Privacy Policy
Effective date: March 1, 2026 · Last updated: March 1, 2026
- We do not sell, rent, or trade your personal data — ever.
- Passwords are never stored in plain text; we store only a one-way bcrypt hash.
- Deleting your account permanently deletes all your files and data within 30 days.
- The only third party that receives your information is Stripe, solely to process payments. We never see your card number.
- We do not track you with analytics or advertising cookies; we use session cookies only.
- Your files can be downloaded at any time — you always own your data.
- We use AI to power features like OCR and search on your files; this processing is done to provide you the service, not for advertising or profiling.
- If you are in the EU, you have full GDPR rights. If you are in California, you have full CCPA/CPRA rights. We honour both.
1. Introduction
Welcome to aivaux ("aivaux", "we", "us", or "our"). aivaux is an AI-powered secure file storage service that lets you upload, organise, search, and understand your files through a private cloud vault.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have over it. It applies to all users of the aivaux website and application (collectively, the "Service").
We are committed to processing your personal data fairly, lawfully, and transparently in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), Quebec's Law 25 (Bill 64), and other applicable privacy laws worldwide.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please do not use the Service.
Effective date: March 1, 2026.
2. Information We Collect
We collect only the information that is necessary to provide the Service. We do not collect more than we need.
2.1 Account Data
- Username: the display name you choose when you register.
- Email address: used for account recovery, service notifications, and (if you opt in) marketing communications.
- Password hash: we store a one-way bcrypt hash of your password. We never store, log, or transmit your plaintext password. Even we cannot read your password.
- Account metadata: account creation date, subscription tier (Free or Premium), and account status.
2.2 Files & Content
- The files you upload to your vault, including the file contents, file names, file types (MIME types), file sizes, and upload timestamps.
- Folder names and folder structure you create within the Service.
- Share link settings you configure (e.g., expiry dates, passwords on shared links).
2.3 AI-Generated Metadata
When you use AI-powered features (available on the Premium plan), we process your files to generate and store the following derived data in order to provide those features:
- Auto-tags: category and keyword labels automatically assigned to your files (e.g., "invoice", "photo", "code").
- OCR text: text extracted from images and scanned documents using optical character recognition.
- Semantic embeddings: numerical vector representations of file content used to power semantic search and similarity matching. These embeddings are mathematical representations and are not human-readable; they are used solely to provide the search feature within your vault.
- Sensitive data scan results: flags or alerts generated when the privacy/sensitive data scanner detects potentially sensitive information (e.g., identification numbers, credentials) within your files.
- Duplicate scan results: information identifying files in your vault that appear to be duplicates of one another.
- Smart reminder data: reminders and notes linked to specific files that you configure.
- Storage report data: aggregated statistics about your storage usage derived from your file metadata.
All AI-generated metadata is associated with your account and used exclusively to provide the features you request. It is not used for advertising or shared with third parties.
2.4 Usage Data
- Session tokens: encrypted tokens stored in your browser to maintain your logged-in session. These expire automatically after 30 minutes of inactivity.
- Approximate activity timestamps: we log approximate timestamps of major actions (e.g., last login, last upload) for account security and service integrity purposes.
- No persistent IP logging: we do not persistently log or store your IP address. Your IP address may pass through our web server logs transiently for operational purposes, but these logs are not retained or associated with your account profile.
2.5 Payment Data
Payment and billing for the Premium plan are handled entirely by Stripe, Inc. When you subscribe to Premium, you are redirected to a Stripe-hosted checkout page. aivaux never sees, receives, or stores your credit card number, card verification code (CVV), or full billing address. We receive from Stripe only a customer identifier, subscription status, and billing event notifications (e.g., payment succeeded, subscription cancelled) that are necessary to manage your subscription.
3. How We Use Your Information
Under the GDPR, we must have a lawful basis for every purpose for which we process personal data. The following describes our purposes and the lawful basis for each (GDPR Article 6).
