Privacy Policy
This Privacy Policy explains what personal data Auvaco collects, why we collect it, how we use it, who we share it with, and the rights you have over it. We are committed to processing personal data only where there is a lawful basis to do so, and to telling you plainly what we do — without legalese where we can avoid it.
This policy is written in compliance with the EU General Data Protection Regulation (Reg. (EU) 2016/679 — "GDPR"), the German Federal Data Protection Act (BDSG), and the data protection law of Curaçao (Landsverordening bescherming persoonsgegevens).
On this page
1. Controller & EU Representative
The data controller responsible for processing your personal data is:
Controller Johannes Pfeiffer, trading as AuvacoCorosolweg 8, Villapark Zurzaak
Willemstad, Curaçao
Email: contact@auvaco.ai
Because the controller is established outside the European Economic Area, an EU representative has been designated pursuant to Article 27 GDPR:
EU Representative (Art. 27 GDPR) TIM Company GmbHc/o Factory Berlin
Rheinsberger Str. 76/77
10115 Berlin, Germany
Email: info@timcompany.de
Data subjects in the EU/EEA may contact either the controller or the EU representative on any matter relating to the processing of their personal data.
We have not appointed a Data Protection Officer (DPO). Under Art. 37 GDPR / § 38 BDSG this is not required: we are a sole proprietor without employees regularly processing personal data on a large scale.
2. What We Collect
Auvaco is a marketing operating system. Customers connect their third-party marketing accounts (e.g. Google Ads, Meta Ads, LinkedIn, Zoho CRM), and our agents observe, draft, and — where explicitly authorised — execute actions on those accounts. The categories of personal data we process are listed below.
2.1 Account & profile data
- Name, business email address, and chosen display name
- Workspace name, role, and account type (solo, agency, etc.)
- Authentication metadata (login timestamps, IP address of last login)
2.2 OAuth tokens for connected providers
When you authorise Auvaco to connect to a third-party marketing
platform (Google Ads, Meta, LinkedIn, Zoho), we receive and store
OAuth refresh and access tokens that allow us to query that
platform on your behalf. These tokens are encrypted at rest using
symmetric Fernet encryption and stored in our database in a
table separate from your account profile (account_secrets).
We never share these tokens with any party other than the issuing
provider themselves.
2.3 Synced marketing data
On your explicit instruction, Auvaco fetches data from your connected marketing platforms and stores it in our database so our agents can analyse it. Depending on the platforms you connect, this may include:
- Google Ads: campaigns, ad groups, keywords, search terms, ads, ad assets, audience reports, Quality Score snapshots, click-view (gclid) records, change history, and Google-issued recommendations.
- Meta Ads (Facebook / Instagram): campaigns, ad sets, ads, creative metadata, and daily insight metrics (impressions, clicks, spend, conversions, demographics).
- LinkedIn: posts you choose to draft and publish via Auvaco; the publishing member's URN and display name; post receipts after publishing.
- Zoho CRM: deals, leads, accounts, contacts and the custom fields you explicitly map; status transitions; deal amounts and dates.
This data may contain personal data of third parties (e.g. names of leads or contacts in your CRM, demographic segments from your ad accounts). You remain the controller of that data; Auvaco is the processor. A Data Processing Agreement (DPA) is available on request at contact@auvaco.ai.
2.4 Agent & product usage data
- Chat messages you send to Auvaco's agents and the responses generated
- Content drafts produced by our drafter agents (LinkedIn posts, Meta ads, email sequences, creative briefs)
- Audit log entries (
audit_events): a structured trail of agent runs, observations, approvals, and write actions executed against connected providers - Brand Core: the structured representation of your business — positioning, ICP, offers, performance signals — that you and our agents collaboratively build
2.5 Marketing-site & analytics data
- Server log files (IP address, user agent, requested URL, referrer, timestamp) — kept short-term for security and abuse prevention
- Google Analytics measurements (only if you have consented via the cookie banner) — anonymised page-view, session, and device data
3. How We Use Your Data
- To provide the service: authenticate you, render your workspace, run the agents you have activated against the data you have connected.
- To execute approved actions on connected providers:
e.g. add negative keywords to Google Ads, pause an
underperforming Meta ad, publish an approved LinkedIn post.
Every such action is logged in
audit_eventswith the actor, asset reference, and outcome. - To improve the product: aggregate usage signals to understand which agents are most valuable, where users get stuck. We do not train AI models on your data (see §5 on Anthropic).
- To support and communicate with you: respond to support requests, send transactional emails (account confirmations, security alerts).
- To comply with legal obligations where applicable.
4. Lawful Basis (Art. 6 GDPR)
- Performance of a contract (Art. 6(1)(b) GDPR): for everything required to provide the Auvaco service to you — account creation, agent runs, executing actions you've authorised.
- Legitimate interest (Art. 6(1)(f) GDPR): for security, anti-abuse measures, basic server logs, and product improvement signals. Our legitimate interest is the secure and reliable operation of the service.
- Consent (Art. 6(1)(a) GDPR): for non-essential cookies, Google Analytics, and any future product communications you opt into. You may withdraw consent at any time.
- Compliance with legal obligations (Art. 6(1)(c) GDPR): where applicable.
5. Sub-processors
Auvaco is built on a small set of trusted infrastructure and AI providers. Each of these processes some category of data on our behalf. We have appropriate data processing terms in place with each (e.g. Standard Contractual Clauses where the provider is outside the EU/EEA).
