Privacy Policy and AI Notice
Last Updated: May 3, 2026
Effective Date: May 3, 2026
This Privacy Policy and AI Notice explains how AVOLAB ("Company", "we", "us", or "our") collects, uses, discloses, retains, and protects personal information, including in connection with AI-enabled features of the Service.
If you are in the EEA, UK, or Switzerland, this notice is intended to satisfy GDPR and UK GDPR transparency requirements. If you are in Canada, this notice is intended to satisfy PIPEDA and applicable provincial law, including Quebec Law 25 where applicable.
1. Who We Are (Controller)
Data controller, or equivalent: AVOLAB.
Mailing address: Available upon request.
Email: info@newsltr.avolab.ca.
Privacy Officer / DPO: Privacy Officer, info@newsltr.avolab.ca.
If we process data solely on behalf of a customer, that customer is the controller or business, and we are the processor or service provider for that processing.
2. Scope
This notice applies to personal information we process through our website and application; account registration and administration; newsletter generation, delivery, analytics, and support; and AI features embedded in the Service.
It does not apply to third-party websites or services not controlled by us.
3. Personal Information We Collect
Information you provide may include account data, profile data, payment or billing contact information, support messages and attachments, newsletter content, prompts, source links, and campaign settings. Payment card details are handled by our payment processor.
Information collected automatically may include device and browser metadata, IP address, timestamps, log events, usage analytics, feature interactions, cookies, and identifiers.
Information from third parties may include authentication providers, payment processors, and integrations you connect, such as content, email, AI, or search providers.
Do not submit sensitive personal information unless strictly necessary and lawfully authorized. If you do, you represent that you have a valid legal basis and have provided or obtained any required notices or consents.
4. Why We Process Personal Information (Purposes)
We process data to provide and maintain the Service; authenticate users and secure accounts; generate and send newsletters; provide AI-assisted drafting, summarization, and classification; process payments and prevent fraud; monitor reliability, performance, and abuse; provide customer support; comply with legal obligations; and improve Service quality and safety.
5. Legal Bases (GDPR/UK GDPR)
Where GDPR applies, legal bases include contract, legitimate interests, consent, and legal obligation.
Contract applies when processing is needed to provide the Service you request.
Legitimate interests include security, fraud prevention, product improvement, and abuse monitoring.
Consent applies where required, including certain cookies, marketing, or specific AI uses if applicable.
Legal obligation applies where processing is needed for compliance with law and lawful requests.
You may withdraw consent at any time where consent is the legal basis.
6. AI Notice (How We Use AI)
We may use AI models and providers to summarize, rewrite, classify, and generate newsletter drafts; extract topics and keywords; and rank and structure content candidates.
AI Input may include prompts, source text, and related metadata.
AI Output is probabilistic and may be inaccurate or incomplete.
We recommend and may require human review before publication or high-impact use of AI Output.
We do not intentionally use solely automated decision-making that produces legal or similarly significant effects on individuals without appropriate safeguards and legal compliance.
We do not permit third-party AI providers to use your customer content to train their general models, except where you explicitly enable such settings.
We implement controls such as access restrictions, logging, prompt and content filtering, abuse detection, and policy enforcement.
7. Cookies and Similar Technologies
We use essential cookies and, where applicable, analytics or marketing cookies.
Where required by law, we obtain consent before using non-essential cookies.
You can manage preferences through your browser settings and any cookie controls we make available in the Service.
8. Sharing and Disclosure
We disclose personal information to cloud hosting and infrastructure providers; email delivery providers; payment processors; analytics and security vendors; AI model and search providers; professional advisors and auditors; and authorities when legally required.
We do not sell personal information in exchange for money.
If sale, share, or targeted advertising definitions apply in your jurisdiction, see the Regional Rights Addendum below.
9. International Data Transfers
Your data may be processed outside your province, state, or country.
Where required, we use lawful transfer mechanisms, including Standard Contractual Clauses, and supplementary safeguards.
For Quebec residents, transfers outside Quebec are subject to required assessments and protective measures.
10. Data Retention
We retain personal information only as long as needed for the purposes above, including legal, accounting, and security needs.
Typical periods: account data is retained while the account is active plus 2 years; billing records are retained for 7 years; logs and security records are retained for up to 18 months; support tickets are retained for up to 3 years; backup retention is up to 90 days.
After retention periods end, we delete, anonymize, or securely isolate data.
11. Security
We use administrative, technical, and organizational safeguards appropriate to risk, including encryption in transit, access controls and least privilege, logging and monitoring, vulnerability management, and incident response processes.
No method is 100% secure; report suspected incidents to info@newsltr.avolab.ca.
12. Your Privacy Rights
Depending on jurisdiction, you may have rights to access your personal information; correct inaccuracies; delete information; request data portability; object to or restrict certain processing; withdraw consent; and lodge complaints with a supervisory authority or regulator.
