Avallis

Privacy Policy

We are a privacy company. This document is a precise statement of what we do — and do not do — with your information.

Effective date: March 19, 2026
01

Overview

This Privacy Policy explains how Avallis LLC ("we", "us", "our") collects, uses, stores, and protects information in connection with the Avallis platform, available at www.avallis.io ("the Service"). This policy applies to all users of the Service, including visitors to our marketing website.

We are a privacy company. That means this document is not a formality — it is a precise statement of what we do and do not do with your data. If something is not in this policy, we do not do it.

If you have questions after reading this, contact us at privacy@avallis.io. We read every message.

02

Zero-Knowledge Architecture

Key commitment

The most important thing to understand about our Service is its technical architecture: your encryption key is generated in your browser and never transmitted to our servers. This is not a policy choice — it is a technical constraint.

What this means in practice: all data you store in your Personal Data Vault is encrypted with AES-256-GCM before it leaves your device. We receive and store only ciphertext — encrypted data that is mathematically meaningless without your key. We are structurally incapable of reading, decrypting, or sharing the contents of your vault.

If we receive a lawful demand for your data, we can produce only encrypted ciphertext. We cannot produce plaintext data because we do not have it. This is not a limitation we regret — it is the entire point.

03

Information We Collect

Account Information

When you register, we collect your email address and your Sovereign Key ID (if using MetaMask authentication) or OAuth provider identity (if using Google or GitHub). We use this to identify your account and send you transactional communications.

Encrypted Vault Data

Your Golden Record and any data you enter into your vault is encrypted in your browser and stored as ciphertext in our database. We do not have access to the plaintext contents. We store the encrypted payload, a cryptographic sentinel value used to verify your key on sign-in, and blockchain anchor hashes.

Consent Records

We store records of data-sharing consents you grant and revoke — who you shared with, what categories were shared, when, and for how long. These records are stored in plaintext because they are operational audit data, not sensitive personal data.

Usage and Technical Data

We collect standard server logs including IP addresses, browser type, pages visited, and timestamps for security monitoring, abuse prevention, and performance optimization. These logs are retained for 90 days and are not sold or shared with third parties.

Communications — Email

If you contact us by email or through our contact form, we retain that correspondence to respond to you and improve the Service.

Communications — SMS / Text Messages

If you provide your mobile phone number and opt in to SMS notifications, we use Azure Communication Services to send you transactional text messages. These messages include: data share approval requests (notifying you that a business or individual has requested access to your vault), one-time passcodes (OTP) for phone number verification, and security alerts for your account. Message frequency varies based on your activity. Standard carrier message and data rates may apply. You can opt out at any time by replying STOP to any message or by disabling SMS notifications in your account settings. For help, reply HELP or contact privacy@avallis.io. We do not send marketing or promotional SMS messages.

04

How We Use Your Information

  • To create and manage your account
  • To authenticate you on sign-in via encrypted sentinel verification
  • To send transactional emails: invite links, security notifications, account confirmations
  • To send transactional SMS messages when you opt in: share approval notifications, one-time passcodes, and security alerts
  • To anchor vault record hashes to the Polygon blockchain for integrity verification
  • To detect and prevent fraud, abuse, and unauthorized access
  • To respond to support and legal inquiries
  • To comply with applicable laws and regulations

We do not use your data for advertising. We do not build behavioral profiles. We do not sell, rent, or license your data to third parties for marketing purposes.

05

Data We Do Not Sell

Key commitment

We do not sell your personal data. We do not share your personal data with data brokers, advertising networks, or analytics platforms that monetize user data.

Our business model is enterprise API access: organizations pay us for the ability to receive verified, consent-gated data packages from users who explicitly choose to share with them. When you share data through our platform, the receiving organization gets what you authorized — nothing more. We do not retain a copy of the shared data on their behalf.

This is a structural commitment, not just a policy. We are not building a data business that profits from aggregating your information.

06

When We Share Information

Service Providers

We use third-party service providers to operate the Service: Microsoft Azure (cloud infrastructure and database), Azure Communication Services (transactional email and SMS text messages), Stripe (payment processing), and Polygon (public blockchain for integrity anchoring). These providers process data only as directed by us under data processing agreements.

Legal Requirements

We may disclose information if required by law, court order, or governmental authority. Because of our zero-knowledge architecture, any such disclosure would include only ciphertext, account metadata (email, Sovereign Key ID), and server logs — not the contents of your vault.

Business Transfers

If we are acquired, merge with another company, or transfer our assets, your information may transfer as part of that transaction. We will notify you before your information is subject to a materially different privacy policy.

With Your Consent

We share data with third parties only when you explicitly instruct us to, through the consent grants in your vault. You can revoke these grants at any time.

07

Blockchain Data

When you create or update a vault record, we write a SHA-256 hash of your encrypted data to a smart contract on the Polygon blockchain. This hash is a cryptographic fingerprint — it cannot be reversed to reveal your underlying data.

