Last updated: March 11, 2026
eloqo is a product of narmiAI FZ-LLC, a company registered in the United Arab Emirates under the Ras Al Khaimah Economic Zone (RAKEZ), license number 47025802. We operate the website eloqo.io and provide an AI-powered review response service for hotels, restaurants, and hospitality businesses. In this policy, "we", "us", and "our" refer to narmiAI FZ-LLC. "You" and "your" refer to the user of our service.
We collect the following categories of personal data: (a) Account data — your name, email address, and profile picture, obtained through Google OAuth when you sign in. (b) Business data — your Google Business Profile name, location ID, account ID, business type, and brand voice configuration (tone, formality, signature, context phrases). (c) Review data — review text, star rating, reviewer display name, review date, and detected language, fetched from your connected Google Business Profile via the Google My Business API. (d) Response data — AI-generated draft responses, any edits you make, the final published text, timestamps, and the AI model version used. (e) Payment data — your Stripe customer ID, subscription plan, billing period, and payment currency. We do not store credit card numbers; these are handled entirely by Stripe. (f) Usage data — server logs including IP address, browser type, pages visited, and timestamps. We use this for security monitoring and service improvement. (g) Preference data — your selected language, currency, notification preferences, and response mode settings.
We process your data for the following purposes: (a) To provide the service — displaying your reviews, generating AI responses using your brand voice settings, and publishing approved replies to your Google Business Profile. (b) To manage your account — authentication, subscription management, and customer support. (c) To send transactional communications — welcome emails, trial expiry notices, daily review digests, and AI insights reports (if enabled). (d) To improve the service — analyzing usage patterns and error logs to fix bugs and improve features. We do not use your review data or AI responses to train AI models. (e) To comply with legal obligations — tax compliance, fraud prevention, and responding to lawful requests from authorities.
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your data under the following legal bases: (a) Contract performance (Article 6(1)(b) GDPR) — processing necessary to provide the eloqo service you subscribed to. (b) Legitimate interest (Article 6(1)(f) GDPR) — service improvement, security monitoring, and fraud prevention. (c) Consent (Article 6(1)(a) GDPR) — for optional marketing communications (you may withdraw consent at any time). (d) Legal obligation (Article 6(1)(c) GDPR) — tax and accounting requirements.
We share data with the following third-party processors, each under appropriate data processing agreements: (a) Supabase (database and authentication) — servers in the EU. Stores your account data, business configuration, reviews, and responses. (b) Anthropic (AI generation) — review text, brand voice settings, and detected language are sent to the Claude API to generate responses. Anthropic does not use this data to train models under our commercial agreement. (c) Google APIs — we use the Google My Business API to read reviews from and publish responses to your connected Google Business Profile, using your encrypted OAuth tokens. (d) Stripe (payment processing) — handles all payment transactions. Subject to Stripe's privacy policy. (e) Resend (transactional email) — sends welcome emails, trial notices, review digests, and insights reports. (f) Vercel (hosting) — serves the eloqo application. May process IP addresses and request metadata. Data may be transferred outside the EEA to the United States (Anthropic, Stripe, Vercel). These transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards.
When you connect your Google Business Profile, we request the following OAuth scopes: (1) openid and email for authentication, and (2) business.manage to read your reviews and publish responses. We store your OAuth access and refresh tokens encrypted at rest using AES-256-GCM encryption. Tokens are used solely to read reviews and post approved responses on your behalf. We do not access any other Google services or data beyond what is described here. You may revoke eloqo's access at any time through your Google Account settings (myaccount.google.com > Security > Third-party apps). Revoking access will stop eloqo from reading new reviews or publishing responses, but will not delete data already stored in your eloqo account.
We retain your data for as long as your account is active and your subscription is valid. Specifically: (a) Account and business data — retained until you delete your account. (b) Review and response data — retained for 24 months after the review date, or until account deletion, whichever comes first. (c) Payment records — retained for 7 years as required by UAE tax law. (d) Server logs — retained for 90 days. When you delete your account, all personal data (except payment records required by law) is permanently deleted within 30 days.
We implement the following security measures: (a) All data in transit is encrypted with TLS 1.2 or higher. (b) OAuth tokens are encrypted at rest with AES-256-GCM. (c) Database access is controlled via Row-Level Security (RLS) — users can only access their own data. (d) The Supabase service role key is never exposed to client-side code. (e) We use HTTPS-only cookies with Secure and HttpOnly flags. (f) Administrative access requires multi-factor authentication.
Depending on your jurisdiction, you have the following rights: (a) Right of access — request a copy of your personal data. (b) Right to rectification — correct inaccurate data. (c) Right to erasure — request deletion of your data (subject to legal retention requirements). (d) Right to data portability — receive your data in a structured, machine-readable format. (e) Right to restrict processing — limit how we use your data. (f) Right to object — object to processing based on legitimate interest. (g) Right to withdraw consent — where processing is based on consent. For EU/UK/Swiss residents, you also have the right to lodge a complaint with your local data protection authority. To exercise any of these rights, email info@narmiai.com with the subject line "Privacy Request".
We use the following cookies: (a) Authentication cookies — essential, set by Supabase Auth to maintain your login session. (b) Locale cookie — stores your preferred language (en, fr, es, de, it, pt). Set when you choose a language. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
eloqo is a business service not intended for individuals under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, please contact us immediately.
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 14 days before taking effect. The "Last updated" date at the top reflects the most recent revision.
For privacy inquiries, data requests, or complaints: narmiAI FZ-LLC RAKEZ, Ras Al Khaimah, United Arab Emirates Email: info@narmiai.com