Data Privacy Policy

Aviy
182 High Street, North East Ham
London E6 2JA, United Kingdom
Email: dpo@aviy.ai

Aviy is the data controller for personal data collected directly from users of our website and Services. When our customers use Aviy to create invoices and send them to their clients, Aviy acts as a data processor on behalf of the customer (who is the data controller for their client data).

This policy applies to all personal data processed through aviy.ai, including the free invoice generator (no account required), registered Aviy accounts, payment integrations, email delivery services, and any interactions with our website (contact forms, support enquiries, newsletter sign-ups).

We process the following categories of personal data:

• Identity Data: Name, email address, business name, job title
• Contact Data: Postal address, email address, phone number
• Financial Data: Invoice amounts, payment history, Stripe/PayPal merchant IDs (we do not store card numbers), bank-account details you choose to display on documents, plan and billing-interval selections (including App Store and Play Store subscription identifiers when you subscribe through a mobile app)
• Technical Data: IP address, browser type and version, operating system, device identifiers, mobile push-notification tokens, time zone, country (derived from IP at our content-delivery edge), login timestamps
• Usage Data: Pages viewed, features used, actions performed within the platform, AI prompts submitted
• Document Data: Content of invoices, estimates, quotes, credit notes, receipts, and purchase orders you create, including client details, line items, notes, and any uploaded logos or signatures
• Communication Data: Email delivery status, bounce reports, open/click tracking data from Amazon SES, and recipient identifiers (phone, channel ID, or handle) for documents sent via WhatsApp, Telegram, Slack, Discord, Messenger, or iMessage
• Marketing Data: Newsletter subscription preferences and communication consent records

We collect personal data from the following sources:

• Directly from you: When you create an account, build invoices, submit contact forms, or communicate with us
• Automatically: Through cookies, server logs, and Cloudflare’s edge headers (e.g. country code) when you visit our website or use our mobile apps
• Third-party integrations: From Stripe and PayPal (payment status, merchant details), Google (for Sign-in with Google), Apple and Google Play (for in-app subscription state), AWS (email delivery), and the messaging providers you opt into for document delivery
• CSV imports: When you upload client or invoice data via CSV files

We rely on the following legal bases under Article 6 of the UK/EU GDPR:

• Performance of a Contract (Art. 6(1)(b)): Processing necessary to provide the Services - account creation, invoice generation, document storage, payment processing, email delivery, and customer support.
• Legitimate Interests (Art. 6(1)(f)): Platform security, fraud prevention, service improvement, anonymised analytics, transactional emails (delivery confirmations, security alerts), and enforcement of our Terms of Service. We have conducted a Legitimate Interest Assessment for each of these purposes.
• Legal Obligation (Art. 6(1)(c)): Compliance with UK tax laws, anti-money laundering regulations, and responding to lawful requests from regulators and law enforcement.
• Consent (Art. 6(1)(a)): Marketing emails and newsletters. You may withdraw consent at any time by clicking “unsubscribe” in any marketing email or contacting us.

Free Generator (No Account): When you use the AI invoice generator without an account, your text prompt is sent to our AI provider to generate invoice data. The generated document exists only in your browser session. We do not store invoice data from no-account sessions on our servers.

Registered Users: Invoices, estimates, quotes, credit notes, receipts, purchase orders, client records, and related data are stored in our database. This data is retained as long as your account is active.

Email Sending: When you send invoices via email, we record the message ID, recipient email, delivery status, bounce information, and open/click events for deliverability monitoring and delivery reports.

Payment Processing: Payment data flows directly between your client and Stripe/PayPal. We store only the transaction reference, amount, status, and timestamps - never card numbers or bank details.

AI Processing: Text prompts submitted to the AI invoice generator are sent to our AI provider for processing. Prompts are not stored by us or the AI provider for training purposes.

We do not sell personal data to any third party. We do not share data for advertising or marketing purposes with third parties.

