Privacy Policy

This Privacy Policy explains how Ent Laboratories LLC (“Envvoy,” “we,” “us,” or “our”) collects, uses, shares, and protects information when you use envvoy.com, our marketing and discovery-enablement services for AI agents, and any related products or features (the “Service”).

We don’t sell personal information to data brokers, we honor the privacy rights you have under California, EU/UK, and other applicable laws, and we explain in detail below what we do and don’t do.

If you don’t agree with how we handle information as described here, please don’t use the Service. Capitalized terms not defined here have the meanings given in our Terms of Service.

At a Glance

This table summarizes how we handle information. The full policy below is the binding version.

1. Who We Are

Envvoy is operated by Ent Laboratories LLC, a [Insert State] limited liability company. For privacy questions, contact privacy@envvoy.com or write to: Ent Laboratories LLC, [Insert Mailing Address].

EU Representative. If you are located in the European Economic Area (EEA) or the United Kingdom, you may also contact our EU/UK representative at [Insert EU Representative Name and Address] regarding our processing of your personal data. Until an EU representative is appointed, EU/UK users may contact privacy@envvoy.com directly with any data-protection inquiries.

2. Two Categories of Information

This Privacy Policy is built around an important distinction. Different rules apply depending on which category your information falls into.

2.1 Public Listing Content

“Public Listing Content” means information you publish, or authorize us to publish, in connection with promoting your Agent. This is the material the Service is designed to publish, host, syndicate, and amplify. It includes:

• Your Agent Listing — all text, images, video, audio, code, links, descriptions, and metadata it contains.
• Your public profile — the name, photo, biographical details, professional credentials, and social/external links you choose to display publicly.
• Public Persona elements — the name, likeness, voice, and biographical details associated with your Agent Listing or public profile (see Section 7.4 for what we will and will not do with Persona).
• Derivative Marketing Materials we create — SEO landing pages, social posts, AI-generated summaries and descriptions, screenshots, embeddings, syndicated copies, newsletter inclusions, and similar promotional assets derived from your public-facing content (as defined in our Terms of Service).
• Public engagement signals — aggregate or pseudonymized engagement data tied to public Listing pages.

2.2 Private Account Data

“Private Account Data” means information that runs the Service for you and is not part of any public-facing publication. It includes:

• Authentication credentials — passwords (stored hashed), authentication tokens, OAuth tokens, two-factor secrets, and similar.
• Account contact information — your account email, phone number (if provided), and contact details that are not part of a public profile.
• Payment and billing information — limited transaction details from our payment processor (e.g., last four digits, transaction amount, billing country); we do not store full card numbers.
• Support communications — emails, support tickets, in-app messages, and other private communications between you and Envvoy.
• Unpublished drafts — Agent Listings or other Content saved but not yet made public.
• Internal account configuration — settings, preferences, admin metadata, and similar non-public account state.
• Identity-tied technical data — IP addresses, device identifiers, session data, and similar signals when linked to an identified account (as opposed to aggregated/anonymized analytics).

Why this distinction matters. We use Public Listing Content broadly to do the marketing job you signed up for — hosting, distribution, generating Derivative Marketing Materials, and training the AI systems that produce those materials. We use Private Account Data narrowly to operate, secure, support, bill, and protect the Service. We do not use Private Account Data to train machine-learning models, generate Derivative Marketing Materials, or create derivative datasets. Section 7 explains this in detail.

3. What We Collect

We collect information in three ways: (a) information you give us, (b) information we collect automatically, and (c) information we receive from third parties.

3.1 Information You Give Us

When you sign up, submit an Agent Listing, contact us, or otherwise interact with the Service, you may give us:

• Account information: name, email address, password (stored hashed), username, and similar credentials. (Private Account Data.)
• Public profile information: profile photo, biographical details, professional credentials, social media links, and public-facing display name. (Public Listing Content, when published.)
• Agent Listing content: any text, images, video, audio, code, links, metadata, or other material you submit to promote your Agent. (Public Listing Content, once published. While in unpublished draft form, Private Account Data.)
• Communications: messages you send to us via email, support requests, comments, surveys, or other channels. (Private Account Data.)
• Payment information: if you pay for any feature, our payment processor (Stripe or another processor) collects and processes your payment-card information; we receive limited transaction details. (Private Account Data.)
• Marketing preferences: your communication and email preferences. (Private Account Data.)

3.2 Information We Collect Automatically

When you use the Service, we and our service providers automatically collect:

• Device and connection information: IP address, browser type and version, operating system, device identifiers, screen size, language, and time zone.
• Usage information: pages and Agent Listings viewed, links clicked, time spent, referring URL, search queries within the Service, and similar interaction data.
• Performance and reliability information: page load times, errors, crashes, and other technical signals.
• Cookies and similar technologies: see Section 10.

