Privacy Policy

Last updated: March 8, 2026

Gorem ("we," "us," or "our") operates gorem.ai and provides custom AI agent services for businesses. This Privacy Policy describes how we collect, use, share, and protect personal information when you visit our website, use our services, or interact with an AI agent powered by Gorem.

1. Information We Collect

Website Visitors

• Contact information: Name, email address, phone number, and company name when you book a demo or contact us.
• Usage data: Pages visited, referral source, browser type, device type, and IP address.

Business Clients

• Account information: Business name, contact details, billing information, and login credentials.
• Integration data: Data accessed through connected systems (calendars, CRMs, databases) as configured by the client.
• Configuration data: Knowledge base documents, business policies, and agent settings provided by the client.

End Users (Customers of Our Business Clients)

When you interact with an AI agent powered by Gorem on a business client's website, phone line, or via SMS, we process:

• Conversation data: Messages, voice transcripts, and chat history.
• Contact information: Name, phone number, email address, or other details you voluntarily provide during the conversation.
• Interaction metadata: Timestamps, channel used (chat, phone, SMS), and conversation duration.

2. How We Use Your Information

• To provide our services: Power AI agent conversations, book appointments, look up records, capture leads, and perform actions on behalf of our business clients.
• To process payments: Charge subscription fees and setup fees via our payment processor (Stripe).
• To improve our services: Analyze anonymized, aggregated usage patterns to improve performance and reliability. We do not use individual conversation data for this purpose.
• To communicate with you: Respond to inquiries, send service updates, and provide support.
• To comply with legal obligations: Respond to lawful requests, prevent fraud, and enforce our terms.

3. AI and Large Language Model Processing

• No model training: Your personal data, conversation content, and business client data are never used to train, fine-tune, or improve any AI or machine learning model, whether ours or any third party's.
• Processing only: Data is sent to LLM providers solely to generate real-time responses during active conversations. It is not stored by the LLM provider beyond the duration needed to generate a response.
• Data isolation: Each business client's data is logically isolated. One client's data is never accessible to another client's AI agent.
• AI limitations: AI-generated responses may occasionally be inaccurate, incomplete, or inappropriate. AI agents do not provide legal advice, medical advice, or other professional advice. Responses are informational only.
• Sub-processors: We use third-party AI model providers (such as Anthropic and OpenAI) to generate responses. These providers are bound by data processing agreements that prohibit them from using your data for model training.

4. Data Sharing and Third Parties

We share personal information only in the following circumstances:

• With business clients: End user conversation data is shared with the business client whose AI agent you interacted with. The business client is the data controller for this data.
• Service providers: We use trusted third parties to help operate our services:
  • Stripe (payment processing)
  • Anthropic, OpenAI (AI model providers)
  • Cloud infrastructure providers (hosting and data storage)
  • Telephony and SMS providers (for voice and text channels)
• Legal requirements: When required by law, court order, or government request.
• Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.

We do not sell or share personal information for advertising or marketing purposes.

5. Data Retention

• Website visitor data: Contact form submissions are retained for up to 2 years or until you request deletion.
• Business client data: Retained for the duration of the subscription plus 90 days for data export, then deleted.
• End user conversation data: Retained according to the business client's configuration and applicable legal requirements. Default retention is 12 months, after which data is automatically deleted unless the client specifies otherwise.
• Payment data: Processed and stored by Stripe in accordance with PCI DSS standards. We do not store credit card numbers.
• Aggregated analytics: Anonymized, aggregated data may be retained indefinitely.

6. Your Rights

All Users

You may contact us at privacy@gorem.ai to:

• Request access to your personal data
• Request correction of inaccurate data
• Request deletion of your data
• Request a copy of your data in a portable format

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, including:

• The right to know what personal information we collect, use, and disclose
• The right to delete personal information
• The right to correct inaccurate personal information
• The right to opt out of the sale or sharing of personal information (we do not sell or share personal information)
• The right to opt out of automated decision-making technology
• The right to non-discrimination for exercising your privacy rights

European Economic Area / UK Residents (GDPR)

If you are located in the EEA or UK, you have the right to:

• Access, correct, or delete your personal data
• Restrict or object to processing
• Data portability
• Withdraw consent at any time
• Object to automated decision-making and profiling
• Lodge a complaint with your local supervisory authority

Our legal basis for processing is: performance of a contract (for clients), legitimate interest (for service improvement and security), and consent (where applicable).

End Users of Business Clients

If you interacted with an AI agent powered by Gorem and wish to exercise your privacy rights, you may contact the business directly or contact us at privacy@gorem.ai. We will coordinate with the relevant business client to fulfill your request.

7. Security

We implement industry-standard security measures to protect your data, including:

• Encryption in transit (TLS 1.2+) and at rest
• Access controls and authentication
• Regular security assessments
• Incident response procedures
• Employee security training

No method of transmission or storage is 100% secure. If you become aware of a security incident, please contact us immediately at security@gorem.ai.

8. Children's Privacy

Our services are not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@gorem.ai and we will delete it promptly.

9. International Data Transfers

Your data may be processed in the United States or other countries where our service providers operate. When transferring data from the EEA/UK, we rely on Standard Contractual Clauses or other approved transfer mechanisms to ensure adequate protection.

10. Cookies and Tracking

Our website uses minimal cookies:

• Essential cookies: Theme preference (stored in localStorage, not a cookie).
• No third-party tracking: We do not use Google Analytics, advertising pixels, or social media tracking on our website.

If we add analytics or tracking in the future, we will update this policy and provide appropriate consent mechanisms.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify business clients of material changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of our services after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions or to exercise your rights:

• Email: privacy@gorem.ai
• General: info@gorem.ai