Privacy Policy

Effective Date: June 25, 2026  |  Last Updated: June 24, 2026

1. Introduction & Scope

This Privacy Policy explains how Weaver Integrations Inc. ("Weaver," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal data and business data in connection with Weaver OS (the "Platform" or "Service") and our marketing website.

Weaver Integrations Inc. is incorporated in Delaware and maintains its principal place of business in Texas. The privacy laws of both states — the Delaware Personal Data Privacy Act (DPDPA) and the Texas Data Privacy and Security Act (TDPSA) — apply to us, alongside any other state's law that applies based on our data-processing activities. We are a Delaware C-corporation; our principal place of business is 17501 Dallas Pkwy, Dallas, TX 75287, United States.

1.1 What the Platform Does

Weaver OS is an AI-concierge software service that unifies a small business's operations across the third-party tools it already uses. Rather than asking you to abandon Stripe, QuickBooks, HubSpot, Mailchimp, Calendly, or the dozens of other apps that run your business, Weaver connects to those tools, pulls the relevant data into one place, and gives you an AI concierge (we call her "Weavie") that can answer questions, draft content, and prepare actions for your approval. Weaver currently offers more than two dozen integrations (27 integrations) spanning payments, e-commerce, accounting, payroll, CRM, marketing, scheduling, analytics, reviews, and content creation.

1.2 Who This Policy Covers

This policy covers two distinct groups of people, and it is important to understand the difference:

This Privacy Policy is effective as of the Effective Date shown above and supersedes any prior version. Capitalized terms not defined here have the meaning given in our Terms of Service.

2. Definitions

3. Categories of Data We Collect

3.1 Account Information

When you create a Weaver account and set up your business, we collect:

3.2 Authentication Data

To secure your account, we store:

3.3 Connected-Tool Credentials

When you connect a third-party tool, we store the credentials needed to access it (such as OAuth tokens or API keys), encrypted at rest using AES-256-GCM encryption. We also store the scope of data each connection is permitted to access.

3.4 Business Data Ingested from Connected Tools

Depending on which tools you connect and what you authorize, Weaver may ingest and store:

Much of this Business Data describes your customers, not you. As explained in Section 1.2, we process that data as your processor.

3.5 AI Conversation Data

When you use Weavie, we collect and store:

3.6 Usage and Log Data

We automatically collect operational data, including:

3.7 Cookies

We use a small number of strictly necessary cookies for session management and authentication, and a CSRF-protection token. We do not use advertising or cross-site tracking cookies. See Section 18 for detail.

3.8 Communications

When you contact us for support, sales, or legal requests, we keep a record of that correspondence so we can respond and improve our service.

3.9 What We Do and Do Not Collect — Sensitive Data

To be transparent and accurate rather than over-disclaiming:

4. How We Collect Data

5. Purposes of Processing

6. Legal Bases for Processing

For individuals protected by the EU/UK General Data Protection Regulation (GDPR), we rely on the following legal bases:

Where Weaver processes end-customer data as a processor on behalf of an account holder, the account holder is responsible for establishing the legal basis for that processing.

7. AI-Specific Disclosures

7.1 AI Model Providers

Weavie is powered by several AI model providers. Anthropic (Claude) is our primary model provider for all conversational features — chat, briefings, and content generation. OpenAI (GPT) and Google (Gemini) serve as fallbacks when the primary provider is unavailable. Perplexity is used solely for real-time web research (for example, looking up current industry trends), where it returns sourced results with citations.

7.2 Memory Embeddings

Separately from chat, Weavie's long-term memory text is converted into mathematical representations called vector embeddings so that relevant memories can be retrieved later. This embedding step uses OpenAI's embeddings service (the text-embedding-3-small model) regardless of which provider handled your chat. As a result, your memory text is sent to OpenAI for vectorization even when Anthropic answered your conversation. We disclose this explicitly so you understand the full data flow.

