Privacy Policy
1. Scope & our roles
This policy applies to personal data we process through our websites, applications, and the Avalon platform (the "Service"). It does not apply to third-party sites or services that we do not control.
We act in two different roles:
- As a controller (responsable / controlador): when we decide how and why personal data is processed — for example, account registration, billing, support, marketing, and operating our websites.
- As a processor (encargado / operador): when we process Customer Data, including data ingested from your Connected Platforms, on behalf of and under the instructions of a customer who is the controller. For that processing, our Data Processing Addendum and the customer's own privacy notice govern, and you should direct rights requests to that customer.
2. Who we are & how to contact us
The Service is operated by Avalon, Inc. (United States) and Avalon S.A.S. (Colombia), who are joint or separate controllers depending on your location. For privacy matters you can always reach our privacy team and Data Protection Officer / Oficial de Protección de Datos at privacy@avaloncol.com.
3. Personal data we collect
| Category | Examples | Source |
|---|---|---|
| Account & identity | name, email, password (hashed), profile, organization, role | You; OAuth sign-in providers (Google, Facebook) |
| Authentication | login events, session tokens, two-factor settings, OAuth tokens for Connected Platforms | You; identity & Connected Platforms |
| Billing | plan, billing contact, transaction records (card data is held by our payment processor, not us) | You; payment processor |
| Customer Data | advertising and analytics metrics ingested from Connected Platforms (see Section 4) | Your Connected Platforms |
| Support & communications | messages, contact-form submissions, support tickets | You |
| Usage & device | IP address, device/browser type, pages viewed, feature usage, approximate location, diagnostics | Automatically, via cookies & analytics |
We do not intentionally collect special categories of data (such as health, biometric, or precise geolocation) and ask that you not submit them to the Service.
4. Connected Platform data
When you connect an advertising or analytics account (such as Google Ads, Meta Ads, TikTok Ads, LinkedIn Ads, or Google Analytics 4), we access data through official OAuth authorization. We never receive or store your platform passwords. We store an access/refresh token to retrieve the data you authorize.
The data we ingest is primarily aggregated marketing performance data — campaigns, ad spend, impressions, clicks, conversions, and attribution metrics. To the extent this data includes personal data, we process it as a processor on your behalf and only to provide the Service. Our use of data from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements, and our use of data from Meta, TikTok, and LinkedIn complies with their respective platform terms.
You can disconnect a Connected Platform at any time from your settings, which revokes our ongoing access to that platform.
5. How & why we use data
- provide, operate, maintain, and secure the Service;
- authenticate users, connect platforms, and ingest and normalize your marketing data;
- generate dashboards, insights, drill-downs, AI output, and reports;
- process payments, manage subscriptions, and prevent fraud;
- provide support, respond to requests, and send service and transactional communications;
- monitor, troubleshoot, analyze usage, and improve and develop the Service (including aggregated/de-identified analytics);
- send marketing communications where permitted (you can opt out at any time); and
- comply with law, enforce our terms, and protect our rights and the rights of others.
6. Legal bases for processing
Where the GDPR, LGPD, or similar laws apply, we rely on these legal bases:
- Performance of a contract — to provide the Service you signed up for.
- Legitimate interests — to secure, analyze, and improve the Service, prevent fraud, and conduct direct marketing, balanced against your rights.
- Consent — for certain cookies, marketing, and where otherwise required; you may withdraw consent at any time.
- Legal obligation — to comply with applicable laws, including tax and accounting.
7. AI processing
Avalon's AI features process relevant Customer Data to generate summaries, answers, and suggestions. This may involve transferring data to AI subprocessors listed on our Subprocessors page, under contractual confidentiality and data-protection commitments. We do not authorize our AI subprocessors to use your Customer Data to train their general-purpose models. AI output may be inaccurate and should be reviewed before you rely on it.
10. International data transfers
We operate in the United States, Colombia, and elsewhere, and our subprocessors may process data in other countries. When we transfer personal data across borders, we use appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum), Colombia's rules on international transfers under Decreto 1377, and Brazil's ANPD-approved Standard Contractual Clauses, together with supplementary technical and organizational measures. You may request more information about these safeguards using the contact details below.
