Privacy Policy
Last updated: June 29, 2026
Avatier Task Command Center (“Avatier TCC”, “we”, “us”) is an AI-assisted task command center that captures action items from Microsoft Outlook and Microsoft Teams. This policy explains what we collect, why, how long we keep it, and the choices and rights you have. We collect the minimum needed to run the product and we do not sell your data.
1. Data we collect
- Account data — your name, email, organization (tenant), role, and authentication identifiers from Microsoft or email sign-up.
- Connected-source content — the Outlook mail and Teams messages we read through Microsoft Graph (see Section 2) in order to detect tasks. We store the captured task and a short source excerpt for context, not a full copy of your mailbox.
- Task data you create — tasks, subtasks, priorities, notes, completion status, and activity timeline.
- Usage and billing data — AI credits consumed, plan and seat information, and payment records (handled by our payment processor; we do not store full card numbers).
- Operational logs — security and audit logs of state-changing actions, plus error diagnostics, used to keep the service safe and reliable.
2. Microsoft Graph access and why
When you connect Microsoft, we request the least-privilege, read-only scopes below. You grant these during Microsoft’s own consent screen and can revoke them at any time from your Microsoft account or from within Avatier TCC.
| Scope | Why we request it |
|---|---|
| User.Read | Read your basic profile (name, email, tenant) to create your account and label captured tasks. |
| Mail.Read | Read your Outlook mail so the assistant can detect genuine action items addressed to you. We do not send, delete, or modify mail. |
| Chat.Read | Read your Microsoft Teams 1:1 and group chats to capture requests and commitments. We do not post on your behalf without an explicit action. |
| ChannelMessage.Read.All | Read Teams channel messages in teams you belong to, to capture action items raised in channels you participate in. |
| offline_access | Obtain a refresh token so background capture can run on your schedule without asking you to sign in repeatedly. Tokens are encrypted and stored server-side only. |
We never request write or send scopes for capture. Completion notices are sent only when you explicitly mark a task done, and only on the channel the request arrived on.
3. AI processing of message content
To detect tasks, we send the relevant message text to our AI sub-processor (Anthropic) for parsing and paraphrasing into an English task summary. We send only the content needed for the job and we do not use your content to train any model. Each AI job is metered in credits and recorded in a usage ledger you can inspect. If your AI credit allowance is exhausted, AI capture pauses (fails closed) while your manual tasks keep working — we never run up surprise AI charges.
4. How we use your data
- Provide the service: capture, triage, complete, notify, and report on tasks.
- Authenticate you and enforce per-tenant isolation and access control.
- Meter AI usage, manage subscriptions, and prevent abuse and fraud.
- Maintain security, audit, and operational integrity.
- Communicate service and account notices.
We do not sell your personal data and we do not use connected-source content for advertising.
5. Sub-processors
We rely on a small set of vetted sub-processors to operate the service. The list below is a placeholder pending publication of our formal sub-processor register; categories reflect current intent.
- Cloud hosting & database — application hosting and managed Postgres / authentication storage.
- AI processing — Anthropic (Claude API), for task parsing and paraphrasing.
- Payments — our payment processor, for subscriptions and metered billing.
- Identity & integrations — Microsoft, for sign-in and Microsoft Graph access to Outlook and Teams.
- Error monitoring — a diagnostics provider for crash and error reporting.
We will maintain an up-to-date register and notify customers of material changes per applicable agreements.
Data processing & compliance
For business and team customers, we maintain internal documents that describe, in detail, how Avatier TCC processes data and which controls are actually in place. These are available to customers and prospects on request (we do not publish them at public web addresses):
- Data Processing Addendum (DPA) — a controller / processor agreement template covering roles, data categories (including that message content is processed for task capture), our sub-processors, the security measures we have implemented, data-subject rights, breach notice, and deletion on termination.
- SOC 2 control matrix — our security, availability, processing-integrity, confidentiality, and privacy controls mapped to the features that implement them, with an honest note on which controls are designed but not yet independently audited.
- Data retention & deletion policy — how long we keep each class of data and how the export and deletion flows below fulfil your portability and erasure rights.
To request any of these documents, contact privacy@avatier.com.
6. Data retention
- Tasks and activity — kept while your account is active. On the Free plan, activity history is limited; paid plans retain it until you delete it or close your account.
- Source excerpts — retained only as long as needed for task context, then minimized.
- Audit and security logs — retained for a limited period for security and compliance, then deleted.
- After account deletion — we delete or anonymize your personal data within 30 days, except where we must retain limited records to meet legal, tax, or security obligations.
7. Your rights (including GDPR)
Depending on where you live, you may have the right to access, correct, export, restrict, or delete your personal data, to object to certain processing, and to withdraw consent. For users in the EEA/UK, we process connected-source content to provide the service you requested (contract) and on the basis of your explicit consent granted during Microsoft sign-in, which you can withdraw at any time.
- Export — request a machine-readable copy of your tasks and account data.
- Delete — request deletion of your account and associated personal data.
- Revoke source access — disconnect Microsoft at any time to stop further capture.
To exercise any right, contact us at privacy@avatier.com. We respond within the timeframes required by applicable law.
8. Security
We isolate every tenant’s data, enforce row-level security on all data tables, encrypt access and refresh tokens at rest, keep service credentials server-side only, and log every state-changing and denied action. Access decisions fail closed.
9. International transfers
Your data may be processed in countries other than your own. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses for transfers out of the EEA/UK.
10. Changes to this policy
We may update this policy as the product evolves. We will revise the “Last updated” date and, for material changes, provide additional notice.
11. Contact
Questions or privacy requests: privacy@avatier.com.