Privacy Policy
Last updated: February 16, 2026
1. Introduction
Nova Carpathians Creations S.R.L. ("Company", "we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, with whom we share it, and what your rights are.
Data controller identification details:
- Name: Nova Carpathians Creations S.R.L.
- Tax ID (CUI): RO40526927
- Registration No.: J7/158/2019
- Email: contact@greenlead.ro
- Website: https://selio.dev
Data protection contact person: contact@greenlead.ro
This policy applies to all users of the Selio AI desktop application (macOS and Windows) and associated services.
2. What Data We Collect
2.1 Data you provide directly
Account and identity data:
- Email address (at registration and authentication)
- Password (stored exclusively as a bcrypt cryptographic hash; we never have access to the plaintext password)
- Full name / Display name (provided by user in settings)
Organizational data:
- Organization name
- Industry and business description
- User's role in the organization (agent, manager, admin)
Client/prospect contact data:
- Name, email, phone, company (entered manually or extracted from conversations)
Uploaded documents:
- PDF, DOCX, TXT, Excel, image files uploaded to the knowledge base
Communications:
- Content of follow-up emails drafted and sent through the Gmail integration
2.2 Data generated automatically from Service usage
Call data:
- Complete transcriptions of sales phone conversations
- Call segmentation by phases (introduction, discovery, presentation, objections, closing, etc.)
- Speaking time distribution between agent and client
- Call duration, number of questions, detected objections, buying signals
AI-generated data:
- Coaching insights and suggestions
- Lead qualification scores (0-100, with level: COLD / WARM / HOT / VERY_HOT / ON_FIRE)
- Dimensional breakdown (Interest, Readiness, Authority, Momentum, Friction)
- Auto-generated follow-up emails
- Summaries and information extraction (client name, location, call topic)
- Messages and responses from AI chat conversations
AI usage data:
- Number of tokens consumed per operation
- AI model used
- Cost estimate per operation
- Operation type (follow-up generation, insight, summarization, etc.)
2.3 Technical data collected automatically
Data stored locally on your device:
- Interface preferences (language, theme, timezone)
- Selected audio device ID
- Voice activity detection sensitivity (VAD)
- Temporary transcription cache
- Authentication tokens (in OS Keyring — macOS Keychain or Windows Credential Manager)
Technical data detected automatically (not saved to server):
- Time zone (detected from the operating system, for personalization)
- Operating system language (for initial interface language setting)
- Primary monitor information (for window positioning — not transmitted to server)
2.4 Data we do NOT collect
- We do not explicitly collect IP addresses (Supabase, as an infrastructure provider, may log IP addresses in server logs)
- We do not collect GPS location data
- We do not collect contacts from your phone or address book
- We do not collect biometric data for identification purposes
- We do not use device fingerprinting
- We do not collect operating system or browser version
- We do not collect data through third-party tracking cookies or analytics
3. How We Use Your Data
3.1 Legal basis for processing (under GDPR)
| Processing purpose | Legal basis (Art. 6 GDPR) | Details |
|---|---|---|
| Providing the Service (account, transcription, AI, dashboard) | Art. 6(1)(b) — Performance of contract | Necessary for application functionality per subscription |
| Call processing and insight generation | Art. 6(1)(b) — Performance of contract | Core functionality of the Service |
| Sending follow-up emails via Gmail | Art. 6(1)(a) — Consent | User voluntarily connects their Gmail account and approves each email |
| Knowledge base document storage | Art. 6(1)(b) — Performance of contract | Voluntarily uploaded by user for RAG search |
| AI usage monitoring (tokens, costs) | Art. 6(1)(f) — Legitimate interest | Resource management and abuse prevention |
| Account security and fraud prevention | Art. 6(1)(f) — Legitimate interest | Protection of user and service |
| Compliance with legal obligations | Art. 6(1)(c) — Legal obligation | Tax requirements, authority requests |
| Service communications (notifications, updates) | Art. 6(1)(b) — Performance of contract | Essential notifications regarding Service operation |
3.2 Audio processing — Important clarifications
The transcription feature captures audio from your device's microphone and processes it in real-time through a third-party transcription service (ElevenLabs). Audio is transmitted as a stream and transcribed into text.
Voice is personal data. Processing audio through third-party services constitutes a transfer of personal data to an external processor. This transfer is made on the basis of Art. 6(1)(b) GDPR (performance of contract — transcription is the core functionality of the Service) and with the safeguards described in Section 5.
Responsibility: The user is solely responsible for obtaining consent from all parties involved in the conversation before activating transcription (see Terms of Service, Section 7).
