← Provia

Privacy Policy

Last updated: 2026-05-23

Provia is an AI-powered sales platform that helps store owners chat with their customers on Instagram, Facebook Messenger, and the web. This Privacy Policy explains what data Provia collects, how it's used, who can see it, and how to delete it. The policy applies to both store owners (people who run stores on Provia) and end customers (people who chat with those stores).

Provia is currently operated by Ali M. Afana as the product owner. If a question is not answered here, email aliafana@smail.ucas.edu.ps.

1. Data we collect

From store owners

  • Account: email address and authentication credentials, stored by Supabase Auth.
  • Profile: full name and role on the platform.
  • Store configuration: store name, description, persona, target country, language, currency, sales approach, policies, and connected social accounts (e.g. Facebook Page ID).
  • Product catalog: product names, descriptions, prices, stock indicators, images, categories, sizes, colors, materials, and AI-generated summaries.
  • Vector embeddings: numerical representations of product descriptions used for semantic search.

From end customers

  • Identifier: Facebook Messenger Page-Scoped ID (PSID) for Messenger chats; an anonymous session identifier for web chats.
  • Display name: first and last name returned by the Messenger profile API, when the platform provides it.
  • Messages: the content of messages a customer sends to a Provia store, and the bot's replies.
  • Lead metadata: conversation stage (discovery, offer, objection, closing), status (open, closed, qualified, converted, lost), and time stamps.
  • Phone number or email address, only if the customer provides them in chat.

Operational logs

  • AI call metadata: model, endpoint, token counts, cost, latency, and search query parameters. Logged for cost monitoring; never contains the message body of a customer chat.
  • Webhook events: inbound and outbound Messenger payloads, sanitized (redacted tokens, redacted long fields), with IP and user-agent. Used for delivery debugging.
  • Standard server logs: HTTP status codes, request paths, and error stack traces. No request bodies.

2. How we use the data

  • To generate AI replies that match the store's configured persona, language, and product catalog.
  • To show store owners the history of conversations and leads in their dashboard.
  • To monitor and reduce the cost of AI calls, and to debug delivery failures on Messenger.
  • To improve Provia's search quality and detect regressions.

Provia does not sell personal data. Provia does not use customer chat content to train third-party models. Customer chat content is sent to the AI providers listed below only to generate a reply for that specific conversation, under each provider's API terms.

3. Third-party processors

The following services process data on Provia's behalf:

  • Supabase — Postgres database, authentication, file storage. Data hosted in Supabase's managed infrastructure.
  • OpenAI — generates chat replies (GPT-4o-mini) and analyzes product images (GPT-4o). Subject to OpenAI's API data policy: data sent via API is not used for training by default.
  • Google AI Studio / Generative Language API — generates chat replies when a store selects a Gemma model. Subject to Google's Generative AI API terms.
  • OpenRouter — routes chat replies to non-OpenAI models when configured.
  • Vercel — application hosting and edge runtime.
  • Meta (Facebook Messenger) — delivers messages between end customers and Provia stores connected to Facebook Pages.

Each processor has its own privacy policy and data-handling terms. By using Provia, you agree that data may be sent to these processors for the purposes described above.

4. Retention

  • Active accounts: data is kept for the lifetime of the account.
  • Deleted accounts: data is removed within 30 days of an account deletion request.
  • Customer-initiated deletion: when an end customer removes Provia via Facebook's app settings, their messages, lead record, and webhook history are deleted within 30 days. See Data Deletion.
  • Operational logs: AI call logs and webhook logs are retained while the account is active for cost monitoring and debugging; deleted with the account.

5. Your rights

You have the right to:

  • Access the data Provia holds about you.
  • Correct inaccurate data.
  • Request deletion of your data.
  • Export a copy of your data in a portable format.
  • Object to specific uses of your data.

To exercise any of these rights, email aliafana@smail.ucas.edu.ps from the address associated with your account. Provia will respond within 30 days.

6. Security

Provia uses HTTPS for all traffic, row-level security on every tenant-scoped table, HMAC-SHA256 signature verification on Messenger webhooks, and admin-gated access on all internal endpoints. Service-role database keys are server-only and never exposed to the browser. No security control is absolute; Provia will notify affected users without undue delay in the event of a data breach that materially affects their data.

7. Children

Provia is intended for use by store owners aged 18 and older, and is not directed at children under 13. Provia does not knowingly collect data from children under 13. If a parent or guardian believes their child has used Provia, email aliafana@smail.ucas.edu.ps and the relevant data will be deleted.

8. International data transfers

Provia's processors (Supabase, OpenAI, Google, OpenRouter, Vercel, Meta) operate global infrastructure. Data may be processed outside the country where it was collected, subject to each processor's standard contractual safeguards.

9. Changes to this policy

Provia may update this policy as the product evolves. Changes are reflected by the “Last updated” date at the top of this page. Material changes will be announced to active account holders by email at least 30 days before they take effect.

10. Contact

Questions, requests, or complaints: aliafana@smail.ucas.edu.ps.