Privacy Policy

Data Controller

Ava – Innovation Companion is operated by Digital Creative Academy, Switzerland. For privacy inquiries, please use the contact form. If required under GDPR, we will publish the contact details of our EU representative in this policy.

Age Requirement

The Service is available only to individuals aged 18 and above who are pursuing business, product, or creative innovation projects. We do not knowingly collect personal data from minors. If you believe a minor has provided personal information, contact us so we can delete it.

What Data We Process

• Account Credentials: Username, encrypted email, and hashed password required to operate the Service securely.
• Session Usage: Allowance counters, timestamps, and entitlement status so we can enforce trial limits, bundle validity, and innovation workflow availability.
• Payment References: Stripe customer IDs, payment intent IDs, and bundle purchase metadata. We do not receive or store full card numbers or billing addresses.
• Support Messages: Messages you send via the contact form along with your contact details so we can respond.
• Security Logs: Minimal technical logs (hashed IP, user agent fingerprint, error traces) retained briefly to prevent abuse.

We intentionally do not store conversation transcripts. AI conversations are processed in real time, delivered to you, and discarded immediately after the session. OpenAI temporarily retains API inputs for up to 30 days strictly for abuse monitoring in line with their policies. We do not opt in to OpenAI’s training programs.

Legal Basis for Processing

We process personal data under Swiss data protection law (FADP), GDPR, and other applicable regulations using the following bases:

• Consent: When you create an account you consent to processing your username, encrypted email, and password to deliver the Service. You may withdraw consent at any time by deleting your account.
• Contractual Necessity: Account data, session usage, and payment references are required to provide the Service you have requested or purchased.
• Legitimate Interest: We maintain security, prevent abuse, and gather aggregated analytics to improve the Service while respecting your privacy rights.
• Legal Obligations: Limited payment and accounting records may be processed to comply with tax, anti-fraud, or other legal requirements.

Payment Handling

• Processor: Stripe, Inc. processes all payments as a PCI DSS Level 1 provider.
• Tokenization: Stripe tokenizes card data. We see only payment status, amounts, and customer IDs.
• Saved Methods: Optional payment method storage is handled by Stripe Link. You can remove saved details through Stripe.
• Receipts: Stripe may send invoices or receipts to the email you provide. We do not send marketing emails.

Analytics & Tracking

We do not use third-party analytics services, advertising trackers, tracking pixels, or cookies beyond what is strictly necessary to maintain a secure session. Essential HTTPOnly cookies and signed tokens maintain your login state and protect against CSRF. Aggregated analytics (e.g., trial counts, session usage) are computed without persistent identifiers. We do not sell or share data with marketing services, social media platforms, or analytics providers.

Anonymous Payments

Payment processing does not require extensive personal information. You can complete purchases using only the information needed for transaction processing. We do not require identification documents or social security numbers for regular payments.

Data Retention

• Account Data: Retained while your account remains active. Deleting your account removes stored credentials, usage counters, and dormant session tokens immediately.
• Dormant Accounts: Accounts with no activity for 365 consecutive days are purged automatically along with associated tokens.
• Support Messages: Retained while we address your inquiry and for audit purposes for up to 12 months.
• Security Logs: Deleted within 30 days unless extended for an active investigation.
• Stripe Records: Stripe retains payment data in accordance with their legal obligations (typically up to 7 years). Contact Stripe directly to request deletion of payment data.
• Backups: Encrypted backups rotate on a 30-day schedule, after which deleted items fall out of backup sets.

International Data Transfers

Stripe, OpenAI, Render, and Google may process data in the United States or other jurisdictions. Transfers rely on Standard Contractual Clauses or equivalent safeguards. We periodically review these providers’ security commitments to ensure adequate protection.

Security Measures

• Encryption in transit (HTTPS/WSS) and at rest for stored data.
• Access control with multi-factor authentication for operational staff.
• Regular internal audits and vendor assessments.
• Breach notification procedures consistent with FADP/GDPR requirements.

Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data; restrict or object to processing; withdraw consent; and lodge a complaint with a supervisory authority. Requests can be submitted via the authenticated account tools or the contact form. We may need to verify your identity before fulfilling a request.

Managing Your Data

• Account Deletion: Use the in-product account deletion option or contact us. Deletion removes stored credentials and session allowances.
• Stripe Data: To remove payment methods or customer profiles, use the Stripe Customer Portal link provided in receipts or contact Stripe support.
• Support Records: Request removal of support correspondence via the contact form.

Third-Party Providers

• Stripe: Payment processing and billing. Stripe Privacy Policy.
• OpenAI: AI inference. OpenAI Privacy Policy.
• Render: Hosting infrastructure. Render Privacy Policy.
• Google (Gmail): Email delivery. Google Privacy Policy.

Cookies

We use only essential HTTPOnly cookies and short-lived local storage entries required for authentication, session management, and security. No advertising or analytics cookies are set.

Automated Decision Making

Ava’s responses are generated by machine learning models provided by OpenAI. Automated outputs may be inaccurate or unsuitable for business, financial, or compliance decisions. We do not profile users or make legal/financial decisions based on automated processing.

Security Incidents

If we discover a breach affecting your personal data, we will notify affected users and relevant authorities in line with Swiss and EU legal requirements, including timelines mandated by FADP and GDPR.

Complaints

You may lodge complaints with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or the supervisory authority in your EU member state of residence. We encourage you to contact us first so we can address your concerns promptly.

Records of Processing & Data Protection Officer

As a small enterprise with fewer than 250 employees and whose data processing poses negligible risk to data subjects, we are exempt from maintaining formal Records of Processing Activities under GDPR Article 30(5) and Swiss FADP Article 12(5).

Appointment of a Data Protection Officer is not required under GDPR Article 37 or Swiss FADP Article 10, as our core activities do not involve large-scale monitoring of individuals or large-scale processing of special category data. These exemptions are documented in the applicable legislation.

Updates

We may update this Privacy Policy to reflect legal or operational changes. We will post the revision date at the top of the page. Continued use after changes take effect signifies acceptance.

Effective Date: January 1, 2026

By using the Service you agree to this Privacy Policy and our Terms & Conditions.