Privacy policy

1. Who we are

Mova Desk is operated by Greenwood 360 LLC ("Greenwood 360", "we", "us", or "our"). This policy describes how we collect, use, and protect information when you use the Mova Desk service at desk.usemova.app and movadesk.com, including our website, web application, mobile applications, APIs, embeddable widgets, and any related services (collectively, the "Service").

2. Information we collect

Account information

When you create an account, we collect your first name, last name, email address, and optionally your phone number. If you sign up through an organization, we also collect your organization name and role.

Support and content data

We store the content you create within Mova Desk, including:

• Tickets, customer messages, internal notes, and file attachments
• Knowledge base articles, categories, and search queries
• Live chat transcripts, voice recordings (with dual consent), and screen-share sessions
• AI conversation history and agent action logs
• Automation rules, SLA configurations, and workflow settings
• Canned responses and email templates

API keys (BYOK)

If you provide your own API keys for Anthropic or OpenAI, we store them in encrypted form using application-level encryption. We only use these keys to process your AI requests and never share them with any third party.

Usage data

We automatically collect:

• Feature usage patterns (which features you use and how often)
• AI token consumption per action
• Login timestamps and IP addresses
• Device type and browser information
• Error logs and performance data

Billing information

Payment processing is handled by Stripe. We do not store your full credit card number. Stripe provides us with a partial card number (last four digits), expiration date, and billing address for record-keeping purposes. See Stripe's Privacy Policy for details on how they handle payment data.

Phone numbers and SMS data

If you or your organization uses Mova Desk's SMS/MMS features, we collect and store:

• Phone numbers of your agents, customers, and message recipients
• SMS/MMS message content (sent and received) for support history and compliance purposes
• Opt-in and opt-out records, including timestamps and method of consent
• Delivery status and carrier information for troubleshooting
• A2P 10DLC brand and campaign registration data

We retain SMS consent records for a minimum of five (5) years after the last message is sent to a given number, as required by TCPA and CTIA guidelines.

OAuth and third-party sign-in data

If you sign in using a third-party provider (Google, Microsoft, GitHub, Apple, etc.), we receive and store:

• Your name, email address, and profile picture as provided by the OAuth provider
• A unique identifier from the provider (used to link your external account to your Mova Desk account)
• An encrypted access token used solely for authentication purposes

We do not receive or store your password from any OAuth provider.

3. How we use your information

We use your information for the following purposes:

• Providing the Service: Operating the platform, processing AI requests, delivering notifications, managing your tickets and support workflows
• Billing: Processing payments, tracking credit usage, issuing receipts
• Communication: Sending service-related notices, responding to support requests, delivering notifications you have configured (including SMS/MMS)
• Improvement: Analyzing aggregated usage patterns to improve features, fix bugs, and develop new capabilities
• Security: Detecting and preventing fraud, abuse, and unauthorized access
• Legal compliance: Meeting our legal obligations and responding to lawful requests
• SMS campaign facilitation: Sending SMS and MMS messages on behalf of your organization to your customers, as configured and authorized by you

We do not sell your personal information. We do not use your support data, conversations, or content for advertising purposes.

4. AI data processing

When you use AI features in Mova Desk:

• Ticket content, customer messages, and relevant context are sent to the configured AI provider (Anthropic Claude or OpenAI) for processing.
• Mova Desk does not train AI models on your data. We use the AI APIs strictly to generate responses for your requests.
• AI providers process your data according to their own privacy policies and data processing agreements:
  • Anthropic's Privacy Policy
  • OpenAI's Privacy Policy
• When using Mova Desk-provided API access (not BYOK), API calls are made through our accounts with these providers, and standard API data-handling terms apply (which generally do not include training on API inputs).
• We store AI conversation history on our servers so you can review past interactions. You can delete conversation history at any time.

5. Google API Services — user data policy compliance

Mova Desk's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. This section details our compliance:

5.1 Data we access from Google

When you sign in with Google, we request only the following OAuth scopes:

• openid — to verify your identity
• email — to retrieve your email address
• profile — to retrieve your name and profile picture

We do not request access to Gmail, Google Drive, Google Calendar, Google Contacts, or any other Google Workspace service through the sign-in flow.

5.2 How we use Google user data

• Google user data is used solely to authenticate you, create or link your Mova Desk account, and display your name and avatar within the Service.
• We do not use Google user data for serving advertisements, market research, or email marketing.
• We do not combine Google user data with data from other Google services or third-party services for purposes unrelated to providing the Service.

5.3 Limited Use disclosure

In accordance with Google's Limited Use requirements, Mova Desk:

• Does not transfer Google user data to third parties unless: (a) necessary to provide or improve the Service (e.g., displaying your name to teammates), (b) you provide explicit consent, (c) required by law, or (d) as part of a merger, acquisition, or asset sale with adequate data protection provisions.
• Does not use Google user data for serving advertisements.
• Does not allow humans to read Google user data unless: (a) you have given explicit consent, (b) it is necessary for security purposes such as investigating abuse, (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymized for internal operations.

5.4 Revoking access

You may revoke Mova Desk's access to your Google account at any time by visiting your Google Account Permissions page. Upon revocation, your stored Google access token is deleted from our systems. You may continue using Mova Desk by signing in with an alternative method.

6. Other OAuth providers

6.1 Microsoft

When you sign in with Microsoft, we access only your display name, email address, and profile photo. We comply with the Microsoft APIs Terms of Use. We do not access Microsoft 365 data (Outlook, OneDrive, Teams) unless you explicitly enable a separate integration.

6.2 GitHub

When you sign in with GitHub, we request only the user:email scope. We access your GitHub username, email address, and avatar. We do not access your repositories, gists, organizations, or other GitHub data.

