Privacy policy.
Written in English, not in fear.
We do not sell data, run advertising trackers, or replay your sessions. Your operational records stay in Canada, isolated at the database, and are never read by us without your written authorisation.
- 01 What this document covers
- 02 Data controller
- 03 Data we collect on this website
- 04 Data we collect in the platform
- 05 Where your data lives
- 06 ICAO Annex-19 confidentiality
- 07 Automated processing & AI
- 08 How we store and protect data
- 09 Legal basis (GDPR)
- 10 Data retention
- 11 Your rights & portability
- 12 Sub-processors
- 13 Changes to this policy
What this document covers
This policy describes how eAviora Inc. ("eAviora", "we", "our") handles personal data on our public marketing pages (this site) and in the eAviora platform (the product). It applies to visitors, prospects in early-access conversations, and users of the platform.
We version this policy transparently — the last-updated date above is load-bearing.
Data controller
The data controller is eAviora Inc., headquartered in Montreal, Quebec, Canada. For any privacy question, data-subject request, or complaint, contact us at contact@eaviora.com.
Data we collect on this website
We collect the minimum we need to run the site and respond to you:
- Form submissions. Name, work email, organisation, role, topic, and message you type into our contact form.
- Server logs. Standard HTTP access logs (IP, user agent, request path, timestamp) from our hosting provider (Vercel), used for security and abuse prevention.
- Essential cookies. A session token for the authenticated platform. No marketing cookies, no advertising trackers, no session replay.
We do not use Google Analytics, Facebook Pixel, Hotjar, or similar trackers.
Data we collect in the platform
When your organisation uses the eAviora platform, the data you enter is your operational data:
- Account data. Name, email, role, and authentication metadata via Supabase Auth.
- Operational records. Occurrences, hazards, findings, actions, documents, training records, and every other record your team creates. These are yours, held under database-enforced tenant isolation — your organisation's records are walled off at the database, not in application code — and never accessed by eAviora staff without your written authorisation.
- Audit log. Every change is recorded append-only in the same database transaction it belongs to and scoped to your tenant, so the trail is tamper-evident by construction.
Where your data lives
Your operational data resides in Canada (ca-central-1). It is encrypted with AES-256 at rest, and all communications travel over TLS 1.3 in transit.
A small number of sub-processor categories may process limited data outside Canada — for example, the Claude API used for AI analysis. Those transfers are governed by Standard Contractual Clauses where required. See the Trust & security page for the full posture.
ICAO Annex-19 confidentiality
Safety data is protected to a higher standard than ordinary records. Every record carries one of three sensitivity tiers — protected, restricted, or confidential — and access is governed by role allowlists plus explicit clearance grants. Those tiers are enforced everywhere the data surfaces: the work queue, notifications, and AI reads all inherit the same confidentiality rules.
When a closed occurrence becomes a shared bulletin, the reporter is never exposed. The transformation passes through three layers of de-identification — an automated data scrub, a mandatory instruction to the AI assistant, and a human approval step — before anything is published. This is just culture, enforced in the product.
Automated processing & AI
The platform uses the Claude API (an AI assistant) to draft classifications, analyses, and bulletins. The AI suggests; humans validate. Workflow and governance state cannot be set by the AI or through the API — an enforced workflow that can't skip a step keeps a person in the loop. Low-confidence outputs are queued for human review and never auto-write.
We send only the data required for a given analysis, and AI reads inherit the same Annex-19 confidentiality protection described above. Your operational data is not used to train AI models.
How we store and protect data
Tenant isolation is enforced at the database, not in application code: a query that arrives without your organisation's context returns zero rows. This is row-level security made mandatory — there is no application path that can read around it. Data is encrypted with AES-256 at rest and protected by TLS 1.3 in transit.
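The isolation model described here (and the append-only audit log under "Data we collect in the platform") can be expressed directly in Postgres. The following is an added illustration, not eAviora's schema: the table names, the `app.tenant_id` session setting and the column layout are assumptions. The point it shows is that a query arriving without tenant context returns zero rows, and that the audit row is written in the same transaction as the change it records.

```sql
-- Added illustration (assumed schema, not eAviora's): row-level security that is
-- mandatory for every caller, keyed on a per-request tenant setting.
create table occurrences (
  id        bigserial primary key,
  tenant_id uuid not null,
  title     text not null
);

-- Enable RLS and FORCE it so even the table owner cannot read around the policy.
alter table occurrences enable row level security;
alter table occurrences force row level security;

-- current_setting(..., true) yields NULL when the setting is absent; tenant_id = NULL
-- is never true, so a query with no tenant context sees zero rows and cannot insert.
create policy tenant_isolation on occurrences
  using      (tenant_id = current_setting('app.tenant_id', true)::uuid)
  with check (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Append-only audit log: select and insert are allowed within the tenant,
-- no update or delete policy exists, so written rows cannot be changed.
create table audit_log (
  id        bigserial primary key,
  tenant_id uuid not null,
  tbl       text not null,
  row_id    bigint not null,
  op        text not null,
  old_row   jsonb,
  new_row   jsonb,
  at        timestamptz not null default now()
);
alter table audit_log enable row level security;
alter table audit_log force row level security;
create policy audit_read   on audit_log for select
  using      (tenant_id = current_setting('app.tenant_id', true)::uuid);
create policy audit_append on audit_log for insert
  with check (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Trigger runs inside the same transaction as the change: if the audit insert
-- fails, the change itself rolls back, so no record exists without its trail.
create or replace function audit_occurrences() returns trigger
language plpgsql as $$
begin
  insert into audit_log (tenant_id, tbl, row_id, op, old_row, new_row)
  values (coalesce(new.tenant_id, old.tenant_id), tg_table_name,
          coalesce(new.id, old.id), tg_op, to_jsonb(old), to_jsonb(new));
  return coalesce(new, old);
end $$;

create trigger occurrences_audit
  after insert or update or delete on occurrences
  for each row execute function audit_occurrences();
```

Per request the application would run `set local app.tenant_id = '<tenant uuid>'` inside the transaction, so the context is scoped to that transaction and never leaks to a pooled connection.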
Sign-in supports WebAuthn passkeys and one-time-code (TOTP) multi-factor authentication, and enterprise identity via SAML 2.0 single sign-on and SCIM v2 provisioning. Access to production infrastructure is limited to authorised engineers and logged. SOC 2 attestation is in preparation. See the security one-pager for details.
Legal basis (GDPR)
We rely on the following legal bases under the EU General Data Protection Regulation:
- Contract. Processing necessary to provide the platform to your organisation.
- Legitimate interest. Security logging, fraud prevention, and improving the service. Balanced against your rights.
- Consent. For any optional marketing email (opt-in only — we have none at present).
- Legal obligation. When a regulator with lawful authority compels disclosure.
Data retention
Marketing-form submissions are kept for up to 24 months to respond to your inquiry and maintain conversation context. Operational records inside the platform are retained for the duration of your organisation's subscription plus any contractually defined retention period. You can export and delete your data on request — see your rights and portability below.
Your rights & portability
You have the right to:
- Access the personal data we hold about you.
- Correct inaccuracies.
- Request deletion (subject to legal obligations to retain).
- Object to processing on legitimate-interest grounds.
- Port your data to another provider.
- Lodge a complaint with your supervisory authority.
Portability is backed by a real export engine, not just a manual request: your team can run a self-service bulk export in JSON, CSV, Parquet, or PDF with signed download links, and a versioned REST API is available for ongoing data portability.
Write to contact@eaviora.com and we will respond within 30 days.
Sub-processors
We use the following sub-processors to operate eAviora:
- Supabase — Managed Postgres, authentication, file storage. Data-processing agreement.
- Vercel — Application hosting, edge functions, build pipeline. Data-processing agreement.
- Cloudflare — Authoritative DNS, DDoS mitigation, web application firewall. Data-processing agreement.
- Anthropic — AI model API for classification, risk and analyst agents. Operator data is NOT used to train models. Data-processing agreement.
- Inngest — Durable background job runtime for notifications, retention and webhook delivery. Data-processing agreement.
- Resend — Transactional email delivery (notifications, magic-links, digests). Data-processing agreement.
- Stripe — Subscription billing for paid plans. eAviora never stores card data; Stripe is the cardholder data processor. Data-processing agreement.
- Sentry — Error tracking and observability. Stack traces + metadata only — operator records are never sent. Data-processing agreement.
Each sub-processor is bound by a data-processing agreement appropriate to the data it handles.
Changes to this policy
We update this policy as the product and our processing practices evolve. Material changes will be announced by email to platform administrators and visible on this page with a new last-updated date. Continued use after the update constitutes acceptance.