1. Introduction

PVAI Consulting, Inc. (“PVAI”, “we”, “us”, “our”, “Auggie”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use Auggie™ – our AI-powered market research and dynamic persona platform – as well as our website and related services (collectively, the “Services”). It also describes your rights and choices regarding your personal information and how you can contact us about our privacy practices. 

This Policy applies to personal data we process in providing the Services to our business clients (“Customer”) and individual users. If you do not agree with our practices, please do not access or use the Services. By using Auggie, you acknowledge that you have read and understood this Privacy Policy. We handle personal data in accordance with applicable data protection laws, including the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as amended by the CPRA.

If you have any questions or wish to exercise any of your rights described in this Policy, please contact us at privacy@auggietalk.ai. Our contact details and any appointed Data Protection Officer or EU/UK representative are listed in the “Contact Us” section of this Policy.

2. What Data We Collect

We collect only the personal data that we need to provide and improve our Services. The types of information we collect (and later process) include:

• Account and Contact Information: When you sign up or a Customer organization creates an Auggie account, we collect information such as your name, email address, password, phone number, job title, and company/organization name. We use this to identify you, provide access to the Services, and communicate with you.

  
  

• Professional Information: We may also collect business contact details like your department or industry, and any profile information you choose to provide (for example, a profile photo or description). Providing a profile photo or other optional info is your choice, and it can be deleted or changed by you at any time.

  
  

• Service Usage and Content Data: We collect data that you or your organization input into Auggie’s platform. This includes research prompts, survey questions, persona descriptions, transcripts, or any other content you submit for analysis. If you participate in simulated focus groups or AI-driven interviews within Auggie, we will process the information and responses involved. Any personal information contained in that content about you or third parties is part of this category. We also generate outputs (such as persona profiles, summaries, or analytic reports) based on your input – these outputs may incorporate your input data and are treated as personal data where applicable.

  
  

• Device and Technical Data: When you interact with our Services, we automatically collect certain information about your device and usage of the platform. This includes your device’s Internet Protocol (IP address), device identifiers, browser type, operating system, referring website (the page that led you to our site), pages or features of Auggie you access, the dates/times of access, and performance logs (such as errors or load times). We use this data to ensure the Service functions properly, to troubleshoot issues, and to analyze usage patterns.

  
  

• Cookies and Tracking Information: We use cookies and similar technologies (like web beacons and local storage) to collect information about how you use our website and application. This may include your preferences and other identifiers. For instance, cookies help keep you logged in during a session and track aggregate usage metrics. Our use of cookies and tracking is explained further in Section 7 below.

  
  

• Payment and Transaction Data: If you purchase a subscription or pay for a premium feature, our third-party payment processor will collect your payment card details and billing information. We receive limited payment information from them, such as a transaction ID, your billing name and address, and the last four digits of your card (but not the full card number). We maintain records of your subscription plan and payment history for invoicing and accounting purposes.

  
  

• Prospective Customer Data: If you reach out to us for a demo or information about Auggie (for example, via our website contact form or at an industry event), we may collect your name, business contact information, company name, and anything you choose to share in your inquiry. We use this to respond to your request and, if lawful, to send you relevant marketing about our Services.

  
  

Information We Do Not Intend to Collect: We do not require you to provide any sensitive personal data (such as government ID numbers, financial account passwords, health information, or biometric identifiers) to use Auggie. We ask that you refrain from uploading sensitive personal data into the platform unless necessary. Auggie is designed for business-related research data, not private individual consumer data. Additionally, our Services are not directed to children, and we do not knowingly collect personal data from anyone under 13 (see Section 11). If you believe someone has provided us a child’s information or any other sensitive data improperly, please contact us so we can address it.

3. How We Use Your Data

We use personal data for the following purposes, relying on the legal bases noted in parentheses for users in the EU, UK, and other jurisdictions that require this disclosure:

• Providing and Improving the Service: We process your personal data to operate Auggie’s core functionalities. This includes authenticating you when you log in, processing the content you input to generate AI-driven personas or insights, and delivering results back to you. We also use data to maintain and enhance the Service – for example, troubleshooting issues, analyzing performance, and making user interface improvements. (Legal bases: performance of our contract with you (or your organization) to provide the Service; and our legitimate interests in improving and ensuring the availability of our Services).

  
  

• Personalizing User Experience: We may use your data to tailor the Service to you. For instance, remembering your preferences or previously used settings, and suggesting relevant project templates. (Legal basis: legitimate interests in providing a relevant user experience).

  
  

• Responding to Inquiries and Providing Support: If you contact us with a question, feedback, or support request, we use your contact and any problem description to assist you. This may involve accessing your account information or logs with your permission to resolve technical issues. (Legal bases: performance of contract for support obligations; and legitimate interests in customer service).

  
  

• Communications and Updates: We use contact information (email, phone as applicable) to send service-related communications. These include confirmations of sign-up, billing invoices, technical alerts (like security or performance notices), and important updates about the Services (e.g. changes to features or this policy). You cannot opt out of essential service communications. We also send product updates, newsletters or marketing communications to the extent you have opted in or as permitted by law. For example, we may email a monthly update about new Auggie features or industry insights. You can opt out of marketing emails at any time (see Section 9 on your rights). (Legal bases: contract performance for essential notices; consent or legitimate interests for marketing as appropriate).

  
  

• AI-Driven Analysis (Your Instructions): Auggie processes the content and data you provide solely to fulfill the purpose of the Service – i.e., to generate synthetic user research, persona profiles, or other analytical outputs that you request. We do not use your content for any unrelated purpose. See Section 4 (“AI and Data Usage”) for more on this. (Legal basis: performance of contract).

  
  

• Security and Fraud Prevention: We process certain data (like IP addresses, device info, and usage logs) to secure our platform, prevent unauthorized access, and detect fraud or malicious activities. This includes monitoring login locations to detect account compromise, using CAPTCHA challenges to block bots, and measuring usage to prevent abuse of the Service. We also may use aggregated data about how the Service is used to improve security features. (Legal bases: legitimate interests in protecting our Service and users; and compliance with legal obligations to implement appropriate security measures).

