Privacy Policy

Last updated: April 29, 2026

This Privacy Policy describes how Octve, LLC (“Octve”, “we”, “us”, or “our”) collects, uses, and shares information when you use our websites, app, and related services (collectively, the “Service”). Controller: Octve, LLC, 1930 Village Center Cir 3-2953, Las Vegas, NV 89134. Contact: hello@octve.io.

1) Information we collect

  • You provide: Account/profile details, organization and role, support communications, and content you upload or create. Payment card data is handled by our processors (e.g., Stripe); we do not store full card numbers on our servers.
  • Connected Google data (if you enable): Gmail message metadata and content as needed to send, thread, label, template, or organize messages you own/control; Calendar events, attendees, and related metadata you own/control to sync schedules; Drive files and metadata(such as file names, IDs, MIME types, sizes) and file content you own/control as needed to create, upload, store, or manage assets in your Google Drive (e.g., contracts, attachments, templates, exports); Maps/Places venue/location details to enrich your records.
  • Usage and device data: Log data (timestamps, IP, device/browser), app actions, diagnostics, and performance metrics.
  • AI assistant interactions: When you use OCTVE AI, we collect the messages you send, the responses generated, files you attach for analysis, and metadata such as tools invoked and response times. This data is stored in our database and is associated with your user account and organization. Your AI conversation data is isolated to your organization and is never accessible to other accounts.
  • From third parties: Payment status from processors, delivery/analytic signals, and anti‑abuse signals.

2) How we use information

  • Provide, operate, secure, and improve the Service.
  • Connect and sync data that you explicitly authorize (Gmail, Calendar, Drive, Maps/Places).
  • Generate documents, manage events, track financials, and send messages you request.
  • Create, upload, store, and manage files in your Google Drive that you authorize (e.g., contracts, attachments, templates, and exports).
  • Process your queries through our AI assistant (OCTVE AI), which uses third‑party AI model providers (currently OpenAI) to generate responses. Your messages are sent to the provider’s API to produce answers; conversation history is stored in our database to enable you to resume past conversations.
  • Provide support, troubleshoot, prevent abuse, and comply with legal obligations.
  • We do not use Google user data for advertising or unrelated profiling.

OCTVE AI, data isolation and model training:

  • Organization-level isolation: All data processed by OCTVE AI, including conversations, uploaded documents, extracted financial data, and AI-generated memories, is strictly isolated to your organization. No other account or organization can access your data through OCTVE AI or any other part of the Service.
  • No model training on your data: Your conversations, documents, and business data are never used to train, fine-tune, or improve any AI model (ours or any third-party provider’s). We use API configurations with our AI providers that explicitly opt out of training on customer data. Your data is used solely to generate responses to your requests during active sessions.
  • Third-party AI processing: When OCTVE AI processes your request, the content is sent to our AI model provider (currently OpenAI) via their API. We use API terms that prohibit the provider from using your data for model training. The provider may retain API inputs/outputs for a limited period for abuse monitoring and safety purposes, as described in their data processing terms.

3) Google API Services User Data Policy (Limited Use)

We comply with the Google API Services User Data Policy, including the Limited Use requirements (as applicable, e.g., for Gmail scopes). Data obtained via Google APIs is used only to provide or improve user‑facing features that are prominent in our user interface and that you engage with. We do not transfer Google user data to third parties except as necessary to provide or improve the features you request, to comply with applicable law, or with your explicit direction. We do not use Google user data for serving ads. Human access is prohibited except with your consent, for security/abuse/compliance, or where legally required.

You may revoke our access at any time via your Google Account settings:myaccount.google.com/permissions.

4) Payments

Payments are processed by third parties (e.g., Stripe). We do not store full card numbers on our servers. Payment processors act under their own privacy policies and agreements.

5) Sharing and disclosures

We do not sell personal information, and we do not share personal information for cross‑context behavioral advertising, as those terms are defined under the California Privacy Rights Act (CPRA). We honor opt‑out preference signals, including the Global Privacy Control (GPC) browser signal — see Section 8.

Service providers and contractors (data processors)

We engage the following service providers under contracts that limit use of personal information to providing services to us, prohibit selling or sharing, and require appropriate security:

  • Supabase, Inc. — database hosting, authentication, file storage. Privacy policy
  • Vercel, Inc. — application hosting and edge delivery. Privacy policy
  • Stripe, Inc. — payment processing, billing, marketplace payouts. Privacy policy
  • OpenAI, L.L.C. — AI model inference for OCTVE AI features. We use API configurations that prohibit training on customer data. Privacy policy
  • Google LLC — Gmail, Calendar, Drive, Maps/Places APIs (only with your explicit OAuth consent). Privacy policy
  • Resend, Inc. — transactional email delivery (password resets, invitations, notifications). Privacy policy
  • Soundcharts SAS — public artist analytics data (only when you connect an artist). Privacy policy
  • Tolt — affiliate program tracking. Privacy policy
  • Meta (Facebook) and Google Analytics — anonymous analytics on our marketing pages only (not the application). Meta privacy · Google privacy

Other disclosures

  • Within your organization: certain data may be visible to admins and other members of your organization according to role permissions you control.
  • Legal and safety: to comply with law, respond to lawful requests, or protect rights, safety, and service integrity.
  • Business transfers: in a merger, acquisition, financing, reorganization, or asset sale, with safeguards and notice where required by law.

