Privacy Policy · Avenora

1. Introduction

This Privacy Policy describes how Avenora LLC ("Avenora," "we," "us," or "our"), a Pennsylvania limited liability company, collects, uses, discloses, retains, and protects personal information in connection with the Avenora AI phone receptionist and outbound sales coach platform (the "Service") and the avenora.ai website.

We do not sell personal information and we do not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act.

This Privacy Policy is incorporated into and forms part of our Terms of Service at avenora.ai/terms.

2. Definitions

"Account Holder" or "Customer" means a business or individual that holds a registered Avenora account.
"Caller" means an individual whose voice, telephone number, or other information is processed through inbound or outbound calls or SMS made via the Service.
"Personal Information" (or "PI") means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
"Process" means any operation performed on personal information, including collection, recording, storage, retrieval, use, disclosure, transmission, restriction, erasure, or destruction.
"Sale" and "Share" have the meanings given under the CCPA/CPRA; we do not engage in either.
"Sensitive Personal Information" has the meaning given under the CCPA/CPRA and includes precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric identifiers, health information, sexual orientation, and contents of communications.
"Service Provider" means a third party that processes personal information on Avenora's behalf pursuant to a written contract limiting use to specified business purposes.
"Subprocessor" means a Service Provider engaged by Avenora to process personal information on behalf of Avenora's customers.

3. Scope

This Privacy Policy applies to:

Visitors to the avenora.ai website
HVAC businesses and other Account Holders who register for and use the Service
Callers and SMS recipients whose communications are processed through the Service on behalf of an Account Holder
Job applicants and individuals who contact Avenora

Important — Avenora's role.When the Service processes personal information about Callers on behalf of an Account Holder, the Account Holder is generally the "business" (CCPA), "controller" (GDPR), or analogous controller of that personal information, and Avenora acts as a "Service Provider" / "processor." The Account Holder is responsible for providing required notices and obtaining required consents from Callers. Avenora processes Account Holder data (registration, billing, configuration) as a business / controller in its own right.

4. Categories of Information We Collect

4.1 Information from Account Holders

When you register for or use the Service as an Account Holder, we collect:

Identifiers: business name, owner name, email address, phone number, business address
Commercial information: EIN, billing history, payment method details (last 4 digits and expiration date only; full card numbers are processed by Stripe and never seen by Avenora), product configuration, integration credentials granted via OAuth
Internet activity: log-in records, dashboard usage, IP address, user-agent, session duration
Professional information: business size, area of operation, licensing data you provide
Inferences: usage patterns and engagement metrics derived from your interaction with the Service

4.2 Information from Callers (inbound and outbound)

When the Service processes calls on behalf of an Account Holder, we collect:

Identifiers: Caller phone number, name (if provided), street address (if provided), email (if provided)
Audio recordings of the call, retained per the schedule in Section 13
Transcripts of the call, generated by speech-to-text models
Summaries and metadata generated by AI processing of the call
Call metadata: direction, start time, end time, duration, telephony provider IDs, sentiment classification, intent classification
Sensitive Personal Information potentially conveyed during the call: content of communications (sensitive by definition under CPRA), and any information the Caller voluntarily provides during conversation (which could include health context for HVAC calls about elderly residents, financial context for payment discussion, etc.)

4.3 Information from SMS recipients

Identifiers: recipient phone number, opt-in evidence (timestamp, method)
Message content we send and any replies
Delivery metadata: delivery status, opt-out timestamps

4.4 Information from website visitors (avenora.ai)

Internet activity: IP address, user-agent, referring URL, pages visited, time spent
Form submissions: name, email, phone, business name (when you submit a contact form or ROI calculator)
Cookies and similar: see Section 6

4.5 Information we generate

We generate the following from inputs above:

Transcripts (speech-to-text output)
Summaries (AI-generated narrative summaries)
Intent and emergency classifications (AI-generated labels)
Conversation analytics and trends (aggregated, anonymized)
Booking records (proposed appointments)
Quality scores and operator-coaching feedback

4.6 Information from third parties

Telephony providers (Twilio): call routing metadata, recording storage, SMS delivery status
Integrations (when you connect them): calendar availability, CRM customer data per OAuth scope
Payment processor (Stripe): payment success/failure, dispute status
Email service (Postmark): email delivery / bounce data
Analytics (anonymized web analytics if used): aggregate visitor patterns

5. Sources of Information

We obtain personal information from:

Directly from you (account registration, account configuration, support inquiries, communications)
Automatically through your use of the Service (logs, telephony metadata, analytics)
From Callers and SMS recipients on your behalf (call content, replies)
From your Account Holder (if you are a Caller, from the Account Holder who routed your call to the Service)
From third-party Service Providers and integrations
From public sources or business directories (for outbound calling lists you upload)

6. Cookies, Pixels, SDKs & Tracking Technologies

On avenora.ai we use a minimal set of first-party cookies and standard server logs. We do not use third-party cross-site advertising tags, pixels, or remarketing trackers. Cookies we use are limited to:

Strictly necessary cookies for site security and form-state management
Functional cookies for user preferences (e.g., theme selection)
Analytics aggregated and anonymized (no individual visitor tracking)

Within the authenticated dashboard, additional functional cookies and local-storage are used for session management, preferences, and security. You can control cookies through your browser settings; doing so may impair Service functionality.

We honor the Global Privacy Control (GPC) browser signal as an opt-out from sharing where applicable; because we do not sell or share, no further action is required.

7. Purposes & Legal Bases

We use personal information for the following purposes:

To provide the Service: answer inbound calls, support outbound calls, transcribe, summarize, route to appropriate parties, send SMS to opted-in recipients, update CRMs
To bill you and process payments
To provide customer support and respond to inquiries
To monitor, debug, secure, and improve the Service
To prevent and investigate fraud, abuse, spam, security incidents, and TCPA / CAN-SPAM violations
To send service-related communications (account notifications, billing, security alerts, policy updates)
To comply with legal obligations and respond to lawful requests
To enforce our Terms of Service
To develop new features and conduct internal product research using aggregated, anonymized data
For our legitimate business interests including marketing avenora.ai (subject to your right to opt out of marketing)

Legal bases (where GDPR/UK GDPR applies): contract performance (provision of Service), legitimate interests (security, fraud prevention, analytics, improvement), legal obligation (regulatory compliance), and consent (where required, including SMS to wireless numbers, marketing email, optional cookies).

8. AI & Automated Processing — Transparency

The Service uses Artificial Intelligence to process voice communications. This section describes what we want you to know:

Speech-to-text: Caller audio is transcribed by automated speech-recognition models (currently Deepgram, OpenAI Whisper, and similar providers).
Conversational AI: The receptionist's conversational responses are generated by large language models (currently OpenAI gpt-realtime-2 and Anthropic Claude family models) operating under prompts configured by Avenora and your Account Holder.
Text-to-speech: The receptionist's voice is synthesized; it is not a human voice.
Intent / emergency classification: AI classifiers label call segments (e.g., "emergency," "booking," "routine") to support routing.
Summarization: AI generates post-call summaries.
Limitations: AI output may be inaccurate, incomplete, or otherwise wrong. Decisions made by AI in routing or booking are best-effort. Bookings and routing should be reviewed by a human; emergency routing is not a substitute for life-safety services.
No automated decisions with legal effect: Avenora does not use AI to make decisions that produce legal effects concerning you or similarly significant effects (e.g., we do not use AI to determine credit, insurance, employment, or pricing on an individualized basis).
Model training: Avenora does not use unaggregated, identifiable Customer or Caller data to train publicly-available third-party large language models. We may use aggregated, anonymized data, and we may fine-tune our proprietary models using account data for the purpose of operating the Service.
Subprocessor AI providers' terms: Subprocessors are bound by data-processing agreements that prohibit them from training their public models on your data.

9. SMS / Text Messaging Disclosures (CTIA-required)

When the Service sends SMS on behalf of an Account Holder to a recipient who has provided opt-in consent:

Message types: transactional notifications, including post-call summaries with payment links, deposit and billing confirmations, onboarding and scheduling reminders, emergency call routing alerts to on-call technicians, and account status notifications.
Frequency: message frequency varies.
Cost: Msg & data rates may apply per the recipient's wireless plan. Avenora is not liable for any carrier charges.
Opt-out: Reply STOP, UNSUBSCRIBE, CANCEL, END, or QUIT to be removed. One final confirmation is sent.
Re-subscribe: Reply START.
Help: Reply HELP or email support@avenora.ai.
Mobile information policy: Mobile information will not be shared with third parties for marketing or promotional purposes. Information may be disclosed to subprocessors (telephony, AI, payment, hosting) and to lawful authorities, as described elsewhere in this Policy.

10. Voice Recording Practices

Inbound calls answered by the Service are recorded after a spoken disclosure played at the start of the call (such as "This call may be recorded for quality and training"). Recordings are stored in the Account Holder's dashboard and retained per Section 13.

Two-party-consent jurisdictions: Recording laws differ by jurisdiction. As of the Effective Date, the following U.S. states require consent from all parties to a recorded conversation (or have analogous wiretap or eavesdropping statutes): California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon (in part), Pennsylvania, Vermont (in part), and Washington. Account Holders bear primary responsibility for ensuring the disclosure played by the Service satisfies all applicable requirements for any jurisdiction in which Callers are located. If you are a Caller and do not consent to recording, you may decline to continue the call.

11. How We Share Information

We do not sell personal information. We disclose personal information only as described below.

11.1 Service Providers / Subprocessors

We engage Service Providers under contracts limiting their use of personal information to providing services to Avenora. Categories of current Subprocessors:

Category	Provider	Purpose
Telephony	Twilio Inc.	Call routing, SMS delivery, recording storage
Conversational AI	OpenAI, OpenAI, LLC	Voice realtime AI, speech-to-text
Conversational AI	Anthropic PBC	Post-call analysis, summarization
Speech-to-text	Deepgram Inc.	Operator speech transcription
Payments	Stripe, Inc.	Subscription billing, payment processing
Email	ActiveCampaign LLC d/b/a Postmark	Transactional email delivery
Database / Auth	Supabase Inc.	Database, authentication, storage
Hosting (web)	Vercel Inc.	Web application hosting
Hosting (voice)	Railway Corp.	Voice service hosting
Observability	Sentry (Functional Software, Inc.), Axiom Solutions Ltd.	Error tracking, log management
Domain & DNS	GoDaddy.com LLC	Domain registration and DNS

We may engage additional or alternative Subprocessors at our discretion. Material changes to the Subprocessor list affecting how personal information is processed will be reflected in updates to this Policy.

11.2 Integrations connected by you

When you (as an Account Holder) connect a third-party integration via OAuth or API (e.g., Google Calendar, Jobber, HousecallPro), Avenora sends or receives data within the scope you grant. The third party's handling of the data is governed by its own privacy policy.

11.3 Legal compliance

We may disclose personal information when we believe in good faith that disclosure is necessary to: (a) comply with applicable law, court order, subpoena, or other legal process; (b) cooperate with law enforcement; (c) enforce our Terms of Service; (d) prevent or investigate fraud, security incidents, or violations of applicable law; or (e) protect the rights, property, or safety of Avenora, our customers, Callers, or the public. Where legally permitted and reasonable, we will give the affected party notice.

11.4 Business transfers

If Avenora is involved in a merger, acquisition, financing, reorganization, bankruptcy, dissolution, or sale of all or a portion of its assets, personal information may be transferred to the acquiring entity with continued protection under this Policy (or an updated policy of the acquirer that provides at least equivalent protection). We will provide notice of any such transfer.

11.5 With your consent or at your direction

We may share personal information with third parties when you specifically direct us to do so or provide consent.

11.6 Aggregated and de-identified data

We may use, disclose, and commercialize aggregated and de-identified data that cannot reasonably be used to identify any individual or household. We commit not to attempt to re-identify such data, and we contractually prohibit recipients from re-identifying it.

12. International Data Transfers

Avenora is based in the United States. Personal information is processed and stored in the United States and other jurisdictions where our Subprocessors operate. If you access the Service from outside the United States, you acknowledge that your personal information is being transferred to and processed in the United States. For EU/UK data subjects, the United States may not provide the same level of data protection as your home jurisdiction; by using the Service you consent to such transfer.

13. Data Retention

We retain personal information for the following periods, unless a longer period is required by law or a legal hold:

Data type	Retention	Basis
Outbound coach call recordings	4 years	TCPA / regulatory recordkeeping
Inbound receptionist call recordings	90 days (default; Account Holder configurable)	Operational
Call transcripts	Same as corresponding recording	Operational
SMS message logs (sent, replies, delivery)	18 months	TCPA / carrier defense
Opt-in / opt-out records	4 years (or longer if required by law)	TCPA defense
Account registration and billing records	7 years	Tax / audit compliance
Support inquiries	3 years	Operational
Web analytics (anonymized)	Indefinite	Aggregate trend analysis
Server logs	90 days (operational), up to 1 year (security)	Operational / security

Upon closure of an Account, personal information is deleted or anonymized in accordance with the retention schedule above, except as required to be retained by law, contract, or to support a legal hold.

14. Security Measures

We employ administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction, including:

Encryption of data in transit (TLS 1.2 or higher) and at rest (per-Subprocessor encryption)
Row-level security in our database, with tenant-isolation enforced at the database layer
Role-based access controls, least-privilege provisioning, and access auditing
Secret rotation, secure credential storage (managed vaults), and revocation procedures
Multi-factor authentication for personnel accessing production systems
Subprocessor due diligence, contractual data-protection commitments, and SOC 2 reliance where available
Vulnerability monitoring and patching
Incident response procedures including timely notification of affected parties and authorities as required by law

No method of transmission or storage is 100% secure. We cannot guarantee absolute security. You use the Service at your own risk and should not transmit information you do not want to be subject to the inherent risks of internet transmission.

15. Your Rights — General

Subject to your jurisdiction and the type of relationship you have with us, you may have rights to:

Access the personal information we hold about you
Correct inaccurate personal information
Delete personal information (subject to legal retention exceptions)
Restrict or object to certain processing
Portability — receive your data in a machine-readable format
Withdraw consent for processing based on consent (including SMS opt-out, account closure)
Non-discrimination for exercising privacy rights
Appeal a denial of any rights request (state laws below)
Lodge a complaint with a supervisory or data-protection authority

16. How to Submit a Privacy Request (DSAR Process)

How to submit: email privacy@avenora.aiwith subject line "Privacy Request" and include: (a) the right you wish to exercise; (b) sufficient information to verify your identity (your account email if an Account Holder; the phone number associated with your call records and approximate call date if a Caller; or such other information as we reasonably request); (c) your jurisdiction of residence (so we can apply the correct framework); and (d) a clear, specific description of the request.

Verification: we may ask for additional information or a sworn declaration to verify your identity, particularly for sensitive requests like deletion. We will not make decisions based on automated processing of your verification information.

Authorized agents:California consumers may use an authorized agent. We require written, signed authorization, verification of the agent's identity, and verification of the consumer's identity.

Timing: we will acknowledge your request within 10 business days and substantively respond within 45 calendar days (extendable by another 45 days with notice).

Fees: there is no fee for the first request in a 12-month period; subsequent requests in the same period that are excessive, repetitive, or unfounded may incur a reasonable administrative fee or be denied.

Appeals:if we deny a request, you may appeal by replying to our response email with the subject line "Privacy Request — Appeal." We will respond to the appeal within 60 days.

Caller requests:if you are a Caller (not an Account Holder), your communications and recordings reside in the Account Holder's account. We will route your request to the Account Holder where reasonable; the Account Holder, not Avenora, is responsible for substantive response, with Avenora's cooperation as a Service Provider.

17. California Residents — Notice (CCPA / CPRA)

This Section applies to California residents and supplements Section 15.

17.1 Categories of personal information collected and disclosed

In the 12 months preceding the Effective Date, we have collected the following categories of personal information (as enumerated under Cal. Civ. Code § 1798.140):

Identifiers (name, email, phone, address)
Commercial information (transactions)
Internet or other electronic network activity
Audio, electronic, or similar information (voice recordings, transcripts)
Professional or employment-related information (business affiliation)
Inferences drawn from the above to create a profile reflecting preferences and characteristics
Sensitive personal information: contents of communications (voice content, SMS content)

We have disclosed these categories to the categories of Service Providers and third parties described in Section 11 of this Policy for the business purposes described in Section 7.

17.2 California rights

You have the right to:

Know the categories of personal information collected, the categories of sources, the business or commercial purposes, the categories of third parties with whom the information is shared, and the specific pieces of personal information collected about you
Delete personal information collected from you (subject to retention exceptions)
Correct inaccurate personal information
Limit use of sensitive personal information to specified purposes (e.g., to provide the Service requested)
Opt out of sale or sharing for cross-context behavioral advertising
Non-discrimination — we will not deny goods or services, charge different prices, or provide different quality because you exercised a CCPA right
Authorized agent — you may designate an agent to submit requests on your behalf
Appeal a denial — see Section 16

17.3 "Do Not Sell or Share My Personal Information"

Avenora does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. No action by you is required to opt out, because opt-out is the default.

17.4 Sensitive Personal Information limitation

Avenora uses sensitive personal information (such as the contents of communications captured in call recordings and transcripts) only as reasonably necessary to perform the Service and for the limited purposes permitted by CPRA § 1798.121(a). We do not use sensitive personal information to infer characteristics about you for marketing or for any purpose outside those permitted business purposes.

17.5 Submission method

California residents may submit requests by emailing privacy@avenora.aiwith subject line "California Privacy Request" following the procedure in Section 16.

17.6 California Shine the Light

California Civil Code § 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for the third parties' direct marketing purposes in the preceding calendar year. Avenora does not disclose personal information to third parties for their direct marketing purposes. California residents may still email privacy@avenora.aiwith subject line "Shine the Light" to confirm.

18. Other U.S. State Privacy Rights

If you are a resident of Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Delaware (DPDPA), New Jersey (NJDPA), Florida (FDBR), or another U.S. state with a comprehensive consumer-privacy law, you may have rights similar to the California rights described in Section 17, including (subject to state-specific scope and exceptions): right to access, right to correct, right to delete, right to portability, right to opt out of sale, right to opt out of targeted advertising, right to opt out of profiling with legal or significant effects, and right to appeal a denial.

Avenora does not sell personal information, does not engage in targeted advertising, and does not engage in profiling with legal or similarly significant effects. No action is required for these opt-outs.

To exercise other rights, email privacy@avenora.aiwith the subject line "[Your State] Privacy Request" per the procedure in Section 16. We will apply the framework most protective of your rights where state laws overlap.

19. EU / UK Residents (GDPR / UK GDPR)

Avenora is a U.S.-based business targeting U.S. HVAC contractors and does not intentionally market to or solicit data from EU or UK residents. If we receive personal data from EU or UK data subjects in the ordinary course (for example, a Caller traveling abroad), we process it on the legal bases described in Section 7. You have rights under the GDPR or UK GDPR including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You may exercise these rights by emailing privacy@avenora.ai or by lodging a complaint with your local supervisory authority.

Personal data is transferred to the United States. We rely on (where required) Standard Contractual Clauses or other appropriate safeguards with our Subprocessors. You may request more information at the email above.

20. Canadian Residents (PIPEDA)

If you are a Canadian resident, you have rights under PIPEDA including access and correction. We do not sell personal information. To exercise rights, email privacy@avenora.ai. Complaints may be directed to the Office of the Privacy Commissioner of Canada.

21. Children's Privacy (COPPA / GDPR-K)

The Service is a B2B platform and is not directed at children under 16. We do not knowingly collect personal information from children under 13 (the U.S. COPPA threshold) or under 16 (the GDPR-K threshold). If you believe a child has provided personal information to the Service, please contact privacy@avenora.ai and we will delete it promptly upon verification.

22. Sensitive Personal Information

We may incidentally collect Sensitive Personal Information when a Caller discusses health, financial, or other sensitive matters during a call. We use Sensitive Personal Information only for the limited business purposes permitted by applicable law (operating the Service requested by the Account Holder, preventing fraud, ensuring security, and complying with law), and we do not use it to infer characteristics for marketing.

Avenora is not HIPAA-compliant. The Service is not designed for the processing of Protected Health Information (PHI). Account Holders must not use the Service for PHI processing.

23. Automated Decision-Making

Avenora does not make solely-automated decisions that produce legal effects or similarly significant effects concerning you. Where AI assists in routing (e.g., emergency classification) or scheduling (e.g., proposed appointment slots), the AI output is a recommendation reviewed by a human (the Account Holder, on-call technician, or your representative) before any consequential action is taken.

24. Notice of Financial Incentive

Avenora does not offer any financial incentive program (such as discounts in exchange for personal information) within the meaning of CCPA § 1798.125(b).

25. Do Not Track Signals

Avenora does not track users across third-party websites and does not use third-party advertising trackers. We honor the Global Privacy Control browser signal as an opt-out where applicable.

26. Third-Party Links

The Service and avenora.ai may contain links to or integrate with third-party websites and services. Avenora is not responsible for the privacy practices of third parties. Review their privacy policies before providing personal information.

27. Disability Accommodations

If you have a disability and need assistance with privacy choices, contact privacy@avenora.ai for reasonable accommodation.

28. Workplace Privacy

If you are an employee or contractor of an Account Holder and interact with the Service in that capacity, your use of the dashboard is subject to your employer's policies, which we are not responsible for.

29. Changes to This Policy

We may update this Policy from time to time. The "Last updated" date will change. For material changes affecting how we use personal information, we will provide notice via email or in-app at least 14 days before the change takes effect, where reasonably practical. Continued use of the Service after the effective date indicates acceptance.

30. Privacy Officer; Contact

Avenora LLC
Attention: Privacy Officer
502 W 7th St STE 100
Erie, PA 16502, USA

Email: privacy@avenora.ai
Support: support@avenora.ai
Legal: legal@avenora.ai

31. Metrics & Annual Report (where required)

Where required by state law (e.g., California for businesses meeting certain thresholds), Avenora will publish annual metrics regarding privacy-request volume in this Section. Avenora is below applicable thresholds for the current reporting period.