When this information is tied to an identified account, we treat it as Private Account Data. When aggregated or de-identified, we may use it for analytics and product development as described in Section 4.

3.3 Information from Third Parties

We may receive information about you from:

• Authentication providers: if you sign in using a third-party account (e.g., Google, GitHub, X, or similar), we receive basic profile information from that provider as you authorize.
• Payment processors: limited transaction details necessary to confirm payment.
• Analytics and advertising partners: aggregated and pseudonymized signals about how you arrived at and used the Service.
• Public sources: where applicable, publicly available information about an Agent or Developer (e.g., on-chain identifiers, public GitHub profiles, or similar) that you have made publicly available and that we use to improve discovery and indexing of your Agent Listing.

3.4 Information We Don’t Want and Won’t Process

Some categories of information should not be uploaded to the Service. You agree not to submit, and we will not knowingly process, the following through the Service — in either Public Listing Content or Private Account Data:

• Protected Health Information (PHI) regulated by HIPAA or comparable health-data laws.
• Social Security numbers, taxpayer identification numbers, or government-issued IDs (except where we specifically request them for tax or compliance purposes, e.g., a W-9/W-8 form).
• Financial account numbers, full payment-card numbers, or banking credentials, except as collected by our payment processor through its own forms.
• Biometric identifiers or biometric information (faceprints, voiceprints, fingerprints, retinal scans) intended to identify a person.
• Genetic information.
• Information about children under 16.
• Other categories of “sensitive personal information” under applicable law where you have not obtained the necessary authorizations.

If you upload such information, we may delete it without notice. If we determine that you have repeatedly uploaded such information, we may suspend or terminate your account. If we inadvertently receive sensitive personal information through the Service, we will use reasonable means to delete it.

3.5 Information About Children

The Service is not intended for and may not be used by anyone under 16. We do not knowingly collect personal information from children under 16. If we learn we have collected such information, we will delete it. If you believe a child has provided personal information to us, please contact privacy@envvoy.com.

4. How We Use Information

4.1 Uses That Apply to All Information

Across both Public Listing Content and Private Account Data, we use information to:

• Provide, operate, secure, and maintain the Service, including authentication, payment processing, and customer support.
• Communicate with you about your account, transactions, security alerts, and changes to the Service.
• Send marketing communications about Envvoy products, features, and offers, where permitted by law and subject to your preferences.
• Detect, prevent, and address fraud, abuse, security incidents, and other harmful or unlawful activity, including by screening accounts and transactions against sanctions lists (OFAC, UK HMT, EU consolidated lists, and equivalents) and applying anti-fraud and anti-abuse models.
• Comply with legal obligations and respond to lawful requests from authorities.
• Enforce our Terms of Service and protect the rights, property, and safety of Envvoy, our users, and others.

4.2 Additional Uses for Public Listing Content

In addition to the uses above, we use Public Listing Content to:

• Create, host, and distribute Agent Listings and Derivative Marketing Materials, including SEO-optimized landing pages, social posts, AI-generated summaries, screenshots, embeddings, and syndicated copies, as further described in our Terms of Service.
• Power search, ranking, recommendation, and discovery features within the Service. These features are automated and operational in nature; their output reflects relevance, freshness, and user behavior signals and does not constitute an endorsement, evaluation, certification, or merit-based judgment by Envvoy.
• Train, fine-tune, evaluate, and improve the machine-learning models, embeddings, classifiers, recommendation systems, and search systems used to operate the Service, as described further in Section 7.
• Improve the Service overall, including through analytics, performance measurement, A/B testing, and product research.

4.3 Limited Uses for Private Account Data

Private Account Data is used only to operate the Service and protect users, not to train models or create derivative datasets. Specifically, we use Private Account Data to:

• Authenticate you, manage your account, and provide customer support.
• Process payments and bill for paid features.
• Diagnose technical issues and improve reliability.
• Detect and prevent fraud, abuse, security incidents, and sanctions violations.
• Communicate with you about your account.
• Comply with legal obligations and enforce our agreements.

We do not use Private Account Data to train machine-learning models, generate Derivative Marketing Materials, create derivative datasets, or develop new commercial products. Where we need data to improve internal systems, we use aggregated, de-identified, or anonymized data wherever practical.

