Privacy Statement

1. Who We Are

INVSBL, Inc. ("INVSBL," "we," "us," or "our") provides privacy-first AI software that orchestrates open-weight models via third-party API providers configured for no training and no retention of your prompts/outputs.

2. Scope

This Privacy Statement applies to our desktop and mobile applications, websites, and related services that link to it.

3. Information We Collect

Information Processed by the Models

• User Content (Prompts/Outputs). The text, images, files, and instructions you submit and the model responses you receive ("User Content").
• Model Execution. Your requests are routed to third-party open-weight API providers configured for no training and no content retention. These providers do not keep your content after completing the request.
• Prompt Caching. Some endpoints/models provide implicit caching of prompts. This keeps repeated prompt data in an in-memory cache in the provider's datacenter, so that the repeated part of the prompt does not need to be re-processed which can lead to considerable cost savings. INVSBL has taken the stance that in-memory caching of prompts is not considered "retaining" data, and we therefore allow our selected endpoints/models with implicit caching to be hit when a ZDR routing policy is in effect.
• Storage Location. INVSBL does not store User Content server-side. Your prompts and outputs are stored on your device (client-side) and remain under your control. If you clear app data or uninstall, your local content will be deleted from that device.

Other Information

• Account/Billing (if you create an account or purchase). Minimal details needed for sign-in and payments (e.g., email, transaction records).
• Operational telemetry (non-content). Aggregate, non-personal metrics like crash reports or uptime. We do not collect or analyze your prompts/outputs for this purpose.

4. How We Use Information

• Provide the Services. Operate core features, process your requests with open-weight models, maintain security, and manage your account.
• Reliability & security (without content tracking). We may process non-content, aggregate operational metrics (e.g., error counts, uptime).
• Communications & legal compliance. Send service notices, handle support, and comply with applicable laws.

5. How Your Information Is Shared

We minimize sharing.

a. Third-Party Open-Weight API Providers

We route your requests to vetted providers that contractually and technically commit to no content retention and no training on your prompts/outputs.

b. Service Providers

Infrastructure vendors (cloud hosting, database, email delivery) may process account/billing and operational data as processors under contract. They are prohibited from using it for their own purposes.

c. Legal & Safety

We may disclose information if required by law or to protect INVSBL, our users, or the public, consistent with legal standards.

d. Business Transfers

If we undergo a merger, acquisition, or asset sale, account and billing data may transfer as permitted by law. If any change reduces your privacy rights, we'll provide notice and choices where required.

e. Aggregated/De-identified

We may share non-personal, aggregated operational statistics (e.g., uptime) that cannot reasonably identify you.

6. Data Security

We implement administrative, technical, and organizational safeguards, least‑privilege access, encryption in transit and at rest for account data, and strict internal controls. No method of electronic transmission or storage is perfectly secure, but we continually improve our defenses.

7. Data Retention

Prompts & Outputs

• Client-Side Only. INVSBL does not store prompts/outputs on our servers. Your content is stored on your device and can be deleted by you at any time (e.g., clearing app data, deleting a chat, or uninstalling).
• Conversation TTL. All conversations have a default time-to-live (TTL) of 24 hours, unless extended by the user. Deleted chats cannot be recovered, and we accept no liability for their loss.
• Sync/Cloud Backups. We do not provide server-side history or cloud sync. If we ever offer optional sync, it will require explicit opt-in and will be covered by an updated statement.

Embeddings/Derived Data

If embeddings or profile signals are generated to power on-device features, they are stored client-side alongside your content and follow the same local deletion controls. We do not use embeddings for training, ads, or content analytics, and we never sell them.

Account & Billing Data

Retained while your account is active and as required for legal, tax, security, and fraud-prevention obligations. Where applicable law permits, you may request deletion or restriction; some records must be kept to comply with statutory requirements.

Backups

We do not back up your prompts/outputs server-side. Encrypted backups may exist for account/billing systems only and are used solely for disaster recovery.

Legal Holds

If required to preserve records for litigation or investigations, we may place a temporary legal hold on account/billing data until the matter is resolved.

Access & Security

Any server-side data (e.g., account/billing) is encrypted in transit and at rest and protected by least-privilege access controls and audit logging. Only authorized personnel with a need-to-know may access limited data to operate the Services or fulfill your requests (e.g., export/delete).

Never Sold. Never Used for Training.

Regardless of settings, we never sell your prompts/outputs or embeddings and never use them to train models.

8. Your Choices & Rights

Depending on your location, you may have rights to access, correct, delete, export, or restrict processing of your personal data. You can:

• Manage account data in settings or by contacting us.
• Disable cookies (note: strictly necessary cookies may be required for sign-in).
• Opt out of marketing emails via unsubscribe links.

To exercise rights, contact contact@invsbl.dev. We will respond consistent with applicable laws (e.g., GDPR, CCPA/CPRA).

9. Children's Privacy

The Services are not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children.

10. International Data Transfers

If account/billing data is processed outside your country, we use appropriate safeguards (e.g., Standard Contractual Clauses) as required by law. Prompts/outputs are not retained server-side, and model providers are configured for non-retention.

11. Changes to This Privacy Statement

We may update this Privacy Statement to reflect changes in our practices or legal requirements. If we make material changes, we will post the update here and, where required, notify you.

12. Contact Us