
Privacy Policy
We are a privacy company. This document is a precise statement of what we do — and do not do — with your information.
Contents
Overview
This Privacy Policy explains how Avallis LLC ("we", "us", "our") collects, uses, stores, and protects information in connection with the Avallis platform, available at www.avallis.io ("the Service"). This policy applies to all users of the Service, including visitors to our marketing website.
We are a privacy company. That means this document is not a formality — it is a precise statement of what we do and do not do with your data. If something is not in this policy, we do not do it.
If you have questions after reading this, contact us at privacy@avallis.io. We read every message.
Zero-Knowledge Architecture
The most important thing to understand about our Service is its technical architecture: your encryption key is generated in your browser and never transmitted to our servers. This is not a policy choice — it is a technical constraint.
What this means in practice: all data you store in your Personal Data Vault is encrypted with AES-256-GCM before it leaves your device. We receive and store only ciphertext — encrypted data that is mathematically meaningless without your key. We are structurally incapable of reading, decrypting, or sharing the contents of your vault.
If we receive a lawful demand for your data, we can produce only encrypted ciphertext. We cannot produce plaintext data because we do not have it. This is not a limitation we regret — it is the entire point.
Information We Collect
Account Information
When you register, we collect your email address and your Sovereign Key ID (if using MetaMask authentication) or OAuth provider identity (if using Google or GitHub). We use this to identify your account and send you transactional communications.
Encrypted Vault Data
Your Golden Record and any data you enter into your vault is encrypted in your browser and stored as ciphertext in our database. We do not have access to the plaintext contents. We store the encrypted payload, a cryptographic sentinel value used to verify your key on sign-in, and blockchain anchor hashes.
Consent Records
We store records of data-sharing consents you grant and revoke — who you shared with, what categories were shared, when, and for how long. These records are stored in plaintext because they are operational audit data, not sensitive personal data.
Usage and Technical Data
We collect standard server logs including IP addresses, browser type, pages visited, and timestamps for security monitoring, abuse prevention, and performance optimization. These logs are retained for 90 days and are not sold or shared with third parties.
Communications — Email
If you contact us by email or through our contact form, we retain that correspondence to respond to you and improve the Service.
Communications — SMS / Text Messages
If you provide your mobile phone number and opt in to SMS notifications, we use Azure Communication Services to send you transactional text messages. These messages include: data share approval requests (notifying you that a business or individual has requested access to your vault), one-time passcodes (OTP) for phone number verification, and security alerts for your account. Message frequency varies based on your activity. Standard carrier message and data rates may apply. You can opt out at any time by replying STOP to any message or by disabling SMS notifications in your account settings. For help, reply HELP or contact privacy@avallis.io. We do not send marketing or promotional SMS messages.
How We Use Your Information
- To create and manage your account
- To authenticate you on sign-in via encrypted sentinel verification
- To send transactional emails: invite links, security notifications, account confirmations
- To send transactional SMS messages when you opt in: share approval notifications, one-time passcodes, and security alerts
- To anchor vault record hashes to the Polygon blockchain for integrity verification
- To detect and prevent fraud, abuse, and unauthorized access
- To respond to support and legal inquiries
- To comply with applicable laws and regulations
We do not use your data for advertising. We do not build behavioral profiles. We do not sell, rent, or license your data to third parties for marketing purposes.
Data We Do Not Sell
We do not sell your personal data. We do not share your personal data with data brokers, advertising networks, or analytics platforms that monetize user data.
Our business model is enterprise API access: organizations pay us for the ability to receive verified, consent-gated data packages from users who explicitly choose to share with them. When you share data through our platform, the receiving organization gets what you authorized — nothing more. We do not retain a copy of the shared data on their behalf.
This is a structural commitment, not just a policy. We are not building a data business that profits from aggregating your information.
Blockchain Data
When you create or update a vault record, we write a SHA-256 hash of your encrypted data to a smart contract on the Polygon blockchain. This hash is a cryptographic fingerprint — it cannot be reversed to reveal your underlying data.
Blockchain transactions are permanent and public by nature. The hash posted on-chain does not contain any personally identifiable information. It is a fixed-length string that proves your data existed in a particular state at a particular time.
Your wallet address, if used for blockchain interactions, is also public on-chain. This is inherent to how public blockchains operate and is why we designed the system so that no PII is included in on-chain data.
SMS / Text Message Policy
Avallis sends SMS text messages only to users who have explicitly provided their mobile phone number and opted in to SMS notifications within their account settings. We do not send unsolicited text messages.
Types of messages we send: (1) Data share approval notifications — alerting you when a business or individual requests access to your encrypted vault; (2) One-time passcodes (OTP) for phone number verification; (3) Security alerts for unusual account activity. We do not send marketing or promotional SMS messages.
Message frequency varies based on your activity. Most users receive fewer than 5 messages per month.
To opt out: reply STOP to any message, or disable SMS notifications in Account Settings. You will receive one final confirmation and no further messages.
To opt back in: re-enable SMS notifications in Account Settings or text START.
For help: reply HELP to any message or email privacy@avallis.io.
Standard message and data rates from your mobile carrier may apply.
SMS delivery provider: Azure Communication Services (Microsoft). Your phone number is not shared with any other third party for SMS purposes.
Data Retention
Active accounts
We retain your account data and encrypted vault for as long as your account is active or as needed to provide the Service.
Account deletion
When you delete your account, your encrypted vault, registration record, and session data are deleted from our active systems within 30 days. Encrypted data may persist in backups for up to 90 days, after which it is purged.
Blockchain anchors
Blockchain records are permanent by design. Deleting your account removes your data from our servers but does not remove hashes from the Polygon blockchain. Those hashes cannot be used to reconstruct your data.
Logs
Server logs are retained for 90 days for security and operational purposes.
Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
- Access: request a copy of the personal data we hold about you
- Correction: request that inaccurate data be corrected
- Deletion: request deletion of your account and associated data
- Portability: export your encrypted vault data in a machine-readable format
- Objection: object to certain processing of your personal data
- Restriction: request that we restrict processing of your data in certain circumstances
- Withdrawal of consent: revoke data-sharing consents at any time within the platform
To exercise any of these rights, contact us at privacy@avallis.io. We will respond within 30 days. Note that because of our zero-knowledge architecture, we cannot provide you with decrypted vault contents — only you hold the key that can decrypt that data.
Security
We implement industry-standard security measures to protect your information: AES-256-GCM encryption at rest for all vault data, TLS 1.3 in transit, Azure-managed infrastructure with access controls, and cryptographic sentinel verification for authentication.
No system is perfectly secure. In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities as required by applicable law.
Because your vault contents are encrypted with a key we do not hold, a breach of our systems would expose only encrypted ciphertext — not your plaintext data. This is the security advantage of our zero-knowledge architecture.
Children's Privacy
The Service is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact us at privacy@avallis.io and we will delete it promptly.
International Users
The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States where our servers are located and our database is operated.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland: we rely on your consent as the legal basis for processing your personal data. You have the rights described in Section 09, consistent with the GDPR. For California residents: you have rights under the CCPA as described in Section 09.
Changes to This Policy
We may update this policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and by posting a notice on the Service at least 14 days before changes take effect.
Your continued use of the Service after a policy change takes effect constitutes your acceptance of the revised policy. If you disagree with the changes, you may delete your account before they take effect.
Contact
For privacy-related questions, requests, or complaints, contact us at:
Still have questions about your data?
We answer real emails from real people.