Privacy Policy
Effective date: 2026-05-26
Last updated: 2026-06-01
This privacy policy explains how Avro AI (“we”, “us”, “Avro”) collects, uses, stores, and discloses personal information. Avro is operated by Avro AI Pty Ltd (ACN 698 715 409, ABN 55 698 715 409), a proprietary company (Pty Ltd) with its principal place of business in Sydney, New South Wales, Australia.
We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and the General Data Protection Regulation (GDPR) where applicable to users in the European Union and the United Kingdom.
1. Who this policy applies to
Avro is a multi-tenant SaaS customer relationship management (CRM) platform for pest-control and trades businesses. Two categories of people interact with Avro:
- Operators — pest-control business owners and their staff, who sign up to use Avro to manage their business. We collect their account, business, and operational data.
- End customers — the customers of those operators (e.g. homeowners booking a pest treatment). We process their data on behalf of the operator, in our capacity as a data processor.
This policy describes what we do with both categories.
2. Information we collect
2.1 From operators (when you sign up and use Avro)
- Account details: name, email address, password (stored as a one-way hash), phone number.
- Business details: firm name, ABN, business address, business phone and email, GST registration status, operating region.
- Team and role information: team-member invitations, role assignments (owner / admin / tech).
- Authentication: if you sign in with Google OAuth, the basic profile information Google provides (email + name + avatar URL). We do not receive your Google password.
- Payment details: if you connect Stripe Connect for invoicing, we receive your Stripe account ID. We do not store credit card numbers or bank account details — those live with Stripe.
- Subscription details: plan tier, billing email, billing history.
- Usage telemetry: session timestamps, feature usage counts, error reports. We use this to improve the product.
- Optional connected accounts: if you connect your Google Calendar, Gmail, Microsoft Outlook, or Apple iCloud account, we receive an OAuth access token and refresh token. These tokens are encrypted at rest and used only to read the data you have authorised us to read.
2.2 From operators' end customers (data the operator imports or enters about their customers)
- Customer records: customer name, contact email, phone number, billing address, site address, ABN (if commercial), notes the operator enters.
- Job history: scheduled appointments, completed jobs, services performed, time-stamps, technician notes, photos uploaded as part of a job, signature captures.
- Quotes, invoices, payments: quote line items, invoice line items, payment status, payment intent references via Stripe.
- Communications: SMS messages between the operator and the customer (when the operator chooses to use Avro's SMS bridge or imports SMS history), email messages between the operator and the customer (when the operator chooses to connect their email account), notification logs.
- Geolocation: geocoded latitude/longitude derived from the customer's site address, used to power our geographic-proximity recommendation engine. We do not collect real-time GPS data from any device in the course of providing the core CRM. (Where an operator separately enables technician location-sharing features, that is governed by a distinct in-app notice and consent flow and is described there, not here.)
2.3 Cookies and similar technologies
We use first-party cookies to maintain session state and remember user preferences (e.g. calendar view, dashboard layout). We do not use third-party advertising or tracking cookies.
3. How we use information
We use the data described above to:
- Provide and operate the Avro service — show your calendar, list your jobs, generate invoices, send reminders, etc.
- Process payments via Stripe.
- Send transactional communications you have configured (reminders, follow-ups, review requests).
- Arrival-time messages: if a customer opts in, their operator's technician can send a one-off SMS or email with an estimated arrival time on the day of a booked job. This is a manual message sent by the technician — Avro does not track the technician's location. Customers can opt out at any time (reply STOP).
- Improve and develop the product (aggregate, anonymised analytics; debug error reports).
- Comply with our legal obligations (tax records, accounting records, lawful requests from authorities).
- Provide customer support when you contact us.
We do not sell personal information, and we do not use your data for third-party advertising.
4. Automated decision-making and AI features
Avro uses artificial-intelligence services (currently Anthropic's Claude models) to power a number of assistive features. We are transparent about this because we think you should know when AI is involved in handling your data.
What our AI features do. Examples include: classifying the intent of an inbound SMS or email (e.g. “this looks like a reschedule request”), proposing a follow-up cadence or draft reply for the operator to review, generating digest summaries of activity, and summarising notes. The data sent to the AI service is limited to what the specific feature needs (for example, the text of one inbound message for classification).
These features are assistive, not autonomous. An Avro AI feature does not, on its own, make a decision that produces a legal or similarly significant effect about any individual. AI outputs are suggestions presented to the operator, who decides what to do. There is always a human in the loop. We do not use AI to make automated decisions about credit, employment, pricing to consumers, or eligibility.
Training. We do not permit these AI service providers to train their models on your data.
Overseas processing. AI inference currently runs on infrastructure in the United States — see §6.
Your control. Where an AI-assisted feature is optional, you can disable it in settings. If you have a question about how a particular AI feature handled your data, contact us at the address in §14.
