Beta Notice
This application is currently in beta. This Privacy Policy is under legal review and may be updated before the official launch. By using the service during the beta period, you acknowledge that both the service and this policy are subject to change.
Privacy Policy
Effective Date: February 9, 2026 | Last Updated: February 9, 2026
Plain Language Summary
We know privacy policies can be dense. Here's what you need to know:
- What we collect: Your email, password (encrypted), payment info (handled by Stripe), and your conversations with our AI advisors.
- The AI part: Your conversations are sent to Anthropic (our AI provider) to generate responses. Anthropic does NOT use your conversations to train their models.
- Your control: You can access, download, or delete your data anytime. Email us at privacy@advizo.app.
- Your rights: You have extensive privacy rights under both EU (GDPR) and US law (including California CCPA). See details below.
1. Introduction
1.1 Who We Are
Advizo ("we," "us," or "our") operates the website advizo.app and provides AI-powered advisory services for first-time managers.
Data Controller:
Netopyr GmbH
Maxim-Gorkij-Straße 15
79111 Freiburg im Breisgau
Germany
Email: privacy@advizo.app
Phone: +49 761 8879 6611
Data Protection Officer: Not required for our business size
1.2 Scope of This Policy
This Privacy Policy describes how we collect, use, share, and protect your personal information when you:
- Visit our website
- Create an account
- Subscribe to our service
- Communicate with us
This policy applies to all users regardless of location, with additional rights for EU/EEA residents (GDPR) and California residents (CCPA/CPRA).
2. Information We Collect
2.1 Information You Provide Directly
Account Information
- Email address
- Password (hashed using industry-standard bcrypt - we never see your actual password)
- Name (if you choose to provide it)
Plain Language: We need your email to create your account and send you important updates. Your password is encrypted - even we can't see it.
Payment Information
- Credit card details (collected and processed by Stripe - we never see your full card number)
- Billing address (if required by your payment method)
Plain Language: Stripe handles all payment processing. We never see your full credit card number - only the last 4 digits.
Conversation Content
- All messages you send to our AI advisors
- Context you provide about workplace situations
- Any feedback you submit
Plain Language: This is the core of our service - your conversations about management challenges. See Section 3.2 for critical information about how AI processing works.
2.2 Information Collected Automatically
Usage Data
- Pages you visit on our site
- Features you use
- Time spent in conversations
- Device and browser information (type, version, operating system)
- IP address
- Referring website
Cookies and Similar Technologies
We use cookies for:
- Essential cookies: Keeping you logged in, remembering your consent choices (always active)
- Analytics cookies: Google Ads conversion tracking (only with your consent)
You can manage cookie preferences via the "Cookie Settings" link in our footer.
Plain Language: We track basic usage to improve the product and measure our advertising effectiveness. You control whether we can use marketing cookies.
3. How We Use Your Information
3.1 Primary Purposes
We use your personal information to:
1. Provide the Service (Legal basis: Contract performance - GDPR Art. 6(1)(b))
- Authenticate your account
- Process your subscription payments
- Generate AI advisor responses to your questions
- Save your conversation history
- Send transactional emails (signup confirmation, password resets, billing notifications)
2. Improve the Service (Legal basis: Legitimate interests - GDPR Art. 6(1)(f))
- Analyze usage patterns
- Identify bugs and technical issues
- Develop new features
3. Comply with Legal Obligations (Legal basis: Legal compliance - GDPR Art. 6(1)(c))
- Maintain records required by law
- Respond to law enforcement requests
- Process data subject rights requests
4. Marketing (Legal basis: Consent - GDPR Art. 6(1)(a))
- Track Google Ads conversions (only with cookie consent)
- Measure advertising effectiveness
3.2 AI Processing - Critical Information
How AI Processing Works:
When you send a message to one of our AI advisors, your message and conversation history are sent to Anthropic (our AI provider) via their Claude API. Anthropic's AI model processes your conversation context to generate a response, which we then display to you.
What This Means:
- Your conversation content leaves our systems and is sent to Anthropic's servers
- Encryption in transit: All data is encrypted using TLS when transmitted to Anthropic
- Data Processing Agreement: We have a Data Processing Agreement (Auftragsverarbeitungsvertrag/AVV) with Anthropic as required by GDPR Art. 28
- No AI training: Anthropic does NOT use your conversations to train their AI models (this is contractually guaranteed in our agreement with Anthropic)
- Retention by Anthropic: 30 days
- Location of processing: Anthropic processes data in the United States (see Section 5 on international transfers)
Legal Basis: Contract performance (GDPR Art. 6(1)(b)) - AI processing is essential to provide the advisory service you subscribed to.
Your Control: You can request deletion of your conversations at any time (see Section 8).
