Draft notice: this Privacy Policy is a working draft built from a standard SaaS template. Replace with lawyer-reviewed text (Termly, Iubenda, or counsel) before public launch. Confirm: sub-processor list, retention windows, jurisdiction, contact address.

Privacy Policy

Last updated 2026-04-25 · Version 1

1. Introduction

IAVA Productions (“we”, “us”, “IAVA”) operates the IAVA one platform at iava.one. This Privacy Policy explains what personal information we collect when you use IAVA one, how we use it, who we share it with, and the choices you have.

By creating an account, you accept this Privacy Policy and our Terms of Service. If you do not agree, do not use the service.

2. Information we collect

We collect three categories of personal information:

  • Account information: name, email, password (hashed), and optional profile details you provide.
  • Customer content: data you upload or generate inside IAVA one — clients, leads, projects, invoices, emails (when you connect Gmail), calendar events (when you connect Google Calendar), files, deliverables, notes, AI-extracted facts about your clients.
  • Usage data: page views, feature interactions, error reports (via Sentry), AI-token usage. No cross-site tracking; no advertising identifiers.

We do not knowingly collect data from children under 13. We do not use your customer content to train external AI models.

3. How we use your information

  • Service operation: render dashboards, send emails on your behalf, sync calendars, process invoices, run AI-assisted features (drafts, summaries, scope extraction).
  • AI features: untrusted external content (email bodies, public form input) is wrapped in delimiters and passed to our AI provider (OpenRouter) on a per-request basis. AI providers do not retain or train on your data — see our sub-processor list below.
  • Support: when you contact us, we use your email and any details you share to respond.
  • Security: detect abuse, rate-limit, audit access. OAuth refresh tokens are encrypted at rest with AES-256-GCM.
  • Legal compliance: respond to lawful requests, comply with tax / accounting / GDPR obligations.

4. Sharing & sub-processors

We share data with these sub-processors only to operate the service. We do not sell your data.

  • Supabase (database hosting, auth) — Postgres, encrypted at rest, with row-level security enforcing per-tenant access.
  • Vercel (web hosting) — application server.
  • Stripe (payment processing) — for invoicing your clients and your subscription to IAVA one.
  • OpenRouter (AI API gateway) — per-request AI calls; no retention or training.
  • Resend (transactional email) — sending emails on your behalf when you compose them.
  • Google (Gmail / Calendar OAuth) — when you connect your account; we only use the scopes you grant.
  • Sentry (error monitoring, production only) — anonymized error reports, no customer content.

We will never share your data with advertisers or marketing partners.

5. Retention

We retain your data for as long as your account is active, plus a short window after deletion for backups and legal obligations. When you delete your account or request erasure, we delete your customer content within 30 days from active systems and within 90 days from backups. Audit logs are retained for up to one year.

6. Your rights

You have the following rights regarding your personal data:

  • Access: request a copy of the data we hold about you.
  • Erasure: request deletion of your account and customer content.
  • Portability: export your data in a machine-readable format.
  • Rectification: correct inaccurate data.
  • Object / restrict: object to certain processing or restrict it.
  • Withdraw consent: where processing is based on consent, withdraw at any time.

To exercise these rights, email anton@iava.one. We respond within 30 days. EU residents may also lodge a complaint with their local data protection authority.

7. International data transfers

IAVA one is operated from Canada with sub-processors located in the United States, European Union, and other regions. When data is transferred outside your jurisdiction, we rely on Standard Contractual Clauses (SCCs) and the safeguards required under GDPR / UK GDPR / Swiss FADP. EU business customers can countersign our Data Processing Addendum.

8. Cookies

We use only essential cookies required to keep you signed in (Supabase auth session). We do not use advertising, analytics, or third-party tracking cookies.

9. Security

We protect your data with industry-standard measures: TLS in transit, AES-256-GCM encryption for OAuth refresh tokens at rest, row-level security (RLS) on all customer-scoped tables, HMAC-signed OAuth state parameters, rate limits on public endpoints, and HTTPS-only cookies. No system is perfectly secure; please report vulnerabilities to anton@iava.one.

10. Children

IAVA one is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from minors. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or an in-app prompt before the changes take effect. The version number and last-updated date at the top of this page reflect the current version.

12. Contact

IAVA Productions, Ontario, Canada
Email: anton@iava.one