7.3 Data Sent to AI Providers and No-Training Commitment

When you use AI features, we send the relevant conversation content, business context, prompts, and (for research) search queries to the applicable provider so it can generate a response. Under the contractual terms we have in place with these providers, your content is not used to train or improve their general models. This no-training commitment is a contractual term set by each provider's API terms and data-processing agreement; it is not something Weaver enforces inside its own code. The providers may still process content for their own safety, abuse-prevention, and infrastructure-operation purposes as described in their policies.

7.4 Automated Decision-Making

Weavie is designed to keep a human in the loop for consequential, outbound actions. Most such actions — publishing content, sending email, scheduling events, and posting review replies — are placed in a hold-for-approval queue and do not execute until you (or, for action types you have explicitly pre-authorized with a daily cap, an opt-in auto-approval rule) approve them. We disclose one honest exception: sending an SMS text message may execute within a chat turn without passing through the approval queue when SMS features are enabled. We do not use AI to make decisions that produce legal or similarly significant effects about you without human involvement, and where automated decision-making applies you have the right to request human review (see Section 14 and Section 15).

7.5 Deleting AI Data

You may request deletion of specific Weavie conversations or your entire AI conversation and memory history by contacting us at legal@weaverintegrations.com.

8. Cross-Integration Data Correlation

This section describes something distinctive about how Weaver works, so we want to be especially clear about it.

To build a single, unified view of each of your customers, Weaver uses the customer's email address as a join key to correlate data across the different tools you have connected. Before matching, we normalize each email — lowercasing it, trimming spaces, and stripping any "+alias" portion (so "Sarah+Orders@Acme.com" and "sarah@acme.com" are treated as the same person). Using that normalized email, Weaver can connect, for example, a Stripe payment to a HubSpot contact, then update that contact's lifetime value. This is how Weaver attributes revenue, builds unified customer profiles, and computes per-customer analytics.

This correlation happens strictly within a single account holder's own account (a single "tenant"). Weaver never correlates one account holder's customer data with another account holder's data. Every attribution query is scoped to one tenant. The unified profile we build for your business is built only from your connected tools.

Because this feature joins data about the account holder's own customers, the multi-party distinction in Section 1.2 matters here: the unified profiles describe the account holder's customers, and the account holder remains responsible, as controller, for the lawful collection of that customer data.

Cross-tenant benchmarks. Separately, Weaver computes anonymized, aggregated benchmarks across businesses in the same niche — for example, average conversion rate or average review rating. These benchmarks contain only aggregate statistics (sample size, average, median, percentiles). Raw data is never shared across tenants, and the identities of other businesses are masked (for example, shown only as "Business #2"). What enters an AI prompt from this feature is pre-formatted aggregate text, never another business's identity or raw rows.

9. Subprocessors

We engage the following subprocessors to operate the Platform. Each is bound by contract to protect your data and to use it only for the purposes we authorize.

Name Purpose Data Received Location Privacy Policy
Anthropic, Inc. Primary LLM for Weavie chat, briefings, and content Conversation content, business context, prompts United States anthropic.com/legal/privacy
OpenAI, L.L.C. Fallback LLM and memory embeddings Same chat data shape; memory text for vectorization United States openai.com/policies/privacy-policy
Google LLC Fallback LLM (Gemini) Same chat data shape United States (SOC 2 / ISO 27001) policies.google.com/privacy
Perplexity, Inc. Real-time web research Search queries United States perplexity.ai/hub/legal/privacy-policy
Stripe, Inc. Weaver subscription billing (PCI-DSS) Name, email, payment card data (Weaver does not store card numbers) United States (PCI DSS) stripe.com/privacy
Resend, Inc. Transactional email delivery Recipient email, message content United States resend.com/legal/privacy-policy
Railway Corp. Application and Postgres database hosting All application data at rest (database encrypted at rest) United States railway.app/legal/privacy
Netlify, Inc. Marketing site and portal frontend hosting Site and request data United States netlify.com/privacy
AWS / Cloudflare R2 File and document storage Uploaded documents and assets United States (SOC 2 / ISO 27001) aws.amazon.com/privacy & cloudflare.com/privacypolicy
Sentry (Functional Software, Inc.) Error monitoring Error stack traces (may incidentally include identifiers) United States sentry.io/privacy

In addition, SMS delivery — when SMS features are enabled — uses a third-party telephony provider (Twilio, United States), which would then receive the relevant phone numbers and message content. Where a subprocessor is independently known for a security or compliance certification, we have noted it above (for example, Stripe maintains PCI DSS; AWS and Google maintain SOC 2 / ISO 27001). We commit to updating this list before engaging any new subprocessor.

