Privacy Policy
Effective May 15, 2026 · Avalon Flow Inc., a subsidiary of Questili LLP · support@avalonflow.com
This Privacy Policy explains how Avalon collects, uses, discloses, stores, and protects information when you visit our website, create an account, connect your Google/Gmail account, Microsoft/Outlook account, or other services, or otherwise use Avalon.
Avalon is provided by Avalon Flow Inc., a subsidiary of Questili LLP. In this Privacy Policy, "Avalon," "we," "us," and "our" refer to Avalon Flow Inc. unless a separate signed agreement identifies a different Avalon contracting entity.
Avalon is an email and calendar work action layer for Gmail/Google Workspace and Outlook/Microsoft 365. It helps users organize, search, summarize, draft, remember, prioritize, and act on email, calendar, meetings, Flowboard cards, reminders, automations, analytics, and connected services.
1. Who this policy applies to
This policy applies to:
- visitors to Avalon websites;
- people who request a demo, join a waitlist, contact us, or receive Avalon communications;
- Avalon account owners, administrators, and users;
- people whose information appears in email, calendar, contact, Slack, CRM, MCP, custom endpoint, or other connected-service data processed through Avalon.
If you use Avalon on behalf of an organization, your organization may control parts of the data processed through Avalon. In those cases, privacy requests may need to be handled by your organization.
2. Information we collect and process
Account and administrative information
We may collect names, email addresses, organization names, roles, profile images from identity providers, account settings, workspace membership, onboarding responses, support messages, billing status, subscription metadata, and related administrative information.
Authentication and connection information
When you sign in or connect a service, Avalon may process authentication state, OAuth tokens, refresh tokens, account identifiers, tenant identifiers, permission scopes, connection status, webhook metadata, and related security information needed to keep the integration working.
Email, calendar, contact, and workflow data
When you connect Gmail, Google Workspace, Microsoft Outlook, Microsoft 365, Outlook.com, calendars, or other supported services, Avalon may process data needed to provide the features you enable, including:
- email metadata such as sender, recipient, subject, timestamps, folders, categories, labels, message IDs, thread IDs, and read/action state;
- message content, snippets, attachments, and thread context when needed for summaries, drafts, classification, search, Flowboard, meeting preparation, due dates, automations, or related features;
- calendar events, availability, meeting metadata, participant information, titles, descriptions, locations, and meeting context;
- contacts, people, relationship history, customer/account context, and communication history;
- Flowboard cards, statuses, priorities, labels, corrections, approvals, audit receipts, rules, automations, and activity history.
AI prompts, outputs, memory, and feedback
Avalon may process prompts, instructions, edits, approvals, rejections, corrections, feedback, AI-generated summaries, drafts, classifications, meeting briefs, Daily Pulse items, search results, due dates, memory entries, workflow plans, and automation suggestions.
If Avalon AI memory is enabled, Avalon may store relationship facts, preferences, work context, and other memory entries to improve future interactions. Users or administrators should be able to manage memory according to the controls available in the product or through support.
Connected services and integrations
If enabled, Avalon may process information from or send information to connected services such as Google APIs/Gmail, Microsoft Graph/Outlook, Slack, Salesforce via MCP, MCP connectors, custom endpoints, customer-controlled AI endpoints, local/private models, and other integrations selected by you or your organization.
The exact data depends on the integration, permissions, admin settings, endpoint configuration, and user instructions.
Website, device, analytics, and support data
We may collect browser type, operating system, device information, IP address, approximate location derived from IP address, pages viewed, referral/source data, session metadata, diagnostic logs, crash data, performance data, feature usage events, and support/troubleshooting information.
We do not use normal analytics, telemetry, logs, or support bundles to intentionally collect raw email bodies, calendar descriptions, Slack message text, CRM notes, custom endpoint payloads, prompts containing customer content, model completions containing customer content, AI memory text, OAuth tokens, API keys, passwords, payment card numbers, or other secrets.
3. How we collect information
We collect information:
- directly from you when you sign up, configure Avalon, write prompts, approve actions, contact support, or communicate with us;
- from Google, Microsoft, and other connected services when you authorize Avalon to access those services;
- automatically through product logs, cookies, similar technologies, telemetry, and analytics;
- from service providers that help us operate infrastructure, support, billing, communications, security, and analytics.
4. How we use information
We use information to:
- provide, operate, secure, maintain, troubleshoot, and improve Avalon;
- authenticate users and manage sessions;
- sync with Gmail, Google APIs, Outlook, Microsoft Graph, calendars, and other authorized services;
- create and update Flowboard cards, summaries, drafts, meeting briefs, due dates, search results, rules, memory, analytics, and workflow suggestions;
- route relevant context to approved AI providers, customer-selected AI providers, local/private models, or custom endpoints when configured;
- prepare, approve, execute, and record configured workflows;
- detect abuse, prevent unauthorized access, protect users, and enforce our Terms;
- provide support, onboarding, service communications, billing, renewals, and customer-success assistance;
- measure product reliability, usage, and performance using minimized or aggregated data where practical;
- comply with legal obligations, resolve disputes, and protect rights, safety, and security.