  
  

• Compliance with Legal Obligations: We will use or disclose personal data where necessary to comply with applicable laws, regulations, legal processes or enforceable governmental requests. For example, keeping transaction records for financial regulations, or responding to a court order (see Section 5 on disclosures). We also use data to enforce our agreements and terms (for instance, to investigate potential violations of our Terms of Service). (Legal basis: compliance with legal obligations and our legitimate interests in enforcing our rights).

  
  

• Aggregated and Anonymized Insights: We may aggregate or de-identify personal data so that it can no longer be linked to any individual, and use that data for purposes such as machine learning improvements, analytics, and overall platform improvement. For example, we might analyze anonymized usage patterns to improve our AI algorithms or to publish trend insights. These aggregated insights contain no personal identifiers. (Legal basis: not applicable once data is anonymized; prior to anonymization, legitimate interests in improving the service, with minimal privacy impact due to the de-identification process.)

  
  

• Other Purposes with Notice/Consent: If we intend to use your personal data for a purpose not described in this Policy, we will obtain your consent or provide you with an opportunity to opt out, as required by law.

  
  

We do not engage in any fully automated decision-making that produces legal or similarly significant effects concerning individuals, without human involvement. The outputs Auggie provides (e.g., persona simulations or analysis) are used by humans (our customers) to inform decisions, but Auggie itself does not autonomously make decisions about natural persons that would impact their rights.

We analyze user interactions, including messages, responses, and associated metadata (such as session IDs, timestamps, and persona configurations), to evaluate the performance of our AI personas and continuously improve the accuracy, realism, and brand alignment of our platform. These evaluations may involve algorithmic scoring or human-in-the-loop assessments but are never used to train third-party AI models without explicit authorization.

4. AI and Data Usage

This section addresses how our AI algorithms interact with your data, and assurances regarding model training and output usage.

• No Secondary Use for AI Training: We do not use your personal data or your clients’ personal data to train our general machine learning models in a way that would incorporate your data into features for other customers. All AI model training or tuning that might occur with your data is done in-session to serve your specific queries and outputs. In other words, your data and Auggie’s AI outputs derived from it are confined to your account and organization. We will not pool the content of your research sessions with other customers’ data to improve our AI’s performance generally, unless we have applied an anonymization process and obtained any necessary rights or consents.

  
  

• AI Output and Privacy: The outputs Auggie generates (e.g., synthetic user personas, summaries, charts) are based on the input data and the AI’s pattern recognition. These outputs might sometimes incidentally reflect personal data contained in the input (for example, if you input a transcript that has a person’s name or opinion, the summary might paraphrase that). We treat outputs containing personal data with the same level of care as the input data. They remain your (and your organization’s) confidential information. We do not claim ownership of your raw inputs or outputs; you retain any rights to your data. We simply process it to provide the service results. We may aggregate and anonymize data across clients for the purpose of improving our services, conducting internal research, or generating general insights. Aggregated data does not identify any individual or client and is not used in a way that would re-identify source data.

  
  

• Model Improvements: Our team continuously works to improve Auggie’s underlying AI models. We may internally analyze aggregated usage data or patterns (e.g., common phrasing of questions, average lengths of sessions) to help refine our algorithms. However, this analysis does not involve reviewing the specific content of your data or incorporating any personal information from your datasets into the general model. In cases where we might want to use snippets of customer interaction data to debug or enhance the AI, we will anonymize the data or obtain your consent.

  
  

• Your Control: You control what data is fed into Auggie’s AI. We encourage you to avoid inputting personal data about individuals unless necessary for the research scenario. If you choose to input any personal data (for example, using real customer quotes or profiles), ensure you have the proper authority or consent to do so. If you would like us to delete specific data that was input into the AI system, you may request deletion of your data by contacting us for assistance (see Sections 9 and 10). We will ensure the data is removed from active systems and will not be used in any further processing.

  
  

• Automated Profiling: Auggie’s purpose is to create simulated personas and insights which might be considered “profiling” (automated processing to evaluate certain things about a person) in the broad sense. However, these personas are synthetic and used for research, not to make decisions about real individuals. If you use Auggie to analyze data about real individuals (e.g., survey responses), the output is still a tool for you – PVAI is not making determinations about those individuals. We provide you the means; you interpret and apply the insights. This distinction is important for compliance with GDPR’s provisions on profiling – Auggie’s profiling is in-service of research simulation, not to circumvent human judgement in decisions impacting people.

  
  

We use your data to deliver high-quality, brand-specific insights through our AI personas. Your interaction data remains isolated to your account and is not used to train third-party models. We may use anonymized and aggregated system usage patterns to improve persona realism and system-wide performance—never in ways that expose brand content or user inputs to others.

​​We may also incorporate publicly available information from third-party sources (such as product reviews, social sentiment data, or search trends) to inform persona behavior and enhance the relevance of insights generated by the platform. This enrichment is performed using aggregated data and is never linked to any identifiable user or customer.

5. How We Share Your Data

We do not sell your personal information to third parties for monetary consideration. We also do not share your personal data with third parties for their own direct marketing purposes. However, we do share certain data with trusted third parties under strict conditions, as outlined below:

• Service Providers (Processors): We employ third-party companies to perform functions on our behalf in order to operate and support the Services. These service providers act under our instructions and are bound by contractual obligations to protect personal data and use it only for the purposes of providing their specific services to us. Key categories of service providers include:

  
  

  • Cloud Hosting and Infrastructure: We use reputable cloud infrastructure providers (for example, Amazon Web Services) to host our application, databases, and files. Personal data is stored and processed on their secure servers.

    
    

  • AI and Machine Learning Providers: We may integrate with third-party AI engines (such as OpenAI or Anthropic) to process certain natural language queries or generate text. When we do this, we transmit the necessary data securely and instruct the AI provider not to use the data for any purpose except to return the result to us. These providers are service providers to us and do not retain or use your data for their own training (consistent with their API policies).

