Privacy Policy

About Avi

Avi is a cloud-hosted AI agent platform. Your conversations, tasks, notes, contacts, and files are stored on our servers (AWS Aurora Serverless and S3) so the agent can work on your behalf across sessions, schedule recurring tasks, and collaborate with your team. The desktop application is an optional companion that bridges local tools (terminal, filesystem) to the cloud backend.

Applicability

This Privacy Policy explains our practices regarding the collection, use, disclosure, and processing of your information when you:

• Visit our website at avi.run and affiliated sites, blogs, or social media platforms (collectively, our “Sites”);
• Access or use the Avi web application, desktop application, APIs, or any related software or services;
• Interact with us for support, marketing, or other purposes.

This Privacy Policy does not apply to third-party products, services, or integrations accessible via the Service. Contact those third parties directly for their privacy practices.

1. Information We Collect

Information You Provide Directly

• Account Information. Name, email address, and profile photo when you sign in via Google OAuth.
• Transactional Information. Payment details are handled by Stripe; we receive only tokenized references, not raw card data. Billing address may be collected for tax purposes.
• Support Information. Messages, attachments, and preferences you share when contacting support.
• Feedback. Suggestions, bug reports, or other voluntary submissions.

Content You Create in the Service

Because Avi is a cloud-hosted platform, the content you create is stored on our servers so the agent can operate across sessions and devices:

• Conversations and Messages. Your chat messages and the agent's responses are stored in our database to maintain conversation history, support rolling summarization, and enable continuity across sessions.
• Tasks and Schedules. Tasks you create, including recurring schedules and per-run instructions.
• Notes and Contacts. Notes and contact records you store within the Service.
• Files. Files uploaded to cloud-mode projects are stored in Amazon S3.
• Skills. Named prompt templates you create at the org level.
• Integration Credentials. OAuth tokens for third-party integrations (e.g., GitHub, HubSpot, Freshdesk) that you authorize are stored encrypted in our database.
• Secrets. API secrets you store for use by the agent are encrypted at rest.

If your Content includes personal data of third parties (for example, contact records or data retrieved from third-party services), you are responsible for having a lawful basis to collect and process that data and to share it with us for service delivery purposes.

Information We Collect Automatically

• Usage and Event Data. Actions taken within the Service — such as messages sent, tasks created, modules enabled, members added, and AI model usage — are logged in our events system for analytics, billing, and service improvement.
• AI Usage Metrics. Token counts and cost data per conversation and model, used for credit tracking and billing.
• Device Information. For registered desktop devices, we store the device name, platform (macOS, Windows, Linux), and last connection timestamp.
• Technical Logs. Server logs including HTTP request metadata, IP addresses, error traces, and response times. Logs are stored in AWS CloudWatch and retained for a period determined at our discretion.
• Site Analytics. Pages viewed, browser type, response times, and timestamps on our marketing site (avi.run).
• Location Information. City and country derived from IP address; we do not collect precise location.
• Cookies. Browser cookies on our Sites for session management. Manage these via your browser settings.

2. How We Use Information

We use information to:

• Operate the Service. Store and retrieve your conversations, tasks, notes, files, and other content so the agent can work on your behalf across sessions.
• Run AI requests. Send your conversation messages to AWS Bedrock to generate agent responses. We do not use this content for any other purpose.
• Execute scheduled tasks. Use stored task instructions to invoke the agent automatically on recurring or one-time schedules.
• Billing and credits. Track AI usage, manage credit balances, and process payments via Stripe.
• Provide support. Respond to inquiries and resolve issues.
• Communicate. Send transactional notices, invoices, and updates. We do not use your email for marketing without your consent, where required by applicable law.
• Security. Detect and prevent fraud, unauthorized access, and abuse.
• Improve the Service. Analyze aggregated, anonymized usage patterns to improve reliability and features.
• Legal and compliance. Comply with applicable laws and enforce our Terms of Service.

3. How We Retain Your Information

We retain your content (conversations, tasks, notes, files, contacts) for as long as your account is active. When you delete your account, we permanently delete your content. We retain minimal records (email address, billing history) as required for tax, legal, and accounting compliance.

If deletion is not immediately possible (e.g., data in backup snapshots), we isolate and protect it until deletion is feasible. Retention periods for backups and logs are determined at our discretion and may change.

4. How We Share Information

We do not sell your personal information. We share information only as follows:

• Service Providers (Subprocessors). Vendors we use to operate the Service, as described in Section 5 below. These providers are authorized only to use your information as necessary to provide services to us.
• AI Infrastructure. Your conversation messages are sent to AWS Bedrock to generate agent responses. Per AWS's usage policies, API inputs are not used to train foundation models. We do not send your data to any other AI provider.
• Your Organization. Content you create in shared projects within an organization is accessible to other members of that organization per the access controls you configure.
• Third-Party Integrations. When you connect a third-party service (e.g., GitHub, HubSpot), the agent may send and receive data from that service on your behalf using the credentials you provide. Those transmissions are subject to the third party's own terms and privacy policies.
• Corporate Affiliates. Entities under common control with Serverless Inc., subject to this Policy.
• Corporate Transactions. In connection with a merger, sale, or acquisition, your information may be transferred as a business asset.
• Legal or Public Authorities. When required by law, court order, or to protect the security and integrity of the Service or the rights of others.
• With Your Consent. For any other purpose with your explicit consent.

