Privacy Policy
Last updated: July 4, 2026
Gestora, Inc. ("Gestora," "we," "us," or "our") provides an operational insights platform that turns the everyday messages your teams already send into organized, owned issues and a real-time health grade for the operations you run (the "Services"). This Privacy Policy explains what information we collect, how we use and share it, and the choices and rights you have.
This policy is written to be clear and universal. It applies wherever you access the Services. Gestora is a Delaware corporation and the Services are operated from the United States; by using the Services you understand that your information will be processed in the United States as described below.
If you have questions, contact us at privacy@mygestora.com.
1. Two kinds of data, two different roles
Gestora is a business-to-business platform. Our customers are organizations ("Customers") that use Gestora to run their operations. Because of this, it is important to understand the two different roles we play with respect to data.
Customer Data — the Customer is in control. When a Customer's team members, contractors, or authorized users send messages, voice notes, photos, and reports into the Services, and when the Services turn that activity into issues, ownership assignments, and health grades, all of that is "Customer Data." The Customer organization decides what data is submitted, who may access it, and how long it is kept. For Customer Data, Gestora acts as a processor (a service provider) that handles the data on the Customer's behalf and under the Customer's instructions, as set out in our Terms of Service. If you are a member or user within a Customer's organization and you have questions or requests about your data, please contact that organization first — they control it. We will support them in responding to you.
Account and platform data — Gestora is in control. Information we collect to create and secure accounts, to bill Customers, to communicate with you, to operate and protect the Services, and to run our marketing website is data for which Gestora acts as the controller. This Privacy Policy is our commitment to you about how we handle that data.
This dual structure — Customer-controlled operational data, Gestora-controlled account and platform data — is the same model used across the professional software industry.
2. Information we collect
Information you or your organization provide to us
- Account and profile information: name, work email address, phone number, job role and permissions, workspace assignment, and language preference. Accounts are created and administered by the Customer organization.
- Customer Data submitted through the Services: messages sent through supported channels (WhatsApp, Telegram, SMS, email, and the web app), voice notes, photos and other files, and the content of those messages. From this activity the Services produce issues, ownership assignments, and health grades, which are also Customer Data.
- Billing information: for paying Customers, billing contact details and subscription information. Payment card details are collected and stored by our payment processor, not by Gestora.
- Communications: messages you send us, including support requests and demo or contact inquiries.
Information we collect automatically
- Usage and log data: actions taken in the Services, timestamps, device and browser type, IP address, and diagnostic and performance data used to operate, secure, and improve the Services.
- Cookies and analytics on our marketing website: our public marketing site (mygestora.com) uses limited analytics. Analytics cookies are disabled by default and only load if you accept them through our cookie banner. See Section 11.
Information we receive from third parties
- Messaging metadata from the communications providers that carry those messages (for example, the sender's phone number and message delivery status).
- Billing and payment status from our payment processor.
We do not intentionally collect special categories of sensitive personal information, and we ask that Customers do not use the Services to submit them except where strictly necessary for a legitimate operational purpose (for example, a safety incident report).
3. How we use information
We use information to:
- Provide and operate the Services — capture messages, organize them into owned issues, assign ownership, and calculate health grades.
- Authenticate users — send and verify one-time passcodes by email and phone, and maintain secure sessions.
- Communicate with you — send service, security, and account messages, respond to inquiries, and (where permitted) share product updates. You can opt out of non-essential messages.
- Bill and manage subscriptions — process payments, manage plans, and prevent billing fraud.
- Secure and improve the Services — monitor for abuse, debug, maintain reliability, and develop new features.
- Comply with law — meet legal obligations and enforce our agreements.
We process Account and platform data on the basis of our legitimate interest in operating a secure and effective service, to perform our contract with the Customer, and to comply with legal obligations. We process Customer Data only to provide the Services to the Customer and on the Customer's instructions.
4. Artificial intelligence and automated processing
The Services are automated: the messages your teams send are analyzed by large language models to organize them into owned issues, group related reports together, and grade the health of your operations. To do this, message content (including text, voice-note transcripts, and image descriptions) is sent to our artificial-intelligence provider solely to produce that result, which is then stored within your organization's environment.
- We use Customer Data to provide the Services to that Customer. We do not use your Customer Data to train our own models, and we do not sell it.
- We contractually require our artificial-intelligence provider to process data only to return results to us and not to train their own models on it.
- Automated processing supports human decision-making; it does not replace it. The issues and health grades the Services produce may be incomplete or inaccurate, and Customers remain responsible for their own operational, safety, and compliance decisions.