    
    

  • Analytics and Performance Monitoring: We utilize analytics platforms (for instance, a self-hosted analytics solution or a tool like PostHog/Google Analytics with privacy controls) to understand how Auggie is used, diagnose technical issues, and improve the user experience. These tools may collect usage data and device identifiers (see “Cookies” section). Where feasible, we use first-party analytics or configure tools to minimize personal data (e.g., IP anonymization). Data shared with analytics providers does not include your input content, only usage metadata.

    
    

• Communication Tools: If we send emails, we may use an email delivery service to distribute those communications. They get access to your email address and the content of the email, but cannot use it for other purposes. Similarly, if we provide in-app chat support, the chat provider may process any data you type into the support chat.

  
  

• Payment Processors: As noted, a payment processing company (e.g., Stripe) will receive and process your credit card information if you pay for the Services. They are PCI-DSS compliant. We do not see your full card number, but the processor will inform us if a transaction was successful so we can activate your subscription.

  
  

• Other Vendors: This could include security service providers (for DDoS protection, etc.), backup storage providers, and professional advisors (IT consultants, auditors) who may incidentally have access to data when providing their services. All such parties are under appropriate contracts and/or professional obligations of confidentiality.

  
  

A current list of our major sub-processors is available upon request and in our Data Processing Addendum. We vet our vendors for strong privacy and security practices (many hold their own certifications like ISO 27001 or SOC 2), and we limit the data shared to what is necessary for their function.

• Within Our Corporate Group: If PVAI Consulting, Inc. has affiliates, subsidiaries, or a parent company in the future, we may share personal data with them if needed to operate the Service or for internal administration. Any such entities would follow this Privacy Policy and are under common control with us, so they are not considered “third parties” in the traditional sense. (As of the Last Updated date, PVAI does not have any corporate affiliates processing user data, but we include this for completeness.)

  
  

• Business Transfers: If PVAI engages in or is subject to a corporate transaction such as a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the successor entity or new owner as part of that transaction. For example, if another company acquires PVAI, your information would likely be one of the assets transferred so the service can continue under the new owner. In such an event, we will provide you with notice (e.g., via email and/or a prominent notice on our site) before your personal data is transferred and becomes subject to a different privacy policy. The new entity will be required to honor the commitments we’ve made in this Policy until it’s updated and you are notified of changes.

  
  

• Legal Compliance and Protection: We may disclose personal data to third parties (such as courts, law enforcement, or regulators) if we believe that such disclosure is legally required or necessary to:

  
  

  • Comply with a law, legal process, or governmental request (for example, a subpoena, warrant, or court order)]. If a government or law enforcement agency requests data, our policy is to scrutinize the request and only comply if legally obligated. Where allowed, we will inform the affected Customer of the request so they can seek to object. (Note: For data under EU/UK jurisdiction, we would follow procedures under GDPR and transfer mechanisms before disclosing to foreign authorities.)

    
    

  • Enforce our contractual rights or policies, including investigating potential violations of our Terms of Service or this Privacy Policy.

    
    

  • Detect, prevent, or address fraud, security, or technical issues (for example, exchanging information with other companies and organizations for cybersecurity protection or credit risk reduction).

    
    

• Protect the rights, property, or safety of PVAI, our customers, or others. For instance, we might disclose information to prevent harm or in the context of urgent incident response. These disclosures will be made only to the extent required or permitted by applicable law. We will never voluntarily give government authorities access to personal data without due process. We have policies in place to handle law enforcement requests – our default stance is to refuse or challenge requests that are overbroad and to require proper legal process (see “Law Enforcement” in Section 10 for more on our commitments here, aligned with Helpfull’s approach of protecting customer data from unauthorized access).

  
  

• With Your Consent or At Your Direction: There may be situations where you explicitly ask us to share your data with a third party, or you consent to a specific sharing. For example, if as a Customer you integrate Auggie with another tool or export data to a third-party service, we will share data at your direction. Or if we were to feature a case study involving your company, we’d only share personal info (like a quote with your name) with your permission. In such cases, we will only share the data you authorize and only with the designated parties.

  
  

No Selling of Personal Data: In plain terms, we do not sell or rent your personal information to data brokers or advertisers. We do not monetize personal data. If in the future we consider a data sharing arrangement that might be considered a “sale” or “share” under CCPA (for example, if we introduced third-party advertising cookies on a free tier of our site), we would update this Policy and honor opt-out requirements. As of the last update, all data sharing is limited to the service provision contexts above, which CCPA would classify as “disclosures for a business purpose” to service providers.

If you are an individual user of Auggie under a corporate account (i.e., your employer or organization is our Customer), please note that the primary Customer entity may have access to the data you put into the system (just like an email service at work). PVAI only shares data with the Customer’s authorized users as the Customer directs within the platform. For example, team admins may see projects created by team members. This is under the Customer’s control, not considered external data sharing by PVAI.

We strive to be transparent about all third parties that might handle your data. If you have any questions about third parties we use, feel free to contact us at privacy@auggietalk.ai. For details on our subprocessors (third-party processors), please refer to our DPA or request our current subprocessor list – we will gladly provide it.

6. International Data Transfers

PVAI is headquartered in the United States, and the majority of our infrastructure and data processing activities occur in the U.S. If you are accessing our Services from outside the United States, be aware that your personal data will likely be transferred to and stored on servers in the United States (and possibly other jurisdictions). Data protection laws in these countries may be different from those in your home country. However, we take steps to ensure that your personal information is given adequate protection in accordance with applicable privacy laws.

For personal data originating from the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we rely on approved legal mechanisms to transfer data internationally:

• Standard Contractual Clauses: We are in the process of implementing the European Commission’s Standard Contractual Clauses (SCCs) as a transfer safeguard for data we receive from the EEA/Switzerland. These are standard data protection clauses adopted by the EU Commission which contractually oblige us to protect European personal data even after it is transferred to a non-EU country. We also implement supplementary technical and organizational measures (such as encryption and access controls) as needed to ensure transferred data receives essentially equivalent protection to EU standards. Our Data Processing Addendum includes these SCCs by reference for all Customer data transfers.

