AvalaAvala
Book a Demo

Privacy Policy

Effective date: October 3, 2023Last updated: March 8, 2026

Thank you for choosing to be part of our community at Avala AI, Inc. ("Avala," "we," "us," or "our"). We are committed to protecting your personal information and your right to privacy. If you have any questions or concerns about this policy or our practices with regard to your personal information, please contact us at privacy@avala.ai.

This privacy policy applies to all information collected through our websites (including avala.ai), mobile applications ("Apps"), platform services (including Mission Control, our annotation platform, APIs, and SDKs), and any related services, sales, marketing, or events (collectively, the "Services").

Please read this privacy policy carefully — it will help you make informed decisions about sharing your personal information with us.

1. What Information Do We Collect?

In Short: We collect personal information that you provide to us, information generated automatically when you use our Services, and limited information from third-party sources.

Information You Provide

We collect personal information that you voluntarily provide when you register for or use our Services, request information, participate in activities on the Services, or contact us. This includes:

  • Account Information. Full name, email address, phone number, company name, job title, and similar contact data.
  • Payment Information. Billing address and payment method details. Payment processing is handled by our third-party payment processors — we do not store full credit card numbers.
  • Mobile Wallet Information. If applicable, the telephone numbers associated with your mobile wallet (e.g., M-PESA) or other payment provider addresses.
  • Profile Information. If you provide it, we may store your date of birth, national identification number (or equivalent), and other identifying information required for coworker onboarding and compliance purposes.
  • Credentials. Passwords and similar security information used for authentication and account access.
  • Content You Submit. Annotations, comments, feedback, support requests, and other content you create or upload through the Services.
  • Social Login Data. If you register using a third-party account (such as Google, Apple, or GitHub), we receive certain profile information from that provider. See Section 6 below.

All personal information you provide must be true, complete, and accurate. You must notify us of any changes.

Information Collected Automatically

When you visit or use our Services, we automatically collect certain technical and usage information:

  • Device and Browser Data. IP address, browser type and version, operating system, device identifiers, language preferences, and device characteristics.
  • Usage Data. Pages visited, features used, referring URLs, click patterns, session duration, and other interaction data.
  • Location Data. Approximate location derived from your IP address. For our mobile Apps, we may request access to precise geolocation — you can manage this in your device settings.
  • Cookies and Similar Technologies. We use cookies, web beacons, pixels, and similar tracking technologies. See Section 5.

Information Collected Through Our Apps

If you use our Apps, we may also collect:

  • Mobile Device Access. With your permission, we may access your camera, microphone, storage, and other device features necessary for annotation tasks. You can manage these permissions in your device settings.
  • Mobile Device Data. Device model, manufacturer, operating system version, and unique device identifiers.
  • Push Notifications. We may send push notifications regarding your account or tasks. You can opt out via your device settings.

Information From Other Sources

We may receive information about you from third-party sources such as public databases, marketing partners, analytics providers, and social media platforms. We will inform you about the source and type of information collected within a reasonable period, and no later than one month after obtaining the data.

2. How Do We Use Your Information?

In Short: We process your information based on legitimate business interests, contractual obligations, legal compliance, and/or your consent.

We use the information we collect to:

  • Provide and operate the Services, including account creation, authentication, task delivery, annotation workflows, and customer support.
  • Process payments and manage billing for your account.
  • Deliver targeted work and training opportunities to coworkers, tailored to skills, interests, location, and prior performance.
  • Communicate with you, including service updates, security alerts, administrative messages, and responses to your inquiries.
  • Improve and develop our Services, including usage analysis, identifying trends, evaluating feature effectiveness, and training our internal systems.
  • Train and improve AI models. We may use aggregated, anonymized, or de-identified annotation data and platform usage patterns to improve our AI-assisted annotation tools, quality assurance models, and platform features. We do not use your personal information (name, email, etc.) for AI model training. See Section 7 for details on how Customer Materials are handled.
  • Ensure safety and security, including fraud detection, abuse prevention, and enforcing our terms.
  • Comply with legal obligations, including responding to lawful requests from public authorities.
  • Conduct research and analytics using aggregated or anonymized data that cannot be linked back to you.

3. Will Your Information Be Shared With Anyone?

In Short: We share information only with your consent, to comply with law, to provide Services, to protect rights, or to fulfill business obligations.

We may share your data based on the following legal grounds:

  • Consent. Where you have given specific consent for a particular purpose.
  • Legitimate Interests. Where reasonably necessary to achieve our legitimate business interests, provided your rights do not override those interests.
  • Performance of a Contract. To fulfill our contractual obligations to you.
  • Legal Obligations. Where required by applicable law, regulation, court order, or governmental request, including to meet national security or law enforcement requirements.
  • Vital Interests. Where necessary to investigate potential violations, suspected fraud, threats to safety, or illegal activity.