10. Data Sharing & Disclosure

We disclose data only in the following circumstances:

We do not sell your Personal Data. We do not share your Personal Data for cross-context behavioral advertising.

11. International Data Transfers

All processing currently takes place in the United States. If you access the Platform from outside the US, your data will be transferred to, stored in, and processed in the United States, where data-protection laws may differ from those in your country. For transfers of personal data from the EU/UK that require it, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs). By using the Platform, you acknowledge this transfer.

12. Data Retention

We retain data only as long as needed for the purposes described in this policy, and we frame the following as our retention policy and commitments:

We may retain certain data longer where required by law, to resolve disputes, to prevent fraud and abuse, or to enforce our agreements.

13. Data Security

We use technical and organizational measures designed to protect your data, including:

We are working toward formal third-party security attestation (such as SOC 2); that work is in progress and aspirational, and no statement here should be read as a current certification.

No system is perfectly secure. If we become aware of a data breach affecting your Personal Data, we will notify affected parties and regulators as required by law — generally within 72 hours under the GDPR, and within 45 days under the Delaware DPDPA, Texas TDPSA, and most other US state laws.

14. User Rights

Depending on where you live, you may have some or all of the following rights regarding your Personal Data:

How to exercise your rights. Email legal@weaverintegrations.com with a description of your request. We may need to verify your identity before acting. We will respond within 45 days (extendable where the law allows and we notify you), and we do not charge a fee for a reasonable request. There is no self-service "delete my account" button today; deletion is a right you exercise by contacting us, and we honor it within the applicable statutory window, subject to the exceptions above.

15. State-Specific Disclosures

15.1 California (CCPA / CPRA)

California residents have the rights to know, access, correct, delete, opt out of sale or sharing, and limit the use of sensitive Personal Information, plus the right to non-discrimination. As noted, we do not sell or share Personal Data. We honor the Global Privacy Control (GPC) browser signal as an opt-out request. Consistent with 2026 requirements, where we use automated decision-making technology you may have rights to access information about, and to opt out of, certain uses; you may also direct us to limit the use of your sensitive Personal Information. Contact legal@weaverintegrations.com; we respond within 45 days.

15.2 Delaware (DPDPA)

As a Delaware corporation, we draw particular attention to the Delaware Personal Data Privacy Act (DPDPA). Delaware residents have the rights to confirm and access their data, to correct inaccuracies, to delete data, to obtain a portable copy, and to opt out of targeted advertising, sale of personal data, and certain profiling. You also have the right to appeal a refusal to act on your request; we will respond to an appeal within 60 days. We respond to initial requests within 45 days. Contact legal@weaverintegrations.com.

15.3 Texas (TDPSA)

Because our principal place of business is in Texas, we also draw particular attention to the Texas Data Privacy and Security Act (TDPSA). Texas residents have the rights to confirm and access their data, correct it, delete it, obtain a portable copy, and opt out of targeted advertising, sale, and certain profiling, plus the right to appeal. We respond within 45 days. Contact legal@weaverintegrations.com.

15.4 Virginia (VCDPA)

Virginia residents have the rights to access, correct, delete, obtain a portable copy of their data, opt out of targeted advertising, sale, and profiling, and to appeal. We respond within 45 days. Contact legal@weaverintegrations.com.

15.5 Colorado (CPA)

Colorado residents have comparable rights to access, correction, deletion, portability, opt-out (including via a recognized universal opt-out mechanism), and appeal. We respond within 45 days. Contact legal@weaverintegrations.com.

15.6 Connecticut (CTDPA)

Connecticut residents have comparable rights to access, correction, deletion, portability, opt-out, and appeal. We respond within 45 days. Contact legal@weaverintegrations.com.

15.7 Utah (UCPA)

Utah residents have the rights to access, delete, obtain a portable copy of their data, and opt out of targeted advertising and sale. We respond within 45 days. Contact legal@weaverintegrations.com.