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase, Inc. | Primary database, authentication, file storage | All application data (encrypted at rest) | United States (us-east-2) |
| Anthropic PBC | LLM API (Claude Sonnet / Haiku) for agent reasoning + content drafting | Chat messages, Brand Core context, drafter prompts. Anthropic does not train on data submitted via the API. | United States |
| Perplexity AI, Inc. | Web research (Sonar API) used during strategy generation | Research prompts derived from your workspace (e.g. competitor names, market questions) | United States |
| Google LLC | Google Ads API (sync + execute), Google Fonts (DM Sans) | Google Ads OAuth tokens; campaign / search-term data on read; mutate operations on write (e.g. negative keywords) — only on your explicit approval | United States & EU |
| Meta Platforms, Inc. | Meta Marketing API (Facebook / Instagram ads) | Meta OAuth tokens; campaigns, ad sets, ads, insights on read; ad / creative creation + pause on write (write capability enabled only after Meta's Marketing API Access Tier approval and your explicit step-by-step approval) | United States & Ireland |
| LinkedIn Corporation | LinkedIn API (publish to personal timeline) | LinkedIn OAuth tokens; post drafts that you have approved for publishing; published-post receipts | United States & Ireland |
| Zoho Corporation | Zoho CRM API (read CRM records) | Zoho OAuth tokens; CRM records (deals, leads, accounts, contacts) on read only — Auvaco does not write back to Zoho in this release | Region depends on your Zoho data centre (EU / US / IN / AU) |
| Google Analytics (Google Ireland Ltd.) | Marketing-site analytics on auvaco.ai (consent-gated) | Anonymised page-view, session, device data — only with your consent via the cookie banner | Ireland & United States |
A current, dated list of sub-processors is available on request. We notify customers in advance of any material change to this list (typically 30 days).
6. International Transfers
Several of our sub-processors are located in the United States. Where personal data of EU/EEA data subjects is transferred to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs, Decision (EU) 2021/914) and, where applicable, the EU-US Data Privacy Framework, as concluded between the relevant sub-processor and Auvaco.
The controller itself (Johannes Pfeiffer / Auvaco) is established in Curaçao. Curaçao is not currently the subject of an EU adequacy decision under Art. 45 GDPR. However, the operational processing of your data takes place in the US-East-2 region of Supabase and in the data centres of our other sub-processors as listed above. The controller's physical location in Curaçao does not in itself involve a cross-border transfer of your data outside those processor locations. For accountability and the exercise of GDPR rights, our EU representative (TIM Company GmbH, Berlin) serves as your point of contact.
7. Retention
We retain personal data only as long as we need it:
- Account & profile data: for as long as your workspace exists; deleted within 30 days of account deletion.
- OAuth tokens: until you disconnect the provider in Auvaco (which triggers immediate token deletion in our database) or for 60 days after the underlying token's natural expiry, whichever comes first.
- Synced marketing data: for as long as the connection is active; deleted within 30 days of disconnecting the provider or deleting the workspace.
- Audit events: 12 months from creation, then deleted.
- Server logs: 14 days.
- Google Analytics data: 14 months (GA default).
- Backups: our database provider maintains rolling backups for up to 30 days, after which deletion is irreversible.
Some data must be retained longer to comply with legal obligations (e.g. tax-relevant records). Where this is the case, that data is restricted from further processing.
8. Your Rights
Under the GDPR you have the following rights regarding your personal data:
- Right of access (Art. 15): request confirmation whether and what personal data we hold about you, and receive a copy.
- Right to rectification (Art. 16): have inaccurate or incomplete data corrected.
- Right to erasure (Art. 17, "right to be forgotten"): have your personal data deleted, subject to limited exceptions. See our Data Deletion page for the practical process.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on our legitimate interests.
- Right to withdraw consent (Art. 7(3)): where processing is based on consent (e.g. analytics), withdraw it at any time.
- Right to lodge a complaint (Art. 77): with a supervisory authority. In Germany this is the data protection authority of the federal state in which you reside; in other EU/EEA member states, the equivalent national authority.
To exercise any of these rights, please email contact@auvaco.ai or contact our EU representative TIM Company GmbH at info@timcompany.de. We respond within one month, as required by Art. 12(3) GDPR.
9. Cookies & Analytics
Auvaco uses two kinds of cookies on its marketing site (auvaco.ai) and inside the product:
- Strictly necessary cookies: required for the service to function (session authentication, CSRF protection, workspace selection). These are set without consent because they are essential to the service you requested.
- Analytics cookies (Google Analytics): used to measure how visitors find and use the marketing site. These are only set if you grant consent via our cookie banner. You may withdraw consent at any time by reopening the banner from the footer.
We do not use third-party advertising cookies, retargeting pixels, or social-tracking pixels on auvaco.ai.
10. Children
Auvaco is a B2B service intended for business users. It is not directed at, and we do not knowingly collect personal data from, children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Security
We take technical and organisational measures appropriate to the risk, including:
- TLS encryption for all data in transit.
- Symmetric encryption (Fernet) of all OAuth tokens at rest.
- Row-level security in the application database scoping every query to the authenticated workspace.
- Per-workspace daily rate limits on outbound API calls to connected providers, with provider-specific cool-off enforcement on 429 responses.
- Audit logging of every agent run, observation, and write action.
- Use of reputable infrastructure providers (Supabase, Anthropic) with their own SOC 2 / ISO 27001 attestations.
No system is perfectly secure. In the event of a personal-data breach likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay (within 72 hours where feasible), as required by Art. 33 / 34 GDPR.
12. Changes to This Policy
We may update this Privacy Policy as the product evolves or to reflect legal changes. Material changes will be communicated by email to active workspace owners and through a notice in the product. The "Last updated" date at the top of this page always reflects the current version.
Contact
Questions about this Privacy Policy or how we handle your data:
contact@auvaco.ai.
EU representative (Art. 27 GDPR):
info@timcompany.de —
TIM Company GmbH, c/o Factory Berlin, Rheinsberger Str. 76/77,
10115 Berlin, Germany.