1. Controller
The controller responsible for personal data processed through this Service within the meaning of Art. 4 No. 7 GDPR is:
Vazghen Vardanian (Einzelunternehmen)
Morsestraße 1, 50769 Köln, Germany
iamvazghen@gmail.com
2. Data Protection Officer
A Data Protection Officer has not been appointed because the legal thresholds of § 38 BDSG are not met (fewer than twenty persons regularly engaged in automated processing of personal data, no large-scale processing under Art. 35(3) GDPR, no commercial transfer or market-research processing of personal data). All privacy enquiries and data-subject requests are handled directly by the controller at the address above.
3. Data we collect from authenticated users
When you create an account on the Service, we collect and process:
- Account identity — name, email, and authentication state (via Clerk, our authentication processor).
- Organization membership — if you create or join an organization workspace, we store the organization name and your role.
- Product data — prompts you generate (goal, inputs, outputs), agents you create (settings, system prompts, knowledge items), and the conversations those agents have with website visitors.
- Billing data — for paid plans: invoicing name, billing address, VAT identification (where applicable), and payment-method metadata returned by the payment processor. Card numbers themselves never reach our infrastructure; they are tokenised by the payment processor.
- Operational metadata — IP address, browser user-agent, and timestamps on requests for security, abuse prevention, and basic diagnostics.
4. Data we collect from Advi Agents widget visitors
When an Advi Agents widget is embedded on a third-party website and a visitor interacts with it, Advi Systems collects and processes data on behalf of the website operator. In this configuration, the website operator is the controller for the visitor interaction and Advi Systems acts as a processor under Art. 28 GDPR. The following data is collected and processed:
- Conversation content — the visitor's messages and the agent's replies.
- Browser metadata — page URL, page title, referrer, user-agent.
- Optional contact details — if the visitor voluntarily provides email, phone, or name, those values are stored as a contact record for the agent's workspace.
- A locally-stored visitor and conversation identifier — see the Cookie Policy.
A standard Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV) compliant with Art. 28 GDPR is available to business customers. Email iamvazghen@gmail.com to receive the countersigned document.
5. Legal bases
- Performance of contract (Art. 6(1)(b) GDPR) — to provide the Service you signed up for, fulfil paid subscriptions, and process payments.
- Legitimate interests (Art. 6(1)(f) GDPR) — for security, abuse prevention, fraud detection, network and application diagnostics, and to defend or assert legal claims. Our legitimate interest in these activities outweighs the data-subject interests because the processing is limited to what is strictly necessary.
- Consent (Art. 6(1)(a) GDPR) — where explicitly requested (for example, optional marketing communications). Consent may be withdrawn at any time with effect for the future.
- Legal obligation (Art. 6(1)(c) GDPR) — to retain invoicing and transactional records for the periods prescribed by §§ 147 AO and 257 HGB (six to ten years, depending on document type).
6. Sub-processors
Advi Systems engages the following sub-processors. The list is current as of the "Last updated" date at the bottom of this policy. Material changes are announced in the changelog at least 30 days before activation; business customers under a signed DPA are notified by email.
- Clerk Inc. (United States) — user authentication, session management, organization membership. Transfer mechanism: EU Standard Contractual Clauses (2021/914) + Schrems II supplementary measures. SOC 2 Type II.
- Supabase Inc. (data hosted in Frankfurt, Germany / EU region) — product database (Postgres), object storage, embeddings via pgvector. Encrypted at rest by the provider.
- OpenRouter Inc. (United States) — model-inference gateway routing prompts to selected LLM providers. Transfer mechanism: EU Standard Contractual Clauses.
- LLM model providers reached via OpenRouter — depending on the model selected, these may include OpenAI L.L.C., Anthropic PBC, Google LLC, xAI Corp. (Grok), Meta Platforms Inc., Mistral AI SAS, and other model providers whose endpoints OpenRouter exposes (Arcee AI, Stepfun, Alibaba Cloud for Qwen, Z.AI, Liquid AI, NousResearch). Provider, region, and retention behaviour vary by model. Advi Systems configures requests to use zero-data-retention API modes wherever the provider offers them.