Plain Language: Your conversations are sent to Anthropic (the company that makes the Claude AI) so they can generate helpful responses. They don't use your conversations to improve their AI, and you can delete your conversation history anytime.
3.3 Automated Decision-Making
Our AI advisors provide guidance and suggestions, but we do not use automated decision-making that produces legal effects or similarly significantly affects you without human intervention. The AI provides advice; you make all final decisions about your workplace situations.
Plain Language: The AI gives you advice, but you're always in control of what you do with that advice.
4. Information Sharing and Third-Party Services
4.1 Third-Party Service Providers
We share your information with the following third-party service providers who process data on our behalf:
| Service Provider | Purpose | Data Shared | Location | Data Transfer Mechanism |
|---|---|---|---|---|
| Anthropic | AI conversation processing | Conversation content, session context | United States | Standard Contractual Clauses (SCCs) |
| Stripe | Payment processing | Email, payment card details, billing address | United States | EU-US Data Privacy Framework certified |
| Resend | Transactional emails | Email address, name (if provided) | United States | |
| Neon | Database hosting | All account and conversation data | United States | |
| Vercel | Web hosting and infrastructure | IP addresses, usage data | United States (with edge locations globally) | |
| | Advertising conversion tracking | IP address, cookie identifiers, device information | United States | EU-US Data Privacy Framework certified |
Plain Language: These companies help us run Advizo. They only access your data to perform specific services for us, and we have contracts requiring them to protect your information.
4.2 No Selling of Personal Information
We do NOT sell your personal information to third parties. We do NOT sell your conversation content to anyone.
California Residents: We do not "sell" or "share" (as those terms are defined in the CCPA) your personal information. The Google Ads pixel may constitute "sharing" under CCPA - if you prefer to opt out, use our cookie settings to reject marketing cookies.
4.3 Legal Disclosures
We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to:
- Comply with legal obligations
- Protect our rights or property
- Prevent fraud or abuse
- Protect user safety
5. International Data Transfers
For EU/EEA Residents:
Our service involves transferring your personal data from the EU/EEA to the United States and potentially other countries. We ensure these transfers comply with GDPR Chapter V through:
1. Standard Contractual Clauses (SCCs): We have executed EU-approved Standard Contractual Clauses with:
- Anthropic (for AI processing)
2. EU-US Data Privacy Framework: The following service providers are certified under the EU-US Data Privacy Framework:
- Stripe
3. Supplementary Measures: We implement additional technical and organizational measures to protect data transferred to the US, including:
- Encryption of sensitive data at rest
- Contractual prohibitions on unlawful government access
- Regular security audits
Plain Language: Because we use US-based services, your data crosses the Atlantic. We use legally approved contracts and security measures to keep it protected.
6. Data Retention
6.1 Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until account deletion + 30 days | Provide service; allow grace period for account recovery |
| Conversation history | Until you delete it, or account deletion + 30 days | Provide service; user access to past conversations |
| Payment records | 7 years after last transaction | Tax compliance; fraud prevention |
| Consent records | 3 years from date of consent | California Automatic Renewal Law; GDPR compliance |
| Usage analytics | 26 months | Business analytics; GDPR limitation principle |
| Cookie data | 13 months (analytics); session duration (essential) | Cookie consent validity period |
| Email communication logs | 2 years | Customer support; dispute resolution |
After Active Retention Period:
- Data is either securely deleted or fully anonymized (irreversibly stripped of personal identifiers)
Plain Language: We keep your data as long as you have an account or as long as the law requires. When you delete your account, most data is gone within 30 days.
6.2 Right to Request Earlier Deletion
You can request deletion of your data at any time (see Section 8.2). We will comply except where retention is required by law.
7. Security
7.1 Technical and Organizational Measures
We protect your personal information using industry-standard security measures:
Technical Measures:
- Encryption at rest: All database contents encrypted
- Encryption in transit: TLS 1.3 for all data transmission
- Password hashing: bcrypt with 12 salt rounds (a one-way hash - we cannot recover your password from it)
- Secure sessions: Encrypted, signed HTTP-only cookies using iron-session
- HTTPS-only: All pages served over encrypted HTTPS
Organizational Measures:
- Limited employee access (access controls and audit logs)
- Regular security reviews
- Vendor security assessments
- Incident response procedures
Plain Language: We use strong encryption and limit who can access your data. Your password is encrypted in a way that even we can't see it.
7.2 No Absolute Security
Despite our efforts, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your information using reasonable and appropriate measures.
8. Your Privacy Rights
8.1 Rights for EU/EEA Residents (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights:
1. Right of Access (Art. 15)
- Request a copy of all personal data we hold about you
- Receive information about how we process your data
2. Right to Rectification (Art. 16)
- Correct inaccurate personal data
- Complete incomplete personal data
3. Right to Erasure / "Right to be Forgotten" (Art. 17)
- Request deletion of your personal data when:
  - No longer necessary for the purposes collected
  - You withdraw consent
  - You object to processing
  - Data processed unlawfully
- Exceptions: We may retain data when required by law or for legitimate legal claims
4. Right to Restriction of Processing (Art. 18)
- Request we limit how we use your data in certain circumstances
5. Right to Data Portability (Art. 20)
- Receive your data in a structured, machine-readable format (JSON)
- Transmit your data to another service provider
6. Right to Object (Art. 21)
- Object to processing based on legitimate interests
- Object to direct marketing (absolute right)
7. Right to Withdraw Consent
- Withdraw consent for processing based on consent at any time
- Does not affect lawfulness of processing before withdrawal
8. Right to Lodge a Complaint
- File a complaint with your national data protection authority
- German residents: You can contact the Landesbeauftragte für Datenschutz und Informationsfreiheit Baden-Württemberg
How to Exercise Your Rights:
Email: privacy@advizo.app
We will respond within 30 days (extended to 60 days for complex requests, with notification).
Plain Language: You can see what data we have, fix errors, delete your account, download your data, or object to how we use it. Just email us.
8.2 Rights for California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights:
1. Right to Know
- Categories of personal information collected
- Categories of sources
- Business purposes for collection
- Categories of third parties we share with
- Specific pieces of personal information we've collected
2. Right to Delete
- Request deletion of personal information we collected from you
- Exceptions: We may retain data when necessary for legal compliance, fraud detection, or completing transactions
3. Right to Correct
- Request correction of inaccurate personal information
4. Right to Opt-Out of Sale/Sharing
- We do NOT sell your personal information
- The Google Ads pixel may constitute "sharing" - you can opt out via Cookie Settings
5. Right to Limit Use of Sensitive Personal Information
- We do not use sensitive personal information (as defined by CPRA) for purposes other than providing the service
6. Right to Non-Discrimination
- We will not discriminate against you for exercising your privacy rights
Categories of Personal Information We Collect (CCPA):
- Identifiers (email, IP address)
- Commercial information (subscription records, payment history)
- Internet activity (usage data, pages visited)
- Professional information (workplace situations you describe in conversations - used only to provide advisory service)
How to Exercise Your Rights:
Email: privacy@advizo.app
Phone: +49 761 8879 6611
We will verify your identity and respond within 45 days.
Plain Language: California law gives you strong privacy rights. You can see, correct, or delete your data, and we won't penalize you for asking.
8.3 Rights for All Users
Regardless of location, you can:
- Access your conversation history in the app
- Delete individual conversations
- Update your email address in account settings
- Request account deletion via email
9. Account Deletion and Data Export
9.1 How to Delete Your Account
To delete your account, email privacy@advizo.app with subject line "Account Deletion Request."
What happens:
- We verify your identity
- We cancel your subscription (you will not be billed further)
- We delete your account data within 30 days, except:
  - Payment records (retained 7 years for tax/fraud prevention)
  - Consent records (retained 3 years per California law)
- You receive confirmation via email
Plain Language: Email us to delete your account. Most data is gone in 30 days; some financial records are kept longer for legal compliance.
9.2 How to Export Your Data
To receive a copy of your data, email privacy@advizo.app with subject line "Data Export Request."
You will receive:
- JSON file with all conversation history
- Account information
- Subscription history
We provide exports within 30 days of your request.
Plain Language: Want a copy of your conversations? Email us and we'll send you a file you can download.
10. Children's Privacy
Our service is not intended for anyone under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us immediately at privacy@advizo.app and we will delete it.
11. Email Communications
11.1 Types of Emails We Send
Transactional Emails (required for service):
- Signup confirmation with subscription details (California Automatic Renewal Law requirement)
- Password reset links
- Payment receipts and billing notifications
- Trial expiration reminders
- Annual subscription reminders (California Automatic Renewal Law requirement)
- Critical service updates
Marketing Emails (optional):
- We do not currently send marketing emails
- If we introduce marketing emails in the future, they will include an unsubscribe link
11.2 CAN-SPAM Act Compliance
Our emails comply with the CAN-SPAM Act:
- Accurate sender information
- Truthful subject lines
- Physical mailing address in email footer: Netopyr GmbH, Maxim-Gorkij-Straße 15, 79111 Freiburg im Breisgau, Germany
- Clear unsubscribe mechanism (for marketing emails)
- Opt-out honored within 10 business days
Plain Language: We only email you about your account and subscription. No spam.
12. Cookie Policy
12.1 What Are Cookies?
Cookies are small text files stored on your device when you visit our website. They help us remember your preferences and understand how you use our service.
12.2 Cookies We Use
Essential Cookies (always active):
- session_token - Keeps you logged in (expires when you close browser or log out)
- cookie_consent - Remembers your cookie preferences (expires after 13 months)
Analytics/Marketing Cookies (require your consent):
- Google Ads conversion tracking - Measures advertising effectiveness (expires after 90 days)
- Microsoft/Bing UET - Measures advertising effectiveness (expires after 180 days)
- LinkedIn Insight Tag - Measures advertising effectiveness (expires after 90 days)
- Meta Pixel - Measures advertising effectiveness (expires after 90 days)
- Reddit Pixel - Measures advertising effectiveness (expires after 90 days)
- Quora Pixel - Measures advertising effectiveness (expires after 90 days)
12.3 Managing Cookies
Change Settings: Click "Cookie Settings" in the website footer to review and update your preferences.
Browser Settings: You can configure your browser to reject all cookies, but this will prevent you from using our service (essential cookies are required for login).
Withdraw Consent: You can withdraw consent for analytics/marketing cookies at any time via Cookie Settings.
Plain Language: We use cookies to keep you logged in and measure our ads. You control the ad tracking cookies.
13. Links to Third-Party Websites
Our website may contain links to external websites (e.g., in help documentation or blog posts). We are not responsible for the privacy practices of third-party sites. We encourage you to read their privacy policies before providing any personal information.
14. Business Transfers
If we are acquired by or merged with another company, or if we sell substantially all of our assets, your personal information may be transferred to the acquiring entity. We will notify you via email and/or prominent website notice before your information becomes subject to a different privacy policy.
Plain Language: If we're bought by another company, your data might transfer to them. We'll let you know before that happens.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our practices
- Changes in applicable law
- New features or services
How We Notify You:
- Material changes: Email notification + prominent website banner
- Minor changes: Updated "Last Updated" date at top of this page
Your Continued Use: Continued use of our service after changes constitutes acceptance of the updated policy.
Plain Language: We'll email you if we make big changes. Minor updates get posted here with a new date.
16. Contact Us
General Privacy Inquiries:
Email: privacy@advizo.app
Phone: +49 761 8879 6611
Mail:
Netopyr GmbH
Maxim-Gorkij-Straße 15
79111 Freiburg im Breisgau
Germany
Data Protection Officer (if applicable): Not required
Response Time: We aim to respond to all privacy inquiries within 7 business days (legally required responses within 30-45 days depending on jurisdiction).
EU/EEA Residents - Supervisory Authority:
If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority.
German residents based in Baden-Württemberg can contact:
Baden-Württemberg Commissioner for Data Protection and Freedom of Information
Postfach 10 29 32, 70025 Stuttgart
18. Legal Framework Summary
This Privacy Policy is designed to comply with:
- EU: General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
- Germany: Bundesdatenschutzgesetz (BDSG), Telemediengesetz (TMG), Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG)
- United States: California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), California Automatic Renewal Law (Business & Professions Code §17602), Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
- Other US States: Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and other state privacy laws with similar requirements
Plain Language: We follow privacy laws in both Europe and the United States to protect your information.
Appendix A: California-Specific Disclosures
A.1 California "Shine the Light" Law
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing. We do not disclose personal information to third parties for their direct marketing purposes.
A.2 Do Not Track Signals
We do not currently respond to "Do Not Track" (DNT) browser signals. You can control tracking through our Cookie Settings.
A.3 California Automatic Renewal Law - Subscription Terms Summary
As required by California Business & Professions Code §17602:
Subscription Details:
- Service: Advizo AI Advisory Subscription
- Price: $29.00 per month
- Trial Period: 14 days free, then auto-renews at $29/month
- Billing Frequency: Monthly, charged automatically to your payment method
- Cancellation: Cancel anytime via your Account page → "Manage Subscription" → Stripe Customer Portal
- Cancellation Effect: Access continues until end of current billing period; no refunds for partial months
- Annual Reminder: You will receive an email reminder each year of your subscription containing this information and cancellation instructions
Plain Language: Your subscription auto-renews every month at $29 until you cancel. Cancel anytime through your account settings.
Appendix B: Glossary
- Personal Information/Personal Data: Information that identifies, relates to, or could reasonably be linked to you.
- Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion).
- Data Controller: The entity that determines why and how personal data is processed (that's us - Advizo).
- Data Processor: An entity that processes data on behalf of a controller (e.g., Anthropic, Stripe).
- Data Subject: An individual whose personal data is processed (that's you).
- GDPR: General Data Protection Regulation - EU privacy law.
- CCPA/CPRA: California Consumer Privacy Act / California Privacy Rights Act - California privacy laws.
- Standard Contractual Clauses (SCCs): EU-approved contract templates for international data transfers.
- EU-US Data Privacy Framework: A program allowing certified US companies to receive EU data with adequate protections.
End of Privacy Policy