Specifically, we may share your data with:

  • Service Providers. Third-party vendors who perform services on our behalf (e.g., cloud hosting, payment processing, analytics, customer support, email delivery). These providers are contractually required to protect your data and may only use it for the purposes we specify.
  • Business Transfers. In connection with any merger, acquisition, sale of assets, or bankruptcy proceeding, your information may be transferred as a business asset.
  • Affiliates. Our parent company, subsidiaries, and joint venture partners, who are required to honor this privacy policy.
  • Business Partners. To offer you certain products, services, or promotions in collaboration with our partners.
  • Other Users. Information you share publicly on the Services (such as comments or profile information) may be visible to other users.

We do not sell your personal information.

4. Who Are Our Third-Party Service Providers?

In Short: We share data with a limited number of trusted third parties to deliver our Services.

  • Authentication: Google Sign-In, Apple Login, GitHub Login, Auth0
  • Cloud Infrastructure: Amazon Web Services (AWS)
  • Communication: Intercom
  • Payment Processing: Stripe, PayPal, Apple Pay, Google Pay, Wise, Workpay
  • Analytics: Google Analytics, Mixpanel, Vercel Analytics
  • Error Monitoring: Sentry, Firebase Crashlytics
  • Performance Monitoring: Firebase Performance Monitoring

If you wish to revoke consent for any data processing, please contact us at privacy@avala.ai.

5. Do We Use Cookies and Other Tracking Technologies?

In Short: Yes. We use cookies and similar technologies to collect and store information.

We use cookies, web beacons, pixels, and similar technologies to operate and improve our Services, remember your preferences, understand usage patterns, and deliver relevant content.

Types of cookies we use:

  • Essential Cookies. Required for the Services to function (e.g., authentication, security).
  • Analytics Cookies. Help us understand how you interact with the Services.
  • Preference Cookies. Remember your settings and choices.

Managing cookies: Most browsers allow you to control cookies through their settings. You can block or delete cookies, but this may affect your ability to use certain features of the Services. For full details on the cookies we use and how to manage them, see our Cookie Policy.

6. How Do We Handle Social and Third-Party Logins?

In Short: If you register or log in using a third-party account, we receive certain profile information from that provider.

Our Services allow you to register and log in using third-party accounts (such as Google, Apple, or GitHub). The profile information we receive varies by provider but typically includes your name, email address, and profile picture.

We use this information only for the purposes described in this privacy policy. We do not control how third-party providers use your data — we recommend reviewing their respective privacy policies.

Our App supports "Sign In With Apple," which may use Face ID or Touch ID for authentication. Our app has no access to biometric data that Apple processes. For details, see Apple's privacy policy.

7. AI Data Processing and Customer Materials

In Short: Customer annotation data remains your property. We may use anonymized and aggregated data to improve our platform.

Avala is an AI data infrastructure company. Our customers upload datasets and receive annotation services. Regarding data used in connection with our AI tools:

  • Customer Materials remain yours. All data you upload and all annotation work product created on your behalf are owned by you, subject to the licenses described in our Terms of Service.
  • No personal data in AI training. We do not use your personal information (name, email, etc.) to train AI models.
  • Aggregated and anonymized data. We may use anonymized, aggregated, or de-identified data derived from platform usage to improve our annotation tools, quality models, and platform features. This data cannot reasonably be used to identify you or your organization.
  • Opt-out. Enterprise customers may opt out of aggregated data usage through their service agreement. Contact your account representative or privacy@avala.ai for details.

8. Is Your Information Transferred Internationally?

In Short: We may transfer, store, and process your information in countries other than your own.

Our primary infrastructure is hosted on Amazon Web Services (AWS) in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States and potentially other countries where our service providers operate.

For transfers from the European Economic Area (EEA), United Kingdom, and Switzerland, we rely on the Data Privacy Framework (see Section 18) and, where applicable, Standard Contractual Clauses approved by the European Commission.

9. What Is Our Stance on Third-Party Websites?

In Short: We are not responsible for the privacy practices of third-party websites linked from our Services.

Our Services may contain links to third-party websites, services, or applications not operated by us. We cannot guarantee the privacy or security of data you provide to third parties. We encourage you to review the privacy policies of any third-party services you interact with.

10. How Long Do We Keep Your Information?

In Short: We retain your information only as long as necessary for the purposes described in this policy, unless a longer period is required by law.

We retain personal information for as long as your account is active or as needed to provide the Services. After account termination, we will delete or anonymize your personal information within 90 days, except where retention is necessary for:

  • Legal, tax, or accounting obligations
  • Fraud prevention and security
  • Enforcement of our agreements
  • Backup archives (securely isolated until deletion is possible)

11. How Do We Keep Your Information Safe?

In Short: We implement industry-standard technical and organizational security measures.

We protect your data through encryption in transit (TLS) and at rest, access controls, regular security assessments, and employee training. Our infrastructure is hosted in SOC 2-certified data centers, and we maintain security certifications as described on our Security page.

However, no electronic transmission or storage method is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

12. What Are Your Privacy Rights?

Your Rights Under GDPR (EEA, UK, and Switzerland)

If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:

  1. Access — Request a copy of the personal data we hold about you
  2. Rectification — Request correction of inaccurate or incomplete data
  3. Erasure — Request deletion of your personal data, subject to legal retention requirements
  4. Restriction — Request restricted processing of your data
  5. Portability — Request your data in a structured, machine-readable format
  6. Objection — Object to processing based on legitimate interests
  7. Withdraw Consent — Withdraw consent at any time (without affecting the lawfulness of prior processing)

As described in Section 18, we comply with the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework.

