Privacy Statement

1. Who We Are

INVSBL, Inc. ("INVSBL," "we," "us," or "our") provides privacy-first AI software that orchestrates any OpenAI-compatible model — frontier, self-hosted, or open-weight. Our intelligent routing layer detects private, PII, and sensitive data in your prompts and ensures such information is shielded from provider retention and model training.

2. Scope

This Privacy Statement applies to our desktop and mobile applications, websites, and related services that link to it.

3. Information We Collect

Information Processed by the Models

• User Content (Prompts/Outputs). The text, images, files, and instructions you submit and the model responses you receive ("User Content").
• Model Execution. Your requests are routed to third-party API providers. INVSBL's routing layer analyzes your prompts to detect private, PII, and sensitive data. When sensitive content is identified, it is protected from provider retention and model training. Some model providers may retain or train on non-sensitive portions of requests in accordance with their own policies.
• Prompt Caching. Some endpoints/models provide implicit caching of prompts. This keeps repeated prompt data in an in-memory cache in the provider's datacenter, so that the repeated part of the prompt does not need to be re-processed which can lead to considerable cost savings. INVSBL has taken the stance that in-memory caching of prompts is not considered "retaining" data, and we therefore allow our selected endpoints/models with implicit caching to be hit when a ZDR routing policy is in effect.
• Storage & Encryption. All conversation data is protected by zero-knowledge encryption (AES-256-GCM). Messages are encrypted on your device before leaving the browser, and only encrypted data is persisted on our servers. INVSBL does not hold decryption keys and cannot read your content. You may delete your encrypted data at any time. A local copy is also stored on your device for offline access; if you clear app data or uninstall, your local content will be deleted from that device.

Other Information

• Account/Billing (if you create an account or purchase). Minimal details needed for sign-in and payments (e.g., email, transaction records).
• Operational telemetry (non-content). Aggregate, non-personal metrics like crash reports or uptime. We do not collect or analyze your prompts/outputs for this purpose.

4. How We Use Information

• Provide the Services. Operate core features, route your requests to model endpoints with sensitive-data protections, maintain security, and manage your account.
• Reliability & security (without content tracking). We may process non-content, aggregate operational metrics (e.g., error counts, uptime).
• Communications & legal compliance. Send service notices, handle support, and comply with applicable laws.

5. How Your Information Is Shared

We minimize sharing.

a. Third-Party Model API Providers

We route your requests to third-party model providers. Our routing layer ensures that private, PII, and sensitive data detected in your prompts is shielded from provider retention and training. Provider selection and data-handling policies vary by endpoint; INVSBL's protections focus specifically on your confidential information.

b. Service Providers

Infrastructure vendors (cloud hosting, database, email delivery) may process account/billing and operational data as processors under contract. They are prohibited from using it for their own purposes.

c. Legal & Safety

We may disclose information if required by law or to protect INVSBL, our users, or the public, consistent with legal standards.

d. Business Transfers

If we undergo a merger, acquisition, or asset sale, account and billing data may transfer as permitted by law. If any change reduces your privacy rights, we'll provide notice and choices where required.

e. Aggregated/De-identified

We may share non-personal, aggregated operational statistics (e.g., uptime) that cannot reasonably identify you.

6. Data Security

We implement administrative, technical, and organizational safeguards, least‑privilege access, encryption in transit and at rest for account data, and strict internal controls. No method of electronic transmission or storage is perfectly secure, but we continually improve our defenses.

7. Data Retention

Prompts & Outputs

• Zero-Knowledge Encryption. Your conversations are protected with zero-knowledge encryption. Messages are encrypted on your device before reaching our servers. INVSBL cannot decrypt your content. Encrypted data is stored on our servers for cross-device sync and can be deleted by you at any time.
• Conversation TTL. All conversations have a default time-to-live (TTL) of 24 hours, unless extended by the user. Deleted chats cannot be recovered, and we accept no liability for their loss.
• Cross-Device Access. Your zero-knowledge encrypted conversation data is stored on our servers to enable access across your devices. Because this data is encrypted with keys only you possess, INVSBL cannot read it at any point. If we ever expand sync or backup capabilities, it will require explicit opt-in and will be covered by an updated statement.

Embeddings/Derived Data

If embeddings or profile signals are generated to power on-device features, they are stored client-side alongside your content and follow the same local deletion controls. We do not use embeddings for training, ads, or content analytics, and we never sell them.

Account & Billing Data

Retained while your account is active and as required for legal, tax, security, and fraud-prevention obligations. Where applicable law permits, you may request deletion or restriction; some records must be kept to comply with statutory requirements.

Backups

Server-side conversation data is stored exclusively in zero-knowledge encrypted form and is subject to the same TTL and deletion controls described above. Encrypted backups may exist for account/billing systems only and are used solely for disaster recovery.

Legal Holds

If required to preserve records for litigation or investigations, we may place a temporary legal hold on account/billing data until the matter is resolved.

Access & Security

Any server-side data (e.g., account/billing) is encrypted in transit and at rest and protected by least-privilege access controls and audit logging. Only authorized personnel with a need-to-know may access limited data to operate the Services or fulfill your requests (e.g., export/delete).

Never Sold. Sensitive Data Never Trained On.

Regardless of settings, we never sell your prompts/outputs or embeddings. INVSBL never uses your data to train our own models. Our routing layer ensures that private, PII, and sensitive data is shielded from third-party model training.

8. Your Choices & Rights

Depending on your location, you may have rights to access, correct, delete, export, or restrict processing of your personal data. You can:

• Manage account data in settings or by contacting us.
• Disable cookies (note: strictly necessary cookies may be required for sign-in).
• Opt out of marketing emails via unsubscribe links.

To exercise rights, contact contact@invsbl.dev. We will respond consistent with applicable laws (e.g., GDPR, CCPA/CPRA).

9. Children's Privacy

The Services are not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children.

10. International Data Transfers

If account/billing data is processed outside your country, we use appropriate safeguards (e.g., Standard Contractual Clauses) as required by law. Conversation data stored on INVSBL servers is zero-knowledge encrypted and unreadable by INVSBL or any third party. Our routing layer additionally protects sensitive data from provider retention.

11. Changes to This Privacy Statement

We may update this Privacy Statement to reflect changes in our practices or legal requirements. If we make material changes, we will post the update here and, where required, notify you.

12. Contact Us