  
  

• UK Addendum: For data from the UK, we will be implementing UK International Data Transfer Addendum (which supplements the SCCs) or other UK-approved transfer mechanisms, thereby complying with UK GDPR’s requirements for international transfers.

  
  

• Privacy Frameworks: PVAI endeavors to participate in relevant data transfer frameworks. Although the EU-U.S. Privacy Shield was invalidated in 2020, we are monitoring new EU-U.S. Data Privacy Frameworks. If certified under a new framework, we will note it here. In the meantime, SCCs remain our primary compliance mechanism for EU/UK data transfers. For Swiss data, we treat it under the EU SCCs with Swiss-specific adaptations (e.g., recognizing Swiss authorities).

  
  

• Data Location: Currently, personal data we process is stored on servers in the United States (specifically, in data centers operated by our cloud providers in regions such as US East/West). If we in future store data in other countries (e.g., an EU data center), we will update this policy. Regardless of storage location, our safeguards travel with the data.

  
  

• Government Requests: We are aware of the concerns regarding government access to data in certain countries. As outlined in Section 5, if we receive a government or law enforcement request for personal data, we will push back unless legally compelled, and will seek to redirect the request to the Customer or data owner when possible. We will also keep transparency reports of such requests if applicable.

  
  

By using Auggie or submitting personal data to us, you understand that your data may be transferred to our facilities in the United States and to those third parties with whom we share it as described in this Policy (who may be in other countries). We ensure all such transfers are done in compliance with applicable law and under contractual protections. If you would like more information about our international data transfer practices, including copies of the SCCs we use, please contact us.

7. Cookies and Similar Technologies

Like most online services, we use cookies and related tracking technologies to provide, personalize, and improve our Services. This section explains our use of these technologies and your choices.

• What are Cookies: Cookies are small text files placed on your device (computer, smartphone) when you visit a website. They allow the site to remember your actions or preferences over time. We also may use similar technologies like web beacons (tiny graphic images that monitor website engagement) and local storage (which stores data in your browser).

  
  

• How We Use Cookies: PVAI uses cookies and similar tools for several purposes:

  
  

  • Necessary Cookies: These are essential for the Service to function properly. For example, we use authentication cookies so you remain logged in as you navigate through Auggie’s interface, and so the Service can remember who you are between page loads. Without these cookies, the Service might not operate correctly (for instance, you’d have to log in repeatedly). We also use cookies to remember certain preferences or settings you’ve chosen, so you don’t have to set them each time (e.g., your language or time zone).

    
    

  • Analytics Cookies: We use analytics cookies to collect information about how users interact with our website and platform, so we can improve it. For example, we might use first-party analytics or tools like Google Analytics (with IP anonymization enabled) or others to see aggregated usage patterns – which features are used most, how long sessions last, which content is most viewed, etc. This helps us understand what parts of Auggie are valuable or where users might be encountering difficulties. The data collected may include your device type, browser, pages visited, time spent, and any errors encountered. We configure these tools not to collect unnecessary personal data and not to share data with third parties. Google Analytics, for instance, uses its own cookies; you can opt out by using the Google Analytics Opt-out Browser Add-on if you wish.

    
    

  • Functionality Cookies: These cookies remember choices you make to give you a more tailored experience (e.g., if you dismiss a one-time tutorial or pop-up, a cookie might record that so we don’t show it again).

    
    

• Advertising Cookies: We currently do not use advertising or targeting cookies on our platform. Since Auggie is a subscription B2B service, we don’t run third-party ads. On our marketing website, we might use tracking pixels from platforms like LinkedIn or Google Ads to measure the effectiveness of our own marketing campaigns (for instance, to see if someone who clicked an ad later signed up). If we do, those pixels may set cookies to track conversions. We will not use those unless allowed by law (e.g., with consent in the EU, or ensuring they don’t “sell” data under CCPA).

  
  

• Do Not Track: “Do Not Track” (DNT) is a browser setting that requests a website not to track you. The web industry has not yet adopted a uniform response to DNT signals. At this time, our sites and applications do not respond to Do Not Track signals sent by browsers. This is consistent with how most online services operate. Instead, we provide the controls described in this section for you to manage cookie preferences.

  
  

• Cookie Choices: You have several options to control or limit how we and third parties use cookies and similar technologies:

Browser Settings: Most web browsers automatically accept cookies, but you can modify your browser setting to decline cookies or alert you when a cookie is being placed. Check your browser’s help documentation for how to delete or disable cookies. Please note, if you disable cookies entirely, our website and Service may not function properly. For example, you might not be able to log in or use certain features that rely on cookies.

Cookie Banner & Preferences: If you are in a jurisdiction that requires consent for non-essential cookies (e.g., the EU/UK), you will see a cookie consent banner on our website when you first visit. This banner allows you to accept or reject certain categories of cookies (except strictly necessary ones). You can also update your preferences later via a “Cookie Settings” link in the site footer (if available).

Analytics Opt-Out: As mentioned, for Google Analytics you can install an opt-out extension. For other analytics, you can contact us to opt out if no automated means exists – however, we primarily use aggregated first-party analytics for our own use.

• Global Privacy Control: If you use the Global Privacy Control (GPC) signal (a setting or extension that communicates an opt-out of sale/sharing under CCPA), we interpret that as a signal to disable any third-party tracking cookies on our marketing site that could be considered a “sale/share”. Given our current practices, there are none such cookies by default, but we honor GPC signals in line with CPRA requirements.