3.1 Performance of a Contract (Art. 6(1)(b))
We process your data to fulfil our contractual obligations to you under the Terms of Service:
- Creating and maintaining your account.
- Authenticating you when you log in and maintaining your session.
- Storing, organising, displaying, and delivering your uploaded files.
- Providing AI-powered features (OCR, semantic search, auto-tagging, duplicate scanning, file chat, auto-organise, smart reminders, storage reports, privacy scanning) on the Premium plan.
- Processing your subscription payments via Stripe.
- Sending you transactional communications such as password reset emails and billing receipts.
3.2 Legitimate Interests (Art. 6(1)(f))
We process certain data where we have a legitimate interest, provided that interest is not overridden by your rights and freedoms:
- Security and fraud prevention: monitoring for suspicious activity, enforcing rate limits, and protecting the Service and its users from abuse.
- Service stability and improvement: using aggregated, anonymised usage patterns to identify bugs, improve performance, and develop new features. This does not involve analysing the content of your files.
- Legal compliance and enforcement: maintaining records as required by law and enforcing our Terms of Service.
3.3 Consent (Art. 6(1)(a))
- Marketing communications: we may send you promotional emails about new features or offers if you have explicitly opted in to receive them. We do not currently send marketing emails. If we introduce them in the future, you will be asked for consent first and will always be able to unsubscribe.
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.
4. Data Sharing & Third Parties
We do not sell, rent, trade, or otherwise transfer your personal data to third parties, except in the limited circumstances described below.
4.1 Stripe (Payment Processing)
We share data with Stripe, Inc. solely for the purpose of processing Premium subscription payments. When you subscribe, your name, email address, and payment information are provided directly to Stripe and governed by Stripe's Privacy Policy. aivaux does not store card details. Stripe is a certified PCI DSS Level 1 service provider.
4.2 No Other Third-Party Data Sharing
We do not use third-party analytics services, advertising networks, or tracking pixels. We do not share your files, account information, or AI-generated metadata with any third party other than Stripe as described above.
4.3 Legal Disclosures
We may disclose your personal data if we are required to do so by applicable law, regulation, or a valid and binding legal process (such as a court order, subpoena, or government request). Where permitted by law, we will attempt to notify you of such a request before disclosing your data. We will disclose only the minimum data necessary to comply with the legal obligation.
4.4 Business Transfers
If aivaux is involved in a merger, acquisition, or sale of all or a portion of its assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website prior to your data being transferred and becoming subject to a different privacy policy.
5. Data Retention
We retain your personal data only for as long as is necessary to fulfil the purposes described in this policy.
- Active accounts: your account data, uploaded files, and all AI-generated metadata are retained for as long as your account remains active.
- Account deletion: when you delete your account (via your account settings), all of your personal data — including your account information, uploaded files, file metadata, and AI-generated metadata — is permanently and irreversibly deleted from our systems within 30 days of the deletion request. You will not be able to recover your account or files after this point.
- Billing records: Stripe retains billing and transaction records in accordance with their own data retention policy and applicable financial regulations. We do not control Stripe's retention periods.
- Server logs: transient operational logs (which may contain IP addresses) are retained for a short period (typically no more than 30 days) for security and debugging purposes and are then deleted.
- Backup systems: deleted data may persist in encrypted system backups for up to 30 days, after which backups are rotated and the data is permanently gone.
6. Data Security
We take the security of your personal data seriously and implement technical and organisational measures to protect it from unauthorised access, alteration, disclosure, or destruction.
- Encryption in transit: all data transmitted between your browser and our servers is encrypted using HTTPS/TLS. We do not support unencrypted HTTP connections.
- Password hashing: passwords are hashed using the bcrypt algorithm with an appropriate cost factor before being stored. Plain-text passwords are never written to disk, logs, or databases at any point.
- Session-based authentication: authenticated sessions are managed via encrypted, server-side session tokens. Sessions expire automatically after 30 minutes of inactivity.