5. Sharing of information
We share data only as follows:
- With service providers (sub-processors) we use to operate Avro: Supabase (database hosting + auth), Vercel (web hosting), Stripe (payments), Anthropic (AI inference), Google / Microsoft / Apple (only when you connect those accounts; only for the resources you've authorised), Bureau of Meteorology (weather data; only your work region is sent), Google Geocoding API (only customer addresses you enter, geocoded once and cached). See §6 for where these providers are located.
- With your customers if you choose to share an invoice, quote, report, or customer-portal link with them.
- To comply with the law — if compelled by a valid court order, subpoena, or other lawful process. We will notify you unless legally prohibited.
- In the event of a sale or merger of Avro's business. We will notify you in advance and you will retain the right to delete your data.
We do not sell personal information to anyone, ever. We do not use your data for third-party advertising.
6. Where data is stored, and overseas disclosure (APP 8)
Primary storage is in Australia. Avro's primary infrastructure is hosted on Supabase and Vercel, with database servers physically located in the Asia-Pacific (Sydney) region. Your operational data — customer records, jobs, invoices, communications logs — is stored in Australia.
Some data is disclosed to recipients overseas. To provide certain features we disclose limited personal information to service providers located outside Australia. Under Australian Privacy Principle 8 we remain accountable for how those overseas recipients handle that information, and we take reasonable steps to ensure they protect it consistently with the APPs. The overseas recipients and the countries they are likely to be located in are:
| Recipient | Purpose | Likely location |
|---|---|---|
| Anthropic (Claude AI inference) | The assistive AI features described in §4 — only the specific text/data a feature needs | United States |
| Vercel (web hosting / edge network) | Serving the application; edge caching may route requests through points of presence outside Australia | United States and global edge locations |
| Stripe | Payment processing (if you connect Stripe) | United States and other jurisdictions in Stripe's network |
| Google / Microsoft / Apple | Only when you connect those accounts, and only for the resources you authorise | United States and other jurisdictions |
We take reasonable steps to ensure overseas recipients comply with the APPs, including contractual data-protection terms with our sub-processors and limiting the data disclosed to the minimum each feature requires. Data may also be replicated to backup regions for disaster recovery. For customers who require Australian data sovereignty for AI processing, we are evaluating local-hosted inference alternatives.
7. How long we keep data
- Active accounts: for as long as your account is active.
- Cancelled accounts: customer records, jobs, invoices, and reports are retained for 7 years after account cancellation, to support tax and legal compliance for the operator. After 7 years, data is permanently deleted unless legally required otherwise.
- Communications logs (SMS, email): retained for 2 years from the most recent message in a thread, then archived.
- Telemetry / error logs: 90 days.
- Backups: standard 30-day rolling backup retention.
You can request immediate deletion at any time (see §9).
8. Security
We take security seriously. Measures include:
- Encryption in transit (TLS 1.2+) for all client-server connections.
- Encryption at rest for database backups and OAuth tokens.
- Row-Level Security (RLS) in Postgres ensures tenants cannot access each other's data.
- Multi-factor authentication available for operator accounts.
- Regular security reviews of code changes (
security-reviewprocess on every meaningful pull request). - Access to production data limited to a small number of named personnel under audit.
No system is perfectly secure. If we become aware of a data breach affecting your information, we will notify you in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth). We maintain a written data-breach response plan so that any notifiable breach is assessed and reported within the statutory timeframes.
9. Your rights
Under the Australian Privacy Principles and the GDPR, you have the right to:
- Access the personal information we hold about you.
- Correct information that is inaccurate or out of date.
- Delete your account and all associated data, subject to the retention requirements in §7.
- Port your data — export your customer records, jobs, invoices in standard formats.
- Object to certain processing (e.g. analytics).
- Withdraw consent to optional features (e.g. disconnect your calendar / email accounts, or disable optional AI features) at any time, via settings.
- Complain to the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au if you are not satisfied with our handling of your data.
To exercise any of these rights, email privacy@avro-ai.com.
10. End-customer rights (data processor capacity)
If you are an end customer of one of our operators (e.g. you received a quote, invoice, or service from a pest-control business that uses Avro), your data is processed on behalf of that operator. To exercise your rights — access, correction, deletion — please contact the operator directly. We will assist them in fulfilling your request as required by law.
If you cannot reach the operator or believe they have not responded appropriately, you may contact us at privacy@avro-ai.com and we will help facilitate.
11. Children
Avro is not intended for use by anyone under 18. We do not knowingly collect personal information from children. If we become aware that we have, we will delete it promptly.
12. International data transfers
If you are accessing Avro from outside Australia, your data may be transferred to and processed in Australia. By using Avro, you consent to this transfer. For disclosures to recipients outside Australia, see the APP 8 table in §6. We rely on Standard Contractual Clauses (SCCs) for transfers involving data subjects in the EU/UK.
13. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email to operators and through an in-app banner. The “Last updated” date at the top of this document reflects the most recent change.
14. How to contact us
- Email: privacy@avro-ai.com
- Postal: PO Box 38, Earlwood NSW 2206
- Privacy Officer: Lillyanne Brown (support@avro-ai.com)
For complaints not resolved by us, you may also contact the Office of the Australian Information Commissioner:
- Web: https://www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001