AVATHORIZE

Privacy Policy

Effective June 10, 2026

1. Who we are

Avathorize is a licensing-infrastructure platform connecting KOLs (creators) with Merchants (brands) to license AI-generated avatar content. This Privacy Policy explains what personal information we collect through the platform, how we use it, and what rights you have over it.

This Policy is written to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Avathorize is based in British Columbia, Canada.

2. What data we collect

We collect only what we need to operate the platform:

  • Account information. Email address, password (stored hashed), role (KOL or Merchant), and legal / display name as you provide them at registration or in your profile.
  • Profile content. KOL bio, content style, voice languages, sample clips, licensing terms, Stripe Connect status. Merchant company name, brand description, logo, website / social link.
  • Brief and license content. The campaign descriptions, storyboards, videos, and license agreements created on the platform.
  • Payment metadata. The fact that a payment occurred, the amount, and the Stripe identifiers (e.g. payment_intent_id) returned by Stripe. We do not see, store, or process card numbers, CVCs, or banking credentials — those go directly to Stripe under their privacy policy.
  • Operational logs. Standard server logs (IP address, timestamps, browser type) retained for security and abuse-prevention.

3. How we use it

We use personal information only to:

  • Operate the platform — show your profile to counterparties, route briefs, generate storyboards, and produce License Agreement records.
  • Generate verifiable License Agreement PDFs and host the public verification page at /verify/[licenseId] (which displays only non-sensitive license fields — never the agreed fee, audit trail, or video content).
  • Send transactional emails (e.g. brief delivered, payment confirmed) tied to actions you take on the platform.
  • Protect the platform from abuse and comply with our legal obligations.

We do not sell, rent, or trade personal data to third parties for their own marketing, ever.

4. PIPEDA — your rights

Under PIPEDA you have the right to:

  • Access the personal information we hold about you and ask for a copy.
  • Ask us to correct information that is inaccurate or out of date.
  • Withdraw your consent for processing (note: this may end your ability to use the platform).
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

To exercise any of these rights, email privacy@avathorize.com. We'll respond within 30 days.

5. Data retention

We keep data only as long as we need it. Specifically:

  • License records and verification pages are retained indefinitely while your account is active — they are the operative record of agreements made on the platform.
  • Account data (email, profile fields, brief content) is retained while your account is active and for up to 12 months after you delete your account, for legal and audit purposes.
  • Operational logs are retained for 90 days.
  • Payment metadata is retained for at least 7 years to comply with Canadian tax / financial-records law.

After these retention periods, data is deleted or fully anonymized so it can no longer be linked to you.

6. Third-party processors

We use a small number of trusted third-party providers to run the platform. None of them are given personal data for their own marketing.

  • Supabase — database and storage hosting (data stored in their managed Postgres + storage buckets).
  • Stripe — payment processing. Stripe receives the minimum data needed to process a transaction; card and banking details flow directly between you and Stripe, never through us.
  • Anthropic — AI provider used to draft brief summaries and storyboards. We send the relevant brief content; we do not send credentials or payment information.
  • HeyGen — used by KOLs in their own HeyGen accounts to produce videos. Avathorize does not transmit your data to HeyGen.

7. Security

We follow accepted industry practice: passwords are hashed, database access is restricted to a server-side service role, Row-Level Security is enabled on every table, and storage buckets are private. We use HTTPS for all traffic. No system is perfectly secure — if we ever learn of a breach affecting your data, we will notify you within 72 hours as required by PIPEDA.

8. Changes to this Policy

We may update this Policy from time to time. We will notify you of material changes by email at the address on file and post them to this page with an updated effective date.

9. Contact

Privacy requests: privacy@avathorize.com.
All other legal enquiries: legal@avathorize.com.

See also the Terms of Service.