- Access control: files stored in your vault are accessible only to authenticated users holding a valid session for your account. There is no public or anonymous access to stored files.
- Infrastructure security: our servers are hosted in a controlled environment with access restricted to authorised personnel. We apply operating system and software updates on a regular basis.
While we implement reasonable security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. Accordingly, we advise users not to upload highly classified, government-sensitive, or extraordinarily sensitive material that would pose severe risk if disclosed. You use the Service at your own risk with respect to the sensitivity of content you choose to upload.
If you become aware of any security vulnerability or breach affecting the Service, please contact us immediately at [email protected].
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR (and equivalent legislation) with respect to your personal data. We will respond to all valid requests within one month, as required by GDPR Article 12.
- Right of Access (Art. 15): you have the right to request a copy of the personal data we hold about you, along with information about how we process it. To make an access request, please email [email protected].
- Right to Rectification (Art. 16): you have the right to have inaccurate personal data corrected. You can update your username and email address directly in your account settings. For other corrections, contact us at [email protected].
- Right to Erasure / "Right to be Forgotten" (Art. 17): you have the right to request deletion of your personal data. The simplest way to exercise this right is to delete your account via your account settings — this permanently deletes all your data within 30 days. Alternatively, contact us at [email protected].
- Right to Data Portability (Art. 20): you have the right to receive your personal data in a structured, commonly used, machine-readable format. Your uploaded files can be downloaded individually at any time from your vault. For a structured export of your account metadata, please contact [email protected].
- Right to Restriction of Processing (Art. 18): you have the right to request that we restrict the processing of your personal data in certain circumstances (for example, while a dispute about accuracy is resolved). To request restriction, contact us at [email protected].
- Right to Object (Art. 21): you have the right to object to processing based on our legitimate interests (Art. 6(1)(f)). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. To object, contact us at [email protected].
- Right to Withdraw Consent: where we rely on your consent as the lawful basis for processing (e.g., marketing emails), you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Right to Lodge a Complaint: if you believe we have not handled your personal data in compliance with applicable law, you have the right to lodge a complaint with your local data protection supervisory authority. In the EU, you can find your supervisory authority at edpb.europa.eu. In the UK, the relevant authority is the Information Commissioner's Office (ICO) at ico.org.uk.
To submit a GDPR-related request, please email our Data Protection contact at [email protected]. We may need to verify your identity before processing your request.
8. California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you specific rights regarding your personal information. This section supplements the rest of this Privacy Policy.
8.1 Categories of Personal Information Collected
In the past 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers (username, email address)
- Internet or other electronic network activity information (session tokens, activity timestamps)
- User-generated content (uploaded files)
- Commercial information (subscription status, billing events via Stripe)
- Inferences drawn from personal information (AI-generated tags, embeddings, metadata)
8.2 Your California Privacy Rights
- Right to Know: you have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, our business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: you have the right to request deletion of personal information we have collected about you, subject to certain exceptions.
- Right to Correct: you have the right to request that we correct inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale or Sharing: we do not sell your personal information and we do not share your personal information for cross-context behavioural advertising purposes. Therefore, there is nothing to opt out of with respect to the sale or sharing of personal information.
- Right to Limit Use of Sensitive Personal Information: we do not use sensitive personal information for purposes beyond those permitted under the CPRA.
8.3 Non-Discrimination
We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge different prices, provide a different level or quality of service, or suggest that you may receive a different level of service as a result of exercising your rights.
8.4 How to Submit a California Privacy Request
To exercise your California privacy rights, please email [email protected] with the subject line "California Privacy Request". We will verify your identity and respond within 45 days, as required by the CCPA. We do not charge a fee for processing verifiable consumer requests unless a request is excessive or repetitive.
9. Children's Privacy
The Service is not directed to, and is not intended for use by, children under the age of 13. We do not knowingly collect personal information from children under 13 years of age. If you are under 13, please do not use the Service or provide any personal information to us.