6.3 Apple

When you sign in with Apple, we receive your name and email address (which Apple may relay through a private email address if you choose "Hide My Email"). We comply with Apple's Sign in with Apple guidelines.

6.4 General provisions for all OAuth providers

• OAuth data is used solely for authentication and account linking.
• Access tokens are encrypted at rest and are not shared with third parties.
• You may disconnect any provider from your account settings at any time, which removes the stored token.
• We comply with each provider's developer terms and API policies.

7. SMS, MMS, and messaging privacy

7.1 Messages we send to you

If you provide your phone number and enable SMS notifications, we send you transactional and service-related text messages. These messages are delivered through Twilio. Your phone number and message content are shared with Twilio solely for delivery purposes and are subject to Twilio's Privacy Policy.

7.2 Messages your organization sends

When your organization sends SMS/MMS messages to customers through Mova Desk, we act as a data processor on your behalf. You (the organization) are the data controller and are responsible for:

• Obtaining and maintaining proper consent from message recipients
• Complying with TCPA, CTIA, CAN-SPAM, and other applicable messaging regulations
• Honoring opt-out requests promptly
• Ensuring message content complies with carrier acceptable use policies

7.3 SMS data we share

Phone numbers and message content are shared with Twilio for delivery. A2P 10DLC registration data (brand name, EIN, address) is shared with The Campaign Registry (TCR) and participating carriers for campaign registration. We do not sell, rent, or share phone numbers or SMS data with third parties for marketing purposes.

7.4 SMS data retention

Message logs (including content, sender, recipient, timestamp, and delivery status) are retained for the life of your account plus 30 days. Consent records (opt-in/opt-out events) are retained for a minimum of five (5) years after the last message to a given number, as required by TCPA and CTIA guidelines.

8. Data isolation

Every organization's data is isolated at the database level. We do not share, sell, or expose your data to other customers or organizations. AI processing uses your organization's data only to serve your organization.

9. Data storage and security

We take the security of your data seriously and implement the following measures:

• Encryption in transit: All connections use HTTPS/TLS encryption.
• Encryption at rest: Databases are encrypted. API keys, OAuth tokens, and integration credentials are encrypted using application-level encryption before storage.
• Password security: Passwords are hashed using bcrypt. We never store plain-text passwords.
• Access controls: Multi-tenant data isolation ensures each organization's data is accessible only to its authorized members.
• Audit logging: Security-relevant events are logged in an append-only audit log for accountability and compliance.
• Infrastructure: Our servers are hosted with reputable cloud infrastructure providers with industry-standard security certifications.

While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

10. Third-party services

We share data with the following third-party services as necessary to operate the platform:

Each third-party service processes data according to its own privacy policy and terms of service. We only share the minimum data necessary for each integration to function.

11. Data retention

• Active accounts: Your data is retained for as long as your account remains active.
• Deleted accounts: When you delete your account, your data is retained for 30 days (to allow recovery) and then permanently purged from our primary systems.
• Backups: Data may persist in encrypted backup systems for up to 90 days after deletion, after which it is purged through normal backup rotation.
• Billing records: Transaction records and invoices may be retained longer as required by applicable tax and financial regulations.
• SMS consent records: Opt-in and opt-out records are retained for a minimum of five (5) years after the last message, as required by TCPA and CTIA guidelines.
• Anonymized data: Aggregated, anonymized usage statistics (which cannot identify you) may be retained indefinitely.

12. Cookies and tracking

We use cookies and similar technologies minimally and only for essential functionality:

• Session cookies: Required to keep you logged in and maintain session state. Deleted when you close your browser or your session expires.
• Security cookies: Used for CSRF protection and fraud prevention.
• Preference cookies: Used to remember your settings (theme, notification preferences).

We do not use third-party advertising cookies, social media tracking pixels, or cross-site analytics trackers. We do not participate in ad networks or sell tracking data.

13. Children's privacy

Mova Desk is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@usemova.app.

14. International data transfers

Mova Desk is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

By using the Service, you acknowledge that your data may be transferred to countries that may have different data protection laws than your country of residence. We take steps to ensure that your data receives an adequate level of protection in the jurisdictions in which we process it.

For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, we rely on standard contractual clauses and other lawful transfer mechanisms where applicable.

15. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Export: Download your support data, tickets, and content in a portable format.
• Correction: Request correction of inaccurate personal data.
• Deletion: Request deletion of your account and associated data.
• Restriction: Request that we limit the processing of your data in certain circumstances.
• Objection: Object to our processing of your data for certain purposes.
• Portability: Request your data in a structured, commonly used, machine-readable format.
• SMS opt-out: Opt out of SMS messages at any time by replying STOP or updating your notification settings.

To exercise any of these rights, contact us at privacy@usemova.app. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.

16. BYOK privacy practices

When you use the Bring Your Own Key (BYOK) feature:

• API calls are made using your key, and usage is billed directly to your account with the AI provider.
• Mova Desk does not independently monitor or log the content of BYOK API calls beyond what is necessary to display responses and maintain conversation history.
• Your API key is encrypted at rest using application-level encryption and is never exposed in logs, error messages, or to other users.
• We do not transmit your API key to any party other than the intended AI provider.
• Your API key is permanently deleted when you remove it from your settings or when your account is deleted.

17. California privacy rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know: You may request the categories and specific pieces of personal information we have collected about you.
• Right to delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to opt-out: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
• Non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise your CCPA/CPRA rights, contact us at privacy@usemova.app with the subject line "CCPA Request."

18. Changes to this privacy policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or through an in-app notification at least 30 days before the changes take effect. We will also update the "Last updated" date at the top of this page.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.