Legal

Privacy Policy

Effective June 14, 2026 · Version 1.0

This Privacy Policy explains how AVora (“AVora,” “we,” “us”) collects, uses, discloses, and protects information when you visit avoraops.com (the “Site”), request a demo, or access the AVora platform as an authorized user of a customer tenant (the “Service”).

1. Who we are and our role

For information processed through the Site and our sales process, AVora acts as a data controller. For operational data processed inside a customer tenant workspace, AVora acts as a data processoron behalf of the customer (“Customer”), who is the controller. Processing of tenant data is governed by the customer’s master service agreement and Data Processing Addendum (“DPA”), which take precedence over this policy where they conflict.

2. Information we collect

  • Contact and demo-request data — name, work email, company, role, and any message text you voluntarily submit through our forms.
  • Operational telemetry (tenant data) — when your organization uses a tenant workspace, AVora ingests AV device, room, meeting, firmware, and network-evidence telemetry from the third-party integrations your organization has authorized.
  • Account and authentication metadata — sign-in timestamps, IP address, device/user-agent string, multi-factor authentication status, and session and audit records, used for security, fraud prevention, and compliance.
  • Support communications — records of correspondence when you contact us for support or sales.
  • Site usage data — aggregate, privacy-respecting analytics about traffic patterns on the Site. We do not use third-party advertising trackers or sell personal information.

3. How we use information

  • To provide, operate, secure, and improve the Service and Site.
  • To respond to inquiries and provide customer support.
  • To detect, investigate, prevent, and respond to security incidents and abuse.
  • To send transactional and service messages (for example, security alerts and account notices).
  • To comply with legal, regulatory, and contractual obligations.

4. Legal bases for processing (EEA/UK)

Where the GDPR or UK GDPR applies, we rely on the following legal bases: performance of a contract (providing the Service); legitimate interests (securing and improving the Service, and B2B marketing to business contacts); consent (where required, such as certain cookies); and compliance with legal obligations.

5. Cookies and similar technologies

The Site uses strictly necessary cookies (for example, session and CSRF protection) and privacy-respecting analytics. The Service uses first-party cookies required for authentication and security. We do not use cross-site advertising cookies. Where required by law, we request consent before setting non-essential cookies.

6. How we share information

We do not sell personal information. We share information only with:

  • Subprocessors who provide infrastructure on our behalf under written data-protection terms (see Section 7).
  • The relevant Customer, for tenant data we process as a processor.
  • Authorities or third parties where required by law, legal process, or to protect the rights, safety, and security of AVora, our customers, or the public.
  • A successor entity in connection with a merger, acquisition, or asset sale, subject to this policy.

7. Subprocessors

We use a limited set of vetted infrastructure subprocessors — including cloud hosting, transactional email delivery, and observability — each bound by contractual confidentiality and security obligations. A current subprocessor list is available on request via privacy@avoraops.com. Customers under a DPA may subscribe to advance notice of subprocessor changes.

8. International data transfers

AVora may process information in countries other than where you are located. Where we transfer personal data internationally, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or an equivalent recognized mechanism.

9. Data isolation and security

AVora is a multi-tenant platform with strict isolation enforced at the database, application, and edge layers; tenant data is never shared across tenants. We apply defense-in-depth controls including encryption in transit (TLS) and at rest, AES-256-GCM encryption of connector and integration credentials, role-based access control, enforced multi-factor authentication, rate limiting, and comprehensive audit logging. No system is perfectly secure, but we work to protect information using industry-standard measures.

10. Data retention

Marketing and demo-request submissions are retained for up to 24 months unless you ask us to delete them sooner. Tenant operational data follows the retention policy configured by each tenant’s administrator and the applicable DPA. Audit and security records are retained as needed for security and legal compliance.

11. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, port, or restrict the processing of personal information about you, and to object to certain processing or withdraw consent. California residents have rights under the CCPA/CPRA, including the right to know, delete, and opt out of “sale” or “sharing” (we do neither). To exercise any right, email privacy@avoraops.com. If you are an authorized user of a Customer tenant, please direct requests to your organization, which controls that data; we will assist the Customer as their processor.

12. Children’s privacy

The Service is a business product not directed to children, and we do not knowingly collect personal information from anyone under 16.

13. Changes to this policy

We may update this policy from time to time. We will revise the “Effective” date and version above and, for material changes, provide notice to active tenant administrators.

14. Contact

Privacy questions or requests: privacy@avoraops.com. For legal notices, see our Terms of Use.