PRIVACY
Privacy Policy
Last updated: 2026-04-29
This Privacy Policy explains how AI Avatar Platform ("we," "us," "our") collects, uses, stores, and discloses information when you use avataraisdk.com and the related services (the "Service"). It is written for a global audience: regardless of where you live, the practices below apply to your data.
1. Who Is Responsible for Your Data
The party responsible for personal information collected through the Service is the operator of avataraisdk.com. For any privacy question, including requests to access, correct, export, or delete your data, contact hello@avataraisdk.com. We aim to respond within 30 days, or sooner where shorter response times are required by your local law.
2. Information We Collect
Account data: email address, display name, identifiers from third-party sign-in providers (e.g. GitHub, Google) when you sign in through them, and password hashes when you register directly. Configuration data: project names, API key metadata (we never store the secret portion in plaintext), embed allowlists, and avatar settings. Operational data: API call logs (timestamp, agent ID, success/error code, request size), TTS usage volume, and aggregate session data used for rate limiting and billing. Technical data: IP address, User-Agent, browser language, and referrer header collected automatically when you visit the website or call the API. We do not knowingly collect the content of conversations beyond what is required for service delivery and abuse prevention.
3. Why We Process Your Data
We only process personal data on lawful grounds. Depending on the activity, those grounds include: (a) performing the contract — processing necessary to provide the Service you have signed up for; (b) legitimate interests — security monitoring, fraud prevention, and product improvement, balanced against your rights and freedoms; (c) your consent — for any processing that goes beyond what is necessary to operate the Service, where we will ask you explicitly and you may withdraw consent at any time; (d) legal obligations — retention or disclosure required by law applicable to us or to you.
4. How We Use Your Information
We use collected data solely to: deliver and operate the Service; authenticate users and prevent abuse; calculate usage for billing or quota enforcement; provide customer and technical support; communicate service changes, security advisories, and policy updates; and improve platform stability and feature design. We do not use your conversation content or generated outputs to train AI models without your explicit consent. We do not sell or rent your personal information to third parties.
5. Data Sharing and Service Providers
We share information only with vetted third parties strictly necessary to operate the Service: cloud infrastructure providers (compute, database, object storage); authentication providers when you choose third-party sign-in; speech synthesis (TTS) providers used to generate audio; CDN and DNS providers for content delivery; and email delivery providers for transactional notifications. Each provider is bound by a written agreement requiring confidentiality and at-least-equivalent security standards. A current list of providers is available on request. We may also disclose information to comply with valid legal process, enforce our terms, or protect the rights, property, or safety of our users and the public.
6. International Data Transfers
We operate globally. Your data may be processed in a country other than where you live, including by the providers listed above. Where the law of your country requires safeguards for cross-border transfers, we put in place a recognized legal mechanism (such as standard contractual clauses, an adequacy decision, or your explicit consent) and apply technical safeguards including encryption in transit and at rest.
7. Cookies
We use only strictly necessary and preference cookies: a session cookie to keep you signed in, a CSRF token for form security, a language preference cookie, and SSO signal cookies shared across our subdomains so the website and console recognize the same login. We do not deploy advertising or third-party tracking cookies. Disabling necessary cookies may break sign-in.
8. Data Retention
Account data is retained while your account is active. After you delete your account, personally identifiable account data is removed from production systems within 30 days; encrypted backups are purged within an additional 60 days. Operational logs are retained for up to 180 days for security investigation, abuse prevention, and audit obligations, after which they are deleted or anonymized. Billing and tax records may be retained longer where applicable law requires it.
9. Your Rights
Subject to your local law, you may have the right to: access the personal information we hold about you; request correction of inaccurate data; request deletion; obtain a portable copy of your data in a machine-readable format; object to or restrict certain processing; and withdraw consent where processing is based on consent. You may also have the right to opt out of any sale or sharing of personal information — note that we do not sell or share personal information for advertising or cross-context behavioral advertising. Most of these can be exercised directly from the console (account settings → data); you may also email hello@avataraisdk.com. We will not discriminate against you for exercising these rights. Where your local law provides for it, you may also lodge a complaint with the competent supervisory authority. We do not make decisions that have legal or similarly significant effects on you solely by automated means.
10. Children
The Service is not directed to children, and we do not knowingly collect personal information from anyone under the minimum age of digital consent that applies in their location. If you believe a child has provided us personal information, contact hello@avataraisdk.com and we will promptly delete it.
11. Security
We apply industry-standard safeguards: TLS 1.2 or higher for all network traffic, encryption at rest for credentials and sensitive fields, scoped database access, and audit logging on administrative actions. No system is perfectly secure; in the event of a personal data breach affecting your rights, we will notify affected users and any competent authority without undue delay, as required by the law applicable to the incident.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes to the Service, technology, or law. The "Last updated" date at the top of this page reflects the latest revision. Material changes will be communicated by email or in-console announcement at least 14 days before they take effect, where feasible. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.