HugoCurio.

Privacy Policy

Last updated: 2 July 2026 · Operator: phpMyDEV, LLC ("Curio", "we", "us") · Contact: curio@whitneys.co

Curio is a website AI assistant. This policy explains what data we handle and, just as importantly, what we deliberately don't keep.

Our two roles

customer's site), we act as a data processor on that customer's behalf. That customer is the controller of their visitor relationship, and their own privacy policy governs it. Our processing terms are in our Data Processing Agreement.

What we collect

From businesses (accounts): your email address, the domains you verify, your assistant's configuration, billing records, and any support tickets you open.

From website visitors (on a customer's behalf): the message a visitor types and the answer the assistant returns. We do not store conversations. They are processed in real time to generate an answer and then discarded. If the site owner has turned on transcript email or a data collector, the transcript is stripped of secrets and sensitive personal data and relayed to the destination the site owner chose -- we do not retain it. We keep anonymised, metadata-only analytics (topic labels, question summaries with personal details removed, counts) so site owners can see what visitors ask; we do not keep the raw messages unless the site owner explicitly enables message retention.

Automatically: a functional session cookie (for portal sign-in) and browser localStorage (the assistant keeps your current conversation on your own device). We use no tracking or advertising cookies.

Why we process it, and our lawful basis

legitimate interest in a working, safe product.

Sub-processors and international transfers

We rely on the third-party providers listed on our Sub-processors page. Some are located outside the EEA (for example, in the United States). Where that is the case, transfers rely on the Standard Contractual Clauses and/or the EU-US Data Privacy Framework as offered by each provider. Visitor messages are sent to our AI providers only at the moment an answer is generated and are not retained by us or, per their terms, used to train their models.

How long we keep things

legally required to keep them.

Your rights

If you are in the EEA or UK, you have the right to access, correct, delete, restrict, port, and object to processing of your personal data, and to complain to your data-protection authority. Because we don't store conversations, there is usually very little visitor data to access or erase. To exercise a right, email curio@whitneys.co. If you are a website visitor, please contact the site owner whose assistant you used -- they are the controller of that data.

Security

We use TLS in transit; strip secrets and sensitive details before any relay; isolate each customer's content per domain; and defend against server-side request forgery, abuse, and prompt-injection. Sign-in links are single-use and bound to the browser and network that requested them.

Children

Curio is not directed to children and should not be used to knowingly collect personal data from children under 16.

AI transparency

Curio's assistant is an AI system. Visitors are told they are chatting with an AI, and are clearly notified if a human from the site's team joins the conversation.

Changes

We may update this policy; the "last updated" date above will change and material updates will be noted in our changelog. Questions: curio@whitneys.co.