5. Legal Bases for Processing (EEA/UK Users)

If you are located in the EEA or UK, the General Data Protection Regulation (GDPR) and UK GDPR require us to identify a legal basis for each purpose for which we process your personal data. The legal bases we rely on are:

If you would like more information about the specific legal basis we rely on for any particular processing activity, contact privacy@envvoy.com. We acknowledge that the use of legitimate interests as a legal basis for AI training is an evolving area in EU and UK law; if applicable law changes, we will adjust this Policy and our practices accordingly.

6. Who We Share Information With

6.1 Service Providers

We share information with vendors that help us operate the Service. Categories include:

• Hosting and infrastructure providers.
• Web analytics, product analytics, A/B testing, and session replay providers.
• Error monitoring and observability providers.
• Authentication and identity providers.
• Payment processors.
• Email, communications, and customer support providers.
• Marketing and advertising platforms.
• AI and machine-learning service providers, including providers of large language models, embedding APIs, and ML infrastructure that we use to operate AI features and to train and run Service systems.
• Customer data platforms and data-routing tools.
• Sanctions and fraud-screening providers.

The specific vendors we use within these categories may change over time. As we grow, we will publish a current list of subprocessors. We require service providers to handle personal information consistent with this Privacy Policy and applicable law. Where required, we enter into data-protection agreements with them, including agreements that restrict the providers from using your data to train their own models for their independent purposes.

6.2 Marketing and Promotion Partners

As described in our Terms of Service, Envvoy is a marketing and discovery-enablement service. To perform that function, we may share Public Listing Content and Derivative Marketing Materials — which may include public Persona elements you have chosen to display — with distribution and syndication partners, search engines, social platforms, newsletter audiences, and other channels selected to promote your Agent. This is the core of what the Service does for you.

We do not share Private Account Data with marketing partners except as needed to operate the marketing channels you have authorized (for example, sending you marketing emails through an email service provider).

6.3 Other Users and the Public

Public Listing Content is intended to be publicly visible. Other users and the general public can view, copy, share, and link to that information. Don’t include anything in Public Listing Content that you wouldn’t want to be public.

6.4 Legal and Safety

We may disclose information when we believe disclosure is reasonably necessary to: (a) comply with applicable law, regulation, legal process, or governmental request, including subpoenas and court orders; (b) enforce our Terms of Service or other agreements; (c) detect, prevent, or address fraud, abuse, security, technical, or sanctions issues; or (d) protect the rights, property, or safety of Envvoy, our users, or others.

6.5 Business Transfers

If Envvoy is involved in a merger, acquisition, financing, sale of assets, or similar transaction, or in connection with due diligence for such a transaction, information may be transferred to the counterparty subject to customary confidentiality protections.

6.6 With Your Direction

We may share information at your direction or with your consent, for example when you connect a third-party service to your Envvoy account.

6.7 Aggregated and De-Identified Information

We may share information that has been aggregated, de-identified, or anonymized so that it does not directly or indirectly identify you. This may include public-facing analytics, research, benchmarks, and derivative datasets.

6.8 What We Do Not Do

We do not sell raw Persona information — such as your name, photo, voice, or biographical details — as a standalone product to data brokers or to third parties for their independent marketing purposes. We do not license raw account credentials or authentication information. We do not perform facial recognition, biometric identification, or voiceprint extraction on Personas, and we do not use Personas to identify individuals across services or across the open internet.

7. AI and Machine Learning

Our Service uses AI and machine learning extensively. This section explains, in detail, what data goes into AI systems and what doesn’t.

7.1 What We Use AI For

• Generating Derivative Marketing Materials — such as AI-written summaries, taglines, comparisons, and descriptions of Agent Listings.
• Search, ranking, recommendation, and discovery features within the Service. These features are automated and operational in nature; they reflect relevance, freshness, and behavioral signals and do not constitute endorsements, evaluations, or certifications by Envvoy.
• Content moderation, sanctions screening, and abuse detection.
• Analytics, classification, and embedding generation.
• Internal product development and research.

7.2 What Goes Into Training and Embeddings

Public Listing Content is used. We use Public Listing Content (including Agent Listings, public profile information, and the public-facing Persona elements you choose to display) and the Derivative Marketing Materials we create from that Content to train, fine-tune, evaluate, and improve our machine-learning models, embeddings, classifiers, recommendation systems, and search systems. We may generate vector embeddings, derivative datasets, training corpora, and synthetic data based on Public Listing Content. Where these derivatives are aggregated or de-identified such that they do not identify any specific individual, we may license them to third parties.