  
  

• Third-Party Websites and Cookies: If you go to third-party websites from links on our Service (for example, a link to an article or a partner’s site), those sites will have their own cookie and tracking practices, governed by their privacy policies. Our Privacy Policy and cookie practices do not apply to third-party sites. For example, if you watch an embedded YouTube video on our site, YouTube may set its own cookies; or if you click to our profiles on social media, those platforms will track your interactions. We encourage you to review the privacy and cookie policies of any external sites you visit.

  
  

Overall, we use cookies in a way that is intended to be minimally intrusive and only to support your use of Auggie and help us improve our service. We do not use them to secretly gather personal details or to advertise unrelated products to you. You have control over cookies, and we strive to honor users’ preferences as technology allows.

If you have any questions about our use of cookies or how to adjust your preferences, you can contact us at privacy@auggietalk.ai.

8. Data Retention

We retain personal data for only as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. How long we keep information depends on the type of information and the purposes for which we collected it.

• Active Account Data: If you have an active account with Auggie, we will retain your account information, profile details, and content stored in the platform for as long as your account is in use or as needed to provide you the Services. This ensures continuity – for example, you can return to see past project results or reuse saved personas.

  
  

• Inactive Accounts: If your account becomes inactive (e.g., your subscription ends and you do not renew), we may retain your data for a limited period in case you reactivate. Our standard practice is to retain core account data for 90 days after an account lapses, to enable easy reactivation and to satisfy any record-keeping needs. After that period, we will either delete or anonymize the personal data associated with the account, barring any legal requirements to keep it longer. We may send a reminder before deletion of an inactive account.

  
  

• Customer-Provided Content: Data that you or your organization have uploaded to Auggie (e.g. research inputs, persona configurations, transcripts, etc.) can typically be deleted by you at any time via the platform interface. When you delete content, we move it to a “trash” state that is not accessible within the app. We keep deleted content in that state for up to 30 days in case you remove something by accident and need it restored. After ~30 days, the trashed content is permanently deleted from our active databases. It may persist in our encrypted backups for another 30-60 days and will be overwritten in the normal backup rotation shortly thereafter. Thus, within approximately 90 days, deleted content should be fully purged from all systems and backups.

  
  

• Account Deletion: If you (or your organization’s admin) delete your account, we will begin the process of deleting personal data associated with your account. We aim to complete such deletions within 60 days following the closure of the account. This includes removing personal data from our live systems. As noted, residual copies may remain in backups for a brief period beyond that, but will be expunged according to our backup retention schedule (which is no longer than 90 additional days). During that interim, your data remains protected under this Policy and our DPA. Once backups expire, no personal data should remain.

  
  

• Communication Records: If you contact us via email or support chat, we may retain those communications (including the email address and correspondence) for our records as long as needed to address your issue and to have an audit trail of support interactions (often 24 months, unless you request deletion sooner). This helps us in training and in understanding any history if you have future inquiries.

  
  

• Billing and Transaction Data: We retain financial transaction records (invoices, payments, etc.) for at least the duration required by tax and accounting laws – typically 7 years in many jurisdictions. This data is limited (we keep records of payment amounts, date, and method, and the billing contact info). It is kept secure and only used for financial administration.

  
  

• Analytics Data: Aggregated analytics data (which does not directly identify individuals) may be retained longer for historical analysis. However, usage logs that contain personal identifiers (like IP addresses) are typically rotated and deleted or anonymized after a shorter period (often within 12 months or less), unless needed longer for security analysis. For instance, we keep comprehensive login logs (IP, time, user) for about a year to support security audits and fraud investigations, and then either delete or anonymize them. If we use any third-party analytics, their retention of data is governed by their policies (Google Analytics, for example, can be set to retain user-level data for 14 months; we ensure it’s not indefinite).

  
  

• Legal Holds and Requirements: Notwithstanding the above, we might need to retain certain personal data for a longer period if required by law or if the data is subject to an active legal hold (for example, if involved in litigation or investigation). In that case, we keep the data until the hold is lifted or the requirement is satisfied. We also keep server logs and backup snapshots as part of our secure archival for a short period beyond active use, as mentioned, which might incidentally contain personal data until they are deleted in the normal course.

  
  

After the retention periods expire, we will either securely delete the personal data or anonymize it (so it can no longer be associated with an identified individual). For example, we might retain aggregated usage statistics with personal identifiers removed, in order to continue improving the Service or understanding trends.

If you are a Customer (organization) and our services act as a processor of data you control, you may have specific requirements for us to delete data. Our Data Processing Addendum sets out that we will comply with our Customers’ instructions regarding deletion or return of personal data at contract termination. We provide admin users in the platform the tools to delete content, and you can also request account-wide deletion through our support.

Your Deletion Rights: If you (or your organization) wish to delete your data sooner or have specific retention preferences, you can exercise your rights as described in Section 9. For instance, an individual user can request deletion of their personal data (and we will comply as required by law, as detailed in Section 9 under “Right to Erasure”). There are some instances where we cannot fully comply – e.g., we cannot delete data that is required for our ongoing contract performance unless the account is closed, and we cannot immediately delete data required by legal obligation – but we will inform you of any such limitations in our response.

In summary, we align with the principle of storage limitation – keeping personal data for no longer than necessary. The timelines provided above are our general practices, and we continually review what data we hold and purge what is no longer needed. If you have any questions about our retention practices or want a specific piece of data removed, please contact us.

9. Your Rights and Choices

You have rights and choices regarding your personal data. PVAI is committed to honoring these rights and facilitating your exercise of them. Because we serve customers globally, this section includes rights under various privacy laws. We extend many of these rights to all users, regardless of jurisdiction (to the extent practicable), as a matter of transparency and fairness.

Rights for Individuals in the European Economic Area (EEA), United Kingdom (UK), Switzerland, and other GDPR jurisdictions: If you are in the EEA, UK, or a jurisdiction with similar laws, you have the following data subject rights under GDPR (General Data Protection Regulation) and equivalent laws:

• Right to Access: You can request confirmation whether we are processing personal data about you, and if so, request access to the personal data (commonly known as a “Data Subject Access Request”). This allows you to receive a copy of the personal data we hold about you and information about how we process it.

