Draft v0.5 — pending legal review. Reviewed structurally against the live site and the current subprocessor list. Spanish abogado (Angel Javier D., Barcelona Bar) engaged 2026-05-26; redlines expected within 1–2 weeks — those will bump this to v1.0.

Legal

Privacy Policy

Version 0.5 · Last updated 27 May 2026

Controller: AVA Digital LLC, Wyoming, USA — trade name (EU): AVA Digital (operating from Marbella, Spain). Privacy contact: [email protected].

1. Who we are

AVA Digital LLC ("AVA", "we", "us") is a Wyoming-incorporated company operating from Spain. We provide the InTake conversational AI front-desk service to business customers ("Operators"). This policy explains how we handle personal data of visitors to avadigital.ai itself — prospective customers browsing our marketing site, signing up for InTake, or chatting with the AI assistant embedded on our site.

This policy is governed by the EU General Data Protection Regulation (GDPR), the Spanish LOPDGDD (Organic Law 3/2018), and the EU AI Act (Regulation 2024/1689) for the on-site AI assistant.

2. What personal data we collect, why, and on what legal basis

2.1 When you browse the site (always)

| Data | Purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| IP address, browser user-agent, page-view timestamps | Security (rate-limit, abuse detection), infrastructure logs | 6(1)(f) legitimate interests | 30 days in raw logs; aggregated stats indefinitely |
| Strictly-necessary cookies (session, CSRF) | Make the site work | 6(1)(f) + ePrivacy "strictly necessary" exception | session-scoped |

2.2 Analytics

We do not currently use third-party web analytics on avadigital.ai. No Google Analytics, no Plausible, no Mixpanel, no Hotjar — nothing. If we add an analytics service in the future, it will be listed in §4 below, gated behind explicit cookie consent (and disabled by default), and announced on this page at least 30 days before deployment.

2.3 When you fill in the "Request a demo" / contact form

| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Name, work email, business name, message text | Reply to your enquiry, qualify the lead, propose a demo | 6(1)(b) pre-contractual measures at your request | Up to 24 months from last contact; deleted on request |

2.4 When you chat with the AI assistant on avadigital.ai

| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Your typed messages + the assistant's replies | Answer your questions about InTake; route you to sales | 6(1)(b) pre-contractual measures + 6(1)(f) product improvement | 90 days |
| Session identifier (HMAC pseudonym, not your IP) | De-duplicate, enforce rate limits | 6(1)(f) | 90 days |

The AVA-site AI assistant is the same InTake conversational engine we sell to our Operators, configured here for AVA's own front-desk. Under EU AI Act Article 50, the first message always discloses you are talking to an AI. This is a limited-risk AI system — no automated decision-making with legal effects, no profiling for targeted advertising.

2.5 When you sign up for an InTake account

The account-signup flow collects, via Google sign-in, your name, email address, and profile picture from your Google account; if you connect a Google Calendar, the OAuth refresh token (encrypted at rest on AVA's infrastructure); and your operator allow-list status. Legal basis: 6(1)(b) contract / pre-contractual measures. From the moment you become an Operator, the Data Processing Agreement governs the controller–processor relationship for the personal data your end-customers send into your tenant — that flow is not covered by this policy.

3. Cookies and similar technologies

See the dedicated Cookie Policy for the per-cookie inventory, purposes, durations, and the consent UI. The Cookie Policy and this Privacy Policy are kept in lockstep — when one changes the other is reviewed in the same pass.

4. Who we share your data with

We do not sell your personal data. We share narrowly with the following recipients, each bound by a written contract and (for non-EU recipients) the EU Standard Contractual Clauses Module 2:

| Recipient | Role | Location | Mechanism |
|---|---|---|---|
| Google LLC — Gemini API (Cloud, billing-enabled) | Process chat messages with the on-site AI assistant ("Lilou"); Google Calendar API for operator booking | US (with EU model routing where available) | SCC Module 2 + EU-US Data Privacy Framework + Google Cloud Data Processing Addendum + zero-retention configuration |
| Resend, Inc. | Send replies to contact-form submissions and booking confirmations | US | SCC Module 2 + signed Resend DPA |
| Cloudflare, Inc. | CDN, DDoS protection, TLS termination, Pages hosting; may process IP addresses + request metadata in transit | US HQ / global edge | SCC Module 2 + Cloudflare DPA |
| AVA Digital's own infrastructure (first-party — not a subprocessor) | Application servers + database for avadigital.ai itself | Marbella, Spain (EU) | N/A (controller's own systems) |

The current authoritative list (with names + roles + jurisdictions) is published in our internal Subprocessors register and available on request. Material additions are announced on this page at least 30 days before they take effect.

5. International transfers

The three subprocessors listed in §4 (Google, Resend, Cloudflare) are based in the United States. We rely on the following safeguards, layered:

  1. EU Standard Contractual Clauses (SCCs) — Module 2 (controller→processor), adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, signed with each of the three providers via their respective Data Processing Addenda.
  2. EU-US Data Privacy Framework (DPF) — Google LLC is certified under the DPF, providing an additional adequacy basis for transfers to the United States.
  3. Supplementary technical measures — TLS 1.2+ in transit; encryption at rest; zero-retention configuration with the Gemini API (chat content is not used to train Google's foundation models and is not retained on Google's side beyond the request); IP and request-metadata access at Cloudflare is limited to routing + security purposes.

A copy of the relevant SCCs and our transfer impact assessment is available on request to [email protected].

6. Your rights

Under GDPR Articles 15–22 you have the right to:

To exercise any of these, email [email protected]. We respond within 30 days as required by Art. 12(3).

7. Automated decision-making and profiling

The AVA-site AI assistant does not make automated decisions that produce legal or similarly significant effects about you under GDPR Art. 22. It answers questions, routes you to a human in sales, and offers to book a demo. There is no profiling for targeted advertising and no scoring of visitors.

8. Children

avadigital.ai is not directed at children and we do not knowingly collect data from anyone under 16. If you believe a child has used the site, contact us and we will delete the relevant data.

9. Security

We protect data with encryption in transit (HTTPS) and at rest, strict access controls, audit logging, and the technical measures set out in Annex II of our Data Processing Agreement. Our incident-response process notifies the AEPD within 72 hours of becoming aware of a notifiable breach (GDPR Art. 33).

10. Changes to this policy

We may update this policy as the site, the AI assistant, or our subprocessor mix changes. Material changes are announced at the top of this page at least 30 days before they take effect; minor clarifications are made silently with an updated "Last updated" date. The current version is always available at avadigital.ai/privacy.

Change log

11. Contact

Data Controller: AVA Digital LLC

Email: [email protected]

EU Representative (Art. 27 GDPR): Not required. AVA Digital LLC's principal resides and operates from Spain, which constitutes a stable arrangement in the EU under GDPR Article 3(1) establishment criterion (per EDPB Guidelines 3/2018 on the territorial scope of the GDPR). Processing is therefore directly subject to GDPR Art. 3(1) and Art. 27 representative appointment is not applicable. Subject to confirmation by external counsel during the v1.0 review.

Postal address (US): 1603 Capitol Ave, Ste 415, Cheyenne, WY 82001, USA (D-U-N-S 136864260)

Postal address (Spain operations): Marbella, Spain (EU)

Lead supervisory authority: AEPD — Agencia Española de Protección de Datos · C/ Jorge Juan, 6 · 28001 Madrid · www.aepd.es