If we become aware that we have inadvertently collected personal information from a child under 13, we will take immediate steps to delete that information and close the associated account. If you are a parent or guardian and believe that your child under 13 has provided us with personal information without your consent, please contact us at [email protected] and we will take prompt action.
This policy is intended to comply with the Children's Online Privacy Protection Act (COPPA). Users between the ages of 13 and 18 should review this policy with a parent or guardian.
10. Cookies & Sessions
We use cookies and similar technologies only to the minimum extent necessary to operate the Service. We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party cookies.
10.1 Session Cookies
When you log in, we set a session cookie in your browser that contains an encrypted, server-side session identifier. This cookie is strictly necessary to keep you logged in while you use the Service. It is not used to track your behaviour across websites or to build a profile of you.
- Type: HTTP-only, Secure, SameSite session cookie
- Expiry: the session expires after 30 minutes of inactivity, or when you log out
- Purpose: authentication — strictly necessary for the Service to function
10.2 No Tracking or Analytics Cookies
We do not use Google Analytics, Mixpanel, Segment, Facebook Pixel, or any other analytics, advertising, or tracking service. We do not place any third-party cookies on your device.
10.3 Your Cookie Choices
Because the only cookie we set is the session cookie that is strictly necessary to provide the Service, disabling it (via your browser settings) will prevent you from logging in. You can delete the session cookie at any time by logging out, which invalidates the session on the server side.
11. International Data Transfers
Your personal data is stored on servers located in the United States. If you are accessing the Service from outside the United States — including from the European Economic Area (EEA), Canada, or other jurisdictions — your data may be transferred to and processed in the United States, which may have different data protection laws than your country of residence.
If you are located in the EEA, the United Kingdom, Switzerland, or Canada, by using the Service you acknowledge that your personal data will be transferred to our servers in the United States. We take steps to ensure that any such transfer complies with applicable data protection law. If you have questions about cross-border transfers, please contact us at [email protected].
Stripe, our payment processor, may process payment data in multiple countries in accordance with their own data transfer mechanisms and privacy policy.
12. Canadian Residents (PIPEDA)
If you are a resident of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws protect your personal information. This section explains your rights and our obligations under these laws.
12.1 Your PIPEDA Rights
You have the right to:
- Access your personal information: You have the right to request access to and receive a copy of the personal information we hold about you. To make an access request, email [email protected] with the subject line "PIPEDA Access Request".
- Request correction: If you believe any of your personal information is inaccurate or incomplete, you may request that we correct it. You can update your username and email directly in your account settings, or contact us for other corrections.
- Request deletion: You may request the deletion of your personal information by deleting your account via account settings. All files, account data, and AI-generated metadata associated with your account will be permanently deleted within 30 days.
- Withdraw consent: Where we rely on your consent for processing, you may withdraw that consent at any time by contacting us at [email protected].
- Opt-out of marketing: We do not currently send marketing emails. If we begin to send promotional communications in the future, you will be able to opt out of receiving them.
- Lodge a complaint: If you believe we have not complied with PIPEDA or applicable provincial privacy legislation, you may lodge a complaint with your provincial privacy commissioner or the Office of the Privacy Commissioner of Canada (OPCC). For federal complaints, visit priv.gc.ca.
12.2 How We Use Your Information (PIPEDA Basis)
Under PIPEDA, we may collect and use your personal information only for purposes that are reasonable and legitimate. We collect your information to:
- Establish and maintain your account
- Authenticate your identity when you log in
- Store, organize, and deliver your files
- Provide AI-powered features (on Premium)
- Process payments via Stripe
- Send transactional communications (password resets, receipts, service updates)
- Detect and prevent fraud and abuse
- Comply with legal obligations
12.3 Data Retention in Canada
We retain your personal information only as long as necessary for the identified purposes. When you delete your account, all personal information is permanently deleted within 30 days. Backups may retain data for up to 30 additional days before being rotated and deleted permanently.