Private Account Data is not used. We do not use Private Account Data — including authentication credentials, account contact information, payment and billing information, support communications, unpublished drafts, internal account configuration, or identity-tied technical data — to train, fine-tune, or evaluate machine-learning models; to generate Derivative Marketing Materials; or to create derivative datasets for licensing. Limited use of operational and security data for fraud detection, anti-abuse models, and product reliability is treated as part of operating and securing the Service rather than as model training, and where practical we use aggregated or de-identified data for these purposes.

Sensitive data is not used.Where any of the categories listed in Section 3.4 (PHI, government IDs, financial account numbers, biometric data, genetic information, children’s data) is inadvertently received, it is excluded from training and derivative-dataset use and is targeted for deletion.

Account credentials and authentication information are never sold or licensed. Under any circumstances.

7.3 AI Service Providers

We use third-party AI service providers — such as providers of large language models, embedding APIs, and ML infrastructure — to operate AI features. When we send data to those providers, we do so under contractual terms that, where commercially available, restrict the providers from using your data to train their own models for their independent purposes. Specific AI service providers we use may change over time.

7.4 Persona Use — What We Do and Don’t Do

“Persona” means the name, photo, voice, biographical data, professional credentials, and similar indicia of identity that you choose to display publicly in your Agent Listing or public profile.

We will: use Persona elements you publish to operate the Service, generate Derivative Marketing Materials that promote your Agent, train and operate models that produce or recommend such materials, and syndicate them through our marketing partners as described in Section 6.2.

We will not: perform facial recognition, biometric identification, or voiceprint extraction on Persona elements; build or use models intended to identify individuals across services or across the open internet using your Persona; license your raw Persona to data brokers or to third parties for their independent identity, surveillance, or matching products; or use Persona elements that you have not chosen to make public (e.g., a private profile photo used only for account-level identification).

If you do not want your Persona used for the activities listed under “We will,” do not include Persona elements in your Public Listing Content.

7.5 Automated Decisions

We use automated processing for things like search ranking, content moderation, fraud and sanctions screening, and recommendations. Most of these decisions do not have legal or similarly significant effects on you. If we ever introduce automated decision-making that does have such effects, we will provide additional information and rights as required by applicable law (including GDPR Article 22).

8. International Data Transfers

We are based in the United States, and the Service is primarily operated from the United States. If you are located outside the United States — including in the EEA, UK, or Switzerland — your information will be transferred to, stored in, and processed in the United States and other countries where we or our service providers operate.

Where we transfer personal data from the EEA, UK, or Switzerland to a country that has not received an adequacy decision from the relevant authority, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or another lawful transfer mechanism. You may request a copy of the safeguards by contacting privacy@envvoy.com (we may redact commercially sensitive information).

9. Your Privacy Rights

Depending on where you live, you have certain rights regarding your personal information. We try to make these rights available to all users, regardless of jurisdiction, where practical.

9.1 Rights Available to All Users

• Access: request a copy of personal information we hold about you.
• Correction: request correction of information that is inaccurate or incomplete.
• Deletion: request that we delete your personal information.
• Portability: request a copy of certain personal information in a machine-readable format.
• Withdraw consent: where we rely on consent, withdraw it at any time without affecting prior processing.
• Marketing opt-out: opt out of marketing emails through the unsubscribe link in any marketing email or via your account settings.

9.2 EEA, UK, and Swiss Users (GDPR / UK GDPR)

In addition to the rights above, if you are in the EEA, UK, or Switzerland, you have the right to:

• Object to processing based on legitimate interests, including direct marketing and processing for AI training.
• Restrict processing in certain circumstances (e.g., while we verify accuracy of contested data).
• Lodge a complaint with your local data protection authority. A list of EEA authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may contact the Information Commissioner’s Office at ico.org.uk.

To exercise GDPR rights, contact privacy@envvoy.com or our EU representative (Section 1).

9.3 California Residents (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), including the right to:

• Know what categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we have shared it.
• Delete personal information we have collected from you, subject to certain exceptions.
• Correct inaccurate personal information we maintain about you.
• Opt out of the “sale” or “sharing” of your personal information for cross-context behavioral advertising. We do not sell personal information to data brokers, but our use of advertising and analytics partners may constitute “sharing” under California law.
• Limit the use and disclosure of sensitive personal information. We do not knowingly collect sensitive personal information; if we do, you can limit its use to what is necessary to perform the Service.
• Non-discrimination: we will not discriminate against you for exercising any of these rights.

How to exercise.Submit a request via privacy@envvoy.com. To opt out of “sale” or “sharing,” you can also send a Global Privacy Control signal from your browser (we honor it) or visit our “Do Not Sell or Share My Personal Information” page (link to be added). We may need to verify your identity before responding. You may use an authorized agent to submit a request on your behalf, subject to verification.