  
  

• Right to Rectification: If any of your personal data we hold is inaccurate or incomplete, you have the right to request that we correct or update it. For example, you can correct your profile information via your account settings, or ask us to correct an error in your contact details.

  
  

• Right to Erasure: You have the right to request deletion of your personal data in certain circumstances (the “right to be forgotten”). We will erase your data upon request if: the data is no longer necessary for the purposes it was collected; you withdraw consent (if consent was the basis) and no other legal basis exists; you object to processing and we have no overriding legitimate grounds; or if we processed your data unlawfully or must delete it to comply with law. Note there are exemptions – we may retain data if needed for legal obligations or establishment/exercise/defense of legal claims, etc. We describe our retention practices in Section 8; if your deletion request falls under an exemption, we will inform you.

  
  

• Right to Restrict Processing: You can ask us to restrict (pause) the processing of your personal data under certain conditions – for example, while we verify the accuracy of data you contest, or if processing is unlawful and you prefer restriction over deletion. When processing is restricted, we will store your data securely and not actively process it (except for storage) until the restriction is lifted.

  
  

• Right to Object to Processing: You have the right to object to our processing of your personal data when the processing is based on our legitimate interests or on public interest tasks. If you object, we must stop processing unless we demonstrate compelling legitimate grounds that override your interests, or if processing is needed for legal claims. You also have an unconditional right to object to processing of your personal data for direct marketing purposes at any time. (Note: We generally only send marketing with consent or permissible soft opt-in, but you can object/opt-out regardless, as described below.)

  
  

• Right to Data Portability: To the extent we process your personal data by automated means and on the basis of your consent or a contract, you have the right to request a copy of that data in a structured, commonly used, machine-readable format, and you have the right to transmit that data to another controller. Where technically feasible, you can also request that we transfer the data directly to another company if you so choose. (For example, if you wanted to export your data from Auggie to upload into another service, we will assist with a CSV or JSON export of your content upon request.)

  
  

• Right to Withdraw Consent: In situations where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it won’t affect processing under other bases. If you withdraw consent for a certain feature or use (e.g., optional analytics cookies or marketing emails), we will stop that processing. For example, you can withdraw your consent to our marketing emails by clicking “unsubscribe” in any such email or adjusting your account email preferences.

  
  

• Right not to be subject to Automated Decisions: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant effects on you, unless it’s necessary for a contract, authorized by law, or based on your explicit consent (and with safeguards). As noted, PVAI does not engage in such automated decision-making without human involvement, so this right is typically not triggered by our Services. Auggie’s AI outputs support human decision-making; they do not by themselves determine outcomes affecting individuals’ rights.

  
  

To exercise any of these rights, please contact us at privacy@auggietalk.ai or use the contact information in Section 13. We may need to verify your identity and residency to process certain requests, especially for access, deletion, or portability (to ensure the person making the request is entitled to do so). We will try to respond to your request within one month of receipt. If needed due to complexity or number of requests, we can extend by an additional two months, but will inform you of the extension and the reason within the initial one-month period. There is no fee for making a request, except that we reserve the right to charge a reasonable fee or refuse to act if requests are manifestly unfounded or excessive/repetitive, per GDPR guidelines.

If you believe we have not addressed your rights adequately, you also have the right to lodge a complaint with a Data Protection Supervisory Authority, particularly in the country of your habitual residence, place of work, or where an alleged infringement occurred. We would, however, appreciate the chance to address your concerns directly before you approach a regulator, so please consider reaching out to us first.

Rights for California Residents: If you are a California resident, you have specific privacy rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), in addition to the general rights above (many overlap). These include:

• Right to Know: You have the right to request that we disclose the following information covering the 12 months prior to your request: (1) the categories of personal information we collected about you; (2) the categories of sources from which the personal information was collected; (3) our business or commercial purposes for collecting (or selling/sharing, if applicable) that personal info; (4) the categories of third parties to whom we disclosed personal info; and (5) the specific pieces of personal information we collected about you. Essentially, this is a more detailed breakdown of information largely provided in this Privacy Policy. We have made an effort in this Policy to outline those details (see especially Sections 2, 3, 5, 7 for categories collected and shared). If you request it, we will provide an individualized report.

  
  

• Right to Access: Similar to the “Right to Know,” you may request a copy of the personal information we have collected and maintain about you. Upon verifying your request, we will provide this in a portable and (if technically feasible) readily usable format, typically within the timeframes required by law (generally 45 days, with possibility of a 45-day extension).

  
  

• Right to Delete: You have the right to request that we delete personal information we collected from you and retained, subject to certain exceptions. Note that the CCPA recognizes several instances where we may deny deletion, such as if the information is needed to complete a transaction or provide a service you requested, to detect security incidents, to comply with a legal obligation, or other reasons listed in CCPA §1798.105(d). If we must deny a deletion request under an exception, we will inform you of the basis for the denial. Otherwise, we will delete (and direct our service providers to delete) your personal information from our records.

  
  

• Right to Correct: Under CPRA, you have the right to request correction of any inaccurate personal information we hold about you. Upon verification and consideration of the nature of the information and purpose of processing, we will use commercially reasonable efforts to correct the inaccuracies as directed by you. (For many things, you can also self-correct by editing your profile or settings).

  
  

• Right to Opt-Out of Sale or Sharing: We do not sell California residents’ personal information for monetary value, and we also do not share it for cross-context behavioral advertising, as those terms are defined. In other words, we have not sold or shared personal information to third parties for their own use. Nonetheless, the law entitles you to opt-out of the sale of personal info. Should our practices change, we will provide a “Do Not Sell or Share My Personal Information” link or mechanism on our website to facilitate opt-outs. Currently, because we don’t sell/share data in this manner, there is no need to opt-out – but you can still contact us to confirm this or to register an opt-out preference, which we will honor. (If, for example, you consider our use of any analytics or cookie data to be a “share,” you can instruct us to opt you out – we address cookies in Section 7, including how to opt-out). We also recognize Global Privacy Control signals as a valid opt-out of sale/sharing signal for California residents using our website.

