Privacy Policy

Last updated: May 13, 2026

Avanor, Inc. (“Avanor,” “we,” “us”) builds an AI governance platform that helps companies enforce policies, monitor agent activity, and maintain compliance. This policy explains what data we collect, why, and how we protect it.

1. What We Collect

Website Visitors

When you visit avanor.ai, we set only functional cookies required for authentication. We use Vercel Web Analytics — a cookieless analytics tool — to measure aggregate pageviews. It collects no cookies, no PII, and no persistent identifiers; the visitor hash it uses rotates every 24 hours and cannot be linked across days or across sites. We do not use advertising pixels, persistent device fingerprinting, or cross-site tracking. See our Cookie Policy for details.

Demo Booking Submissions

When you book a demo or otherwise submit a contact form on avanor.ai, we collect:

  • Your work email address
  • Company name and the role you selected (CISO, Head of AI / CDO, Investor, or Other)
  • Your IP address (for rate limiting and abuse prevention)

Authenticated Users (Platform)

When you create an account and use the Avanor platform, we collect:

  • Account data: Name, email address, organization name, and role — managed by our authentication provider, Clerk.
  • Agent telemetry: Event logs, traces, inputs/outputs, token usage, cost data, and errors sent to us via our ingestion API by your AI agents and automations.
  • Governance data: Policies you create, violations detected, compliance framework assessments, and evidence you upload.
  • Audit logs: A tamper-evident record of every action taken in your organization, including the actor, action, timestamp, IP address, and user agent. These logs use a SHA-256 hash chain for integrity verification.
  • Integration credentials: OAuth tokens and API keys for connected services (e.g., Make.com). These are encrypted with AES-256-GCM before storage and are never logged or exposed after initial setup.

2. How We Use Your Data

  • To provide the service: Enforce policies, monitor agent activity, generate compliance reports, and send alerts.
  • To communicate with you: Respond to your demo booking, send service-related notifications, and provide support.
  • To maintain security: Detect abuse, enforce rate limits, and maintain audit trails.
  • To comply with law: Retain audit logs as required by regulations including the EU AI Act (Article 12).

We do not sell your data. We do not use your data for advertising. We do not train AI models on your data.

3. Third-Party Services

We share data with the following service providers, solely to operate the platform:

| Service | Purpose | Data Shared |
|---|---|---|
| Clerk | Authentication | Email, name, org membership, sessions |
| Neon | Database hosting | All application data (encrypted in transit) |
| Sentry | Error tracking | Error traces, user IDs (emails stripped) |
| Resend | Email notifications | Recipient email, message content |
| Notion | Sales pipeline tracking | Demo booking submissions (name, email, company, role) |
| Vercel | Hosting, CDN, and cookieless Web Analytics | Request logs, deployment metadata, aggregate pageview events with a daily-rotated visitor hash (no PII) |

All providers are US-based. If you are located in the EU, your data is transferred to the United States under standard contractual clauses maintained by each provider.

4. Data Retention

  • Demo booking submissions: Retained until manually deleted or upon your request.
  • Account data: Retained for the duration of your account. Managed by Clerk.
  • Agent telemetry: Retained for the duration of your subscription.
  • Audit logs: Retained indefinitely. These logs are required for regulatory compliance (EU AI Act Article 12) and cannot be selectively deleted without breaking the tamper-evident hash chain.
  • Compliance evidence: Retained per the retention tier you configure (operational: 6 months minimum, documentation: up to 10 years).
  • Error data (Sentry): Automatically deleted after 90 days.

5. Security

  • All data is encrypted in transit (TLS) and at rest (database-level encryption via Neon).
  • Integration credentials (OAuth tokens, API keys) are additionally encrypted with AES-256-GCM at the application layer before storage.
  • Multi-tenant isolation is enforced via PostgreSQL row-level security policies. One organization cannot access another's data.
  • Role-based access control (5 roles) restricts what actions users can perform within their organization.
  • Audit logs maintain a tamper-evident SHA-256 hash chain. Any modification to a log entry is cryptographically detectable.

6. Your Rights

Depending on your jurisdiction (GDPR, CCPA, or equivalent), you may have the right to:

  • Access the personal data we hold about you
  • Export your data in a portable format (CSV exports are available in-platform)
  • Request correction of inaccurate data
  • Request deletion of your data (subject to legal retention requirements)
  • Object to or restrict certain processing

To exercise any of these rights, email privacy@avanor.ai. We will respond within 30 days.

Note on audit logs: Due to regulatory requirements (EU AI Act Article 12), audit logs cannot be selectively deleted. If you request account deletion, we will remove all data except audit log entries, which will be retained in anonymized form.

7. Children

Avanor is a business-to-business platform. We do not knowingly collect data from anyone under 16. If you believe we have, contact us and we will delete it immediately.

8. Changes

We may update this policy as our practices evolve. We will post changes on this page with an updated date. For material changes, we will notify active users by email.

9. Contact

Questions about this policy or your data? Contact us at privacy@avanor.ai.

Avanor, Inc.