Last updated: 15 June 2026
Privacy Policy
This Privacy Policy explains how Azava Limited ("Azava", "we", "us") handles personal information. We are a company registered in England and Wales (company number 13682817), registered office Lytchett House, 13 Freeland Park, Wareham Road, Poole, Dorset, BH16 6FA, United Kingdom.
If you have any questions, contact us at privacy@azava.com.
1. The two roles we play — please read this first
Azava is a data-automation platform. Businesses ("Customers") connect their own systems and build automations that read, transform, enrich and move records. Because of this, we handle personal information in two distinct roles, and the role that applies determines whether this policy covers the data in question:
As a controller — for a limited set of data that we decide how to use: information about visitors to our website, people who enquire about or sign up for Azava, the account users who log in, and the billing and operational data we need to run our business. This Privacy Policy covers that data.
As a processor — for the data our Customers route through the platform (their contacts, emails, messages, files and the records we derive from them). Here the Customer is the controller and decides what is processed and why; we act only on their documented instructions under a Data Processing Agreement (DPA). This Privacy Policy does not govern that data. If you are an individual whose data a Customer has put into Azava (for example, you are a contact in their CRM or a sender of an email they ingest), the Customer is responsible for your information — please contact them, and see §4 for how we support their obligations.
2. Information we collect as a controller
| What | Examples | Source |
|---|---|---|
| Account & identity | Name, work email, job title; sign-in via Google or Microsoft SSO, or email magic link | You, your SSO provider |
| Billing | Name, company, billing address, email, and subscription / transaction history. Card payments are processed by Stripe — we do not store full card numbers (we may see the card type and last 4 digits) | You / Stripe |
| Communications with us | Emails and support messages you send us | You |
| Technical & usage | Server logs, error traces and diagnostic data generated when you use the platform | Automatic |
| Website visitors | Limited data from essential cookies needed to operate the site and keep you signed in | Automatic |
We do not knowingly collect special-category (sensitive) data about our account users, we do not use your data for advertising, and we do not run analytics or marketing trackers.
3. How we use controller data, and our legal bases (UK/EU GDPR)
- To provide and administer the service — create and secure your account, deliver the platform, provide support. Legal basis: performance of a contract.
- To run our business — invoicing, record-keeping, securing and improving the platform, diagnosing problems, preventing fraud and abuse. Legal basis: legitimate interests.
- To communicate with you — service notices, changes to terms, responding to enquiries. Legal basis: legitimate interests / performance of a contract.
- To comply with law — tax, accounting and responding to lawful requests. Legal basis: legal obligation.
- Where you have consented — e.g. any optional communications. Legal basis: consent, which you can withdraw at any time.
4. Customer data we process on our Customers' behalf
When we act as a processor, we process whatever data a Customer chooses to route through Azava — which may include names, contact details, professional information, the contents of emails and messages, attached files, and structured records we derive from them. We do this only on the Customer's documented instructions, under a DPA that forms part of our customer agreement.
If you are a data subject in that data: the Customer (not Azava) is your data controller. To exercise your rights — access, correction, deletion and so on — please contact the relevant Customer. We will support the Customer in responding to your request as required by the DPA, but we cannot action it directly without their instruction.
For transparency, §6 lists the third parties involved when we process Customer data, and §5 explains our use of AI providers.
5. Artificial intelligence
The platform uses third-party large-language-model and document-processing services to extract and structure information. The providers that may receive data are:
- Anthropic (Claude) — text extraction and derivation
- OpenAI — text extraction and classification
- Google Cloud Document AI — document/text extraction
We do not train, and do not permit these providers to train, AI models on Customer Data, and we use these providers under their API terms, which provide that data sent via the API is not used to train their models.
The platform lets Customers build their own automations, including logic that branches on AI output. Any decision with legal or similarly significant effect that results from an automation is configured and controlled by the Customer as controller; Azava does not make such decisions about its own account users.
