Avenai
LoginStart free trial
← Back to home

Privacy Policy

Last updated: January 2025

1. Introduction

Avenai ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered integration support service ("Service"). By using Avenai, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

  • Account Information: API keys, tenant identifiers, and account credentials
  • Documentation: PDFs, text files, OpenAPI specifications, and other documents you upload
  • Queries and Interactions: Questions you ask to the copilot, feedback on responses, and usage patterns
  • Contact Information: Email addresses and communication preferences when you contact support

2.2 Automatically Collected Information

  • LocalStorage Data: We use browser localStorage to store your API key, selected dataset ID, onboarding preferences, and dismissed tips. This data remains on your device.
  • Usage Data: Analytics on queries, response times, confidence scores, and system performance metrics
  • Error Logs: Technical error information collected through error monitoring services (Sentry) to improve service reliability
  • Session Data: Session replay data (if enabled) for debugging and improving user experience

3. How We Use Your Information

We use the collected information for the following purposes:

  • Service Delivery: To provide, maintain, and improve the Avenai integration support service
  • Document Processing: To index, chunk, and create embeddings from your uploaded documents
  • Query Processing: To generate answers to your questions using RAG (Retrieval Augmented Generation) technology
  • Security: To authenticate API requests using your API key and ensure tenant isolation
  • Analytics: To analyze usage patterns, improve accuracy, and optimize performance
  • Support: To respond to your inquiries and provide customer support
  • Compliance: To comply with legal obligations and protect against fraudulent or illegal activity

4. Data Storage and Security

4.1 Data Storage

Your data is stored securely in the following locations:

  • Primary Database: PostgreSQL database hosted on Neon. All data is encrypted in transit using SSL/TLS.
  • Multi-Tenant Architecture: Your data is isolated using tenant IDs. Each customer's data is strictly separated and cannot be accessed by other tenants.
  • Embeddings: Document embeddings are stored in the same PostgreSQL database with vector extensions (pgvector).

4.2 Security Measures

  • API keys are hashed using bcrypt before storage
  • All database connections use encrypted connections (SSL/TLS)
  • Strict tenant isolation to prevent cross-tenant data access
  • Regular security audits and monitoring
  • Access controls and authentication requirements for all API endpoints

5. Third-Party Services

5.1 OpenAI

We use OpenAI's API for generating text embeddings and AI responses. When processing your documents:

  • Text from your documents is sent to OpenAI to create embeddings (vector representations)
  • Your original documents are not sent to OpenAI for storage or training
  • OpenAI does not store your data or use it to train their models
  • We use OpenAI under their data processing terms that protect your information

5.2 Sentry (Error Monitoring)

We use Sentry for error monitoring and debugging:

  • Sentry collects error logs and technical debugging information
  • Session replay may be enabled (with text and media masking) for error diagnosis
  • This helps us identify and fix bugs to improve service reliability
  • Sentry's privacy practices are outlined in their own privacy policy

5.3 Hosting Providers

Our services are hosted on:

  • Railway: Backend API hosting
  • Vercel: Frontend application hosting
  • Neon: PostgreSQL database hosting

These providers maintain their own security and data protection practices compliant with industry standards.

6. Cookies and LocalStorage

6.1 Cookie Policy

We use cookies and similar tracking technologies to enhance your experience and monitor service reliability. This section explains what cookies we use, why we use them, and how you can manage them.

6.1.1 Essential Cookies (Required)

These cookies are necessary for the Service to function and cannot be disabled:

  • Session Cookies:
    • Purpose: Maintain your authentication state and session across page loads
    • Type: HTTP cookies (session-based)
    • Duration: Session-only (deleted when you close your browser)
    • Consent Required: No (essential for service functionality)
  • Authentication Cookies:
    • Purpose: Verify your identity and authorize API requests
    • Type: HTTP cookies
    • Duration: Persistent (expires based on your session preferences)
    • Consent Required: No (essential for security and access control)

6.1.2 Analytics and Performance Cookies (Optional)

These cookies help us understand how the Service is used and identify issues. They require your consent:

  • Sentry Error Monitoring Cookies:
    • Purpose: Monitor application errors, track performance issues, and capture debugging information to improve service reliability
    • Type: HTTP cookies (e.g., `sentry_trace`, `sentry_replay_session`)
    • Third Party: Sentry (sentry.io)
    • Duration: Persistent (varies by cookie type, typically 30 days)
    • Consent Required: Yes (for GDPR compliance)
    • What We Collect: Error messages, stack traces, browser information, and (if enabled) session replay data with text and media masking enabled
    • Data Sharing: Data is sent to Sentry's servers for analysis. Sentry's privacy practices are outlined in their privacy policy
    • How to Control: You can accept or reject these cookies using the cookie consent banner. You can change your preference at any time by clearing your browser cookies or localStorage
  • Sentry Session Replay:
    • Purpose: Record user interactions (clicks, scrolls, navigation) to diagnose errors and improve user experience
    • Type: HTTP cookies and local storage
    • Privacy Protection: All text content is masked, all media (images, videos) is blocked, and sensitive form fields are excluded
    • Duration: Session-based or up to 30 days
    • Consent Required: Yes (only enabled if you consent to analytics cookies)
    • What We Collect: UI interactions, mouse movements, clicks, scrolls, and page navigation patterns (text and media are masked)

6.1.3 Cookie Consent

If you are located in the European Union (EU), European Economic Area (EEA), or United Kingdom (UK), we are required by GDPR to obtain your consent before placing non-essential cookies. When you first visit Avenai, you will see a cookie consent banner where you can:

  • Accept: Consent to analytics cookies (Sentry error monitoring and session replay)
  • Reject: Only essential cookies will be used

Your consent preference is stored in your browser's localStorage and will be remembered for future visits. You can change your preference at any time by:

  • Clearing your browser's cookies and localStorage (the consent banner will appear again)
  • Using your browser settings to block or delete specific cookies

6.1.4 Managing Cookies

You can control cookies through your browser settings:

  • Browser Settings: Most browsers allow you to block, delete, or restrict cookies. However, disabling essential cookies will prevent the Service from functioning properly.
  • Third-Party Cookies: You can specifically block third-party cookies (like Sentry) while allowing first-party cookies
  • Do Not Track: We respect browser "Do Not Track" signals, though this does not override your explicit consent choices

Note: Disabling essential cookies may prevent you from logging in or using the Service. Disabling analytics cookies will not affect core functionality but will prevent us from identifying and fixing errors automatically.

6.2 LocalStorage

We use browser localStorage (not cookies) to store:

  • Your API key (encrypted/stored locally)
  • Selected dataset ID
  • Onboarding completion status
  • Dismissed help tips

This data remains on your device and is not transmitted to our servers except when used in API requests (API key).

7. Data Retention and Deletion

7.1 Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Analytics and aggregated usage data may be retained longer for service improvement purposes.

7.2 Data Deletion

You can delete your data at any time:

  • Documents: Delete individual documents or entire datasets through the dashboard
  • Hard Delete: Permanently removes all associated data including documents, chunks, embeddings, metadata, settings, feedback, and analytics
  • Account Deletion: Contact support to request complete account deletion. All your data will be permanently removed from our systems.

Note: Hard deletes are irreversible. Once data is deleted, it cannot be recovered.

8. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

  • Service Providers: With third-party service providers (OpenAI, Sentry, hosting providers) who assist us in operating our service, subject to confidentiality obligations
  • Legal Requirements: When required by law, court order, or government regulation
  • Protection of Rights: To protect our rights, property, or safety, or that of our users
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to users)

9. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request access to your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data (as described in Section 7)
  • Export: Request export of your data in a portable format
  • Objection: Object to processing of your data for certain purposes
  • Withdrawal of Consent: Withdraw consent for data processing where applicable

To exercise these rights, contact us at privacy@avenai.io.

10. International Data Transfers

Your data may be processed and stored in servers located outside your country of residence. We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable data protection laws.

11. Children's Privacy

Avenai is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.

13. Compliance

We strive to comply with applicable data protection laws, including:

  • General Data Protection Regulation (GDPR) for EU users
  • California Consumer Privacy Act (CCPA) for California residents
  • Other applicable regional data protection regulations

For specific compliance requirements (SOC 2, HIPAA, etc.), please contact us to discuss enterprise agreements and data processing agreements.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: