Privacy Policy
Effective Date: June 9, 2026
Serverless Inc. (“we,” “us,” “our,” or the “Company”) respects your privacy and is committed to protecting your personal information. This Privacy Policy describes how we collect, use, disclose, and protect information through the Avi service (as defined in our Terms of Service, available at avi.run/terms and incorporated herein by reference). This Policy applies to all users of the Service but does not apply to information collected offline or through other channels.
Capitalized terms not defined here have the meanings in our Terms of Service. By using the Service, you consent to the practices described herein. If you do not agree, do not use the Service.
We are a U.S.-based company and store and process customer data primarily in the United States. We reserve the right to update this Policy at any time; see Section 13 for details.
We Do Not Share Your Data with AI Model Providers
All AI processing — chat, embeddings, and background Automation runs — happens inside our own cloud account. Inputs and outputs are not shared with foundation- model providers and are not used to train foundation models. We do not provide your data to any other AI provider.
About Avi
Avi is a cloud-hosted AI agent platform. Your conversations, tasks, notes, contacts, interactions, updates, and files are stored on our servers so the agent can work across sessions, schedule recurring tasks, run background Automations, and collaborate with your team. The optional desktop application bridges local tools (terminal, filesystem) to the cloud backend.
Applicability
This Privacy Policy explains our practices regarding the collection, use, disclosure, and processing of your information when you:
- Visit our website at avi.run and affiliated sites, blogs, or social media platforms (collectively, our “Sites”);
- Access or use the Avi web application, desktop application, APIs, or any related software or services;
- Interact with us for support, marketing, or other purposes.
This Privacy Policy does not apply to third-party products, services, or integrations accessible via the Service. Contact those third parties directly for their privacy practices.
1. Information We Collect
Information You Provide Directly
- Account Information. Name, email address, and profile photo when you sign in via Google OAuth.
- Transactional Information. Payment details are handled by Stripe; we receive only tokenized references, not raw card data. Billing address may be collected for tax purposes.
- Support Information. Messages, attachments, and preferences you share when contacting support.
- Feedback. Suggestions, bug reports, or other voluntary submissions.
Content You Create or That the Agent Creates on Your Behalf
Because Avi is a cloud-hosted platform, content created by you and content created by the agent on your behalf is stored on our servers so the agent can operate across sessions and devices:
- Conversations and Messages. Your chat messages and the agent's responses are stored in our database to maintain conversation history, support rolling summarization, and enable continuity across sessions.
- Tasks and Schedules. Tasks you create, including recurring schedules and per-run instructions.
- Notes. Notes you create in any project.
- Contacts. Contact records stored in your organization's contact pool. Each contact may include name, email, phone, company, title, website, addresses, social and messaging identities (e.g., Slack user IDs, other cross-platform handles), tags, and an AI-generated context summary (see “Agent-Generated Content” below). Contacts may be created directly by you or automatically populated by Avi from your connected integrations (see Section 7).
- Interactions. A log of communications ingested from connected integrations (e.g., Slack DMs and mentioned messages, Gmail threads), including sender and recipient identifiers, timestamps, channel/thread metadata, and message content extracted to markdown. Interactions are stored so the agent can reason over your communications.
- Updates and Beats. Mutable “updates” that the agent creates and edits to track ongoing concerns, together with their append-only activity timelines (“beats”).
- Files. Files you upload, stored in our object storage.
- Skills. Named prompt templates you create at the org level.
- Integration Credentials. OAuth tokens for third-party integrations (e.g., GitHub, HubSpot, Freshdesk, Google services, Slack, MongoDB, Google Sheets) that you authorize are stored encrypted in our database.
- Secrets. API secrets you store for use by the agent are encrypted at rest.
- Custom App Data. If you or your organization deploys a Custom App (see our Terms of Service), the App may store JSON state, files, and queryable records in namespaces scoped to that App.
- Agent-Generated Content. Some fields are written by the agent rather than by you — for example, AI-generated summaries on contact records (the “context” field), update bodies and beats, and triage classifications. These are produced by AI models and may be inaccurate; you should review them before relying on them.
- Vector Embeddings. To power semantic search, we generate embeddings of your tasks, notes, contacts, interactions, and updates using our in-cloud AI infrastructure (see Section 5) and store them alongside the source record.
If your Content includes personal data of third parties (for example, contact records or data retrieved from third-party services), you are responsible for having a lawful basis to collect and process that data and to share it with us for service delivery purposes. This includes contact records automatically populated by Avi from your Google Contacts, Gmail recipients, or Slack workspace members when you enable those integrations.
Information We Collect Automatically
- Usage and Event Data. Actions taken within the Service — such as messages sent, tasks created, apps enabled, members added, and AI model usage — are logged in our events system for analytics, billing, and service improvement.
- AI Usage Metrics. Token counts and cost data per conversation and model, used for credit tracking and billing.
- Device Information. For registered desktop devices, we store the device name, platform (macOS, Windows, Linux), and last connection timestamp.
- Technical Logs. Server logs including HTTP request metadata, IP addresses, error traces, and response times, retained for a period determined at our discretion.
- Edge Protection Data. Inbound requests pass through a web application firewall that inspects source IP, headers, and request bodies against rate-limit, IP-reputation, and bad-input rules to protect the Service from abuse.
- Site Analytics. Pages viewed, browser type, response times, and timestamps on our marketing site (avi.run).
- Location Information. City and country derived from IP address; we do not collect precise location.
- Cookies. Browser cookies on our Sites for session management. Manage these via your browser settings.
2. How We Use Information
We use information to:
- Operate the Service. Store and retrieve your content so the agent can work across sessions.
- Run AI requests. Process your messages and stored records with the AI infrastructure described in Section 5 to generate agent responses and produce embeddings for search. We do not use this content for advertising, to train generalized AI models, or for any purpose other than providing the Service.
- Execute scheduled tasks. Invoke the agent automatically on schedules you configure.
- Run background Automations. If you enable Automations, we invoke them on a recurring schedule. A run may read your stored content, ingest data from your connected integrations, process personal information from those services, call AI models, and create or edit records — without a per-run user prompt. You control which Automations are enabled, their cadence, model, and tools.
- Billing and credits. Track AI usage, manage credit balances, and process payments via Stripe.
- Provide support. Respond to inquiries and resolve issues.
- Communicate. Send transactional notices, invoices, and updates. We do not use your email for marketing without your consent, where required by applicable law.
- Security. Detect and prevent fraud, unauthorized access, and abuse.
- Improve the Service. Analyze aggregated, anonymized usage patterns to improve reliability and features.
- Legal and compliance. Comply with applicable laws and enforce our Terms of Service.
3. How We Retain Your Information
We retain your content (conversations, tasks, notes, contacts, interactions, updates, files) for as long as your account is active. When you delete your account, we permanently delete your content. We retain minimal records (email address, billing history) as required for tax, legal, and accounting compliance.
If deletion is not immediately possible (e.g., data in backup snapshots), we isolate and protect it until deletion is feasible. Retention periods for backups and logs are determined at our discretion and may change.
4. How We Share Information
We do not sell your personal information. We share information only as follows:
- Service Providers (Subprocessors). Vendors we use to operate the Service, as described in Section 5 below. These providers are authorized only to use your information as necessary to provide services to us.
- AI Infrastructure. Your messages and stored records are processed by the AI infrastructure described in Section 5 to generate responses, run Automations, and produce embeddings. Inputs and outputs stay within our cloud account, are not shared with foundation-model providers, and are not used to train foundation models. We do not send your data to any other AI provider.
- Your Organization. Content you create in shared projects within an organization is accessible to other members of that organization per the access controls you configure. Contacts are scoped to the organization's shared contact pool; updates, tasks, notes, and interactions are scoped to the project tree.
- Third-Party Integrations. When you connect a third-party service (e.g., GitHub, HubSpot, Freshdesk, Google services, Slack, MongoDB, Google Sheets), the agent and any enabled Automations may send and receive data from that service on your behalf using the credentials you provide. For some integrations, enabling an Automation causes Avi to invoke the third party's APIs on a recurring schedule without a per-call user prompt (for example, ingesting new Gmail messages and Slack DMs, or syncing your Google Contacts). Those transmissions are subject to the third party's own terms and privacy policies.
- Corporate Affiliates. Entities under common control with Serverless Inc., subject to this Policy.
- Corporate Transactions. In connection with a merger, sale, or acquisition, your information may be transferred as a business asset.
- Legal or Public Authorities. When required by law, court order, or to protect the security and integrity of the Service or the rights of others.
- With Your Consent. For any other purpose with your explicit consent.
5. Subprocessors
We use the following service providers to operate the Service. We may update this list at any time; the current version is always available at avi.run/privacy.
- Amazon Web Services (AWS) — Cloud infrastructure for compute, database, object storage, caching, scheduling, edge protection, and AI inference and embeddings (via AWS Bedrock). AI inputs and outputs stay within our AWS account and are not shared with foundation-model providers or used to train them. Customer data in AWS is stored in U.S. regions.
- Vercel — Hosting and deployment for the web application and marketing site.
- Stripe — Payment processing and subscription management.
- Resend — Transactional email delivery (e.g., org invitations).
- Exa — Web search API used when the agent performs web searches on your behalf. Only the search query is transmitted.
When you authorize a third-party integration, Avi calls that service's APIs on your behalf, and may do so on a recurring schedule if you enable Automations that use it. Current integration targets include Google (Gmail, Calendar, Contacts, Drive), Slack, GitHub, HubSpot, Freshdesk, MongoDB, and Google Sheets. These are services you have independently authorized, not Avi subprocessors.
6. Data Security
We implement commercially reasonable administrative, technical, and physical safeguards to protect information from unauthorized access, use, modification, or disclosure, including:
- Encryption in transit and at rest;
- Encryption of secrets and OAuth tokens with industry-standard algorithms;
- Authenticated sessions and role-based access controls on all data.
Our security program is SOC 2 audited by an independent third-party assessor. Customers with a legitimate need may request a current report under a mutual non-disclosure agreement at support@avi.run.
No security measure is absolute and we do not guarantee the security of your information. In the event of a security incident, we will take appropriate steps and provide notifications as required by applicable law. If you discover a security vulnerability, please report it to support@avi.run before public disclosure.
7. Third-Party Integrations
You can connect third-party services (such as Google, Slack, GitHub, HubSpot, Freshdesk, MongoDB, and Google Sheets). OAuth tokens are stored encrypted and used by the agent and any enabled Automations to act on your behalf.
Automated access. Some integrations pair with Automations that Avi runs on a recurring schedule. Depending on what you enable, Avi may ingest messages (e.g., Slack DMs or mentions, Gmail), fetch contacts (e.g., Google Contacts) and store or enrich them locally, and invoke other connected services per your configuration.
Information received from any connected service is also subject to Section 8, which sets out the general principles that apply to all such data plus any vendor-specific terms.
You can disconnect any integration at any time from project settings, which removes the stored tokens and halts new automated calls (runs already in progress may complete). We are not responsible for the privacy practices or availability of third-party services; review their own terms before connecting them.
8. Connected Services and Third-Party User Data
This section governs information we receive from third-party services you connect to Avi (collectively, “Connected-Service Data”). It applies in addition to, and where stricter in place of, the general provisions of this Policy. Where a connected service imposes its own developer policies that we are required to follow (for example, Google's API Services User Data Policy), those policies apply on top of this section as described in the relevant per-vendor subsection below.
8.1 General Principles (All Connected Services)
The following apply to every type of Connected-Service Data, regardless of vendor:
- (a) Permitted use. We use Connected-Service Data only to provide and improve user-facing features of the Service that are prominent in our user interface — including displaying that data inside Avi, enabling the agent and any Automations you enable to read and reason over it, and acting on it at your direction. The specific scopes or permissions Avi uses for a given vendor, and how each is used, are described in the per-vendor subsection below.
- (b) No sale. We do not sell Connected-Service Data.
- (c) No advertising use. We do not use Connected-Service Data for advertising of any kind, including retargeting, personalized advertising, or interest-based advertising.
- (d) No generalized AI/ML training. We do not use Connected-Service Data to develop, improve, or train generalized or non-personalized AI/ML models. We process it with the AI infrastructure described in Section 5 (which keeps inputs and outputs within our cloud account and is not used to train foundation models) solely to power the user-facing features above.
- (e) Transfers. We do not transfer Connected-Service Data to third parties except: to the subprocessors listed in Section 5 as needed to operate the Service consistently with this Policy and any applicable vendor policy; for security purposes (for example, to investigate abuse); to comply with applicable law; or as part of a merger, acquisition, or sale of assets with appropriate notice.
- (f) Human access. Avi personnel do not read your Connected-Service Data except: (i) with your explicit consent (for example, when you share content with support to debug an issue); (ii) for security investigations; (iii) to comply with applicable law; or (iv) in anonymized or aggregated form for internal operations.
- (g) Disconnection. You can disconnect any integration from project settings at any time. Disconnecting removes the stored OAuth tokens (or equivalent credentials) and halts new automated calls; runs already in progress may complete. You may also revoke Avi's access through the vendor's own permissions page where applicable; per-vendor revocation links, if any, appear below.
- (h) Deletion on account termination. When you delete your Avi account, we permanently delete the Connected-Service Data we have stored — including ingested content, derived Interactions, and vendor-identity mappings on your records — subject to the backup-retention rules in Section 3.
8.2 Google
(a) Limited Use. Avi's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
(b) Permitted use — by scope. Subject to Section 8.1, we use the following Google scopes only as described:
- Gmail. To display your messages and threads inside Avi, store ingested message content as Interactions so the agent and any Automations you enable can read and reason over it, surface message context alongside the agent's responses, and (if you enable the relevant Automation) periodically ingest new messages so the agent can summarize and act on them.
- Google Contacts. To fetch your contacts and use the data to populate and enrich Avi's contact records (email, phone, company, title, addresses, social identities).
- Google Calendar. To read and create calendar events at your direction.
- Google Drive. To read and write Google Drive files at your direction.
You can review the exact OAuth scopes Avi requests on the Google consent screen at the time you connect your account.
(c) Revocation. In addition to disconnecting from Avi (see Section 8.1(g)), you can revoke Avi's access directly at https://myaccount.google.com/permissions.
Additional per-vendor subsections will be added here as we expand our integration catalog. The general principles in Section 8.1 apply to every connected service.
9. International Users and GDPR
The Service is operated from the United States and your information is processed primarily there. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have data protection laws different from those in your country.
EU and UK Users — Lawful Basis. For users in the European Economic Area (EEA) or United Kingdom (UK), we process personal data on the following lawful bases under GDPR and UK GDPR:
- Contract performance — to create and manage your account, process payments, and deliver the Service;
- Legitimate interests — for security, fraud prevention, and aggregated service analytics; and
- Legal obligation — to comply with applicable laws.
EU and UK Users — Your Rights. Subject to applicable law, you have the right to access, correct, delete, restrict, or port your personal data, and to object to certain processing. To exercise these rights, contact us at support@avi.run with “GDPR Request” in the subject line. We will respond within the timeframe required by applicable law. You may also lodge a complaint with your local data protection authority.
International Transfers. When we transfer personal data from the EEA or UK to the United States, we rely on Standard Contractual Clauses (SCCs) or other applicable transfer mechanisms. Business customers who require a Data Processing Agreement (DPA) may request one at support@avi.run.
10. Your Rights and Choices
- Opt-Out of Marketing. Use unsubscribe links in emails or contact us. You will still receive transactional communications.
- Account Data. Update or correct account information via your settings or by contacting support. You may delete your account at any time; see Section 3 for retention details.
- Content Deletion. You may delete individual conversations, tasks, notes, contacts, interactions, updates, and files within the Service at any time.
- Integration Revocation. You may disconnect third-party integrations at any time via your project settings, which removes stored OAuth tokens.
- Cookies. Manage cookies via your browser settings; doing so may affect certain Site functionality.
- Do Not Track. We do not respond to Do Not Track signals.
- U.S. State Privacy Rights. If applicable U.S. state privacy law grants you additional rights regarding your personal information — including the right to know, access, delete, correct, or opt out of certain processing — you may exercise those rights by contacting us at support@avi.run. We do not sell personal information. We will respond as required by applicable law.
- California Residents (CCPA/CPRA). In addition to the above, California residents may submit requests by contacting support@avi.run with “CCPA Request” in the subject line. We will respond within the timeframe required by applicable law.
11. Administrative Access
Authorized Avi personnel may access account metadata and billing data through internal admin tools as needed to operate the Service, respond to support requests, investigate suspected abuse or security incidents, and perform billing operations (for example, granting promotional or compensatory credits to an account). Administrative actions that affect a billing balance — such as credit grants — are recorded with the acting staff member's identifier and an optional reason for audit purposes. Access is restricted to personnel with a legitimate need. Human access to Connected-Service Data (information received from third-party services you connect to Avi) is further restricted as described in Section 8.1(f).
12. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact support@avi.run and we will take steps to delete it.
13. Changes to This Policy
We may update this Policy at any time by posting a revised version on our Site. Changes are effective upon posting. We may, but are not obligated to, provide notice of changes via email or in-app notification. Your continued use of the Service after any change constitutes acceptance of the updated Policy. We encourage you to review this Policy periodically.
14. Contact Us
For privacy questions or to exercise your rights:
Serverless Inc.
522 San Anselmo Ave
San Anselmo, CA 94960
support@avi.run
California residents should include “CCPA Request” in the subject line. EU/UK residents should include “GDPR Request.”