Some of our sub-processors are located in the United States. For all transfers of personal data outside the UK and EEA, we implement appropriate safeguards:

• Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914) and adopted by the UK under the International Data Transfer Agreement (IDTA)
• The EU-US Data Privacy Framework for certified US organisations where applicable
• Supplementary measures including encryption in transit and at rest

You may request a copy of the safeguards in place by contacting dpo@aviy.ai.

We apply the following retention periods:

• Active accounts: Data retained while your account is active and the Services are in use
• Deleted accounts: Account data permanently deleted within 30 days of account deletion request
• Trashed documents: Permanently deleted 30 days after being moved to trash
• Email delivery logs: 12 months from the date of the email event
• Audit logs: 24 months for security and compliance
• Invoices and financial records: As required by applicable tax legislation (typically 6-7 years in the UK)
• No-account sessions: Not stored on our servers
• Marketing consent records: Retained for the duration of consent plus 3 years for compliance evidence

When data is no longer needed, it is securely deleted or anonymised.

Under the UK GDPR and EU GDPR, you have the following rights:

• Right of Access (Art. 15): Obtain a copy of your personal data and information about how it is processed. You can export your data as CSV from the dashboard.
• Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data.
• Right to Erasure (Art. 17): Request deletion of your personal data where there is no compelling reason for continued processing.
• Right to Restriction (Art. 18): Request restriction of processing in certain circumstances (e.g., while we verify accuracy of disputed data).
• Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format. CSV export is available for invoices, estimates, clients, and other records.
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
• Rights Related to Automated Decision-Making (Art. 22): Our AI features assist document creation but do not make automated decisions that produce legal or similarly significant effects. You always review and approve AI-generated documents before use.

To exercise any of these rights, email dpo@aviy.ai. We will verify your identity and respond within one month (extendable by two months for complex requests). There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information collected, the sources, the business purposes, and the categories of third parties with whom data is shared.
• Right to Delete: Request deletion of personal information collected from you.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact dpo@aviy.ai. We will verify your identity before processing your request.

We use cookies in two broad categories:

• Essential: Authentication, session, and security cookies required for the Services to function. Always set.
• Marketing: Cookies set by third-party services we use for outreach and customer-support tooling. Disclosed alongside the consent banner; see our Cookie Policy.

We do not currently set advertising or social-media tracking cookies. If we add new tracking categories in future, we will update the consent banner and re-prompt you for a fresh choice.

We implement appropriate technical and organisational measures in accordance with Article 32 of the UK/EU GDPR, including:

• Industry-standard encryption for data in transit and at rest
• Modern password-hashing for stored credentials
• Two-factor authentication available on all accounts
• Role-based access control for team accounts
• Append-only audit logging of significant actions
• Automated backup and disaster-recovery procedures
• Regular security reviews and dependency updates

Specific cryptographic configurations and operational controls are reviewed regularly and are not published in detail; they are available under NDA to enterprise customers and to regulators on request.

In the event of a personal data breach, we will:

• Notify the UK Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to individuals’ rights and freedoms (Article 33)
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34)
• Document the breach, its effects, and remedial actions taken
• For EU data subjects, notify the relevant lead supervisory authority

The Services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a child under 18, we will delete it within 30 days. If you believe a child has provided us with personal data, please contact us at dpo@aviy.ai.

We conduct Data Protection Impact Assessments (DPIAs) where processing is likely to result in a high risk to individuals, as required by Article 35 of the UK/EU GDPR. This includes assessments for new features involving AI processing, email tracking, and payment data handling.

You have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority is:

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF, United Kingdom
Website: ico.org.uk
Helpline: 0303 123 1113

If you are located in the EEA, you may also contact your local data protection authority.

We may update this Data Privacy Policy periodically. Material changes will be communicated by email to registered users and by a prominent notice on our website. The “Last modified” date at the top indicates when the policy was last updated. We encourage you to review this policy regularly.

For questions about this policy, to exercise your data protection rights, or to raise a concern about how we handle your data:

Aviy
182 High Street, North East Ham
London E6 2JA, United Kingdom
Email: dpo@aviy.ai