Privacy Policy

How We Handle Your Data.

AVNIR is built on first-party data only. You authorise every source, you control every connection, and you can revoke access at any time. This policy describes our practices in full.

1. Scope & effective date

This Privacy Policy applies to the AVNIR platform and all associated services, websites, and applications operated by AVNIR (“AVNIR,” “we,” “our,” or “us”), headquartered in Atlanta, Georgia, USA. It describes how we collect, use, disclose, and protect personal information, and how you can exercise your rights under applicable privacy laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and other applicable US state privacy laws.

This policy applies to all users of the AVNIR platform, including Early Access founding cohort members, and to visitors to our public websites. By accessing or using AVNIR, you acknowledge this policy. If you do not agree, do not use the platform.

AVNIR generally acts as a data controller for information collected through our websites, account administration, support, and direct communications. For customer-authorised relationship data connected to the platform, AVNIR generally acts as a data processor or service provider acting on the customer’s instructions, subject to our Terms, Privacy Policy, and any applicable Data Processing Agreement.

2. Information we collect

Account & profile information

When you register for AVNIR or request Early Access, we collect your name, professional email address, company name, title, and other information you voluntarily provide. During onboarding you may provide additional profile details.

First-party communication & relationship signals

The core of AVNIR’s intelligence is derived from first-party sources you explicitly authorise. Depending on which integrations you connect, we may access and process:

  • Email metadata — sender, recipients, timestamp, subject, preview, and thread identifiers from your connected email account (Google Workspace or Microsoft 365). By default, AVNIR uses this limited metadata and does not use full email body content or attachments. If you enable the optional Contextual Understanding mode, AVNIR processes additional email context to deliver enhanced relationship insights.
  • Calendar data — event titles, participants, organizer, timestamps, location, and event descriptions (used for meeting context) from your connected calendar.
  • LinkedIn connection data — your first-degree connections and the metadata you authorise through LinkedIn’s integration. AVNIR does not scrape LinkedIn or bypass its API.
  • CRM records — contact identifiers, relationship stage, and interaction history from CRM platforms you connect (e.g. HubSpot). You control what AVNIR reads via the CRM’s own OAuth permission scope.
  • Meeting-note tool signals — attendee lists and meeting metadata from tools such as Fellow, if authorised.

AVNIR does not purchase contact data from third-party data brokers, external enrichment providers, or list vendors. Every relationship signal is derived from data you generate and connect.

Usage & technical data

We automatically collect information about how you interact with the AVNIR platform, including pages visited, features used, actions taken, session duration, error events, and performance data. We also collect standard technical data such as IP address, browser type, operating system, and device identifiers.

Communications

If you contact us by email or through the platform, we retain those communications and any information you include in them, in order to respond to your inquiry and improve our support.

3. How we collect it

  • Directly from you — when you register, request Early Access, fill out forms, or contact us.
  • Through connected integrations you authorise — when you connect email, calendar, LinkedIn, CRM, or other sources via OAuth 2.0 flows. You must explicitly grant permission. AVNIR does not access a source until you authorise it and will not store your third-party passwords or credentials.
  • Automatically — through cookies, server logs, and platform telemetry when you use the AVNIR application or visit our websites. See Section 11 (Cookies & tracking) for detail.

4. How we use your information

We use the information we collect for the following purposes, on the lawful bases noted (where GDPR applies):

  • Provide the AVNIR platform — including relationship intelligence, Magellan AI recommendations, Relationship Strength Index scoring, warm-path mapping, and all core features. Lawful basis: performance of contract (Art. 6(1)(b) GDPR).
  • Improve and develop the service — analysing aggregate usage patterns, diagnosing performance issues, and informing product decisions. We use aggregated and de-identified data where possible. Lawful basis: legitimate interests (Art. 6(1)(f) GDPR) — our interest in improving the platform does not override your rights where data is minimised.
  • Security and fraud prevention — detecting, investigating, and preventing unauthorised access, abuse, or security incidents. Lawful basis: legitimate interests.
  • Communications — sending product updates, Early Access announcements, and support responses. Lawful basis: contract for transactional messages; consent (Art. 6(1)(a)) for marketing communications where required.
  • Legal compliance — meeting our obligations under applicable law, responding to lawful requests, and enforcing our Terms of Service. Lawful basis: legal obligation (Art. 6(1)(c)) or legitimate interests.

