Privacy Policy

Aviy is the data controller for personal data processed through the Services. For enquiries about how we handle your data, contact us at dpo@aviy.ai.

When our customers (businesses with an Aviy account) collect personal data from their own clients through invoices, estimates, or payment links, the customer acts as the data controller and Aviy acts as the data processor on their behalf.

Account Information: When you create an Aviy account, we collect your name and email address. If you sign in via Google, we receive your name and email from Google.

Business Information: Company name, address, phone number, logo, email, tax rates, currency preferences, and bank account details you choose to add to your profile.

Invoice & Document Data: Client names, email addresses, postal addresses, invoice amounts, line items, payment terms, and any notes you include in invoices, estimates, quotes, credit notes, receipts and purchase orders.

Payment Information: When you connect Stripe or PayPal, we store your merchant account ID and connection status. We do not store credit card numbers. Payment processing is handled entirely by Stripe and PayPal under their respective privacy policies.

Email Delivery Data: When invoices are sent via email, we track delivery status, bounces, opens, and clicks through Amazon SES to provide delivery reports and ensure deliverability.

Messaging Channel Data: When you send a document over WhatsApp, Telegram, Slack, Discord, Messenger, or iMessage, the recipient’s identifier (phone number, channel ID, or handle) is shared with the relevant messaging provider for delivery. Aviy does not retain message contents beyond what is required to record that the document was sent.

Mobile App Data: If you install our iOS or Android apps, we collect device identifiers and push-notification tokens needed to deliver notifications about views, payments, and reminders. Push tokens are revocable from the app or your device settings.

Usage & Location Data: Pages visited, features used, browser type, device information, IP address, country (derived from your IP at our content-delivery edge), and timestamps. We collect this to improve our Services, support multi-region delivery, and for security purposes. The country signal is stored at country-level granularity only and is not used to infer city or precise location.

AI Input Data: Text prompts you provide to our AI invoice generator. These are processed to generate documents and are not used to train AI models.

Cookies: We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. See our Cookie section below for details.

We process your personal data for the following purposes and legal bases under the UK/EU GDPR:

• Contract performance (Article 6(1)(b)): To provide the Services you requested - creating, storing, and sending invoices, estimates, quotes, credit notes, receipts and purchase orders; processing payments; managing your account.
• Legitimate interests (Article 6(1)(f)): To improve our Services, provide customer support, detect fraud, ensure security, send transactional emails (delivery confirmations, password resets), and generate anonymised analytics.
• Legal obligation (Article 6(1)(c)): To comply with applicable laws, regulations, and legal processes, including tax reporting requirements and responding to lawful requests from authorities.
• Consent (Article 6(1)(a)): To send marketing communications where you have opted in. You can withdraw consent at any time.

We do not sell your personal data. We share data only in the following circumstances:

• Service Providers: Each provider processes data under strict contractual obligations and appropriate safeguards.
• Your Clients: When you send an invoice or estimate, the recipient receives the document content including your business details.
• Legal Requirements: We may disclose data to comply with legal obligations, enforce our terms, or protect the rights, safety, or property of Aviy, our users, or the public.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred. We will notify you of any such change.

Aviy is based in the United Kingdom. Your data may be processed in the UK, European Economic Area, and the United States.

For transfers outside the UK/EEA, we rely on:

• The UK’s adequacy regulations for the EEA
• Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner’s Office (ICO) for transfers to the US and other countries
• The EU-US Data Privacy Framework where applicable

We retain your personal data for as long as necessary to provide the Services and fulfil the purposes described in this policy:

• Account data: Retained while your account is active and for 30 days after deletion to allow recovery.
• Invoice and document data: Retained while your account is active. Deleted documents are permanently removed after 30 days in trash.
• Email delivery logs: Retained for 12 months for deliverability monitoring.
• Audit logs: Retained for 24 months for security and compliance purposes.
• No-account usage: If you use the free generator without an account, we do not retain your invoice data after the session ends.

Under the UK GDPR, EU GDPR, and CCPA, you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data (“right to be forgotten”).
• Restriction: Request that we limit processing of your data in certain circumstances.
• Portability: Receive your data in a structured, machine-readable format (CSV export is available in the dashboard).
• Objection: Object to processing based on legitimate interests, including direct marketing.
• Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
• Automated Decision-Making: Our AI invoice generator assists document creation but does not make automated decisions with legal or significant effects on you.

To exercise your rights, email dpo@aviy.ai. We will respond within 30 days (extendable by 60 days for complex requests). You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or your local supervisory authority.

If you are a California resident, you have additional rights under the CCPA:

• Right to Know: You may request details about the categories and specific pieces of personal information we have collected.
• Right to Delete: You may request deletion of your personal information.
• Right to Opt-Out: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
• Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

We use cookies in two categories: essential cookies required for the Services to function (authentication, session, security tokens), and marketing cookies that may be set by third-party services we use for outreach and customer-support tooling. See our Cookie Policy for category-level detail and how to manage your preferences.

We implement appropriate technical and organisational measures to protect your personal data, including:

• Industry-standard encryption for data in transit and at rest
• Modern password-hashing for stored credentials
• Restricted, audited access to production systems
• Encrypted cloud storage for documents
• Two-factor authentication available on all accounts

Specific cryptographic configurations and operational controls are reviewed regularly and are not published in detail. No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to dpo@aviy.ai immediately.

The Services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.

We may update this Privacy Policy from time to time. Material changes will be communicated by email or a prominent notice on our website. The “Last modified” date at the top indicates when the policy was last revised. Continued use of the Services after changes constitutes acceptance.

For any questions about this Privacy Policy or to exercise your data protection rights:

Aviy
182 High Street, North East Ham
London E6 2JA, United Kingdom
Email: dpo@aviy.ai