  
  

• Right to Limit Use of Sensitive Personal Information: We do not collect or use “sensitive personal information” (as defined by CPRA) for purposes beyond those allowed by law (e.g., we don’t use or disclose sensitive info to infer characteristics about you). The only possible sensitive data we might handle is account login credentials (username/password), which we use solely to provide the service (authentication), which is an exempt purpose. We do not collect Social Security numbers, driver’s license numbers, precise geolocation, racial or ethnic origin, or contents of mail, etc., from consumers in a way that triggers this right. Therefore, the right to limit use/disclosure of sensitive info is not applicable to our Service, as we do not use your sensitive info for any secondary purposes. If that ever changes, we will provide a mechanism to limit such use.

  
  

• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we will not deny you our Services, charge you different prices, provide a different level of quality, or suggest any penalty, just because you exercised your privacy rights. However, please note that if a deletion request or opt-out makes it impossible for us to continue providing you with some aspect of the Service (for example, if you ask us to delete all your data, we cannot provide the Service without data), we might need to close your account. That is considered a consequence of exercising rights (because the Service can’t function), not discrimination. We will inform you if such a situation arises. We do not offer financial incentives for your data that would require a notice and opt-in (like no “pay for data” scheme).

Submitting Requests (California and General): To exercise your rights to know, access, delete, or correct under CCPA or other laws, you (or an authorized agent acting on your behalf) can contact us by:

• Sending an email to privacy@auggietalk.ai with “California Privacy Rights Request” (or similar) in the subject line and letting us know which right you want to exercise.

  
  

• Or mailing us at the postal address listed in Section 13 with attention to “Privacy Request”.

  
  

We will need to verify your identity to a “reasonable degree of certainty” (or “high degree” for sensitive data requests) before fulfilling requests. This may involve matching information you provide with information we have on file. For instance, if you request data, we might ask you to confirm two or three pieces of information that we have (like last four digits of phone on account and last invoice amount, or some recent interaction detail). For deletion or highly sensitive requests, we might require a signed declaration under penalty of perjury that you are who you claim. If you have an account, generally logging in from an authenticated account and making the request through that channel is sufficient verification.

Authorized Agents: You can designate an authorized agent to make a request on your behalf. If you do, we will take steps to verify the agent’s authority (we may ask for written permission signed by you for that agent, or a power of attorney, and also attempt to verify you either directly or via the agent). This is to prevent fraud.

Response Timing and Format (California): We aim to respond to verifiable consumer requests within 45 days. If we need more time (up to another 45 days, totaling 90 days), we will inform you of the reason and extension in writing. Disclosures will cover at least the 12-month period preceding the request (and, starting in 2023, you can request beyond 12 months, and we will honor that to the extent feasible as required by CPRA regulations). If we deny a request, we will explain why. For portability requests, we will select a format that is readily usable, usually JSON or CSV files, and we will deliver it through your account or a secure method.

We hope the way we handle your data gives you confidence, but you do have these rights to hold us accountable and keep control of your information. Please note that if you are an employee or customer of one of our Business Customers using Auggie, and you want to exercise rights regarding data that your employer/client input about you, you may need to direct your request to that Business (as they are the controller of that data; we can help facilitate as their processor). For example, if Auggie is used to process survey responses from consumers, and you are one of those survey respondents wishing to delete your response, you would contact the company that collected your info. We will assist our Business Customers in responding to such requests as described in our DPA.

Marketing and Communication Preferences: Apart from formal rights, you have choices in how you interact with us: - You can unsubscribe from marketing emails at any time by clicking the “unsubscribe” link in the footer of such emails or by adjusting your email preferences in your account settings (if available). Even if you opt out of marketing, we will still send you essential service and account communications (e.g., billing info, security alerts). - If we ever send SMS or push notifications (not currently, but if we do), we will provide opt-out instructions (likely replying “STOP” for SMS, or disabling push in app settings or device settings). - You can choose not to provide certain information (like skipping optional profile fields or not entering unnecessary personal data into research content). Keep in mind this might limit functionality (if you don’t provide an email, we can’t create an account, etc.). - You may opt not to use certain features that involve data use you are not comfortable with. We aim to design features with privacy in mind and often provide in-product controls. For instance, if we offered an integration that sends data to a third-party service, you would have to enable it – if you don’t, your data stays within our system. - Global Privacy Control (GPC): As noted, we treat GPC signals received by our website as an opt-out of sale/sharing under CPRA. So if you have GPC enabled in your browser, our site should recognize it and automatically disable any non-essential third-party trackers.

10. Security Measures and Data Protection

We take the security of your personal data seriously. PVAI has implemented a comprehensive information security program with physical, technical, and administrative safeguards to protect your personal data from unauthorized access, use, loss, or disclosure. While no system is absolutely secure, we follow industry best practices to minimize risks. Here’s an overview of our security measures:

• Encryption: All data transmitted between your browser (or app) and our servers is encrypted using Transport Layer Security (TLS) (HTTPS). This means that personal data is protected from eavesdropping during transit over the internet. For particularly sensitive data at rest, we also employ encryption on our databases or storage systems (using strong encryption algorithms like AES-256). For example, passwords are hashed and salted (we never store plain passwords), and certain sensitive fields may be stored encrypted at rest.

  
  

• Access Controls: We restrict access to personal data to only those PVAI employees, contractors, and service providers who need to know that information in order to operate, develop, or support our Services. Access is granted on a least-privilege principle. All personnel with access are subject to confidentiality obligations. We use role-based access controls, unique user IDs, and strong password policies internally. Admin access to systems requires multi-factor authentication (where possible) and is logged.

  
  

• Personnel Practices: Our staff and contractors receive training on privacy and security. We conduct background checks on employees in sensitive positions as permitted by law. We have internal policies for handling customer data safely and respond quickly to potential misuse. Team members are instructed to never download or store customer personal data to unsecured devices.

