Privacy Policy
Last updated: 2 July 2026 · Operator: phpMyDEV, LLC ("Curio", "we", "us") · Contact: curio@whitneys.co
Curio is a website AI assistant. This policy explains what data we handle and, just as
importantly, what we deliberately don't keep.
Our two roles
- For account data (the businesses who sign up for Curio), we are the data controller.
- For website-visitor data (the messages people type into a Curio assistant on a
customer's site), we act as a data processor on that customer's behalf. That
customer is the controller of their visitor relationship, and their own privacy policy
governs it. Our processing terms are in our Data Processing Agreement.
What we collect
From businesses (accounts): your email address, the domains you verify, your
assistant's configuration, billing records, and any support tickets you open.
From website visitors (on a customer's behalf): the message a visitor types and the
answer the assistant returns. We do not store conversations. They are processed in
real time to generate an answer and then discarded. If the site owner has turned on
transcript email or a data collector, the transcript is stripped of secrets and sensitive
personal data and relayed to the destination the site owner chose -- we do not retain it.
We keep anonymised, metadata-only analytics (topic labels, question summaries with
personal details removed, counts) so site owners can see what visitors ask; we do not
keep the raw messages unless the site owner explicitly enables message retention.
Automatically: a functional session cookie (for portal sign-in) and browser
localStorage (the assistant keeps your current conversation on your own device). We use
no tracking or advertising cookies.
Why we process it, and our lawful basis
- To provide and secure the service -- performance of our contract with you and our
legitimate interest in a working, safe product.
- To prevent abuse (rate limiting, spam and prompt-injection defences) -- legitimate interests.
- To take payment -- performance of contract and legal obligation.
- To send transactional email (sign-in links, transcripts you requested, notices) -- contract.
Sub-processors and international transfers
We rely on the third-party providers listed on our Sub-processors page.
Some are located outside the EEA (for example, in the United States). Where that is the
case, transfers rely on the Standard Contractual Clauses and/or the EU-US Data Privacy
Framework as offered by each provider. Visitor messages are sent to our AI providers only
at the moment an answer is generated and are not retained by us or, per their terms, used
to train their models.
How long we keep things
- Conversations: not retained.
- Anonymised analytics metadata: up to 12 months.
- Account and billing records: for the life of your account and any period we are
legally required to keep them.
- Support tickets: up to 24 months after resolution.
- Sign-in tokens, rate-limit and security keys: minutes to hours (they auto-expire).
Your rights
If you are in the EEA or UK, you have the right to access, correct, delete, restrict, port,
and object to processing of your personal data, and to complain to your data-protection
authority. Because we don't store conversations, there is usually very little visitor data
to access or erase. To exercise a right, email curio@whitneys.co. If you are a website
visitor, please contact the site owner whose assistant you used -- they are the controller
of that data.
Security
We use TLS in transit; strip secrets and sensitive details before any relay; isolate each
customer's content per domain; and defend against server-side request forgery, abuse, and
prompt-injection. Sign-in links are single-use and bound to the browser and network that
requested them.
Children
Curio is not directed to children and should not be used to knowingly collect personal
data from children under 16.
AI transparency
Curio's assistant is an AI system. Visitors are told they are chatting with an AI, and
are clearly notified if a human from the site's team joins the conversation.
Changes
We may update this policy; the "last updated" date above will change and material updates
will be noted in our changelog. Questions: curio@whitneys.co.