Privacy Policy

AvairAI, Inc. ("AvairAI," "Company," "we," "us," "our") is committed to protecting privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our website and platform and services (collectively, the "Services").

By accessing or using the Services, you acknowledge that you have read and understand this Privacy Policy.

1. Scope and Roles

AvairAI operates in two primary roles:

1. AvairAI Prospect Database (Controller / Business): AvairAI acts as a data controller (or "business" under certain U.S. laws) for the professional contact database we make available within the Services (the "AvairAI Database").
2. Customer Data Processing (Processor / Service Provider): For data uploaded, synced, or otherwise provided by our customers (including Customer-uploaded contacts and CRM sync data), AvairAI generally acts as a data processor (or "service provider/processor" under certain U.S. laws), processing such data on the customer's behalf.

Customers may also act as independent controllers for their own outreach activities.

2. Information We Collect

2.1 Information You Provide to Us

We collect information you provide directly, including:

• Account information: name, email address, password, company name, job title, phone number.
• Payment information: billing address and payment details (processed by our payment processor, e.g., Stripe).
• Campaign content / Customer Content: website URLs, case studies, messaging content, email templates, and call scripts (including edits).
• Contact lists: contact information you upload for campaigns (names, business emails, phone numbers, titles, companies).
• Communications: messages you send to us (support requests, feedback).
• CRM data (if enabled): contact and deal information synced from connected CRMs (e.g., HubSpot, Salesforce, Pipedrive).

2.2 Information We Collect Automatically

When you access or use the Services, we may collect:

• Usage information: pages viewed, features used, campaigns created, actions taken.
• Device/log information: browser type, OS, device identifiers, IP address, access times, referring URLs, error logs.
• Cookies and similar technologies: to provide functionality, analytics, and security.

2.3 Information from Third Parties

We may receive information from third parties, including:

• Authentication providers (e.g., Auth0) when you sign in.
• CRM platforms when you enable integrations.
• Analytics providers (e.g., PostHog, Google Analytics) in aggregated or event form.

3. AvairAI Prospect Database (105M Professional Contacts)

3.1 Data Sources

AvairAI maintains a database of approximately 105 million professional contacts. This data may be sourced from:

• Licensed third-party data providers (e.g., Surmountify) with redistribution rights for B2B outbound marketing use within our platform;
• Other lawful sources (e.g., public business contexts, professional directories), as permitted by our vendor agreements and applicable law.

3.2 Controller/Processor Roles

• AvairAI as Controller: AvairAI determines the purposes and means of processing for the AvairAI Database.
• Customer as Controller (for Outreach): When a customer selects and uses contacts for outreach, the customer typically becomes a separate controller for their outreach activities and is responsible for lawful basis/consent.
• AvairAI as Processor (for Execution): Where AvairAI executes campaigns on a customer's behalf, AvairAI may act as a processor for that execution.

3.3 Legal Basis (EU/UK/EEA)

Where GDPR/UK GDPR applies, AvairAI processes AvairAI Database data generally under legitimate interests in enabling B2B professional communications, balanced with individuals' rights. Individuals can object and request removal.

3.4 Data Accuracy Disclaimer

We do not guarantee the accuracy, completeness, or currency of data in the AvairAI Database. Verification and classification results are informational aids only and do not guarantee accuracy, deliverability, or current employment.

4. How We Use Information

We use information we collect to:

• Provide, maintain, and improve the Services;
• Process transactions and manage accounts;
• Execute campaigns on customers' behalf (including sending emails and initiating AI-powered phone calls where enabled);
• Generate AI-powered content (email templates, call scripts, campaign recommendations);
• Provide contact verification and phone classification services;
• Synchronize data with connected CRMs;
• Send technical notices, updates, security alerts, and support messages;
• Monitor and analyze usage and trends;
• Detect, investigate, and prevent fraud, abuse, and illegal activity;
• Comply with legal obligations.

5. AI Processing and Automated Features

5.1 AI Technologies Used

AvairAI may use AI technologies to provide features such as:

• Google Gemini (or other LLMs): generating messaging, email templates, call scripts, and recommendations;
• ElevenLabs: powering AI Call Agents and storing call recordings/transcripts;
• Internal models: predictions, optimizations, and verification-related logic.

5.2 AI-Generated Content

Customers can review and edit AI-generated content before use. AI outputs may contain errors or inaccuracies; customers remain responsible for review and for complying with applicable laws.

5.3 AI Voice Communications

AI Call Agents generate artificial voice communications. Customers are responsible for ensuring required consent (including PEWC where required) and other legal requirements before initiating AI voice calls. AvairAI may enforce gating in-product based on customer markings and compliance checks.

5.4 Call Recording and Transcription

Calls may be recorded and transcribed for service operation, quality assurance, dispute defense, and service improvement. Call recordings and transcripts are retained for 30 days by default. Customers are responsible for complying with applicable recording consent laws.

6. How We Share Information

6.1 Service Providers (Subprocessors)

We use third-party service providers ("subprocessors") to help us operate the Services. A current list is maintained at https://www.avair.ai/subprocessors.

6.2 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction.

6.3 Legal Requirements and Protection of Rights

We may disclose information to comply with law, respond to lawful requests, and protect rights, safety, and security.

7. Third-Party Integrations

7.1 Microsoft 365 Integration

When you connect your Microsoft 365 account to AvairAI, we access certain data through Microsoft Graph API to provide email integration services.