5. How we share information
We do not sell personal information. We share information only as described here:
- With your organization. Issues are routed to the owners and users your organization designates. Access within the Services is governed by the roles your organization assigns.
- With service providers (subprocessors) that help us run the Services, under contracts that require them to protect the information and use it only to provide their service to us. These fall into a few categories:
- cloud hosting and database infrastructure that runs the Services and stores data;
- communications providers that deliver messages across channels such as WhatsApp, SMS, and email;
- an artificial-intelligence provider that performs the automated analysis described in Section 4;
- a payment processor that handles subscription billing; and
- a website-analytics provider (consent-based) on our marketing site.
- For legal and safety reasons — to comply with law, respond to lawful requests, enforce our agreements, or protect the rights, safety, and property of Gestora, our Customers, or others.
- In a business transfer — if Gestora is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this policy.
We maintain a current list of the specific subprocessors we use and make it available on request. Our infrastructure and databases are hosted in the United States.
6. International data transfers
The Services are operated from the United States, and information is stored and processed in the United States. If you access the Services from outside the United States, you understand that your information will be transferred to and processed in the United States, where data-protection laws may differ from those of your location. Where required, we put appropriate safeguards in place for such transfers.
7. How long we keep information
We retain information for as long as needed to provide the Services and for legitimate business and legal purposes.
- One-time passcodes are short-lived and expire within minutes.
- Idle messaging sessions on non-web channels are archived automatically after a short period of inactivity.
- Operational data stays in the Customer's dedicated environment for as long as the Customer maintains its account, and we use it only to provide the Services to that Customer — never for our own purposes. The Customer can delete data or change its retention at any time.
- Account and billing records are kept for the life of the account and for the period afterward required by law and legitimate business needs.
When an account closes, we do not keep using your data. When a Customer's account closes or its subscription ends, the Customer has 30 days to request an export of its Customer Data. After that, we delete or de-identify the Customer Data — including copies held in backups — within 90 days, except for anything we are required by law to retain. Because each Customer has its own dedicated database, deleting an account removes that Customer's operational data as a unit.
8. How we protect information
We use technical and organizational measures designed to protect information, including:
- Tenant isolation — each Customer's operational data is stored in a dedicated database, and uploaded files are segregated per Customer.
- Encryption in transit and at rest through our infrastructure providers.
- Access controls — role-based access within the Services and least-privilege access to systems by our team.
- Authentication by one-time passcode, with short-lived codes and limited attempts.
No system is perfectly secure, but we work continuously to protect the information entrusted to us and to improve our safeguards.
9. Your rights and choices
Depending on where you live and the laws that apply to you, you may have rights over your personal information, including the right to access, correct, delete, or receive a copy of it, and to object to or restrict certain processing.
- For Customer Data, the Customer organization controls the data. If you are a member or user within a Customer's organization, please direct your request to that organization; we will assist them in fulfilling it.
- For Account and platform data that Gestora controls, you can contact us at privacy@mygestora.com and we will respond consistent with applicable law. We will not discriminate against you for exercising your rights.
You can also:
- Opt out of non-essential emails using the unsubscribe link or by contacting us.
- Manage analytics cookies on our marketing site through the cookie banner (see Section 11).
10. Anonymous reporting
Anonymous reporting is a core part of the Services, so that people can raise a problem or a safety concern without their name being attached to it.
- Anonymous reports are not attributed to an individual. They are surfaced to the people who manage the work by what was reported, not by who reported it.
- We will not reveal who reported, even if asked. The Services do not show who submitted an anonymous report, and Gestora will not disclose the identity behind one, including to a Customer's own administrators. Protecting the people who speak up is a deliberate design choice.
- This anonymity covers reporting. Actions taken by users who manage issues in the app are recorded to that user, so a team can see who is handling and resolving each issue.
- One honest limit. Reports reach Gestora through your organization's own messaging channels, so your organization may independently hold the sender's contact details (such as a phone number) outside of Gestora. What your organization does with its own records is governed by its policies, not this one.
11. Cookies and analytics
Our marketing website uses only essential cookies by default. Analytics cookies (which help us understand aggregate website traffic) are disabled until you accept them through the cookie banner, and you can decline. The Services themselves use only the cookies necessary to keep you signed in and to operate securely. We do not use advertising cookies or sell data to advertisers.
12. Children
The Services are intended for use by businesses and their workforce and are not directed to children. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us information, contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, provide additional notice. Your continued use of the Services after an update means you accept the revised policy.
14. Contact us
Gestora, Inc.
131 Continental Drive, Suite 305
Newark, DE 19713, United States
Privacy inquiries: privacy@mygestora.com
General: hello@mygestora.com