California Civil Code Section 1798.83 (the “Shine the Light” law) gives California residents the right to request information about disclosures of personal information to third parties for direct marketing purposes. We do not currently make such disclosures. If our practices change, we will update this policy.

9.4 Other U.S. State Residents

Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other U.S. states with comprehensive privacy laws have rights similar to those described in Section 9.3, including rights of access, correction, deletion, portability, and to opt out of targeted advertising and “sale” of personal data. To exercise these rights, contact privacy@envvoy.com.

9.5 Verification and Response Times

We may need to ask for additional information to verify your identity before responding to a privacy request. We aim to respond within 30 days for GDPR/UK GDPR requests and 45 days for CCPA requests, with extensions where permitted by law. There is generally no fee, except where requests are clearly unfounded, repetitive, or excessive.

10. Cookies and Similar Technologies

We and our service providers use cookies, pixels, web beacons, local storage, software development kits (SDKs), and similar technologies (collectively, “tracking technologies”) to operate the Service, remember your preferences, understand how the Service is used, and — where permitted — deliver and measure marketing.

10.1 Categories We Use

10.2 Your Choices

• Cookie banner: in regions where consent is required (EEA, UK), you can accept, reject, or customize non-essential tracking technologies through our cookie consent banner.
• Browser settings: most browsers let you block or delete cookies. Blocking strictly necessary cookies may break parts of the Service.
• Global Privacy Control (GPC): we honor browser-issued GPC signals as an opt-out from “sale” and “sharing” under California law.
• Do Not Track (DNT): browser DNT signals are not currently standardized; we do not specifically respond to DNT signals beyond what is described above.
• Ad-platform opt-outs: industry opt-out tools include the Network Advertising Initiative (optout.networkadvertising.org), Digital Advertising Alliance (optout.aboutads.info), and the European Interactive Digital Advertising Alliance (youronlinechoices.eu).

11. Security

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit and at rest where applicable, access controls, authentication requirements, and regular review of security practices.

No system is perfectly secure. We cannot guarantee that personal information will never be accessed, disclosed, altered, or destroyed in ways inconsistent with this Privacy Policy. If we become aware of a personal-data breach affecting you, we will notify you and applicable authorities as required by law.

12. Data Retention

We retain personal information for different periods depending on the type of data and the purpose for which we hold it. The categories below describe how we think about retention.

12.1 Operational Retention

We retain Private Account Data (account credentials, contact info, support history, configuration) for as long as your account is active, and for a reasonable period afterward to support reactivation, dispute resolution, and security monitoring — typically up to 12 months after account closure unless a longer period is required by law or by a pending legal matter.

12.2 Legal Retention

Where applicable law requires us to retain certain information for tax, accounting, sanctions compliance, anti-money-laundering, or similar reasons, we retain that information for the period required by the relevant law (typically several years), even if you have deleted your account.

12.3 Public Listing Persistence

Public Listing Content and Derivative Marketing Materials are intended to be public. Even after you delete your account, copies of your Agent Listing or Derivative Marketing Materials may persist in third-party caches, search-engine indexes, partner sites, archive services (such as the Internet Archive), and copies retained by other users. We will delete or remove information from systems we control upon request, but we cannot retrieve information from systems we do not control.

12.4 Backup Retention

Operational backups may retain copies of your information for a limited period after deletion from active systems (typically up to 90 days). Backup data is access-restricted and not used for any purpose other than disaster recovery.

12.5 Model-Derived Retention

Where Public Listing Content has been incorporated into trained models, embeddings, or aggregated derivative datasets, deletion of the underlying record does not necessarily remove the contribution from those derivatives. We will use reasonable means to honor deletion requests as applied to ongoing model use, including by excluding deleted records from future training runs and, where technically and commercially feasible, retraining or re-embedding affected systems on a regular cadence. Retraining a foundation model from scratch to remove a single record is generally not feasible; we will be transparent with you about what is and is not possible upon request.

12.6 Aggregated/De-Identified Data

Aggregated, de-identified, or anonymized data that does not directly or indirectly identify you may be retained indefinitely for research, analytics, benchmarking, and product development.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date at the top of this page. If the changes are material, we will provide additional notice (such as by email or in-Service notice). Your continued use of the Service after a change becomes effective constitutes acceptance of the updated Privacy Policy.

14. How to Contact Us

For privacy questions or to exercise your privacy rights:

• Email: privacy@envvoy.com
• Mail: Ent Laboratories LLC, [Insert Mailing Address]
• EU/UK Representative: [Insert EU Representative Name and Address]

© Ent Laboratories LLC. All rights reserved.