Last updated: 2 Nov 2025

Who we are. Shopay Pty Ltd (ABN 60 619 658 669) trading as Observant Convo Automation Agency (“Observant Convo”, “we”, “us”).
Websites & apps covered: observantconvo.com, makevo.app, their subdomains, and tools listed at observantconvo.com/tools, including Makevo Publish and Meta Ad Planner.
Contact: [email protected], Sydney, Australia.

1) Scope

This policy explains what we collect, how we use it, who we share it with, how long we keep it, and your rights under Australian law (Privacy Act 1988 (Cth) & Australian Privacy Principles) and applicable US laws (incl. CCPA/CPRA, where relevant).

2) Data we collect

A. Account & Identity
Name, email, company, role, timezone; password (hashed) or SSO identifiers.

B. Platform Data from LinkedIn (for Makevo Publish)
Only after you connect and consent, we may receive:

• Basic profile & ID/URN (r_liteprofile)

• Email (r_emailaddress)

• Publishing permission (w_member_social) and, if you choose, organization publishing (w_organization_social)
  We do not collect connection lists or inbox data. Access tokens are stored encrypted and used only to perform actions you authorize.

C. Platform Data from Meta (for Meta Ad Planner)
Only after you connect and consent, we may access: pages/ad accounts you select, campaign structure & performance metrics, and (optionally) lead form data you direct to your CRM. We request the minimum data to provide enabled features.

D. Content & Usage
Drafts, uploads, schedules, funnels, performance you choose to track; device/browser/IP, timestamps, product events, and error logs.

E. Billing
Processed by Stripe; we don’t store full card details.

F. Cookies/local storage
For login sessions, preferences, and privacy-respecting analytics.

3) How we use data (purposes)

1. Provide services (draft → publish, analytics, forecasts, funnels).

2. Operate, secure & improve products (diagnostics, abuse prevention).

3. Billing & account (subscriptions, invoices, fraud prevention).

4. Service communications (updates about features you use).

5. Legal/compliance (enforce terms, respond to lawful requests).

We do not sell personal information and do not “share” it for cross-context behavioral advertising under the CPRA.

4) Retention

• Account data: while active + up to 24 months after last activity (or sooner on request), except billing records kept up to 7 years.

• LinkedIn data: we don’t permanently store profile data beyond what’s necessary. Any cache respects LinkedIn limits (e.g., ≤ 24 hours). Posts/schedules/analytics you create remain until you delete them. Tokens are deleted on disconnect or after 90 days of inactivity.

• Meta data: tokens deleted on disconnect; cached metrics purged within 30 days.

• Logs/analytics: typically ≤ 12 months (or anonymised).

5) Sharing & processors

We use vetted service providers under data-processing terms, only for the purposes above, e.g.: Stripe (payments), Supabase/managed Postgres (DB/auth/storage), Hosting/CDN (e.g., Vercel/AWS), Email/support (transactional mail/helpdesk), GoHighLevel (GHL) if you enable CRM sync, and AI/model providers you explicitly use for content transforms.
A current list is available on request at [email protected]. We may disclose data if required by law or to protect rights/safety.

6) International transfers

Data may be stored/processed in Australia and the United States. We apply reasonable safeguards and access controls.

7) Security & breaches

Encryption in transit and at rest (where supported), credential hashing, least-privilege access, audit logging, backups. If a breach is likely to cause serious harm, we’ll notify affected individuals and (in Australia) the OAIC under the Notifiable Data Breaches scheme; in the US, we’ll notify as required by state laws.

8) Your rights

Australia (APPs): Request access and correction of your personal information.
US (incl. California): Subject to verification, request to know/access, correct, or delete your personal information. We don’t sell/share personal information.

Request anytime at [email protected].
You can also revoke platform permissions directly:

• LinkedIn: Settings → Data Privacy → Permitted Services (remove “Makevo Publish”).

• Meta: Facebook/Instagram Settings → Business Integrations.

9) Cookies

We use necessary cookies (auth), functional cookies (preferences), and privacy-respecting analytics. Blocking some cookies may limit features.

10) Children

Our services are for business users and not directed to children under 16. We do not knowingly collect personal information from children under 13.

11) Product-specific details

A) Makevo Publish (LinkedIn)

Scopes (minimum): r_liteprofile, r_emailaddress, w_member_social and optionally w_organization_social.
Use: transform drafts into LinkedIn posts, schedule/publish on your behalf, and fetch performance metrics you opt in to.
Storage: your drafts, published content metadata, schedules, chosen analytics; encrypted tokens only while needed. No connection lists or messages.

B) Meta Ad Planner (Meta/Facebook/Instagram)

Access: pages/ad accounts you select; campaign structure & metrics; optional lead form data you route to your CRM.
Use: planning, forecasting, reporting you request; optional CRM sync.
Storage: configuration & aggregated metrics; encrypted tokens.

C) makevo.app (Funnel Builder)

Data: projects/funnels, team invites, hosting settings you configure.
Use: render pages, manage assets, measure performance you enable.
Control: export/delete projects; request account deletion anytime.

12) Data deletion instructions

Email [email protected] with subject “Data Deletion Request” from your account email. Include any linked LinkedIn/Meta IDs or profile URLs. We’ll delete or anonymise personal information within 30 days (except records we must retain by law, e.g., invoices).
You can also revoke LinkedIn/Meta access immediately in their settings (which invalidates tokens).

13) Changes

We’ll update this policy as products evolve. Material changes will be announced in-app or by email. The “Last updated” date shows the latest version.