To exercise these rights, contact privacy@avala.ai. You may also lodge a complaint with your local data protection supervisory authority: EEA authorities, UK ICO, or Swiss FDPIC.

Your Rights Under CCPA/CPRA (California)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) grants you the following rights:

  1. Right to Know — Request disclosure of the categories and specific pieces of personal information we collect, use, and share
  2. Right to Delete — Request deletion of your personal information
  3. Right to Correct — Request correction of inaccurate personal information
  4. Right to Opt Out of Sale/Sharing — We do not sell or share your personal information for cross-context behavioral advertising
  5. Right to Non-Discrimination — We will not discriminate against you for exercising your rights

To exercise these rights, contact privacy@avala.ai or submit a request through our platform. We will verify your identity before processing any request.

If you are under 18, reside in California, and have a registered account, you may request removal of content you have publicly posted. Contact us with the email associated with your account and a statement that you reside in California.

Your Rights Under Kenyan Data Protection Law

Users in Kenya have the following rights:

  1. The right to be informed about collection of your personal data
  2. The right to access your personal data and information about how we process it
  3. The right to request correction of inaccurate or incomplete data
  4. The right to request erasure, subject to legal retention obligations
  5. The right to object to or withdraw consent for processing
  6. The right to request restricted processing
  7. The right to data portability
  8. The right to lodge a complaint with the Office of the Data Protection Commissioner

To exercise these rights, contact privacy@avala.ai.

Account Information

You may review, update, or terminate your account at any time by contacting us. Upon termination, we will deactivate or delete your account and information from active databases, subject to the retention requirements in Section 10.

Cookies and Tracking

Most browsers allow you to manage cookie preferences. You can also opt out of interest-based advertising at www.aboutads.info/choices.

Email Marketing: You can unsubscribe from marketing emails at any time by clicking the unsubscribe link in our emails or contacting us. Service-related communications necessary for account administration will continue.

13. Global Privacy Control

We recognize the Global Privacy Control (GPC) signal as a valid opt-out preference signal where required by applicable law. If your browser or device sends a GPC signal, we will treat it as a request to opt out of the sale or sharing of personal information (where applicable) and limit non-essential tracking.

14. What Is Our Policy on Minors?

In Short: We do not knowingly collect data from or market to individuals under 18.

The Services are not directed to individuals under 18 years of age (or a higher age where required by local law). If we become aware that we have collected personal information from a minor, we will promptly delete it. If you believe we hold information from a minor, please contact privacy@avala.ai.

15. Do We Make Updates to This Policy?

In Short: Yes. We will update this policy as necessary to remain compliant with applicable laws.

We may update this privacy policy from time to time. The updated version will be indicated by a revised "Last Updated" date. If we make material changes, we will notify you by email or prominent notice on our Services. Your continued use of the Services following such changes constitutes acceptance of the updated policy.

16. How Can You Contact Us?

If you have questions about this policy, you may contact us at:

Email: privacy@avala.ai

Data Protection Officer: Emal Alwis — dataprotectionofficer@avala.ai

We aim to respond to all legitimate requests within 30 days. If your request is complex or you have made multiple requests, we may take up to 60 days and will notify you of the extension.

17. How Can You Access, Update, or Delete Your Data?

To request access to, correction of, or deletion of your personal information, please email privacy@avala.ai.

We retain personal data only as long as necessary for the purposes described in this policy. We will also retain and use your data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

18. Data Privacy Framework Certification

Avala AI, Inc. has self-certified its commitment to comply with the Data Privacy Framework Principles (DPF Principles) as established by the U.S. Department of Commerce:

  • EU-U.S. DPF for personal data transfers from the European Union and EEA
  • UK Extension to the EU-U.S. DPF for personal data transfers from the United Kingdom and Gibraltar
  • Swiss-U.S. DPF for personal data transfers from Switzerland

In cases of conflict between this privacy policy and the DPF Principles, the DPF Principles shall prevail. To view our certification, visit dataprivacyframework.gov.

Complaints: EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data under the DPF should contact privacy@avala.ai with the subject "Data Privacy Framework."

We commit to cooperate with the panel established by EU data protection authorities (DPAs), the UK Information Commissioner's Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) regarding unresolved complaints.

Independent Dispute Resolution: If we have not satisfactorily addressed your DPF complaint, you may submit it to the JAMS Data Privacy Dispute Resolution Program, which is provided at no cost to you.

Binding Arbitration: Under certain conditions described on the Data Privacy Framework website, you may invoke binding arbitration when other dispute resolution options have been exhausted.

Onward Transfers: If Avala transfers personal data to a third-party agent, we remain liable under the DPF Principles if the agent processes that data in a manner inconsistent with the Principles, unless we can prove we are not responsible for the event giving rise to the damage.

Avala AI, Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).