4. How We Store Your Data
4.1 Main infrastructure: Supabase
Data is stored on Supabase servers (PostgreSQL), hosted by Amazon Web Services (AWS) in the European Union (Frankfurt region, eu-central-1).
Supabase provides:
- Encryption in transit (TLS 1.2/1.3)
- Encryption at rest at disk level
- Automatic backups
- SOC 2 Type II compliance
4.2 Data isolation
Each organization benefits from complete data isolation through Row Level Security (RLS) at the PostgreSQL database level. This means:
- A user from one organization cannot access another organization's data.
- User personal data (settings, chat conversations, Gmail connection) is accessible only by that user.
- Access is based on encrypted JWT tokens containing the user's identity and organization.
4.3 Encryption
| Data type | Encryption method | Details |
|---|---|---|
| Gmail OAuth tokens | AES-256-GCM | Random 12-byte IV, 16-byte Auth Tag. Encrypted before database storage |
| Passwords | bcrypt | Cryptographic hash; plaintext password is never stored |
| Authentication tokens | OS Keyring | macOS Keychain / Windows Credential Manager |
| API communication | TLS 1.2/1.3 | All server communications are encrypted |
| Application updates | Minisign | Digital signature verification of binaries |
4.4 Local storage
On your device, the Application stores:
- Interface preferences in localStorage (internal WebView of the application, not accessible from browser)
- Authentication tokens in OS Keyring (native security mechanism of the operating system)
- Temporary cache for transcription and RAG searches (in the operating system's temporary directory, with limited TTL)
Upon logout, all local data is automatically deleted.
4.5 Retention periods
| Data type | Retention period | Configurable |
|---|---|---|
| User account | Until account deletion | No |
| Call transcriptions | 6, 12, 24, or 36 months | Yes (from organization settings) |
| Lead scores | 6, 12, 24, or 36 months | Yes (from organization settings) |
| Knowledge base documents | Until manual deletion | No |
| AI chat conversations | Until manual deletion or account deletion | No |
| Gmail tokens | Until disconnection or account deletion | No |
| Local cache | Automatic (hot: 2 hours, cold: 90 days) | No |
| AI usage (tokens, costs) | For the duration of the organization account | No |
5. With Whom We Share Your Data
5.1 Data processors (sub-processors)
We do not sell, rent, or share your personal data with third parties for marketing purposes. We share data only with processors necessary to provide the Service:
| Processor | Headquarters | Data received | Purpose | Transfer basis |
|---|---|---|---|---|
| Supabase Inc. | USA (servers in EU — Frankfurt) | All application data | Database, authentication, file storage, edge functions | Data stored in EU; GDPR-compliant DPA |
| OpenAI, L.L.C. | USA | Transcription fragments, analysis prompts, complete audio (diarization) | AI insight generation, coaching, summarization, follow-up email generation, speaker diarization | Standard Contractual Clauses (SCC) |
| Google LLC | USA / Global | Document text, search queries, files for indexing | Vector embeddings, RAG search, File Search, Gmail API | Standard Contractual Clauses (SCC) |
| ElevenLabs Inc. | USA | Live PCM audio stream | Real-time audio-to-text transcription | Standard Contractual Clauses (SCC) |
| Deepgram Inc. | USA | Audio (only if activated as alternative provider) | Alternative audio transcription | Standard Contractual Clauses (SCC) |
5.2 International data transfers
The main database (Supabase) is hosted in the European Union (Frankfurt). However, certain data processing is performed by US-based services (OpenAI, ElevenLabs, Google Gemini API).
For these transfers, we rely on:
- Standard Contractual Clauses (SCC) of the European Commission, pursuant to Art. 46(2)(c) GDPR
- Data Processing Agreements (DPA) concluded with each processor
- Additional technical measures: TLS encryption in transit, data minimization, processing without permanent storage by the processor (API calls, not batch storage)
5.3 Other disclosures
We may disclose personal data if:
- Required by law (authority requests, court orders).
- Necessary to protect our rights, property, or safety, or that of our users or the public.
- Necessary in the context of a merger, acquisition, or sale of assets (with prior notification).
6. Your Rights
6.1 Rights under GDPR (EU/EEA users)
You have the following rights regarding your personal data:
Right of access (Art. 15) — You may request a copy of the personal data we hold about you.
Right to rectification (Art. 16) — You may request correction of inaccurate data or completion of incomplete data. Most data can be corrected directly from application settings.
