Privacy

How HeyAvo handles your data

This policy explains what we collect, why we collect it, how your data is protected, and the controls you have over it.

Last updated: February 22, 2026

Information We Collect

We collect only what is needed to deliver the service, protect your account, and keep the platform reliable.

  • Account profile information: name, email address, and authentication metadata from your sign-in provider.
  • Workspace content: notes, tasks, journal entries, documents, calendar items, project data, and anything else you create in HeyAvo apps.
  • Diagnostic data: limited device and usage telemetry used for reliability monitoring, abuse prevention, and debugging. This is never used for ad targeting.

How We Use Your Data

Data is processed to deliver features you request, protect your account, and improve the platform.

  • Service delivery: syncing content across devices, account management, and cross-app AI context when you initiate it.
  • Security: session verification, fraud prevention, abuse detection, and incident response.
  • Analytics: aggregate and de-identified usage data to improve reliability and inform product decisions. We do not build advertising profiles.

Sharing and Processors

HeyAvo does not sell personal information. We do not run ad targeting.

  • Infrastructure partners (Google Cloud, Firebase, Vercel) operate under restricted processing terms with contractual data protection obligations.
  • AI processing providers receive only the content you explicitly send through HeyAvo's AI features, scoped to that request.
  • Data sharing is limited to what is required to operate the service or comply with legal obligations. No data is sold or used for advertising.

How we protect your data

Security is built into every layer of the platform, from the browser to the database. Here is how each layer works.

Encryption

TLS in transit, GCP-managed encryption at rest

Authentication

Firebase Auth with HttpOnly, Secure, SameSite session cookies

CSRF Protection

SHA-256 derived tokens with timing-safe comparison on every state-changing request

Content Security Policy

Strict CSP headers controlling allowed scripts, styles, and connections to block XSS and injection

Database Rules

Firestore security rules enforce per-user data isolation with admin-only escalation via JWT custom claims

Server Hardening

HSTS (1-year max-age), X-Frame-Options DENY, nosniff, restrictive Permissions-Policy, and referrer controls

Rate Limiting

AI and sensitive endpoints are rate-limited with fail-closed behavior on protected routes

CI/CD Validation

Automated checks validate auth gates, admin route access, and dependency vulnerabilities on every deploy

Request lifecycle

Your Browser
|
TLS encrypted connection
|
Security Headers (CSP, HSTS, X-Frame-Options)
|
CSRF token validated (SHA-256, timing-safe)
|
Session Verification (HttpOnly cookie + Firebase Admin SDK)
|
Rate limit check
|
Firestore Rules (per-user data isolation, admin via JWT claims)
|
Encrypted at rest (GCP platform-managed)
|
Your Data

Your Controls

You are in control of your account data and privacy choices.

  • Export, correct, or delete your data at any time by contacting privacy@heyavo.ai from your account email.
  • GDPR rights (access, rectification, erasure, portability, restriction, objection) are fully supported for users in the EU/EEA.
  • Cookie behavior can be reviewed and managed through browser settings and the Cookie Policy page.
  • AI features process your content only when you explicitly initiate a request. No background scraping or profiling occurs.

Privacy Contact

Questions about how your data is handled or requests to exercise your privacy rights.

For data export, deletion, correction, or any privacy-related inquiry, email us from the address associated with your HeyAvo account. Include your request type and any relevant workspace or date range details so we can respond efficiently.

For privacy questions or requests, contact privacy@heyavo.ai.
