Privacy Policy
Last updated: 21 May 2026
1. Who we are
Orbixa Technologies Ltd (“we”, “Leva”) is the data controller for personal data processed through the Leva platform.
Registered office: 22 - 28 Willow Street, Accrington, Lancashire, BB5 1LP
Registered in England and Wales — Company number 16519488
ICO Registration: ZC054842
Privacy contact: privacy@getleva.ai
2. Data we collect
- Account data: name, email address, password hash (never stored in plaintext)
- Business data: company information, goals, strategies, brand guidelines, and founder profile data you configure
- Visual assets: logos, images, and brand materials you upload — stored in encrypted cloud storage and may be processed by AI for brand analysis
- Integration data: OAuth tokens for Gmail, LinkedIn, Meta, HubSpot, and other connected tools — stored in an encrypted vault and used solely to act on your behalf
- AI output feedback: thumbs-up/thumbs-down reactions and optional text feedback you provide on AI-generated outputs
- MCP tool invocations: when your agents use connected integrations (e.g. sending email, updating your CRM), the action, timing, and cost are logged for billing and audit purposes
- Usage data: agent runs, task outcomes, feature usage, and performance metrics
- Payment data: handled entirely by Stripe; we do not store card numbers or CVVs
- Support data: messages you send to our support team
3. Lawful basis
We process personal data on the following bases under UK GDPR:
- Contract: delivering, maintaining, and improving the Leva service
- Legitimate interest: security, fraud prevention, product analytics, and service improvement
- Consent: marketing communications and non-essential analytics (you may withdraw at any time)
- Legal obligation: compliance with applicable laws and regulations
4. How we use AI
Leva uses large language models to power its agent functionality. Here is how your data flows through our AI infrastructure:
- Anthropic Claude: your business data (goals, company context, drafts) is sent to Anthropic's API to generate agent outputs. All Anthropic calls are routed through Portkey, a gateway service that provides cost observability and caching. Portkey processes prompts and responses but does not store or use them for any purpose outside of logging for your usage dashboard.
- OpenAI (DALL-E 3): when you use image generation features, ad creative briefs are sent to OpenAI to generate images. This is also routed through Portkey.
- fal.ai: when you use video generation features, text prompts are sent to fal.ai to generate short video content.
No AI training on your data: Anthropic, OpenAI, and fal.ai do not use your inputs or outputs to train their models under their respective API data processing agreements. Your business data is not used to train any AI model.
Feedback and improvement: when you provide thumbs-up/thumbs-down feedback on agent outputs, this feedback is stored in Leva and used to tune future agent behaviour for your account only. It is not shared externally.
You can review AI provider privacy policies at anthropic.com/legal, openai.com/policies, and fal.ai/privacy.
5. Data sharing and sub-processors
We share data only with sub-processors necessary to deliver the service. For a full list including jurisdictions and DPA links, see our Sub-Processors page.
Key sub-processors:
- Supabase — database, authentication, file storage, and secrets vault (EU West)
- Vercel — application hosting and edge delivery (US/global)
- Anthropic — AI inference for all agent tasks (US)
- OpenAI — image generation (DALL-E 3) (US)
- Portkey — LLM gateway routing all Anthropic and OpenAI calls (US)
- fal.ai — AI video generation (US)
- Stripe — payment processing (US/UK)
- Resend — transactional email delivery (US)
- Upstash — Redis rate limiting and background job queue (US)
- Composio — OAuth integration aggregator and action execution layer for third-party tools (US). When you connect integrations such as LinkedIn, Meta Ads, HubSpot, or other platforms, your OAuth credentials are stored and managed by Composio, and integration actions (posting, campaign management, CRM writes) are executed through Composio's infrastructure. Composio holds SOC 2 Type 2 and ISO 27001 certification — see trust.composio.dev. Leva has a Data Processing Agreement with Composio covering GDPR Article 28 obligations.
- Instantly — cold email campaign sending (US)
- HeyReach — LinkedIn outreach drafts (US)
- Cloudflare — CAPTCHA and bot protection (US/global)
All sub-processors are bound by data processing agreements that require GDPR-equivalent protections. We do not sell your data.
Composio (integration layer — GDPR Article 28 disclosure): Leva uses Composio as a sub-processor for OAuth credential management and integration action execution. Under Article 28, Composio processes integration data solely on our documented instructions, implements appropriate technical and organisational security measures, and assists Leva in fulfilling data subject rights requests. Composio does not use your data for its own purposes. To revoke Composio-mediated integration access, disconnect the relevant integration from your Integrations settings — this triggers token revocation with Composio.
Third-party integrations you connect: when you authorise Leva to connect to platforms such as Gmail, HubSpot, Meta Ads, or LinkedIn, your data is also processed by those platforms under their own privacy policies. Leva acts as your authorised agent for these connections; you control which integrations are active and can disconnect them at any time.
6. Data retention
| Data type | Retention period |
|---|---|
| Account and business data | Duration of account; purged within 30 days of deletion |
| AI agent outputs | Duration of account; purged within 30 days of deletion |
| Visual asset uploads | Duration of account; purged within 30 days of deletion |
| MCP tool invocations (billing/audit) | 13 months (for billing dispute resolution) |
| Payment records | 7 years (UK legal requirement) |
| Encrypted backups | 90 days from account deletion |
| Anonymised usage analytics | Indefinitely (no personal data) |
| Security and audit logs | 12 months |
| Support correspondence | 3 years |
7. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — request deletion of your data (“right to be forgotten”)
- Restriction — ask us to limit how we use your data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — for any processing based on consent (e.g. marketing, analytics cookies)
To exercise any right, email privacy@getleva.ai. You can also lodge a complaint with the ICO at ico.org.uk.
8. Security
We protect your data using TLS encryption in transit, AES-256 encryption at rest, role-based access controls, and audit logging. Credentials (OAuth tokens, API keys) are stored in an encrypted secrets vault (Supabase Vault). We conduct regular security reviews. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
9. International transfers
Some sub-processors operate outside the UK or EU (see our Sub-Processors page for jurisdictions). Where data is transferred internationally, we rely on UK adequacy regulations, standard contractual clauses (SCCs), or equivalent safeguards approved by the ICO or European Commission.
10. Cookies and analytics
We use the following categories of cookies and tracking technologies:
- Essential cookies: required for authentication and session management. These cannot be disabled without breaking core functionality.
- Analytics (non-essential): Vercel Analytics and Speed Insights collect anonymised usage data. These are only loaded with your consent, managed via the cookie banner or our Cookies page.
We do not use advertising, retargeting, or behavioural tracking cookies. You can withdraw consent at any time from the Cookies page.
11. Updates to this policy
We will notify you of material changes to this policy by email at least 30 days before they take effect. The date at the top of this page indicates when the policy was last revised.