Categories of personal information disclosed to service providers and contractors (CCPA/CPRA): identifiers (account email, user ID), commercial information (subscription status), internet activity (log data, app actions), professional information (organization, role), audio/visual data (uploaded files you direct us to process), geolocation (only if you connect Google Maps), and inferences from your usage.

Categories disclosed to third parties (not for our purposes, per your direction):email recipients you choose, calendar invitees you add, and similar contacts. We do not otherwise disclose your personal information to third parties.

6) Data retention and account deletion

We retain data only as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Some deletion is self‑service in product; you may request account/data deletion at any time.

AI conversation data:

  • AI chat conversations are retained for 30 days to allow you to resume and reference past conversations. After 30 days, conversation data is automatically archived and no longer accessible.
  • Conversations sent to our AI model provider (OpenAI) are subject to the provider’s own data retention policies. We use API configurations that minimize provider‑side retention where available.

When you cancel your subscription:

  • 30-day grace period: After cancellation, your account and data remain intact for 30 days. You can reactivate anytime during this period to retain all your data.
  • Reminder notifications: We send 3 email reminders during the grace period (immediately on cancellation, at day 15, and 7 days before deletion) to ensure you’re aware of the upcoming data deletion.
  • Permanent deletion: After 30 days, your organization data is permanently deleted, including: artist profiles, event history, contracts, financial records, uploaded documents, and all associated files.
  • Audit log retention: For compliance and fraud prevention, we retain a minimal audit log containing only: organization name, admin email address, deletion date, and reason for deletion. This log does not contain any of your business data, financial information, or uploaded content.

To cancel your subscription, visit your account settings or use the Stripe customer portal link in any billing email.

7) Security

We use appropriate technical and organizational measures to protect data in transit and at rest, limit access, and monitor for abuse. No method is 100% secure; we continuously improve our safeguards.

8) Your choices and rights

  • Access, correct, or delete your data via in‑app settings (Settings → Subscription → Delete Account) or by contacting hello@octve.io.
  • Revoke Google access at any time at myaccount.google.com/permissions.
  • Opt out of non‑transactional emails via unsubscribe links.
  • Manage cookies/analytics via your browser or available in‑app controls.
  • GDPR/UK GDPR (where applicable): rights to access, rectify, erase, restrict, object, portability, and to complain to a supervisory authority. Legal bases include contract necessity, legitimate interests (e.g., security/product reliability), consent (where required), and legal compliance.
  • CCPA/CPRA (California): rights to know, access, correct, delete, limit use of sensitive information, and opt out of sale/sharing. We do not sell or share personal information as defined by CPRA. Submit requests to hello@octve.io or via our Do Not Sell or Share page.

Global Privacy Control (GPC) signal:

We honor the Global Privacy Control browser signal. When we detect a GPC signal from your browser, we treat it as a request to opt out of the sale or sharing of your personal information for cross‑context behavioral advertising. Because we do not sell or share for that purpose, we automatically respect this preference for all visitors regardless of GPC status. If practices ever change, the GPC signal will continue to opt you out.

9) Automated decision-making and AI features

Some features of the Service use automated processing, including artificial intelligence, to assist your work. We disclose these in keeping with the California Privacy Protection Agency’s Automated Decision-Making Technology (ADMT) regulations and Article 22 of GDPR.

  • OCTVE AI assistant (productivity tool): generates drafts (emails, contracts, financial summaries) at your request. Output is advisory only. Every action that affects your records — sending an email, saving a contract, updating a payment — requires your explicit confirmation. No decision with legal or similarly significant effects is made by AI without you reviewing and approving it first.
  • Anomaly detection on bank/financial data: we may flag unusual amounts or patterns. The flag is informational; we do not block, charge, or report based on it without your action.
  • Lifecycle email personalization: our internal lifecycle email orchestrator uses a language model to personalize transactional reminders (e.g., trial-ending emails). Personalization affects wording only; the message itself is the same transactional message you would have received without AI.
  • Sales agent (Taylor): our internal sales outreach agent uses AI to write prospecting messages to publicly identified music industry contacts. Recipients can opt out at any time, and we do not use OCTVE customer data to drive Taylor’s decisions.

You may request human review of any AI-assisted output by contacting hello@octve.io. We perform a privacy and security risk assessment for each new AI feature before launch, in keeping with the California Privacy Protection Agency’s 2026 ADMT requirements.

10) Children’s privacy

The Service is not directed to children under 13 (or older age under local law). We do not knowingly collect children’s data.

11) International transfers

We may process data where we or our providers operate. For transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and the equivalent UK and Swiss addenda.

12) Changes

We may update this policy; material changes will be notified in‑app or by email.

13) Contact

Questions or requests: hello@octve.io. Address: Octve, LLC, 1930 Village Center Cir 3-2953, Las Vegas, NV 89134.