Critical Privacy Notice
Do not submit personal information. Your messages are processed by third-party AI services. This Service is a prototype and not designed for handling sensitive or personal data.
1. Introduction
This Privacy Policy explains how AVA·ASSIST (the "Service") collects, uses, and shares information when you use our experimental AI avatar prototype.
Service Operator: Duncan Sweetland
Contact: linkedin.com/in/duncansweetland
2. Information We Collect
2.1 Information You Provide
- Message Content: The text enquiries you submit to the Service
- Disclaimer Acceptance: Timestamp of when you accepted the usage disclaimer (stored locally in your browser)
2.2 Automatically Collected Information
- IP Address: Used for rate limiting and abuse prevention
- Request Metadata: Timestamps, error logs, processing status
- Technical Data: Browser type, device information (collected by hosting providers)
2.3 Information We Do NOT Collect
- We do not require registration or accounts
- We do not collect names, email addresses, or contact information
- We do not use cookies (except for the disclaimer acceptance stored locally)
- We do not track you across other websites
3. How We Use Your Information
| Data Type |
Purpose |
Legal Basis |
| Message Content |
Process through AI models to generate responses |
Consent (implied by use) |
| IP Address |
Rate limiting, abuse prevention |
Legitimate interest |
| Request Logs |
Debug errors, monitor service health |
Legitimate interest |
4. Third-Party Data Processing
Your messages are processed by the following third-party services:
4.1 OpenAI (ChatGPT)
- Purpose: Generate text responses to your enquiries
- Data Sent: Your message content
- Location: United States
- Privacy Policy: openai.com/policies/privacy-policy
- Retention: OpenAI retains API data for 30 days (as of Feb 2026)
4.2 D-ID (Video Synthesis)
- Purpose: Generate video avatar responses
- Data Sent: Text responses from OpenAI (not your original message)
- Location: Israel / United States
- Privacy Policy: d-id.com/privacy-policy
4.3 Railway (Hosting)
- Purpose: Backend server hosting
- Data: Server logs, IP addresses, request metadata
- Location: United States
- Privacy Policy: railway.app/legal/privacy
- Retention: Logs retained for approximately 7 days
4.4 Netlify (Frontend Hosting)
- Purpose: Website hosting and delivery
- Data: IP address, browser metadata
- Location: United States
- Privacy Policy: netlify.com/privacy
Important: International Data Transfers
By using this Service, you consent to your data being processed by U.S.-based companies. If you are located in the EU/UK, your data will be transferred outside the European Economic Area.
5. Data Retention
- Messages: Not permanently stored by us; retained temporarily by third-party APIs (see above)
- Server Logs: Retained for approximately 7 days by Railway
- Generated Videos: Hosted temporarily by D-ID; URLs expire after viewing
- Local Storage: Disclaimer acceptance stored indefinitely in your browser (can be cleared)
6. Data Security
We implement reasonable security measures:
- HTTPS encryption for all data transmission
- Content moderation to block harmful submissions
- Rate limiting to prevent abuse
- CORS restrictions to limit unauthorized access
However: This is an experimental prototype. We cannot guarantee absolute security. Do not submit sensitive information.
7. Your Rights (GDPR / CCPA)
If you are located in the EU, UK, or California, you have certain privacy rights:
7.1 Right to Access
You can request confirmation of what data we process about you. Since we don't collect identifiable information beyond temporary logs, we may not be able to link data to you specifically.
7.2 Right to Deletion
Server logs are automatically deleted after ~7 days. You can clear your local disclaimer acceptance by clearing browser storage.
7.3 Right to Object
You can object to processing by simply not using the Service.
7.4 Right to Lodge a Complaint
EU/UK users can lodge complaints with their local data protection authority.
7.5 Limitations
Since this is a prototype with no user accounts or persistent data storage, many rights are difficult to exercise. We recommend treating any data you submit as publicly accessible.
8. Children's Privacy
The Service is not intended for users under 18 years old. We do not knowingly collect data from minors. If you are a parent and believe your child has used the Service, please contact us.
9. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last Updated" date will reflect the most recent revision. Continued use of the Service constitutes acceptance of the updated policy.
10. Do Not Track
We do not track users across websites. We do not respond to Do Not Track signals because we do not track users in the first place.
11. Your Responsibilities
By using the Service, you are responsible for:
- Not submitting personal information (yours or anyone else's)
- Not submitting confidential or proprietary information
- Understanding that your messages are processed by third parties
- Using the Service at your own risk
12. Contact Us
For privacy questions or to exercise your rights:
Contact: Duncan Sweetland via LinkedIn
Response Time: We aim to respond within 30 days (as required by GDPR).