Data We Access

When you authorize AvairAI to connect to your Microsoft 365 account, we request the following permissions:

• Email Sending (Mail.Send): To send emails on your behalf through your connected Microsoft 365 mailbox for campaign communications.
• Email Read/Write (Mail.ReadWrite): To verify sent emails and track delivery status in your sent items folder.
• User Profile (User.Read): To read your email address for mailbox identification.
• Offline Access (offline_access): To maintain the connection and refresh access tokens without requiring frequent re-authentication.

How We Use Microsoft 365 Data

• Sending campaign emails from your connected Microsoft 365 mailbox
• Verifying email delivery status
• Displaying your email address in mailbox settings
• Maintaining the authenticated connection

Data We Do NOT Access

• Your existing emails, inbox content, or email history
• Your contacts, address book, or contact lists
• Your calendar, events, or scheduling information
• Your files, documents, or OneDrive content
• Your Microsoft Teams messages or chats

Data Storage and Security

• OAuth Tokens: Encrypted at rest using AES-256 encryption.
• No Password Storage: We never store your Microsoft password; authentication uses Microsoft's secure OAuth 2.0 flow.
• Automatic Token Refresh: Access tokens are refreshed automatically as needed.

Revoking Access

You can disconnect your Microsoft 365 account at any time:

• Within AvairAI: Account Settings → Email Settings → Click "Disconnect"
• Within Microsoft: Visit https://account.microsoft.com/privacy/app-access and remove "AvairAI Email Integration"

When you revoke access, we immediately delete the stored OAuth tokens.

Microsoft 365 Data Retention

• OAuth tokens are deleted immediately when you disconnect your mailbox.
• Email sending logs (metadata only) are retained per our general data retention policies.
• We do not retain copies of email content sent through Microsoft 365.

Your use of Microsoft 365 is also subject to Microsoft's Privacy Statement.

7.2 Google Sign-In

We offer Google Sign-In as an authentication option for your convenience. When you choose to sign in with Google, we only access basic profile information to create and personalize your AvairAI account:

• Basic Profile: Your name and email address from your Google account
• Authentication: Secure sign-in without creating another password
• Account Creation: Using your Google profile to set up your account

Important Notes About Google Sign-In

• We do not access your Gmail, Google Drive, Calendar, or any other Google services
• Google Sign-In is optional - you can also create an account with email/password
• We never use your Google profile data for advertising or sale to third parties
• Your Google profile information is stored securely with encryption
• You can manage your Google permissions at https://myaccount.google.com/permissions
• Revoking Google access will require you to sign in with email/password on next visit

7.3 Google API Services

AvairAI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

8. International Data Transfers

AvairAI is based in the United States and processes data primarily in the United States. If you access the Services from outside the U.S., your information may be transferred to and processed in the U.S. and other countries where we or our providers operate.

For transfers of personal data from the EU/UK/Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and the UK Addendum/IDTA where applicable.

9. Your Rights and Choices

9.1 General Rights

Depending on your location, you may have rights to access, correct, delete, or obtain a copy of your information, and to opt out of certain processing.

9.2 Rights for Individuals in the AvairAI Database

If your professional contact information appears in the AvairAI Database, you may request:

• Access (confirmation and copy)
• Correction
• Deletion
• Objection / Opt-out (including objection to processing for direct marketing)

We respond to verified requests within timelines required by applicable law (typically 30 days for GDPR and 45 days for CCPA, with extensions where permitted).

9.3 Privacy Rights Portal and Verification

Requests are handled via our Privacy Rights Portal and/or by email. Verification is via email-only: we send a verification link to the email address on record.

9.4 Effect of Opt-Out (AvairAI Database Suppression)

If you opt out of the AvairAI Database, we will suppress your record from being provided via the AvairAI Database going forward.

A customer may still contact you through AvairAI if the customer independently obtained your information and has its own lawful basis/permission to contact you (for example, you directly provided your information to that customer). In such cases, the customer acts as an independent controller for their outreach.

10. Additional Information for Europe/UK/EEA

Where GDPR/UK GDPR applies, you may have rights including access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your supervisory authority.

If and when required under GDPR Article 27 (e.g., where we are not established in the EU/UK but are subject to GDPR/UK GDPR), we will appoint an EU/UK representative and provide contact details in this Policy or on our website.

11. Additional Information for California (CCPA/CPRA)

California residents may have rights to know, delete, correct, and opt out of certain disclosures characterized as "sale" or "sharing" under California law. We do not sell personal information for money. If our disclosures are characterized as "sharing," we provide opt-out mechanisms through our Privacy Rights Portal.

12. Data Security

We implement appropriate technical and organizational measures designed to protect information against unauthorized access, alteration, disclosure, or destruction. No method of transmission or storage is 100% secure.

13. Data Retention

We retain information for as long as necessary to provide the Services and fulfill the purposes described in this Policy, including:

• Account data: while your account is active and for a reasonable period thereafter.
• Campaign data: for the duration of your subscription and for a limited period thereafter (recommended default: 12 months) unless a longer period is required for dispute defense or compliance.
• Call recordings/transcripts: 30 days by default.
• Compliance and audit records (e.g., consent attestation logs, suppression logs): retained for a period consistent with legal defense needs (recommended default: 5 years).
• Suppression: opt-outs are maintained to prevent reintroduction.

We delete or anonymize data when it is no longer needed, subject to backups and legal holds.

14. Children's Privacy

The Services are not intended for individuals under 18. We do not knowingly collect personal information from children.

15. Changes to this Privacy Policy

We may update this Policy from time to time. We will post the updated Policy and change the "Last Updated" date. If changes are material, we will provide additional notice via email or within the Services.