Blockchain transactions are permanent and public by nature. The hash posted on-chain does not contain any personally identifiable information. It is a fixed-length string that proves your data existed in a particular state at a particular time.

Your wallet address, if used for blockchain interactions, is also public on-chain. This is inherent to how public blockchains operate and is why we designed the system so that no PII is included in on-chain data.

08

SMS / Text Message Policy

Avallis sends SMS text messages only to users who have explicitly provided their mobile phone number and opted in to SMS notifications within their account settings. We do not send unsolicited text messages.

Types of messages we send: (1) Data share approval notifications — alerting you when a business or individual requests access to your encrypted vault; (2) One-time passcodes (OTP) for phone number verification; (3) Security alerts for unusual account activity. We do not send marketing or promotional SMS messages.

Message frequency varies based on your activity. Most users receive fewer than 5 messages per month.

To opt out: reply STOP to any message, or disable SMS notifications in Account Settings. You will receive one final confirmation and no further messages.

To opt back in: re-enable SMS notifications in Account Settings or text START.

For help: reply HELP to any message or email privacy@avallis.io.

Standard message and data rates from your mobile carrier may apply.

SMS delivery provider: Azure Communication Services (Microsoft). Your phone number is not shared with any other third party for SMS purposes.

09

Data Retention

Active accounts

We retain your account data and encrypted vault for as long as your account is active or as needed to provide the Service.

Account deletion

When you delete your account, your encrypted vault, registration record, and session data are deleted from our active systems within 30 days. Encrypted data may persist in backups for up to 90 days, after which it is purged.

Blockchain anchors

Blockchain records are permanent by design. Deleting your account removes your data from our servers but does not remove hashes from the Polygon blockchain. Those hashes cannot be used to reconstruct your data.

Logs

Server logs are retained for 90 days for security and operational purposes.

09

Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Access: request a copy of the personal data we hold about you
  • Correction: request that inaccurate data be corrected
  • Deletion: request deletion of your account and associated data
  • Portability: export your encrypted vault data in a machine-readable format
  • Objection: object to certain processing of your personal data
  • Restriction: request that we restrict processing of your data in certain circumstances
  • Withdrawal of consent: revoke data-sharing consents at any time within the platform

To exercise any of these rights, contact us at privacy@avallis.io. We will respond within 30 days. Note that because of our zero-knowledge architecture, we cannot provide you with decrypted vault contents — only you hold the key that can decrypt that data.

10

Security

We implement industry-standard security measures to protect your information: AES-256-GCM encryption at rest for all vault data, TLS 1.3 in transit, Azure-managed infrastructure with access controls, and cryptographic sentinel verification for authentication.

No system is perfectly secure. In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities as required by applicable law.

Because your vault contents are encrypted with a key we do not hold, a breach of our systems would expose only encrypted ciphertext — not your plaintext data. This is the security advantage of our zero-knowledge architecture.

11

Browser Storage and Tracking

We do not use advertising cookies, tracking pixels, behavioral analytics, or any third-party tracking tools (no Google Analytics, Meta Pixel, Mixpanel, Hotjar, or similar). Our server-side logs serve our operational needs without third-party data sharing.

We use the following browser storage to operate the Service:

sessionStorage (cleared when your browser tab closes)

avallis_oauth_session — preserves your OAuth login state across the Google or GitHub redirect cycle. Automatically cleared when the tab closes or login completes. oauth_provider and oauth_mode — track which OAuth provider you selected during login; cleared immediately after login completes.

localStorage (persists across visits)

avallis-theme — remembers your display preference (light or dark mode). avallis-theme-manual — stores your manual theme choice with a 24-hour expiry. avallis_idle_pref — remembers your session auto sign-out timeout setting. avallis_cookie_consent — stores your response to our cookie consent notice so we do not ask again.

Third-party OAuth providers

If you sign in with Google or GitHub, those providers may set their own cookies in your browser subject to their privacy policies. We do not control, read, or share those cookies.

Your encryption key

Your vault encryption key is held in JavaScript memory (React state) only — never written to localStorage, sessionStorage, cookies, or any server. It is gone when you close or reload the tab.

12

Children's Privacy

The Service is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact us at privacy@avallis.io and we will delete it promptly.

13

International Users

The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States where our servers are located and our database is operated.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland: we rely on your consent as the legal basis for processing your personal data. You have the rights described in Section 09, consistent with the GDPR. For California residents: you have rights under the CCPA as described in Section 09.

14

Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and by posting a notice on the Service at least 14 days before changes take effect.

Your continued use of the Service after a policy change takes effect constitutes your acceptance of the revised policy. If you disagree with the changes, you may delete your account before they take effect.

15

Contact

For privacy-related questions, requests, or complaints, contact us at:

CompanyAvallis LLC

Still have questions about your data?

We answer real emails from real people.