Back to Home

Privacy Policy

Last updated: April 27, 2026

1. Introduction and Scope

This Privacy Policy ("Policy") governs how Relay ("Platform", "we", "us", "our"), a product owned and operated by Virtu Tech Solutions, collects, uses, processes, stores, and safeguards information pertaining to you ("User", "you", "your") in connection with your access to or use of our web application, chat widget, API endpoints, and related services (collectively, the "Services").

Relay is an intelligent support and engagement platform designed to enable organizations to deliver automated, context-aware conversational experiences across multiple channels (Web, Email, WhatsApp, Telegram), manage support tickets, and leverage institutional knowledge through advanced AI.

By accessing or using the Services, you acknowledge that you have read, understood, and consent to the practices described in this Policy. If you do not agree with the terms of this Policy, you must discontinue use of the Services immediately.

2. Information We Collect

2.1 Account Information

  • Name and email address provided during account registration
  • Organization or team affiliation
  • Authentication credentials managed through our identity provider (Supabase Auth)
  • User profile metadata and configuration preferences
  • Professional details and intro videos for support staff (Agent Profiles)

2.2 Conversational and Support Data

  • Chat transcripts and message history across all connected channels (Web, Email, WhatsApp, Telegram)
  • Voice recordings and transcripts from voice-led conversational sessions
  • Support ticket details, status updates, and escalation logs
  • User-provided feedback and ratings on AI responses
  • Metadata associated with chat sessions (timestamps, duration)

2.3 Knowledge Base and RAG Data

  • Documents and content uploaded by Administrators for AI grounding
  • Document metadata (filenames, categories, ingest dates)
  • Vector embeddings derived from uploaded content

2.4 Usage and Technical Data

  • Usage patterns and interaction data within the Platform
  • Co-browsing session data (page state) captured only with explicit user consent
  • Device and browser information: type, OS version, and browser version
  • Application performance data and error logs
  • IP address and geolocation data (approximate)

Financial Data: Relay does not collect, process, or store credit card numbers, bank account details, or any other financial instrument data directly. All payment processing is handled by PCI-DSS compliant third-party processors.

3. AI and Knowledge Management

Data Isolation: Knowledge base documents and chat sessions are strictly isolated at the organization level. Relay uses Supabase Row-Level Security (RLS) to ensure that data from one organization is never accessible to another, nor used to train models for other users.

Uploaded knowledge base documents are processed to generate vector embeddings, which are stored in our secure database. These embeddings allow our AI to retrieve relevant context using Retrieval-Augmented Generation (RAG) to answer user queries accurately based on your institutional knowledge.

4. How We Use Your Information

4.1 Service Provision

  • Generation of AI-powered conversational responses
  • Management and tracking of support tickets and escalations
  • Context-aware retrieval from organization-specific knowledge bases
  • Operation of administrative dashboards and analytics
  • User authentication and access control

4.2 Service Improvement

  • Enhancement of AI response accuracy and relevance
  • Optimization of search and retrieval performance
  • Development of new conversational features and tools
  • Analysis of aggregate usage trends to improve platform UX

4.3 Communication

  • Delivery of service notifications and updates
  • Response to support inquiries and feedback
  • Notification of system maintenance or critical changes

5. Data Controller and Data Processor

For the purposes of applicable data protection legislation, Relay operates in the following capacities.

Data Controller

With respect to account information, administrative usage data, and marketing communications, Relay acts as the data controller, determining the purposes and means of processing.

Data Processor

With respect to chat transcripts, knowledge base documents, and organization-specific data submitted through the widget or API, Relay acts as a data processor on behalf of your organization. Processing is performed solely in accordance with your instructions and service agreements.

6. Legal Basis for Processing

We process your personal information only where we have a valid legal basis under applicable law. The following table outlines the legal bases applicable to our processing activities.

Contract Performance

Processing necessary to provide the Services, including chat facilitation, ticket management, and knowledge retrieval.

Legitimate Interests

Processing necessary for platform security, service improvement, and aggregate analytics, where such interests are not overridden by your data protection rights.

Legal Obligation

Processing necessary to comply with applicable laws, regulations, or enforceable governmental requests.

Consent

Where required, we obtain your explicit consent before processing. You may withdraw consent at any time by contacting us, without affecting the lawfulness of processing prior to withdrawal.

7. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. Disclosure of information is limited strictly to the following circumstances.