- Hosting platform (Vercel Inc. and/or Railway Corp.) — Next.js application hosting, edge delivery, log aggregation. Transfer mechanism: EU Standard Contractual Clauses where data leaves the EU.
- Payment processor — invoicing, subscription billing, dunning. Card data is tokenised at the processor and is not received by Advi Systems infrastructure.
7. Where personal data is stored
- Product database — Supabase, Frankfurt region (eu-central-1 equivalent), Germany. Encrypted at rest.
- Authentication — Clerk (US-based, SCCs in place, SOC 2 Type II).
- LLM processing — requests are forwarded server-side via the OpenRouter gateway to the model provider you selected. Conversation content and prompts transit those providers for the duration of the request. We require zero-retention configuration where the provider supports it; where it does not, request and response content may be retained by the provider for the period stated in their own policy. Avoid pasting regulated personal data (health data, financial account credentials, government identifiers) into prompts.
- Hosting and edge layer — managed Next.js platform with HTTPS enforced and standard infrastructure controls.
8. No selling, no advertising-driven sharing
We do not sell personal data. We do not share personal data with advertising networks, data brokers, or analytics vendors. Data is shared only with the sub-processors listed in section 6, strictly to the extent necessary to operate the Service. Customer content (prompts, knowledge base, conversation history) is never used to train models.
9. Retention
- Account data — kept while your account is active. Deleted within 30 days of account closure, except where statutory retention obligations apply.
- Prompt history — kept until you delete it or close your account.
- Agent conversations — kept until the workspace owner deletes them or the agent is removed (cascade delete).
- Server logs — retained for the deployment platform's default window (typically 7–30 days) for security and diagnostics.
- Invoices and accounting records — retained for ten years under § 147 Abs. 1 Nr. 1, 4 AO and § 257 HGB.
10. Your rights under GDPR
- Right of access (Art. 15) — request a copy of your personal data.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure (Art. 17) — request deletion of your data.
- Right to restriction (Art. 18) — limit how we process your data.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) — withdraw any consent at any time with effect for the future.
- Right to lodge a complaint — with a supervisory authority. The competent authority for Advi Systems is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf.
To exercise any of these rights, email iamvazghen@gmail.com. We confirm receipt within three business days and respond within 30 days of receipt.
11. International transfers
Where personal data is transferred to processors outside the European Economic Area (specifically Clerk, OpenRouter, certain LLM model providers, and the hosting platform), each transfer is governed by EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the supplementary technical and organisational measures required following the Schrems II decision (C-311/18). We have assessed the recipient legal environment and consider the transfers lawful; a Transfer Impact Assessment is available to business customers on request.
12. Automated decision-making
The Service uses large language models to generate text outputs in response to user prompts. These outputs are content suggestions, not decisions that produce legal effects on, or similarly significantly affect, the data subject within the meaning of Art. 22 GDPR. We do not perform profiling or automated decision-making with legal effect on users or widget visitors.
13. Security
We use industry-standard technical and organisational measures: HTTPS in transit, provider-managed encryption at rest, scoped authentication via Clerk, server-only secrets, workspace-level data isolation, principle-of-least-privilege access to production data, and access logging. See the Security page for a code-level description.
14. Minors
The Service is offered to users aged 18 and over. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided personal data through the Service, contact the controller and the data will be erased.
15. Changes to this policy
We may update this Privacy Policy as the Service evolves. Material changes are flagged at the top of the page with a revision date and, for active account holders, communicated by email at least 30 days before they take effect. Continued use of the Service after a revision constitutes acceptance of the updated policy.
16. Contact
Privacy questions, data-subject requests, DPA requests, or processor enquiries: iamvazghen@gmail.com
Last updated: 2026-05-22