Privacy Policy

Avaloka is an AI-native data intelligence platform. To deliver that service we process two categories of information: account data you provide directly and operational telemetry needed to run the platform reliably. We do not sell personal data — ever.

Account information: name, work email, company, role and authentication credentials.

Customer data: the data you choose to send to Avaloka for processing. You remain the controller of this data.

Usage telemetry: product events, error logs and performance metrics used to keep the platform reliable.

Billing information: handled by our PCI-compliant payment processors; we never store full card numbers.

To deliver, secure and improve the service; to provide customer support; to communicate about product updates; and to comply with legal obligations.

We never use your customer data to train shared or third-party AI models without your explicit, opt-in consent.

Where GDPR applies, we rely on contract performance (delivering the service you signed up for), legitimate interests (security, fraud prevention, product improvement), legal obligation (tax, accounting) and consent (for optional marketing or non-essential cookies).

We share data only with vetted sub-processors that help us run the service — cloud infrastructure, observability and customer support tooling. The current list is published and updated when it changes, with advance notice.

We do not sell or rent personal data to third parties.

AES-256 encryption at rest, TLS 1.2+ in transit, single sign-on, role-based access, network isolation, continuous monitoring and SOC 2 Type II controls audited annually by an independent firm. Vulnerability disclosure: security@avaloka.com.

Customer data is retained for the life of your workspace. After termination you have 30 days to export, after which data is deleted from active systems within 90 days. Telemetry is retained for up to 13 months in aggregated form.

You can access, export, correct or delete your personal information at any time. Email privacy@avaloka.com or use the in-app data request form — we respond within the timelines required by applicable law (typically 30 days).

You choose a hosting region at workspace creation (US, EU or APAC). Data stays in that region unless you explicitly enable cross-region replication. For transfers outside the EEA we rely on Standard Contractual Clauses.

Avaloka is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact privacy@avaloka.com and we will delete it.

Material changes are communicated to workspace admins at least 30 days in advance. The "Last updated" date at the top of this page always reflects the current version.