11. Data retention
We retain personal data for as long as needed to provide the Service and for the purposes described here, then delete or de-identify it, unless a longer period is required by law (for example, tax and accounting records). Customer Data is retained for the life of your account and is available for export for a limited period after termination (typically 30 days), after which it is deleted in the ordinary course, subject to routine backup cycles and legal holds.
12. Security
We implement technical and organizational measures to protect personal data, including encryption in transit and at rest, strict multi-tenant isolation, least-privilege access controls, and monitoring. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. See our Security page for details.
13. Your rights (general)
Depending on where you live, you may have rights to access, correct, update, delete, restrict, or object to processing of your personal data, to data portability, to withdraw consent, and to lodge a complaint with a regulator. We honor these rights as described in the regional sections below. To make a request, email privacy@avaloncol.com. We will verify your identity and respond within the time required by applicable law. You may use an authorized agent where the law allows, and we will not discriminate against you for exercising your rights.
14. EU / UK — your GDPR rights
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights to: access; rectification; erasure ("right to be forgotten"); restriction of processing; data portability; objection (including to direct marketing and to processing based on legitimate interests); and not to be subject to solely automated decisions producing legal or similarly significant effects. You may withdraw consent at any time, and you may lodge a complaint with your local Data Protection Authority. Where required, we will maintain an EU/UK representative and will provide their details on request.
15. California — CCPA/CPRA notice
If you are a California resident, you have the right to: know and access the categories and specific pieces of personal information we collect, use, and disclose; delete personal information; correct inaccurate personal information; opt out of the "sale" or "sharing" of personal information; and limit the use of sensitive personal information. We will not discriminate against you for exercising these rights.
In the preceding 12 months we collected the categories described in Section 3 (identifiers, customer records, commercial information, internet/usage activity, and inferences), for the business purposes in Section 5, and disclosed them to the recipients in Section 9. We do not sell or share personal information for cross-context behavioral advertising, and we do not knowingly sell or share the personal information of minors under 16. To exercise your rights, email privacy@avaloncol.com. You may use an authorized agent. We will verify requests and respond within the statutory timeframe (generally 45 days, extendable once).
16. Other US state privacy laws
Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) have similar rights to access, correct, delete, obtain a copy of, and opt out of certain processing (including targeted advertising, sale, and certain profiling) of their personal data. We honor these rights and offer an appeal process where required. Submit requests to privacy@avaloncol.com.
17. Colombia — Ley 1581 de 2012
For data subjects (titulares) in Colombia, we process personal data in accordance with Ley Estatutaria 1581 de 2012 and Decreto 1377 de 2013. Your rights (derechos del titular) include to:
- know, update, and rectify your personal data (conocer, actualizar y rectificar);
- request proof of the authorization granted for processing, except where the law makes it unnecessary;
- be informed, on request, about how your data is used;
- file complaints with the Superintendencia de Industria y Comercio (SIC) for breaches of the law; and
- revoke the authorization and/or request deletion of your data where there is no legal or contractual duty to keep it.
We process personal data only with prior, express, and informed authorization, or under another legal basis recognized by Colombian law. To exercise your rights, or to consult our Política de Tratamiento de Datos Personales, contact our data protection officer at privacy@avaloncol.com. We respond to consultas within 10 business days and to reclamos within 15 business days, as required by law (extendable as the law permits).
18. Brazil — LGPD
For data subjects (titulares) in Brazil, we process personal data under the Lei Geral de Proteção de Dados (Lei nº 13.709/2018). Your rights under Article 18 include confirmation of processing; access; correction; anonymization, blocking, or deletion of unnecessary or excessive data; portability; deletion of data processed with consent; information about with whom we share data; and withdrawal of consent. We respond to requests within the timeframe set by the LGPD. International transfers from Brazil rely on ANPD-approved Standard Contractual Clauses or another permitted mechanism. Contact our encarregado (DPO) at privacy@avaloncol.com.
19. Children's privacy
The Service is intended for business use and is not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact us and we will delete it.
20. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice. We review and update this policy at least every 12 months.
21. How to contact us
For any privacy question or to exercise your rights, contact our privacy team / Data Protection Officer at privacy@avaloncol.com. If you are not satisfied with our response, you may contact your local data protection authority — for example, the SIC in Colombia, the ANPD in Brazil, your EU/UK Data Protection Authority, or the California Privacy Protection Agency.