15.8 Other Comprehensive-Law States

Residents of other states with comprehensive privacy laws now in effect — including Florida, Oregon, Montana, Iowa, Indiana, Tennessee, Nebraska, and New Jersey — have substantially similar rights (access, correction, deletion, portability, opt-out, and, in most cases, appeal). We respond within 45 days. Contact legal@weaverintegrations.com.

15.9 New York (SHIELD Act)

For New York residents, we maintain reasonable safeguards consistent with the New York SHIELD Act and will provide breach notification as required by that law in the event of a qualifying security incident.

15.10 Other States

If you reside in any other US state that grants privacy rights now or in the future, we will honor those rights as the applicable law requires. Contact legal@weaverintegrations.com, and we will respond within the timeframe the law provides (generally 45 days).

16. EU / UK Residents

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described under the GDPR and UK GDPR, including access, rectification, erasure, restriction, portability, and objection, as well as rights related to automated decision-making. The legal bases on which we rely are described in Section 6. For now, our designated privacy contact / Data Protection Officer function is handled by Reece Burnett (reece@weaverintegrations.com). You also have the right to lodge a complaint with your local supervisory authority. International transfers are addressed in Section 11.

17. Children's Privacy

The Platform is not directed to children, and we do not knowingly collect Personal Data from children under 13 (United States) or under 16 (European Union). If we learn that we have collected such data without the required consent, we will delete it promptly. If you believe a child's information has been provided to us, contact legal@weaverintegrations.com and we will investigate and delete as appropriate.

18. Cookies & Tracking

We use a minimal set of cookies:

We do not use advertising trackers or cross-site behavioral-advertising cookies. We honor browser Do Not Track signals and the Global Privacy Control (GPC) where applicable.

19. Third-Party Integrations

Each tool you connect to Weaver is governed by its own privacy policy and terms, and you are responsible for your compliance with them. When you connect a tool, you authorize Weaver to access data on your behalf within the scope you grant.

Disconnecting a tool revokes Weaver's ongoing access to it, but it does not automatically delete data already synced into Weaver. To have already-synced data erased, request deletion by emailing legal@weaverintegrations.com (see Section 14).

Data export. A data export is available on request. Today it covers key categories — contacts, reviews, analytics, invoices, scheduling events, and content — and a broader export can be requested. Portability is request-based; we do not currently provide a one-click full data dump.

20. Changes to This Policy

We may update this Privacy Policy as our practices, technology, and applicable laws change. For material changes, we will provide at least 30 days' notice by email to your registered address and will update the "Effective Date" and "Last Updated" dates above. Your continued use of the Platform after the effective date of an update constitutes acceptance of the updated policy.

21. Contact Us

For questions about this policy, our data practices, or to exercise your rights, contact us:

Weaver Integrations Inc.
Mailing address: 17501 Dallas Pkwy, Dallas, TX 75287
General legal and privacy-rights requests: legal@weaverintegrations.com
Privacy Officer / Founder: Reece Burnett (reece@weaverintegrations.com)

Registered agent for service of process in Delaware: Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, United States.

For the terms that govern your use of the Platform, please also see our Terms of Service.

22. Appendix: Data Categories by Role

22.1 Business Owner / Primary Account Holder

You have full access to all of your business's data, team messages, integration settings, and Weavie conversations, and you control which team members can access what.

22.2 Team Members

Team members you invite have access only to what your role-based permissions grant them.

22.3 Weaver Support Staff

Support staff access your account only to resolve issues you raise. Such access is recorded to the audit trail.

22.4 Weaver Admin (via impersonation)

To troubleshoot, an authorized Weaver administrator may start a support session that grants temporary access to your account. These sessions are time-limited to 15 minutes and cannot be refreshed, nested support sessions are blocked, and both the start and end of each session are recorded to your account's audit trail.

23. About This Document

This document was prepared with the assistance of AI tools. It reflects a good-faith effort to describe Weaver's practices accurately. It is not legal advice and is not a substitute for review by qualified counsel. We will update it as our practices and applicable laws change.