We do not sell your personal information. We do not share your relationship data for cross-context behavioural advertising. We do not use your relationship data to train general-purpose AI models that are shared with other customers.

5. AI & automated processing transparency

AVNIR’s Magellan intelligence layer analyses the relationship signals from your connected first-party sources to surface insights: relationship strength scores, warm-path recommendations, suggested next actions, and contact-level intelligence. This processing is automated.

No solely-automated decisions with legal or similarly significant effects. Magellan outputs are intended to inform and assist your decisions — not to replace human judgment. No AVNIR process produces a decision that has a legal effect on a natural person, or a similarly significant effect, without human review. If we introduce any such process in the future, we will update this policy and provide appropriate mechanisms for you to contest outcomes, as required under GDPR Article 22 and applicable US state privacy laws.

Your first-party relationship data is not used to train shared AI models that power other customers’ accounts. Models and embeddings derived from your data are scoped to your workspace.

6. Data sharing & disclosure

We do not sell your personal information and do not share it for cross-context behavioural advertising. We share information only in the following circumstances:

Service providers & subprocessors

We engage trusted third-party service providers to operate the AVNIR platform — including cloud infrastructure, database hosting, authentication, monitoring, and communications tools. These providers act as data processors under our instructions and are bound by data processing agreements requiring them to maintain confidentiality and security. We do not permit subprocessors to use your data for their own purposes.

Legal requirements

We may disclose information if required by law, subpoena, court order, or other governmental authority, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of AVNIR, our users, or the public.

Business transfers

If AVNIR is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.

With your consent

We may share information with third parties when you have given explicit consent for a specific purpose.

No third-party data brokers

AVNIR does not share personal information with data brokers, contact enrichment companies, or advertising networks. This is a foundational principle of our privacy-first architecture.

7. International transfers

AVNIR is headquartered in the United States. If you are located outside the US, your information may be transferred to and processed in the United States, where data protection laws may differ from those in your country.

For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, we rely on appropriate transfer mechanisms including Standard Contractual Clauses (SCCs) as approved by the European Commission, and the UK International Data Transfer Agreement (IDTA) where applicable. These contractual safeguards are designed to support lawful cross-border transfers where GDPR, UK GDPR, or Swiss data protection law applies. You may request a copy of the applicable safeguards by contacting us at info@avnir.com.

8. Data retention & deletion

We retain your personal information for as long as your account is active or as needed to provide the AVNIR service. Relationship signals and derived intelligence (RSI scores, warm-path data, Magellan outputs) are retained while your account is active.

When you close your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by applicable law, or where retention is necessary for legitimate purposes such as resolving disputes or enforcing our agreements. Certain internal metadata and system-level structures may be retained as part of AVNIR’s underlying platform architecture; these are not used to provide your account-facing service after closure.

Disconnecting a data source stops new data from being ingested from that source. Existing derived data may be retained until account closure or a deletion request is fulfilled. To request deletion of your data or all data derived from a specific source, contact us at info@avnir.com.

Technical logs and usage records may be retained for up to 12 months for security and debugging purposes, after which they are deleted or aggregated into non-identifiable form.

9. Security

AVNIR is built to SOC 2 standards with enterprise-grade security; formal SOC 2 certification is in progress. We apply the following security measures as baseline practice:

  • Encryption in transit — all data transmitted between your browser or app and AVNIR’s infrastructure is encrypted using TLS 1.2 or higher.
  • Encryption at rest — stored data is encrypted at rest using industry-standard encryption.
  • Access controls — principle of least privilege; internal access to production data is restricted and audited.
  • Authentication — all third-party integrations use OAuth 2.0 flows. We do not store your third-party passwords or credentials.
  • Security monitoring — continuous monitoring for anomalous access patterns and security events.