  
  

• Network and System Security: Our production systems are hosted in secure, modern cloud environments with robust security certifications (like AWS, which is SOC 2, ISO 27001 certified and has strong physical and network security). We use firewalls and network segmentation to isolate databases and application servers. We employ monitoring solutions to track access and detect anomalies. For instance, we have intrusion detection and prevention systems and run regular vulnerability scans and penetration tests to find and fix potential weaknesses.

  
  

• Testing and Updates: We regularly update our software and systems to apply security patches. We maintain a secure development lifecycle – our engineers follow coding best practices to avoid common vulnerabilities (like SQL injection, XSS, etc.), and we review code for security issues. We may also engage independent security experts to audit our platform.

  
  

• Incident Response: PVAI is actively developing a formal incident response plan to guide our actions in the event of a security incident or data breach. In such cases, we are committed to containing, investigating, and remediating the issue promptly and responsibly. We will notify affected customers—and, where required, regulators or individuals—in accordance with applicable breach notification laws. Our goal is to provide timely notice of qualifying incidents, including within 72 hours under the GDPR, once we become aware of them. Our evolving response framework includes provisions for preserving evidence, engaging relevant experts, and communicating with transparency.

  
  

• Account Security: We urge you to also take precautions: use a strong, unique password for your Auggie account and do not share it. We will never ask you for your password via email. If you suspect any unauthorized access to your account, notify us immediately. 

  
  

• SOC 2 and Certifications: We are working towards relevant security certifications. PVAI is aligning its practices with SOC 2 Type II requirements and other frameworks (like ISO 27001). We know Synthetic Users and others highlight SOC 2 compliance. We either have completed or plan to complete a SOC 2 audit, and will make the results available to enterprise customers upon request (under NDA). Achieving certifications demonstrates our ongoing commitment to security and privacy best practices.

  
  

• Data Minimization: Part of security is collecting only what is needed. As described, we avoid collecting overly sensitive data that is not required, thus reducing risk exposure. And we anonymize data where feasible for analysis, further protecting individuals.

  
  

Despite all these measures, no method of transmission over the Internet or method of electronic storage is 100% secure. Cyber threats continue to evolve. Therefore, we cannot guarantee absolute security of your information. However, we continuously evaluate new technologies and cyber defense strategies to update our protections. If you have reason to believe that your data is no longer secure with us or if you have detected a vulnerability, please immediately notify us at or privacy@auggietalk.ai). We welcome “white hat” responsible disclosure of any security issues and will address verified vulnerabilities promptly.

By using our Services, you acknowledge that you understand and accept the inherent risks of data transmission and storage. We promise to do our part by maintaining a robust security program and promptly dealing with any incidents in an open and responsible manner.

11. Children’s Privacy

Our Services are not directed to children under the age of 13. We do not knowingly collect or solicit personal information from anyone under 13 years old (or under 16 years old, in the case of data collected from the European Economic Area). Auggie is a business-oriented tool intended for use by professionals, not by minors in a personal context.

If you are under 13 (or under the age of consent in your jurisdiction), please do not attempt to register for or use the Services, and do not provide us with any personal information about yourself.

In the unlikely event that we have collected personal data from a child under 13 (or under 16 in Europe) without appropriate consent, we will delete that information as quickly as possible. For example, if we discover that a minor has created an account using false information, or a Customer has inadvertently uploaded a dataset containing children’s personal info, we will purge that data.

If you believe that we might have any information from or about a child under the relevant age, please contact us at privacy@auggietalk.ai so that we can take appropriate action. Parents or legal guardians who become aware that a child under their care has provided us with information should contact us and we will work to remove the data and (if applicable) terminate the child’s account.

We do not sell the personal information of minors under 16 years of age without affirmative authorization as per the CCPA (again, we don’t anticipate having any minor data at all, but we include this assurance for completeness).

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will post the updated Privacy Policy on this page and update the “Last Updated” date at the top.

If the changes are significant (material changes that affect your rights or how we use personal data), we will provide a prominent notice and/or notify you directly. For example, we might email account owners or show a notice within the service interface prior to the change becoming effective. For material changes, where required by law, we might also seek your consent.

Significant changes could include (for instance) expanding the types of personal data collected, changing how or why we use data in a way that you might not expect under the current policy, or if we were to begin engaging in new data sharing that would be considered a sale. Minor changes (like clarifications, grammar fixes, or slight reorganizations) might be effective immediately upon posting. We will indicate on the top of the policy when it was last updated so you know if it has changed since you last reviewed it.

We encourage you to review this Privacy Policy periodically to stay informed about our data practices. Your continued use of the Services after the effective date of an updated Policy constitutes your acceptance of the changes. If you do not agree to the updated terms, you should stop using the Services and may deactivate your account.

For any material changes, we will give advance notice if and as required. For example, if we plan to change our data retention or sharing practices in a significant way, we might email you 30 days in advance of the new policy and highlight the differences. We value your trust and will not surprise you with unexpected uses of your personal data.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you can contact us in the following ways:

Email: privacy@auggietalk.ai – This is our dedicated address for privacy inquiries and requests (rights requests, questions about your data, etc.).

Postal Mail: PVAI Consulting, Inc., Attn: Privacy Team, 454 Las Gallinas Ave #1135, San Rafael, CA 94903. (This is our registered mailing address for official correspondence. Please include Attn: Privacy or Data Protection Officer to ensure proper routing.)

We will respond to your inquiries as promptly as possible, typically within a few business days. If you are contacting us to exercise a privacy right, please see Section 9 about what information to include and verification steps.

Trust and transparency are core to PVAI’s values. We appreciate you reading our Privacy Policy. If anything is unclear or if you need further clarification, do not hesitate to reach out. Your feedback on our privacy practices is welcome – it helps us improve and address what matters to our users.

Thank you for entrusting PVAI (Auggie) with your information. We are dedicated to safeguarding it and using it responsibly