Avo
FeaturesPricing
Sign InSign Up
Privacy

How Avo handles your data

This policy explains what we collect, why we collect it, how your data is protected, and the controls you have over it.

Last updated: February 22, 2026

Information We Collect

We collect only what is needed to deliver the service, protect your account, and keep the platform reliable.

  • •Account profile information: name, email address, and authentication metadata from your sign-in provider.
  • •Workspace content: notes, tasks, journal entries, documents, calendar items, project data, and anything else you create in Avo apps.
  • •AI-generated content: images and videos you create through AI features, stored temporarily in your account.
  • •Usage data: subscription tier, token consumption, image and video generation counts, and voice session duration for billing and limit enforcement.
  • •Diagnostic data: limited device and usage telemetry used for reliability monitoring, abuse prevention, and debugging. This is never used for ad targeting.

How We Use Your Data

Data is processed to deliver features you request, protect your account, and improve the platform.

  • •Service delivery: syncing content across devices, account management, and cross-app AI context when you initiate it.
  • •Security: session verification, fraud prevention, abuse detection, and incident response.
  • •Analytics: aggregate and de-identified usage data to improve reliability and inform product decisions. We do not build advertising profiles.

Sharing and Processors

Avo does not sell personal information. We do not run ad targeting.

  • •Infrastructure partners (Google Cloud, Firebase, Vercel) operate under restricted processing terms with contractual data protection obligations.
  • •AI chat and image generation is processed by Google (Gemini API). Only the content you send in a specific request is transmitted, scoped to that interaction.
  • •AI video generation is processed by PiAPI (Seedance models). Only your text prompt and optional reference media are transmitted for that generation request.
  • •Data sharing is limited to what is required to operate the service or comply with legal obligations. No data is sold or used for advertising.

How we protect your data

Security is built into every layer of the platform, from the browser to the database. Here is how each layer works.

Encryption

TLS in transit, GCP-managed encryption at rest

Authentication

Firebase Auth with HttpOnly, Secure, SameSite session cookies

CSRF Protection

SHA-256 derived tokens with timing-safe comparison on every state-changing request

Content Security Policy

Strict CSP headers controlling allowed scripts, styles, and connections to block XSS and injection

Database Rules

Firestore security rules enforce per-user data isolation with admin-only escalation via JWT custom claims

Server Hardening

HSTS (1-year max-age), X-Frame-Options DENY, nosniff, restrictive Permissions-Policy, and referrer controls

Rate Limiting

AI and sensitive endpoints are rate-limited with fail-closed behavior on protected routes

CI/CD Validation

Automated checks validate auth gates, admin route access, and dependency vulnerabilities on every deploy

Request lifecycle

Your Browser
|
TLS encrypted connection
|
Security Headers (CSP, HSTS, X-Frame-Options)
|
CSRF token validated (SHA-256, timing-safe)
|
Session Verification (HttpOnly cookie + Firebase Admin SDK)
|
Rate limit check
|
Firestore Rules (per-user data isolation, admin via JWT claims)
|
Encrypted at rest (GCP platform-managed)
|
Your Data

AI Training and Your Data

Your content is never used to train AI models.

  • •Your notes, conversations, images, videos, and other content are never used to train, fine-tune, or improve any AI model.
  • •AI requests are processed in real-time and are not stored by third-party AI providers beyond what is needed to complete your request.
  • •Your AI conversation history is stored only in your Avo account and is not shared with model providers.
  • •Memory and personalization features are computed within Avo's infrastructure, not by external AI providers.

Data Retention and Deletion

We retain your data only as long as needed to provide the service.

  • •Active subscribers: data is retained for the duration of your subscription and for 30 days after cancellation.
  • •Starter (trial) users: data is retained for 4 months (120 days) after the trial ends, then permanently deleted.
  • •AI-generated media (images, videos): stored for 60 days after creation, then automatically removed from storage. Generation metadata is retained for your history.
  • •Account deletion: you may request full account deletion at any time. All data is permanently removed within 30 days of the request.

Your Controls

You are in control of your account data and privacy choices.

  • •Export, correct, or delete your data at any time by contacting privacy@heyavo.ai from your account email.
  • •GDPR rights (access, rectification, erasure, portability, restriction, objection) are fully supported for users in the EU/EEA.
  • •Cookie behavior can be reviewed and managed through browser settings and the Cookie Policy page.
  • •AI features process your content only when you explicitly initiate a request. No background scraping or profiling occurs.

Privacy Contact

Questions about how your data is handled or requests to exercise your privacy rights.

For data export, deletion, correction, or any privacy-related inquiry, email us from the address associated with your Avo account. Include your request type and any relevant workspace or date range details so we can respond efficiently.

For privacy questions or requests, contact privacy@heyavo.ai.

Product

  • Features
  • Pricing

Company

  • About
  • Contact

Resources

  • FAQ

Trust

  • Security & Privacy
  • Security Contact

Legal

  • Terms of Service
  • Cookie Policy
  • Acceptable Use Policy
  • GDPR

© 2026 Avo. All rights reserved.

Built with ❤️ for productivity and growth

Questions? Contact us at support@heyavo.ai