6. Third parties we share data with (sub-processors)
We use a small set of service providers to run Azava. We have data processing terms with these providers, and where they are outside the UK/EEA we rely on appropriate safeguards (see §7).
| Provider | Purpose | Location |
|---|---|---|
| Render | Hosting, compute, database (Postgres), cache (Redis) | EU (Frankfurt) |
| Amazon Web Services (S3) | File and document storage | EU (Frankfurt) |
| Anthropic | AI text extraction / derivation | US |
| OpenAI | AI text extraction / classification | US |
| Google Cloud (Document AI, Cloud Storage) | Document/text extraction | US / global |
| Sentry | Error monitoring | US |
| Twilio | Inbound WhatsApp/SMS messaging (being phased out) | US |
| Cloudflare | DNS and image hosting | Global |
| Mailgun (Sinch) | Inbound email receipt and outbound transactional email (e.g. sign-in links, account and billing notices) | EU |
| Bright Data | Web data retrieval (entity enrichment) | Third countries |
| Google Custom Search | Web search (entity enrichment) | Global |
| Stripe | Payment processing and billing | US / EU (Ireland) |
We may also share personal information: with professional advisers (lawyers, accountants) where necessary; with authorities where required by law; and in connection with a sale, merger or reorganisation of our business (in which case we will tell you).
Your own connected systems are not our sub-processors. When a Customer connects a third-party system (e.g. Attio, Affinity, Airtable, Google Sheets / Drive / Gmail, Slack, Dropbox, LinkedIn, WhatsApp, or a webhook), the Customer chooses and instructs that integration. Azava is not responsible for how those third-party services process data; their own terms and privacy notices apply.
7. International transfers
We and some of our sub-processors are located outside the UK and the European Economic Area (EEA), notably in the United States. Where we transfer personal data outside the UK/EEA, we rely on appropriate safeguards — principally the UK International Data Transfer Agreement / Addendum and the European Commission's Standard Contractual Clauses, as incorporated into each provider's data processing terms, and (where applicable) the providers' certification under the EU-US / UK-US Data Privacy Framework. You can request more detail at privacy@azava.com.
8. How long we keep data
| Data | Retention |
|---|---|
| Account and identity data | For as long as you have an account, then deleted |
| Billing and tax records | As required by law (typically 6 years) |
| System / processing logs | 14 days |
| Error-monitoring data (Sentry) | 90 days |
| Backups | Deleted within 30 days of a deletion request |
| Customer data (processor role) | Per the Customer's instructions and the DPA; deleted within 30 days of account closure or a deletion request, subject to legal retention requirements |
9. How we protect data
We use appropriate technical and organisational measures, including encryption in transit (TLS 1.2+) and at rest (AES-256), encrypted storage of credentials and secrets (we do not store passwords — sign-in is via Google/Microsoft SSO or magic link), least-privilege role-based access controls, no public database access, and a documented incident-response process under which security incidents are investigated and mitigated, with affected Customers notified without undue delay. No system can be guaranteed perfectly secure, but we take these responsibilities seriously.
10. Cookies
We use only what is strictly necessary to keep you signed in. The current app stores your sign-in session in an essential authentication cookie; the older (legacy) site stores a sign-in token in your browser's local storage. We do not use advertising, analytics or marketing cookies or trackers.
11. Your rights
If you are in the UK or EEA, you have the right to access your personal data; to have inaccurate data corrected; to have data erased; to restrict or object to processing; to data portability; and to withdraw consent where we rely on it. To exercise any of these, email privacy@azava.com. We will respond within the time required by law (generally one month).
You also have the right to complain to a supervisory authority. In the UK that is the Information Commissioner's Office (ico.org.uk); in the EEA it is your local data protection authority.
If your data is held by Azava in our processor role (see §1 and §4), please direct your request to the relevant Customer, who is the controller.
US residents. If you are a resident of California or another US state with a comprehensive privacy law, you may have rights to know what personal information we hold about you, to access, delete or correct it, and to opt out of any "sale" or "sharing" of it. We do not sell or share personal information for advertising. To exercise these rights, email privacy@azava.com; we will not discriminate against you for doing so. As above, where your data sits with us in our processor role, please contact the relevant Customer.
12. Children
Azava is a business tool not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact privacy@azava.com.
13. Changes to this policy
We may update this policy from time to time. We will change the "Last updated" date above and, for material changes, take reasonable steps to notify you.
14. Contact
Azava Limited
Lytchett House, 13 Freeland Park, Wareham Road, Poole, Dorset, BH16 6FA, United Kingdom
privacy@azava.com