Legal
Privacy Policy
Last updated:
Who we are
Avelto Inc. — to be updated with legal entity. We provide an AI roleplay training and certification platform for sales and customer-support teams. This Privacy Policy explains how we process personal data on behalf of our customers (the controller of the employee data) and as a controller for our own administrative records.
What data we collect
- Account data — your work email, full name, role, manager, and language preference.
- Conversation transcripts — the messages you exchange with the AI persona during roleplay. Transcripts are encrypted at rest using envelope encryption (per-tenant data-encryption keys).
- Scoring metadata — rubric scores, AI summaries, manager overrides, and certification records.
- Behavioral telemetry — keystroke timing, paste events, and tab focus signals used to detect cheating during scored conversations.
- Operational logs — audit log of admin/manager actions; HTTP and error telemetry for reliability.
Why we process it
- Legitimate interest (Art. 6(1)(f) GDPR) for training and assessing employees in the context of the employment relationship.
- Explicit consent for AI roleplay recording (banner shown on first chat) and for optional product analytics.
- Contract necessity for account creation and authentication.
- Legal obligation for audit-log retention.
Sub-processors
We rely on the following sub-processors. The full live list lives at /sub-processors.
- Anthropic — Persona + Evaluator LLM (Claude).
- OpenAI — optional Persona/Evaluator and content moderation.
- Cloudflare — CDN and R2 object storage.
- Resend — transactional email.
- Sentry — error and performance monitoring.
- PostHog — product analytics (only when you opt in).
All LLM providers are bound by Data Processing Agreements that prohibit using customer data to train their models.
Retention
Conversation transcripts and scores are retained for 12 months by default, configurable per organization. Audit-log entries are retained for 7 years to align with employment-records baselines. Soft-deleted user records are hard-deleted within 30 days; backups age out separately, typically within 90 days.
Your rights
Subject to GDPR Articles 15–22, you can:
- Export your data via POST /me/export from your profile page. We email you a download link valid for 7 days.
- Delete your account via POST /me/delete. We soft-delete immediately and cascade hard-delete within 30 days.
- Correct your profile from your profile page; for fields you cannot edit, contact your admin or privacy@avelto.app.
- Object to processing or lodge a complaint with your supervisory authority.
Data Protection Officer
DPO contact: to be appointed. Until then, reach our privacy function at privacy@avelto.app.
Changes to this policy
We will notify customers of material changes at least 30 days before they take effect. Minor clarifications may be made without notice.