5. AI processing and model training
Avalon uses AI systems to power features such as summaries, drafts, classifications, semantic search, meeting briefs, Daily Pulse, memory, due-date suggestions, and automation assistance.
When these features are used, Avalon may send relevant Customer Content, prompts, metadata, and workflow context to AI infrastructure needed to provide the requested feature. We aim to send only the context reasonably necessary for that feature.
Avalon does not sell Customer Content for advertising. Avalon does not use Customer Content to train public third-party foundation models unless that use is explicitly disclosed and authorized through the applicable product setting or customer agreement.
AI outputs may be inaccurate, incomplete, outdated, unsafe, or unsuitable for a particular use. Users remain responsible for reviewing AI outputs before relying on them or sending/using them externally. Material external actions should be approval-first unless the customer has expressly configured an approved automation workflow.
If you or your organization configure a local model, private model, open-source model, BYO AI provider, or custom AI endpoint, that system may process Customer Content according to your configuration and that system's own terms, logs, retention, and security behavior. You are responsible for confirming that customer-controlled models and endpoints are authorized, secure, licensed, and appropriate for the data you route to them.
6. Google/Gmail and Microsoft data access
Avalon uses Google APIs, including Gmail, Google Calendar, Google Drive where enabled, OAuth, and Pub/Sub, only to provide the product features you enable. Depending on your configuration, this may include reading mailbox content and metadata, drafting or sending messages, organizing mail with labels, reading calendar information, checking availability, preparing meeting context, or handling selected Drive/file workflows.
Avalon uses Microsoft APIs, including Microsoft Graph, only to provide the product features you enable. Depending on your configuration, this may include reading mailbox content and metadata, drafting or sending messages, organizing mail with folders/categories, reading calendar information, checking availability, and preparing meeting context.
Avalon does not use Google or Microsoft account data for advertising. Avalon requests Google and Microsoft permissions to support the enabled product functions and should be configured using the least permissions appropriate for the customer workflow.
7. How we disclose information
We may disclose information to:
- hosting, infrastructure, database, queue, observability, logging, support, security, analytics, email, and payment providers;
- AI providers and model infrastructure used to deliver enabled AI features;
- connected services you or your organization enable, such as Google APIs/Gmail, Microsoft Graph/Outlook, Slack, Salesforce via MCP, MCP connectors, custom endpoints, and customer-controlled AI systems;
- organization administrators and authorized users according to account settings and product controls;
- professional advisers, auditors, insurers, financing parties, acquirers, or successors under appropriate confidentiality obligations;
- regulators, courts, law enforcement, or other parties when required by law or necessary to protect rights, security, or safety;
- other parties with your consent or as described in a customer agreement.
We do not sell personal information for advertising purposes.
8. Customer and user controls
Depending on your configuration and available product controls, you may be able to:
- connect or disconnect Google/Gmail, Microsoft/Outlook, Slack, Salesforce, MCP, model-provider, and custom endpoint accounts;
- manage users, roles, scopes, permissions, and feature settings;
- review, edit, approve, reject, delete, or correct drafts, summaries, Flowboard cards, due dates, memory entries, and automation outputs;
- disable certain automations, integrations, memory, model routes, analytics, or telemetry options;
- request export, deletion, correction, account closure, or support-assisted offboarding.
9. Retention
We retain information for as long as reasonably necessary to operate Avalon, provide the service, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and support legitimate business operations.
Retention periods vary by data type. Account records, billing records, audit logs, security logs, support records, Flowboard history, memory entries, backups, and connected-service data may have different retention periods. When information is no longer needed, we delete it or de-identify it where reasonably possible.
10. Security
Avalon uses administrative, technical, and organizational safeguards designed to protect information against unauthorized access, loss, misuse, alteration, and disclosure. These safeguards may include access controls, encryption, logging, monitoring, least-privilege permissions, secret management, backups, and incident-response processes.
No method of transmission or storage is completely secure. You are responsible for safeguarding your devices, credentials, connected accounts, authorized users, custom endpoints, and local/private model configurations.
11. International transfers
Avalon and its service providers may process information in countries other than where you are located. Where required, we use appropriate safeguards for cross-border transfers.
12. Cookies and similar technologies
Avalon may use cookies and similar technologies for authentication, security, preferences, analytics, performance, support, and marketing measurement. More detail is available in the Avalon Cookie Policy.
13. Privacy rights and requests
Depending on your location and role, you may have rights to access, correct, delete, restrict, object to, or receive a copy of certain personal information. You may also have rights to withdraw consent where processing is based on consent.
To submit a privacy request, contact support@avalonflow.com. We may need to verify your identity, authority, and relationship to the relevant organization before acting on a request. If your organization controls the relevant data, we may direct the request to that organization.
14. Children
Avalon is intended for business users and is not directed to children under 13. We do not knowingly collect personal information from children under 13.
15. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version and revise the effective date. If a change materially expands how Customer Content is used for AI training, third-party sharing, or materially different purposes, we will provide any notice, consent, or contractual process required by law or agreement.
16. Contact
For questions about this Privacy Policy or Avalon data practices, contact support@avalonflow.com.