No method of transmission over the internet or electronic storage is 100% secure. While we implement commercially reasonable measures, we cannot guarantee absolute security. In the event of a data breach that requires notification under applicable law, we will notify affected users and relevant authorities as required.

10. Your rights

Depending on where you are located, you may have the following rights regarding your personal information. AVNIR supports privacy requests consistent with these rights, subject to identity verification, legal exceptions, and applicable law.

Rights for EEA, UK, and Swiss residents (GDPR / UK GDPR)

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) — request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent (if consent was the basis).
  • Right to restriction of processing — request that we limit how we process your data in certain circumstances.
  • Right to data portability — receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to object — object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — you have the right to lodge a complaint with your local supervisory authority (e.g. your national Data Protection Authority in the EEA, or the ICO in the UK).

Rights for California residents (CCPA/CPRA)

  • Right to know — request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business or commercial purposes for collection, and the categories of third parties with whom we share it.
  • Right to delete — request deletion of personal information we have collected, subject to certain exceptions.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt out of sale or sharing — AVNIR does not sell personal information and does not share personal information for cross-context behavioural advertising. No opt-out action is required, but you may confirm our practices at any time.
  • Right to limit use of sensitive personal information — you may request that we limit our use of sensitive personal information to what is necessary to provide the service.
  • Right to non-discrimination — we will not discriminate against you for exercising your CCPA/CPRA rights.

Rights for residents of Virginia, Colorado, and other US states

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut, Texas, Oregon, and other states with comprehensive privacy laws have rights including access, correction, deletion, portability, and opt-out of targeted advertising and profiling in furtherance of decisions with significant legal effects. AVNIR honours these rights. Contact us to exercise any of them.

How to exercise your rights

To exercise any of the rights above, contact us at info@avnir.com with the subject line “Privacy Request.” We will respond within the timeframe required by applicable law (typically 30 days, extendable by an additional 30 days where permitted with notice). We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests.

11. Cookies & tracking

AVNIR uses cookies and similar technologies to operate the platform, remember your preferences, and understand how the service is used. We do not use cookies for cross-site behavioural advertising.

Cookie categories

  • Strictly necessary — required for the platform to function (authentication tokens, session management, security). These cannot be disabled without breaking core functionality.
  • Functional — remember your preferences and settings (e.g. theme, language). Disabling these may affect your experience.
  • Analytics — help us understand how users interact with the platform in aggregate (page views, feature usage, error rates). We use privacy-respecting analytics tools. Where required by law, we obtain consent before dropping analytics cookies.

You can control cookies through your browser settings. Note that disabling strictly necessary cookies will prevent you from logging in or using the platform. For EU/UK visitors, we comply with ePrivacy Directive and GDPR requirements for consent-based cookies.

12. Children's privacy

AVNIR is a professional B2B platform and is not directed to individuals under 18 years of age (or 16 where applicable under GDPR). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without parental consent, we will promptly delete it. If you believe we may have such information, contact us at info@avnir.com.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and/or by a prominent notice within the AVNIR platform at least 14 days before the changes take effect. Your continued use of AVNIR after the effective date constitutes acceptance of the revised policy.

For non-material changes (such as correcting typographical errors or clarifying language without changing our practices), we will update the “Last updated” date at the top of this policy. We recommend reviewing this policy periodically.

14. Contact

For privacy-related questions, data subject requests, or concerns about this policy:

AVNIR
Atlanta, GA, USA
info@avnir.com

We take privacy inquiries seriously and respond within two business days. For unresolved complaints, EEA residents may contact their national Data Protection Authority; UK residents may contact the ICO (ico.org.uk).