Privacy Policy

Effective Date: 2026-01-01
Last Updated: 2026-01-01

AvvA ("we," "our," or "us") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, and safeguard your data when you use the AvvA app and related services focused on personal and travel support for aviation professionals.

Legal Entity: AvvA, Inc.
Contact: support@avva.aero

1. Information We Collect

• Personal Information: Name, email address, phone number, billing and mailing addresses.
• Travel Data: Flight schedules, hotel reservations, ground transportation details, and other travel information provided by you or others authorized by you to provide such details on your behalf.
• Account Information: Email and password you create for account access.
• Location Data: We collect location data only for geo-referenced locations (geofencing) and only with your explicit authorization. This helps us provide location-aware services and notifications.

We collect this information to provide personalized travel coordination and logistics support services.

2. How We Use Your Information

• Provide, maintain, and improve the AvvA personal and travel assistant service.
• Generate and update itineraries, reservations, and task tracking on your behalf.
• Communicate about your account, Wingmate coverage, and service updates.

We do not sell, rent, or share your information with third parties.

3. Data Retention

We retain information only as long as needed to deliver the service or as required by law. You can request deletion at any time.

4. Data Deletion Requests

Email support@avva.aero. We typically process requests within 30 days.

5. Security Measures

We implement industry-standard security measures to protect your data:

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
• Authentication: Passwords are hashed using bcrypt with 12 rounds.
• Access Control: Role-based access with principle of least privilege.
• Audit Logging: Security events are logged and monitored for 7 years.
• Error Tracking: Real-time monitoring with privacy-safe error reporting (Sentry).
• Infrastructure: Hosted on enterprise-grade cloud providers (Supabase on AWS).

No method of transmission or storage is 100% secure. In the event of a data breach affecting your personal information, we will notify you within 72 hours as required by applicable data protection laws.

6. Your Choices

• Location Services: You can enable or disable location-based services (geofencing) at any time through your device settings or app preferences.
• Data Sharing: Control who is authorized to provide travel details on your behalf.
• Account Information: Update your personal information, billing address, and contact details in the app.
• Notifications: Manage notification preferences for travel updates and service communications.

7. Cookies and Tracking Technologies

We use minimal cookies and tracking technologies to operate our service:

• Essential Cookies: Authentication session cookies required for login functionality.
• Analytics: We use privacy-respecting error tracking (Sentry) with automatic data sanitization. Personal data like passwords, tokens, and API keys are automatically filtered before transmission.
• No Third-Party Advertising: We do not use advertising cookies or sell your data to advertisers.

You can control cookies through your browser settings. Note that disabling essential cookies may limit functionality.

8. Subprocessors and Data Transfers

We work with trusted vendors to deliver the AvvA service. Each provider signs confidentiality agreements and meets our security baseline. Your data may be processed in the United States and other jurisdictions where our service providers operate.

• Supabase (AWS US-West-1): Database and authentication infrastructure
• OpenPhone / Twilio: Telephony and SMS messaging services
• Make.com: Workflow automation and email parsing
• Stripe: Payment processing (when applicable)
• Sentry: Error tracking and performance monitoring
• Netlify: Web hosting and content delivery

International Data Transfers: For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure adequate safeguards through Standard Contractual Clauses (SCCs) and our subprocessors' compliance with applicable data protection frameworks.

9. GDPR Rights (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

• Right to Access: Request a copy of your personal data we hold.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data.
• Right to Restriction: Request that we limit processing of your data in certain circumstances.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing of your data for direct marketing or legitimate interests.
• Right to Withdraw Consent: Withdraw consent at any time (e.g., disable location services, remove data sharing authorizations).
• Right to Lodge a Complaint: File a complaint with your local data protection authority.

Legal Basis for Processing: We process your data based on: (1) Contract performance (to provide our services), (2) Legitimate interests (to improve and secure our services), and (3) Consent (for optional features like location services and data sharing authorizations).

To exercise any of these rights, contact us at support@avva.aero. We will respond within 30 days.

10. CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of personal information we collect, use, and share.
• Right to Delete: Request deletion of your personal information.
• Right to Opt-Out: We do not sell personal information, so no opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

To exercise these rights, email support@avva.aero with "CCPA Request" in the subject line.

11. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

12. Data Retention Policy

We retain your data based on the following criteria:

• Active Accounts: Data retained while your account is active and for 90 days after account closure.
• Audit Logs: Security and access logs retained for 7 years for compliance and security purposes.
• Legal Requirements: Some data may be retained longer if required by law (e.g., financial records for tax purposes).
• Anonymized Data: We may retain anonymized, aggregated data indefinitely for analytics and service improvement.

After the retention period, data is securely deleted or anonymized.

13. Changes to This Policy

We may update this Privacy Policy as regulations or our services evolve. Material changes will be posted on this page with an updated "Last Updated" date. For significant changes, we will notify you via email or through the app at least 30 days before the changes take effect.

14. Contact Us

For privacy-related questions, data subject requests, or concerns:

• Email: support@avva.aero
• Subject Line: "Privacy Request" or "GDPR Request"
• Response Time: We typically respond within 5 business days and fulfill requests within 30 days.

For EU/EEA data protection inquiries, you may also contact your local supervisory authority.