7.1 Service Providers

We engage trusted third-party providers for hosting (Supabase, Vercel), AI model inference (Groq, Anthropic, OpenAI), and analytics. These providers are bound by contractual obligations to maintain the confidentiality and security of your information and are prohibited from using it for any purpose other than the delivery of the contracted services.

7.2 AI Model Providers

To generate responses, prompts and relevant context are sent to AI model providers via API. We use providers that offer enterprise-grade data privacy and do not use customer data transmitted via API to train their foundation models.

7.3 Legal and Business Transfers

We may disclose information where required by law or in the context of a business merger or acquisition, with appropriate notifications to affected users.

8. Data Security and Protection

We implement industry-standard technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

  • Encryption of data in transit (TLS 1.2+) and at rest using AES-256 or equivalent protocols
  • Supabase Row-Level Security (RLS) for multi-tenant data isolation
  • Automated PII Redaction to mask sensitive information before AI processing
  • Strict access controls and audit logging ensuring logical tenant isolation
  • Secure session management with HttpOnly, Secure, and SameSite cookie attributes
  • Periodic security assessments and vulnerability testing

Security Notice: Despite the implementation of robust security measures, no method of electronic transmission or data storage can be guaranteed to be completely secure. You acknowledge and accept the inherent risks associated with the electronic transmission of information.

9. Data Retention and Deletion

We retain your information only for as long as reasonably necessary to fulfill the purposes outlined in this Policy, comply with applicable legal obligations, resolve disputes, and enforce our agreements.

Account Information

Retained for the duration of your account. Upon receipt of a deletion request, account data is purged within 30 calendar days.

Chat and Knowledge Data

Retained for the duration of the account or as configured by the organization's retention policy. Historical data may be retained in aggregate, de-identified form for trend analysis.

Usage Data

Retained in aggregate form for up to 24 months for service improvement and platform optimization purposes.

10. Your Rights and Choices

Subject to applicable law and jurisdiction, you may exercise the following rights with respect to your personal information.

  • Access. Request a copy of the personal information we hold about you.
  • Rectification. Request correction of inaccurate or incomplete information through your account settings.
  • Erasure. Request deletion of your personal information and associated project data, subject to legal retention obligations.
  • Portability. Request export of your data in a structured, machine-readable format.
  • Restriction. Request restriction of processing in certain circumstances as permitted by applicable law.
  • Objection. Object to processing based on legitimate interests.

To exercise these rights, email us at relay@virtutechsolutions.com. All requests will be verified and processed within the timeframe mandated by applicable law.

11. Regional Privacy Rights

11.1 European Economic Area and United Kingdom (GDPR)

Users located in the EEA or UK are afforded additional rights under the GDPR, including the right to lodge complaints with a supervisory authority, the right to withdraw consent at any time, and protections with respect to automated decision-making. Our legal basis for processing is contract performance and legitimate interests.

11.2 California Residents (CCPA/CPRA)

California residents are entitled to rights under the CCPA and CPRA, including the right to know, the right to delete, and the right to opt out of the sale or sharing of personal information. Relay does not sell or share personal information as defined under the CCPA/CPRA.

12. International Data Transfers

Your information may be transferred to, stored, and processed in jurisdictions outside your country of residence. Where such transfers occur, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by relevant data protection authorities.

13. Do Not Track Signals

Certain web browsers transmit "Do Not Track" (DNT) signals to websites. As there is currently no universally accepted standard for interpreting DNT signals, the Platform does not alter its data collection or processing practices in response to DNT signals. Should a uniform standard be established, we will reassess this position and update this Policy accordingly.

14. Children's Privacy

The Services are intended exclusively for professional and business use. They are not directed at individuals under the age of 13. We do not knowingly collect personal information from minors. Should we become aware that such information has been inadvertently collected, it will be deleted without undue delay.

15. Changes to This Policy

We reserve the right to modify this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or regulatory obligations. Material changes will be communicated through the Platform or via email, with advance notice provided where required by law.

Continued use of the Services following the effective date of any revisions shall constitute acceptance of the updated Policy. We encourage you to review this Policy periodically.

16. Governing Law

This Policy and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of the jurisdiction in which Virtu Tech Solutions is incorporated, without regard to its conflict of law provisions.

17. Contact Information

For questions, concerns, or requests related to this Privacy Policy or our data handling practices, please direct correspondence to the following.

Email: relay@virtutechsolutions.com

For privacy-related inquiries, please include "Privacy Policy" in the subject line. All inquiries will be acknowledged within 30 days or as required by applicable law.