AevosOS

Privacy Policy

Effective Date: May 6, 2026

Data Deletion Instructions

You have the right to permanently delete all data AevosOS holds about you, including your account, all connected service authorizations, and any cached message metadata. You can do this in three ways:

  1. In-App: Navigate to Settings → Danger Zone → Delete My Account. This deletes your account and all associated data immediately.
  2. By Email: Send a deletion request to privacy@aevosos.com with the subject line "Data Deletion Request". We will process your request and confirm deletion within 30 days.
  3. Via Connected Platform: If you connected your Facebook or Meta account, you may also submit a deletion request directly through Facebook's App Settings by removing AevosOS. We will receive a deletion signal and purge your data within 30 days.

In most cases, in-app deletion completes within seconds; the 30-day ceiling applies to email and platform-initiated requests so we can verify the request and propagate the purge to all systems and backups. Upon deletion, all OAuth tokens, message metadata, user preferences, and account records are permanently removed and cannot be recovered. You may visit aevosos.com/data-deletion for a dedicated deletion request form.

1. Introduction

Aevos OS Ltd ("AevosOS," "we," "us," or "our") is a company registered in England & Wales with its registered office at 27 The Parkway, SS8 0AQ, United Kingdom. We operate the AevosOS Enterprise AI Operating System (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you access or use our Service, and the rights you have in relation to your personal data under the UK GDPR, the EU GDPR, and other applicable privacy laws.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

Data Controller: Aevos OS Ltd is the data controller for personal data processed in connection with the Service, within the meaning of the UK GDPR and the EU GDPR.

2. Definitions

  • Account — your unique credential to access the Service.
  • Service — the AevosOS application and any related websites, APIs, and tools we provide.
  • Company (or "we," "us," "our") — Aevos OS Ltd, the data controller.
  • Personal Data — any information relating to an identified or identifiable natural person.
  • Service Provider — a third party we engage to process personal data on our behalf (a "processor" under the GDPR).
  • Usage Data — information collected automatically as you interact with the Service, such as IP address, browser type, and timestamps.
  • You (or "User") — the individual or organisation accessing the Service.

3. Information We Collect

Account Information: When you register, we collect your name, email address, and any profile information you provide (title, company, preferences).

Third-Party Communication Data: With your explicit OAuth authorization, AevosOS connects to third-party messaging and email platforms — including Google Gmail, Meta WhatsApp, Telegram, SMS (via Twilio), and Slack — solely to retrieve, aggregate, and prioritize your incoming communications within the Service. We access only the minimum data necessary ("least privilege") to render the Service. We store short snippets (up to 500 characters) needed to display each message in your inbox; we do not store full message bodies, and we purge all stored snippets when you disconnect a service or delete your account.

Help & Support Conversations: If you contact us through the in-app help-chat or by email, we retain those transcripts for up to 12 months from the last interaction so we can resolve disputes, investigate abuse, and improve the Service. These conversations are not used to train any AI model.

OAuth Tokens: Access tokens for all connected services are encrypted at rest using AES-256-GCM and are never shared with third parties outside the scope of delivering the Service.

Usage Data: We may collect standard server logs including IP address, browser type, pages visited, and timestamps to operate and improve the Service.

We do not collect: social-login credentials beyond Google (Gmail) and Meta (WhatsApp Business). We do not offer Facebook, Instagram, X (Twitter), or LinkedIn login. If you see a third-party login button, it is for one of the integrations listed above and not for authenticating to AevosOS.

4. AI Processing of Communications

AevosOS uses artificial intelligence — including third-party large language model APIs — to analyze, score, summarize, and prioritize your messages. This processing occurs on a per-request basis to deliver the Service.

Data sent to our AI providers is never used for model training, but may be retained by them for up to 30 days strictly for trust, safety, and abuse-monitoring purposes. We do not retain message content within AevosOS beyond what is required to display it in your inbox, and we do not retain message content after you disconnect a service or delete your account.

5. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the Service;
  • Connect to third-party platforms on your behalf to retrieve and aggregate your communications;
  • Apply AI-based gravity scoring to rank and surface high-priority messages;
  • Authenticate you and maintain the security of your account;
  • Send you operational communications (e.g., account alerts, security notices);
  • Resolve disputes and investigate abuse using help-chat transcripts;
  • Comply with legal obligations.

We do not sell your personal information or your communications data to any third party. We do not train any AI model on your data, and our third-party AI providers are contractually prohibited from using it for training (see Section 4 for the retention period they apply for trust and safety purposes).

6. Legal Basis for Processing (UK / EU GDPR)

Where the UK GDPR or the EU GDPR applies, we rely on the following legal bases under Article 6:

  • Performance of a contract (Art 6(1)(b)) — processing required to deliver the Service you have signed up for, including OAuth ingestion and AI prioritization.
  • Legitimate interests (Art 6(1)(f)) — keeping the Service secure, preventing fraud and abuse, retaining help-chat transcripts for dispute resolution, and improving the Service. We balance these interests against your rights and freedoms before relying on this basis.
  • Legal obligation (Art 6(1)(c)) — retaining financial and tax records, responding to lawful access requests, and meeting our regulatory duties.
  • Consent (Art 6(1)(a)) — granting OAuth access to third-party platforms and any optional marketing communications. You may withdraw consent at any time.

7. Third-Party Integrations

The Service integrates with third-party platforms including Google (Gmail), Meta (WhatsApp), Twilio (SMS), Telegram, and Slack. Your use of these integrations is subject to those platforms' respective terms of service and privacy policies. We access these services solely via their official APIs and only with your explicit OAuth authorization.

Google API Services: AevosOS's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. AevosOS does not use Google user data for serving advertisements, does not allow humans to read your Gmail data except with your express permission or as required by law, and does not use or transfer Google user data to train AI models.

Meta / WhatsApp: AevosOS accesses WhatsApp message data solely to display and prioritize your messages within the Service. We access only the minimum required scope. You may revoke this access at any time from the WhatsApp or Facebook app settings, or from within AevosOS Settings.

8. Service Providers

We engage the following processors to operate the Service. Each is bound by a written data processing agreement that requires equivalent or stronger protections than those in this policy:

  • Anthropic, PBC — large-language-model API for gravity scoring, summaries, and the in-product Oracle and briefing features.
  • OpenAI, L.L.C. — embeddings API for semantic search over your inbox.
  • Supabase, Inc. — managed Postgres database, object storage, and authentication.
  • Vercel Inc. — application hosting and edge network.
  • Stripe, Inc. — subscription billing and payment processing. Card details go directly to Stripe under PCI-DSS.
  • Resend, Inc. — transactional email delivery (e.g. the morning briefing).
  • Functional Software, Inc. (Sentry) — error and performance monitoring. PII is scrubbed from error reports where reasonably possible.
  • Twilio Inc. — SMS delivery for the SMS integration (only when you connect that integration).

9. Data Retention

We keep personal data only for as long as we need it for the purposes set out above, after which we delete or anonymise it.

  • Account information & preferences — for the life of your account. Deleted within 30 days of an account-deletion request (in most cases immediately on in-app deletion).
  • Message snippets & metadata — for the life of your account or until you disconnect the source integration, whichever comes first. Purged on account deletion via cascading database deletion.
  • Full message bodies — not retained. We process content per-request to render the Service and discard it.
  • OAuth tokens — deleted immediately when you disconnect an integration or delete your account.
  • Help & support transcripts — up to 12 months from last interaction, for dispute resolution and abuse investigation. Never used for training.
  • Server logs & diagnostics — up to 90 days, for security and operational troubleshooting.
  • Billing & financial records — up to 7 years from the relevant transaction, as required by UK HMRC and analogous tax authorities.
  • Backups — purged within 30 days of the originating deletion event.

You may request deletion of your account and all associated data at any time from the Settings → Danger Zone section of the application, or by contacting us at privacy@aevosos.com.

10. International Data Transfers

Several of our processors are based in the United States or other countries outside the United Kingdom and the European Economic Area. When we transfer personal data internationally, we rely on one of the following safeguards as required by Articles 44–49 of the UK GDPR / EU GDPR:

  • The UK International Data Transfer Agreement (IDTA) and / or the UK Addendum to the EU Standard Contractual Clauses;
  • The EU Standard Contractual Clauses (2021);
  • An adequacy decision (e.g., the UK-US Data Bridge or the EU-US Data Privacy Framework) where the recipient is certified.

Copies of the relevant transfer mechanisms are available on request to privacy@aevosos.com.

11. Security

We implement industry-standard technical and organizational measures to protect your information, including AES-256-GCM encryption of OAuth tokens at rest, TLS 1.2+ encryption in transit, and strict row-level access controls in our database. No system is 100% secure; we encourage you to use a strong, unique password and to notify us immediately at privacy@aevosos.com if you suspect unauthorized access.

12. Your Rights

Subject to applicable law, you have the following rights:

  • Access — request a copy of the personal data we hold about you (UK/EU GDPR Art 15).
  • Rectification — request correction of inaccurate data (Art 16).
  • Erasure — request permanent deletion of your data (Art 17). See "Data Deletion Instructions" above.
  • Restriction — request that we limit our processing in specified circumstances (Art 18).
  • Portability — receive your data in a structured, commonly used, machine-readable format (Art 20).
  • Objection — object to processing carried out under our legitimate interests (Art 21).
  • Withdraw consent — for processing relying on consent, including OAuth grants. Revocation is available from within the Service or directly from the connected platform.
  • Lodge a complaint — you may complain to your supervisory authority. In the UK, this is the Information Commissioner's Office (ICO); in the EEA, your local data protection authority.

To exercise any of these rights, contact us at privacy@aevosos.com. We respond within one month of receipt as required by the GDPR.

13. Do Not Track

Our Service does not currently respond to "Do Not Track" (DNT) browser signals. We do not perform cross-site tracking, and we do not sell your personal data, so the practical effect is the same as honouring DNT. You may further restrict tracking by adjusting your browser settings.

14. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately at privacy@aevosos.com.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the effective date. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.

16. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us at:

Aevos OS Ltd

27 The Parkway, SS8 0AQ, United Kingdom

Email: privacy@aevosos.com