To exercise rights, contact info@newsltr.avolab.ca. We may verify identity before fulfilling requests.
EEA and UK residents may complain to their local data protection authority.
Canadian residents may contact the Office of the Privacy Commissioner of Canada or relevant provincial regulator where applicable.
13. Children
The Service is not directed to children under 16.
If you believe a child provided data without authorization, contact us and we will take appropriate action.
14. Confidentiality Incidents / Breach Notification
We maintain incident response procedures, including investigation, mitigation, record-keeping, and legally required notifications to regulators and affected individuals.
15. Data Processing Addendum (B2B Customers)
If you are a business customer and we process personal information on your behalf, our DPA governs that processing and includes processor obligations, subprocessors, security measures, and transfer terms.
16. Changes to this Notice
We may update this notice from time to time. Material changes will be communicated via appropriate channels, such as email or in-app notice, with a revised effective date.
17. Contact Us
AVOLAB
Privacy Officer / DPO: Privacy Officer
Email: info@newsltr.avolab.ca
Address: Available upon request.
Data Subject Requests: info@newsltr.avolab.ca
Required Schedules and Annexes
Annex A - Subprocessor List
Vercel: cloud hosting and infrastructure; account, usage, log, and application data; United States and other cloud regions; transfer mechanisms include contractual safeguards and Standard Contractual Clauses where required.
Vercel Blob and Vercel Postgres / Neon: storage and database services; content, account, newsletter, and operational data; United States and other cloud regions; transfer mechanisms include contractual safeguards and Standard Contractual Clauses where required.
Resend or email delivery providers: email delivery and transactional messaging; email addresses, message content, delivery metadata; United States and provider regions; transfer mechanisms include contractual safeguards and Standard Contractual Clauses where required.
OpenAI, Google, Anthropic, Gemini, DeepSeek, or other connected AI providers where enabled: AI drafting, summarization, classification, ranking, and extraction; prompts, source text, newsletter content, and metadata; provider regions; transfer mechanisms include provider data processing terms and Standard Contractual Clauses where required.
Analytics and security vendors, including Vercel Analytics and Meta Pixel where enabled: analytics, measurement, fraud prevention, security, and abuse monitoring; usage data, identifiers, browser metadata, and event data; provider regions; transfer mechanisms include contractual safeguards and Standard Contractual Clauses where required.
Annex B - Data Retention Schedule
Accounts and profiles: retained while the account is active plus 2 years; deletion trigger is account deletion, inactivity review, or verified deletion request.
Newsletter content, prompts, sources, and campaign settings: retained while needed to provide the Service and preserve customer history; deletion trigger is customer deletion, workspace deletion, or verified deletion request.
Billing records: retained for 7 years; deletion trigger is expiry of tax, accounting, and legal retention obligations.
Application logs and security records: retained for up to 18 months; deletion trigger is expiry of monitoring and security investigation need.
Support tickets: retained for up to 3 years; deletion trigger is expiry of support, quality, and dispute-resolution need.
Backups: retained for up to 90 days; deletion trigger is backup rotation and secure overwrite.
Annex C - Security Measures Summary
Encryption in transit using HTTPS/TLS for Service traffic.
Access controls, role separation, and least-privilege access for administrative functions.
Credential protection through provider-managed authentication and password hashing where passwords are used.
Logging and monitoring for reliability, abuse detection, and security investigation.
Backup, recovery, and incident response procedures appropriate to the risk and maturity of the Service.
Vendor review and subprocessor management for key infrastructure, AI, email, analytics, and payment providers.
Annex D - Regional Rights Addendum
EEA/UK/Switzerland: you may have GDPR or UK GDPR rights including access, rectification, erasure, restriction, objection, portability, withdrawal of consent, and complaint to a supervisory authority.
Canada, including Quebec: you may have rights to access, correction, withdrawal of consent where applicable, information about automated decision-making where applicable, portability where legally effective, and complaint to the Office of the Privacy Commissioner of Canada or provincial regulator.
United States: depending on state law, you may have rights to know, access, correct, delete, obtain a copy, opt out of sale, sharing, targeted advertising, or certain profiling, and appeal denied requests. We do not sell personal information for money.
Annex E - AI Governance Addendum
Model inventory: AI providers may include OpenAI, Google/Gemini, Anthropic, DeepSeek, or customer-connected model providers depending on configuration.
Prohibited inputs: do not submit sensitive personal information, regulated health, financial, employment, child, biometric, government identifier, or confidential third-party data unless you have a lawful basis, authority, and safeguards.
Human oversight: newsletter drafts, summaries, classifications, and recommendations should be reviewed by a human before publication or reliance.
Evaluation cadence: AI workflows should be reviewed periodically for accuracy, bias, safety, source quality, and policy compliance, especially before material feature changes.
Risk controls: access restrictions, logging, abuse detection, prompt and content filtering, and escalation processes are used where appropriate.