ConvenuConvenu

Privacy Policy

Effective Date: February 23, 2026 · Last Updated: March 7, 2026

1. Introduction

WZJ Infinity Ltd ("we," "us," or "our") operates Convenu, an all-in-one trip planning and networking application available on the web and Android. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Convenu application and related services (collectively, the "Service").

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: When you sign in via Google OAuth, we receive your name, email address, and profile avatar. When you sign in via Telegram, we receive your Telegram user ID, first and last name, username, language preference, and premium status.
  • Itinerary Data: Trip names, descriptions, event details (titles, dates, times, locations, coordinates), transit information, and trip metrics you create within the app.
  • Contact Data: Names, companies, positions, Telegram handles, email addresses, LinkedIn URLs, notes, and tags of contacts you add to your CRM. You may also add timestamped notes to individual contacts.
  • Profile Information: First name, last name, company, position, bio, X/Twitter handle, LinkedIn URL, and website URL that you provide on your profile page.
  • Wallet Information: Your Solana wallet public address when you connect a wallet (e.g., Phantom, Solflare) to the Service.
  • X/Twitter Information: If you connect your X (Twitter) account via OAuth 2.0, we receive your X username, verified status, and whether you have X Premium (verified_type). Your X OAuth token is stored server-side and is revoked when you disconnect your account.
  • AI Enrichment Data: When you use the AI Contact Enrichment feature, we send contact information you have provided (name, company, position, and any linked social handles) to a third-party AI service to generate an enrichment profile. The AI-generated results — including summaries, professional background, talking points, social links, suggested tags, and confidence scores — are stored in our database and associated with your contact record. We track your monthly enrichment usage count (10 per month).
  • Discover Search Data: When you use the Discover feature to search for events by city or browse organization profiles, your search queries are sent to the Brave Search API. Search results are cached in our database for up to 6 hours to improve performance. We track your monthly search usage count (10 searches per month on the free tier, 50 per month on the premium tier).
  • Telegram Bot Interactions: If you interact with the Convenu Telegram bot (@convenubot), we process commands and conversational state to provide bot features (creating contacts, itineraries, events). If you forward a Telegram message to the bot, the sender's name and username may be used to create or update a contact. Conversational state is temporary and deleted when you unlink your account.

2.2 Information Collected Automatically

  • Device and Usage Data: Browser type, operating system, and basic request metadata transmitted by standard web protocols.
  • Local Storage: We use browser local storage to persist session state, theme preferences, and viewed shared itineraries on your device.

2.3 Information from Third Parties

  • Google Calendar: If you choose to import events, we access your Google Calendar data in read-only mode (scope: calendar.readonly). This data is used solely to populate itinerary events and is not stored on our servers beyond the itinerary records you create. Your Google Calendar access token is stored only in your browser session and is not persisted server-side.
  • Luma Events: If you provide a Luma (lu.ma) event URL, we fetch publicly available event details (title, date, location, description) from that URL to populate your itinerary. No Luma account credentials are accessed.
  • Brave Search: When you use the Discover feature, we send city/location search queries to the Brave Search API to find Luma events. Brave Search returns publicly indexed web results. Search results are cached server-side for up to 6 hours. Brave may receive your query text and our server's IP address; no personal user information is sent to Brave.
  • Telegram: Profile information provided through Telegram Mini App authentication, verified using HMAC-SHA256.
  • X/Twitter: If you connect your X account, we receive your username and verified status via the X OAuth 2.0 API. We detect X Premium status to contribute to your trust score. One X account may be linked to only one Convenu account.
  • AI Services: When you use AI Contact Enrichment, a third-party AI service processes publicly available and user-provided contact information to generate profile summaries, talking points, and suggested tags. The AI service may use this data to generate responses but does not retain your data beyond the request. See Section 4.3 for provider details.

2.4 Information We Do NOT Collect

  • We do not collect GPS or device location data. All location data in itineraries is user-entered.
  • We do not access your camera or microphone.
  • We do not use analytics, advertising, or tracking SDKs (no Google Analytics, Facebook Pixel, etc.).
  • We do not collect private keys or seed phrases. Wallet signing occurs entirely within your wallet application.

3. How We Use Your Information

We use the information we collect to:

  • Create and maintain your account.
  • Provide core features: itinerary planning, event discovery, contact management, AI contact enrichment, itinerary sharing, follow-up messaging, and Proof of Handshake verification.
  • Mint compressed NFTs (cNFTs) on the Solana blockchain as verifiable records of completed handshakes.
  • Generate AI-powered enrichment profiles for your contacts, including professional summaries, talking points, social links, and suggested tags.
  • Calculate trust scores based on Telegram profile signals (premium status, profile photo, username, account age), X/Twitter verification and premium status, wallet verification status, and handshake history.
  • Award points for completed handshakes.
  • Communicate with you regarding your account or the Service (e.g., magic link emails).
  • Enable data portability features, including CSV export of contacts and PDF/print export of itineraries.
  • Facilitate the Telegram bot for creating and managing contacts, itineraries, and events via chat commands.
  • Enforce our Terms of Use and protect against misuse.