5. Subprocessors

We use the following service providers to operate the Service. We may update this list at any time; the current version is always available at avi.run/privacy.

• Amazon Web Services (AWS) — Cloud infrastructure, compute (ECS Fargate), database (Aurora Serverless v2 / PostgreSQL), file storage (S3), caching (ElastiCache), task scheduling (EventBridge), and AI model routing (Bedrock). All data processed in the United States.
• Vercel — Hosting and deployment for the web application and marketing site.
• Stripe — Payment processing and subscription management.
• Resend — Transactional email delivery (e.g., org invitations).
• Exa — Web search API used when the agent performs web searches on your behalf. Only the search query is transmitted.

6. Data Security

We implement commercially reasonable administrative, technical, and physical safeguards to protect information from unauthorized access, use, modification, or disclosure, including:

• TLS encryption for all data in transit;
• AES-256 encryption at rest for stored secrets and OAuth tokens;
• Database encryption at rest via AWS Aurora;
• S3 server-side encryption for stored files;
• JWT-based authentication with 30-day expiry;
• Row-level org and project access controls enforced at the database layer.

No security measure is absolute and we do not guarantee the security of your information. In the event of a security incident, we will take appropriate steps and provide notifications as required by applicable law. If you discover a security vulnerability, please report it to support@avi.run before public disclosure.

7. Third-Party Integrations

The Service allows you to connect third-party applications (such as GitHub, HubSpot, Freshdesk, and Google services). When you authorize an integration, OAuth tokens are stored encrypted in our database and used by the agent to act on your behalf. We are not responsible for the privacy practices or availability of those third-party services. Review their terms and privacy policies before connecting them to Avi.

8. International Users and GDPR

The Service is operated from the United States and all data is processed there. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have data protection laws different from those in your country.

EU and UK Users — Lawful Basis. For users in the European Economic Area (EEA) or United Kingdom (UK), we process personal data on the following lawful bases under GDPR and UK GDPR:

• Contract performance — to create and manage your account, process payments, and deliver the Service;
• Legitimate interests — for security, fraud prevention, and aggregated service analytics; and
• Legal obligation — to comply with applicable laws.

EU and UK Users — Your Rights. Subject to applicable law, you have the right to access, correct, delete, restrict, or port your personal data, and to object to certain processing. To exercise these rights, contact us at support@avi.run with “GDPR Request” in the subject line. We will respond within the timeframe required by applicable law. You may also lodge a complaint with your local data protection authority.

International Transfers. When we transfer personal data from the EEA or UK to the United States, we rely on Standard Contractual Clauses (SCCs) or other applicable transfer mechanisms. Business customers who require a Data Processing Agreement (DPA) may request one at support@avi.run.

9. Your Rights and Choices

• Opt-Out of Marketing. Use unsubscribe links in emails or contact us. You will still receive transactional communications.
• Account Data. Update or correct account information via your settings or by contacting support. You may delete your account at any time; see Section 3 for retention details.
• Content Deletion. You may delete individual conversations, tasks, notes, contacts, and files within the Service at any time.
• Integration Revocation. You may disconnect third-party integrations at any time via your project settings, which removes stored OAuth tokens.
• Cookies. Manage cookies via your browser settings; doing so may affect certain Site functionality.
• Do Not Track. We do not respond to Do Not Track signals.
• U.S. State Privacy Rights. If applicable U.S. state privacy law grants you additional rights regarding your personal information — including the right to know, access, delete, correct, or opt out of certain processing — you may exercise those rights by contacting us at support@avi.run. We do not sell personal information. We will respond as required by applicable law.
• California Residents (CCPA/CPRA). In addition to the above, California residents may submit requests by contacting support@avi.run with “CCPA Request” in the subject line. We will respond within the timeframe required by applicable law.

10. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact support@avi.run and we will take steps to delete it.

11. Changes to This Policy

We may update this Policy at any time by posting a revised version on our Site. Changes are effective upon posting. We may, but are not obligated to, provide notice of changes via email or in-app notification. Your continued use of the Service after any change constitutes acceptance of the updated Policy. We encourage you to review this Policy periodically.

12. Contact Us

For privacy questions or to exercise your rights:

Serverless Inc.
522 San Anselmo Ave
San Anselmo, CA 94960
support@avi.run

California residents should include “CCPA Request” in the subject line. EU/UK residents should include “GDPR Request.”