Privacy Policy

This Privacy Policy describes how Chaos Digital ("Aevix," "we," "us," or "our") collects, uses, and shares information in connection with the Aevix platform ("Service"). By using the Service, you agree to the practices described in this policy.

1. Information We Collect

Information you provide

• Registration information: Name, email address, phone number, and password when you create an account.
• Profile information: Job title, certifications, rank, and other professional details you add to your profile.
• Organization information: Agency name, department details, and configuration settings provided by administrators.

Information generated through use

• Activity data: Schedules, vehicle check records, inventory transactions, training completions, timecard entries, and other operational data created through normal use of the Service.
• Survey responses: Responses to surveys created and distributed within the Service.
• AI interaction data: Prompts and responses when using the AI assistant feature (opt-in only).
• Cookies and session data: Session tokens, authentication cookies, and CSRF tokens necessary for secure operation.

2. How We Use Your Information

• Service delivery: To provide, maintain, and improve the Service and its features.
• Security: To detect, prevent, and respond to security incidents, fraud, and abuse.
• AI features: To power optional AI-assisted features such as the in-app assistant and report generation.
• Analytics: To generate aggregated, anonymized analytics and insights for your Organization.
• Support: To respond to your support requests and communicate service updates.
• Legal compliance: To comply with applicable laws, regulations, and legal processes.

3. Legal Bases for Processing

We process your information based on the following legal grounds:

• Contract performance: Processing necessary to provide the Service under our Terms of Service.
• Legitimate interests: Processing for security, fraud prevention, and service improvement where your rights do not override our interests.
• Consent: Processing of AI interaction data and optional features that you affirmatively opt into.
• Legal obligation: Processing required to comply with applicable laws and regulations.

4. How We Share Your Information

We do not sell your personal information. We do not share your information with third parties for advertising purposes. We share information only with the following categories of service providers ("subprocessors") necessary to deliver the Service:

• Infrastructure and database hosting (Supabase)
• Payment processing (Stripe)
• AI processing (Anthropic)
• Application hosting and edge delivery (Vercel)
• Error monitoring (Sentry)
• Mapping services (Google Maps)

For a complete list, see our Subprocessor List.

5. AI and Automated Processing

• AI features are powered by Anthropic's Claude API and are opt-in at the Organization level.
• Per our data processing agreement with Anthropic, Customer Data sent to the AI is not used to train Anthropic's models.
• Organization administrators can enable or disable AI features at any time.
• Aevix does not use AI to make automated decisions that produce legal effects or similarly significant effects on individuals.

6. Cookies and Tracking Technologies

We use only essential cookies necessary for the operation of the Service:

• Session cookies: To maintain your authenticated session.
• CSRF tokens: To protect against cross-site request forgery attacks.
• Vercel Analytics: Privacy-focused, anonymized web analytics with no personal data collection.

We do not use advertising cookies, tracking pixels, or third-party analytics platforms that track individuals across websites.

7. Data Retention

• Active account data is retained for the duration of your subscription.
• Organization administrators can configure retention periods for operational data (typically 90 days to 2 years depending on data type).
• Upon account termination, Customer Data is retained for 90 days to allow retrieval, then permanently deleted.
• We may retain anonymized, aggregated data indefinitely for analytics purposes.

8. Your Privacy Rights

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate personal information.
• Deletion: Request deletion of your personal information, subject to legal retention requirements.
• Portability: Request your data in a structured, commonly used, machine-readable format.
• Opt-out of AI processing: Disable AI features for your Organization at any time through settings.

To exercise these rights, contact us at privacy@aevix.app.

9. CCPA Disclosures

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Categories of personal information collected: Identifiers (name, email), professional information (job title, certifications), and internet activity (usage logs, session data).
• No sale of personal information: We do not sell or share personal information for cross-context behavioral advertising.
• Right to know: You may request details about the categories and specific pieces of personal information we have collected.
• Right to delete: You may request deletion of your personal information.
• Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

10. Children's Privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected information from a child under 13, we will promptly delete it.

11. Data Security

We implement industry-standard security measures to protect your information, including:

• Row-level security (RLS) policies ensuring tenant data isolation.
• Encryption of data in transit (TLS) and at rest.
• CSRF protection using double-submit cookie pattern.
• Secure session management with HttpOnly cookies and Content Security Policy headers.
• Regular security reviews and monitoring.

While we strive to protect your information, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

12. International Data

The Service is hosted and operated in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice via email. The "Last Updated" date at the top of this policy indicates the most recent revision.

14. Contact

For questions about this Privacy Policy or to exercise your privacy rights, contact us at privacy@aevix.app.