4. How We Share Your Information

4.1 With Other Users

  • Shared Itineraries: When you share an itinerary, the recipient can view trip details and events. Your email address is explicitly excluded from shared views.
  • Handshakes: When you initiate or accept a Proof of Handshake, both parties can see each other's name and wallet address.

4.2 On the Blockchain

  • Completed Proof of Handshake records result in compressed NFTs minted on the Solana blockchain. Blockchain data, including wallet addresses and transaction metadata, is public and immutable. We cannot delete or modify blockchain records.

4.3 With Service Providers

ProviderPurposeData Shared
SupabaseDatabase and authenticationAccount data, itineraries, contacts, handshake records
VercelHosting and serverless functionsRequest metadata
Helius / QuikNode / TritonSolana RPC providersWallet addresses, transaction data, IP addresses
Luma (lu.ma)Event data importEvent URLs (server-side fetch only)
Google OAuthAuthenticationOAuth tokens (email, name, avatar)
Telegram APIAuthentication and bot featuresTelegram user ID and profile data
X/Twitter APIAccount verification and trust scoringOAuth tokens, username, verified/premium status
Third-party AI serviceContact enrichment (profile generation)Contact name, company, position, social handles
Brave Search APIEvent discovery (city/location search)Search query text, server IP address

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of WZJ Infinity Ltd, our users, or others.

4.5 No Sale of Data

We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes.

5. Blockchain Data and Wallet Information

Convenu integrates with the Solana blockchain for Proof of Handshake functionality. Please be aware:

  • Public Ledger: Transactions on Solana are recorded on a public, decentralized ledger. Wallet addresses and transaction details are publicly visible.
  • Immutability: Once data is written to the blockchain, it cannot be edited, deleted, or removed by us or any party.
  • Self-Custody: You retain full control of your wallet and private keys. We never access, store, or transmit your private keys or seed phrases.
  • NFT Metadata: Compressed NFT metadata associated with handshakes may be stored permanently on-chain or on decentralized storage networks.
  • Third-Party Wallets: Wallet applications (Phantom, Solflare, etc.) are operated by third parties with their own privacy policies. We encourage you to review their policies.

6. Data Storage and Security

  • Your data is stored in a Supabase-hosted PostgreSQL database with Row Level Security (RLS) enabled, ensuring users can only access their own data.
  • Authentication tokens are verified server-side. Magic link tokens expire after 1 hour.
  • Wallet ownership is verified through Ed25519 cryptographic signature verification.
  • Input data is sanitized using DOMPurify to prevent cross-site scripting.
  • We use HTTPS for all data transmission.

While we implement commercially reasonable safeguards, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

  • Account data: Retained for as long as your account is active.
  • Itineraries and contacts: Retained until you delete them or delete your account.
  • Handshake records: Pending handshakes expire after 48 hours. Completed handshake database records are retained; corresponding blockchain records are permanent.
  • AI enrichment data: AI-generated enrichment profiles are retained as long as the associated contact exists. Monthly usage counters reset at the beginning of each calendar month. Enrichment data is deleted when you delete the contact or your account.
  • Discover search cache: Cached search results from the Brave Search API are automatically expired and purged after 6 hours. Monthly search usage counters reset at the beginning of each calendar month.
  • X/Twitter data: Your X verification status and OAuth tokens are retained while your X account is connected. Tokens are revoked and data is cleared when you disconnect your X account.
  • Telegram bot state: Temporary conversational state is automatically deleted when you unlink your Telegram account. Link codes expire after 10 minutes.
  • Blockchain data: Permanent and immutable. Cannot be deleted.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate personal information.
  • Deletion: Request deletion of your personal information (subject to blockchain immutability and legal retention obligations).
  • Portability: Request your data in a structured, machine-readable format.
  • Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
  • Opt Out: You may disconnect your wallet or stop using blockchain features at any time.

To exercise any of these rights, contact us at dev@convenu.xyz.

9. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland:

  • Legal Basis: We process personal data based on: (a) your consent (e.g., connecting a wallet), (b) performance of a contract (e.g., providing the Service), (c) legitimate interests (e.g., improving security), or (d) legal obligations.
  • Data Transfers: Your data may be transferred to and processed in countries outside the EEA. We rely on standard contractual clauses and service provider commitments to ensure adequate protection.
  • Additional Rights: You have the right to lodge a complaint with your local data protection authority.
  • Wallet Addresses: We recognize that Solana wallet addresses may constitute personal data under GDPR when linkable to an identified individual. Off-chain records containing wallet addresses are subject to your deletion rights; on-chain records are immutable.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident:

  • Right to Know: You may request the categories and specific pieces of personal information we have collected about you in the preceding 12 months.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt Out: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

Categories of personal information collected in the past 12 months: Identifiers (name, email, Telegram ID, wallet address), internet activity (usage data), and user-generated content (itineraries, contacts).

11. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us at dev@convenu.xyz and we will promptly delete it.

The Service may contain links to third-party websites or services (e.g., Phantom Wallet, Google, Telegram). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing them with personal information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last Updated" date at the top of this page. Your continued use of the Service after changes constitutes acceptance of the revised policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, contact us at:

WZJ Infinity Ltd
Email: dev@convenu.xyz