Right to erasure / "right to be forgotten" (Art. 17) — You may request deletion of your personal data. Upon account deletion, all associated data is permanently deleted through cascade delete.
Right to restriction of processing (Art. 18) — You may request restriction of processing of your data in certain circumstances.
Right to data portability (Art. 20) — You may request and export your data in a structured format (CSV or JSON) from the application dashboard (feature available to managers and administrators).
Right to object (Art. 21) — You may object to the processing of data based on legitimate interest.
Right not to be subject to automated decisions (Art. 22) — Lead scoring is an assistive tool; scores are probabilistic estimates. The sales agent always makes the final decision. We do not make decisions with legal or similarly significant effects based solely on automated processing.
Right to withdraw consent — Where processing is based on consent (e.g., Gmail integration), you may withdraw consent at any time, without affecting the legality of prior processing.
6.2 Rights under CCPA (California, USA users)
If you are a California resident, you have additional rights:
Right to know — You may request to know what categories of personal information we have collected, the sources, the purpose, and the categories of third parties with whom it has been shared.
Right to delete — You may request deletion of personal information, with certain exceptions provided by law.
Right to non-discrimination — We will not treat you differently because you have exercised your CCPA rights.
We do not sell personal data. We have not sold and will not sell your personal information to third parties, as defined by the CCPA.
We do not share data for cross-context behavioral advertising. We do not use your data for targeted advertising.
6.3 How to exercise your rights
To exercise any of the above rights, contact us at:
- Email: contact@greenlead.ro
- Subject: "Data protection request — [requested right]"
We will respond within 30 days of receiving the request (under GDPR) or 45 days (under CCPA). If the request is complex, we may extend the deadline by an additional 60 days, with prior notification.
We may ask you to verify your identity before processing the request, to protect your data.
6.4 Right to lodge a complaint
If you believe our processing of your data violates the GDPR, you have the right to lodge a complaint with the competent supervisory authority. In Romania, this is:
National Supervisory Authority for Personal Data Processing (ANSPDCP)
- Website: https://www.dataprotection.ro
- Email: anspdcp@dataprotection.ro
7. No Use of Your Data for AI Model Training
We do not use your data to train AI models. Your call transcriptions, uploaded documents, communications, chat messages, and any other content submitted to the Service are never used for the purpose of training, developing, or improving artificial intelligence models, machine learning systems, or any automated decision-making technology — whether by us or by our third-party AI providers.
All AI processing is performed through stateless API calls to our providers (OpenAI, Google Gemini, ElevenLabs). These providers process your data solely to generate real-time responses and do not retain customer data for model training purposes when accessed through their API services.
Your data is processed exclusively to provide the Service to you. For a complete list of our AI sub-processors and their data handling practices, see our Sub-processors page at https://selio.dev/subprocessors.
8. Data Security
We implement appropriate technical and organizational measures to protect data, including:
- Encryption: TLS in transit, AES-256-GCM for sensitive data, bcrypt for passwords
- Multi-tenant isolation: Row Level Security (RLS) at database level
- Access control: Roles (agent, manager, admin) with differentiated permissions
- Least privilege principle: Each application window has minimal necessary permissions
- Secure credential storage: OS Keyring (macOS Keychain / Windows Credential Manager)
- Content Security Policy (CSP): Strict restriction of permitted external domains
- Update signature verification: Minisign for binary integrity verification
- Server-side API key proxy: Third-party service keys are not exposed in the client application
9. Protection of Minors
Selio AI is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected data from a person under 18, we will take steps to delete such data as soon as possible. If you believe a minor has provided us with personal data, please contact us at contact@greenlead.ro.
10. Security Breach Notification
In the event of a data security breach that could pose a risk to your rights and freedoms, we will notify you without undue delay and in accordance with GDPR requirements (Art. 33 and 34):
- We will notify the supervisory authority (ANSPDCP) within 72 hours of becoming aware of the breach.
- If the breach poses a high risk, we will notify you directly by email to the address associated with your account.
- The notification will include the nature of the breach, data affected, measures taken, and recommendations.
11. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy. We will notify you of significant changes at least 30 days before they take effect, by email or in-app notification.
The date of the last update is displayed at the beginning of this document. We encourage you to periodically review this policy.
12. Contact
For any questions, requests, or complaints regarding the protection of your data:
- Email: contact@greenlead.ro
- Company: Nova Carpathians Creations S.R.L.
- Tax ID (CUI): RO40526927
- Registration No.: J7/158/2019
This document was published on February 16, 2026, and is effective as of this date.