12.4 Response Timeline
We will acknowledge receipt of your PIPEDA request within 10 business days and will respond to your request within 30 days unless additional time is required due to complexity.
13. Quebec Residents (Law 25 / Bill 64)
If you are a resident of Quebec, Law 25 (Bill 64) — An Act to modernize legislative provisions as regards the protection of personal information — provides you with enhanced privacy protections beyond PIPEDA. This section explains your additional rights under Quebec law.
13.1 Enhanced Quebec Privacy Rights
In addition to your PIPEDA rights, Quebec residents have the right to:
- Explicit consent for sensitive personal information: We will not collect, use, or disclose sensitive personal information (health, financial, biometric, genetic, or racial/ethnic data) without your explicit, informed consent.
- Easy withdrawal of consent: You may withdraw your consent at any time using a method that is as simple and accessible as the method we used to request consent. To withdraw consent, email [email protected].
- Transparency regarding automated decision-making: If we use automated processes to make decisions that significantly affect you, we will inform you of this and provide the opportunity to review and challenge the decision.
- Right to be forgotten (conditional): You may request deletion of personal information when it is no longer necessary for the identified purpose, except where retention is required by law.
13.2 Consent Management Under Law 25
For Quebec residents, we will obtain explicit consent before:
- Sending marketing or promotional communications
- Using your personal information for purposes beyond those stated when you provided it
- Sharing your information with third parties (beyond Stripe for payment processing)
13.3 Lodging a Complaint (Quebec Commission)
If you believe we have violated your rights under Quebec's privacy laws, you may lodge a complaint with the Commission d'accès à l'information du Québec (CAI). Visit cai.gouv.qc.ca for more information.
14. Anti-Spam Compliance (CASL)
We comply with Canada's Anti-Spam Legislation (CASL), which applies to all electronic commercial messages sent to Canadian addresses, including emails and SMS.
14.1 Our Email Practices
- Transactional emails: We send transactional emails (password resets, receipts, account notifications) without prior consent, as these are necessary for the Service to function. These emails include our sender identification and a contact method.
- Marketing emails: We do not currently send marketing emails. If we begin to send promotional communications in the future, we will only do so to recipients who have provided explicit opt-in consent. All marketing emails will include a clear unsubscribe link and our identification information.
- Unsubscribe mechanism: Any marketing email will include an easy, accessible method to unsubscribe. You can also manage your email preferences in your account settings or contact [email protected] to opt out.
- Sender identification: All emails from aivaux are identified with the sender name "aivaux" and the sender address "[email protected]" or "[email protected]".
14.2 Compliance with CASL Requirements
All messages from aivaux comply with CASL requirements:
- Clear identification of the sender
- Valid contact information
- Accurate subject lines (no deception)
- Unsubscribe option for marketing communications
14.3 Reporting CASL Violations
If you receive promotional or unsolicited commercial messages from aivaux that you did not consent to, please report this to us immediately at [email protected]. You may also report suspected CASL violations to the Canadian Radio-television and Telecommunications Commission (CRTC) at crtc.gc.ca.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We distinguish between material and non-material changes:
- Material changes — changes that significantly affect how we collect, use, or share your personal data — will be communicated to you by email to the address associated with your account at least 30 days before the change takes effect. We will also post a prominent notice on the Service.
- Non-material changes — minor clarifications, formatting updates, or corrections — will be reflected by updating the "Last updated" date at the top of this page without prior notice.
Your continued use of the Service after any change to this Privacy Policy becomes effective constitutes your acceptance of the updated policy. If you do not agree with a material change, you may delete your account before the change takes effect.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
16. Contact & Data Controller
aivaux is the data controller responsible for your personal data. If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- General privacy enquiries: [email protected]
- GDPR / data subject requests: [email protected]
We aim to acknowledge all privacy-related enquiries within 72 hours and to fully respond within 30 days (or within the statutory period required by applicable law, if shorter).
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. For EU residents, you can find your relevant authority at edpb.europa.eu.