Privacy policy.
Written in English, not in fear.

This policy describes how eAviora Technologies Inc. ("eAviora", "we", "our") handles personal data on our public marketing pages (this site) and in the eAviora platform (the product). It applies to visitors, prospects in early-access conversations, and users of the platform.

eAviora is pre-launch. This policy will be revised when the first production tenant goes live. We version it transparently — the last-updated date above is load-bearing.

The data controller is eAviora Technologies Inc., headquartered in Montreal, Quebec, Canada. For any privacy question, data-subject request, or complaint, contact us at contact@eaviora.com.

We collect the minimum we need to run the site and respond to you:

• Form submissions. Name, work email, organisation, role, topic, and message you type into our contact form.
• Server logs. Standard HTTP access logs (IP, user agent, request path, timestamp) from our hosting provider (Vercel), used for security and abuse prevention.
• Essential cookies. A session token for the authenticated platform. No marketing cookies, no advertising trackers, no session replay.

We do not use Google Analytics, Facebook Pixel, Hotjar, or similar trackers.

When your organisation uses the eAviora platform, the data you enter is your operational data:

• Account data. Name, email, role, and authentication metadata via Supabase Auth.
• Operational records. Occurrences, hazards, findings, actions, documents, training records, and all other records your team creates. These are yours, held under Row-Level Security per tenant, and never accessed by eAviora staff without your written authorisation.
• Audit log. Every mutation in the platform is recorded in an append-only auditLog table scoped to your tenant.

We rely on the following legal bases under the EU General Data Protection Regulation:

• Contract. Processing necessary to provide the platform to your organisation.
• Legitimate interest. Security logging, fraud prevention, and improving the service. Balanced against your rights.
• Consent. For any optional marketing email (opt-in only — we have none at present).
• Legal obligation. When a regulator with lawful authority compels disclosure.

Platform data is stored in Supabase (Postgres) with Row-Level Security enforced at the database layer. Communications use TLS 1.3. Access to production infrastructure is limited to authorised engineers and logged. We do not ship to your data to third-party analytics processors.

Organisations that require it can request a database-per-tenant deployment. Regulators can audit your tenant directly.

Marketing-form submissions are kept for up to 24 months to respond to your inquiry and maintain conversation context. Operational records inside the platform are retained for the duration of your organisation's subscription plus any contractually-defined retention period. You can export and delete your data on request.

You have the right to:

• Access the personal data we hold about you.
• Correct inaccuracies.
• Request deletion (subject to legal obligations to retain).
• Object to processing on legitimate-interest grounds.
• Port your data to another provider.
• Lodge a complaint with your supervisory authority.

Write to contact@eaviora.com and we will respond within 30 days.

We use the following sub-processors to operate eAviora:

• Supabase — Postgres, Auth, Storage.
• Vercel — hosting, CDN.
• Resend — transactional email.
• Inngest — background job execution.
• Anthropic — the Claude API for classification and analysis. We send only the data required for a given analysis, with deterministic settings against enumerated outputs (same input gives the same output).
• Cloudflare — DNS and DDoS protection.

Each sub-processor is bound by a data-processing agreement appropriate to the data it handles.

Your operational data is stored in the region you select (EU, US, or elsewhere depending on your Supabase project location). Transfers to processors outside the storage region are governed by Standard Contractual Clauses where required.

We update this policy as the product and our processing practices evolve. Material changes will be announced by email to platform administrators and visible on this page with a new last-updated date. Continued use after the update constitutes acceptance.