. We may share personal information for any
other purpose disclosed to you at the time of collection or with
your consent.

We do not sell or "share" personal information for cross-context
behavioral advertising as defined under California law.

7. DATA RETENTION

We retain personal information for as long as needed to fulfill
the purposes described in this Policy, to comply with our legal,
accounting, or reporting obligations, to resolve disputes, and to
enforce our agreements. When personal information is no longer
required, we delete or anonymize it in accordance with our
retention schedule.

For customer conversation data processed on behalf of a customer,
retention is governed by the customer's own retention settings and
the contract between us, including any data processing addendum.

8. DATA SECURITY

We maintain a written information-security program designed to
protect personal information against unauthorized access,
disclosure, alteration, or destruction. Our controls include
administrative, technical, and physical safeguards, including:

• encryption of data in transit using industry-standard protocols, and encryption of data at rest using industry-standard algorithms; • role-based access control with least-privilege defaults and mandatory multi-factor authentication for production systems; • continuous monitoring, logging, and alerting on production infrastructure; • secure software-development practices, code review, and vulnerability management; • vendor risk-management and contractual security requirements for sub-processors; and • incident-response procedures, including documented breach notification commitments.

No system is perfectly secure. If you have reason to believe an
account or interaction with the Service is no longer secure, please
contact us immediately at compliance@cignara.com.

In the event of a personal-data breach affecting your information,
we will notify you and applicable regulators as required by law
and by our contracts with our customers.

9. YOUR RIGHTS

Subject to applicable law, you have rights with respect to your
personal information, which may include the right to:

• access the personal information we hold about you; • correct inaccurate or incomplete personal information; • request deletion of personal information; • restrict or object to certain processing; • port personal information to another provider in a structured, commonly used, machine-readable format; • withdraw consent at any time where processing is based on consent (without affecting the lawfulness of prior processing); and • lodge a complaint with a supervisory authority.

9.1 California residents. If you are a California resident, you
have rights under the California Consumer Privacy Act, as amended
by the California Privacy Rights Act ("CCPA/CPRA"), including the
right to know, the right to delete, the right to correct, the right
to limit the use of sensitive personal information, and the right
not to be discriminated against for exercising your rights. As
noted above, we do not sell or share personal information for
cross-context behavioral advertising.

9.2 EU, UK, and Swiss residents. You have rights under the EU/UK
GDPR and the Swiss FADP, as described in this section. You may
also lodge a complaint with your local supervisory authority.

9.3 How to exercise your rights. To exercise any of these rights,
contact us at compliance@cignara.com. We may need to verify your
identity before responding. We will respond within the time period
required by applicable law. If you are an end user whose data is
processed by Cignara on behalf of a customer, please direct your
request to that customer, who is the controller of your data; we
will support the customer in responding.

10. INTERNATIONAL DATA TRANSFERS

Cignara is headquartered in the United States, and the Service may
be operated from data-center regions in the United States and
other jurisdictions. When we transfer personal information across
borders, we rely on appropriate safeguards as required by
applicable law, including European Commission Standard Contractual
Clauses, the UK International Data Transfer Addendum, and
equivalent mechanisms. Where customers select a specific region
for their deployment under a separate written agreement, we
process customer conversation data within that region as agreed.

11. COOKIES AND SIMILAR TECHNOLOGIES

We and our service vendors use cookies and similar technologies on
cignara.com to:

• keep the website functioning (strictly necessary cookies); • remember preferences such as language and consent choices (preference cookies); • measure how visitors interact with the website so we can improve it (analytics cookies); and • where you have consented, support limited marketing activities (marketing cookies).

You can manage your cookie preferences through your browser
settings and, where available, through the cookie banner on our
website. Disabling certain cookies may affect the functionality of
the Service.

12. CHILDREN'S PRIVACY

The Service is intended for business users and is not directed to
children under the age of 16. We do not knowingly collect personal
information from children. If you believe a child has provided
personal information to us, please contact
compliance@cignara.com so we can delete it.

13. THIRD-PARTY LINKS

The Service may contain links to third-party websites and
services. We are not responsible for the privacy practices of
those third parties, and this Policy does not cover them. We
encourage you to read the privacy policies of any third party
before sharing personal information with it.

14. CHANGES TO THIS POLICY

We may update this Policy from time to time to reflect changes in
our practices, technology, legal requirements, or for other
operational reasons. When we make material changes, we will update
the "Last Updated" date at the top and, where appropriate, provide
additional notice (for example, on our website or by email). Your
continued use of the Service after the effective date of an updated
Policy constitutes acknowledgment of the changes.

15. CONTACT US

If you have questions about this Policy, want to exercise a
privacy right, or want to file a privacy-related complaint, please
contact us at:

ShopAdvisor Inc. (d/b/a Cignara) Attn: Privacy & Compliance compliance@cignara.com
Mailing address: 1222 Harrison St, San Francisco, California - 94103

If you are an EU/UK data subject and prefer to contact a
representative in the EEA or UK, please email
compliance@cignara.com and we will direct your request to the
appropriate contact.

© ShopAdvisor Inc. All rights reserved. Cignara is a trade name of
ShopAdvisor Inc.