Bean & Bug Inc. DBA Ava Privacy Policy

Last updated: June 11 2025

Plain‑English promise (non‑binding summary)
• We minimize what we collect, encrypt what we keep, and never sell personal data.
• Ava acts only when you tell it to. No surprise messages, purchases, or data shares.
• Health information is outside our scope—please don’t put medical details into Ava.

1. Introduction & Scope — Who and what this policy covers

Bean & Bug Inc. (“Ava,” “we,” “us,” or “our”) provides an AI‑powered household concierge application and related websites, mobile/OTT apps, APIs, and services (collectively, the “Services”). This Privacy Policy explains how we collect, use, disclose, and safeguard information relating to users of the Services (“you”) and applies wherever it is displayed or referenced. By accessing or using the Services, you acknowledge that you have read and understood this Policy.

2. Information We Collect

Category	Examples	Source	Required?
Account Identifiers	Name, email address, third‑party SSO ID	You / SSO provider	Yes
Household Context	Family member names, routines, schedules, shopping lists, images you upload	You	Only if you supply it
Usage Data	Logs of tasks requested, device/browser metadata, timestamps, diagnostics	Automated	Yes (service & security)
Payment Data	Encrypted tokenized payment identifiers (no raw card numbers)	Payment processor	Only for paid features
Support & Feedback	Messages to support, bug reports	You	Optional
Aggregated/De‑identified Data	Statistical insights, model‑training telemetry stripped of personal identifiers	Generated by Ava	Yes (non‑personal)

We do not intentionally collect: Protected Health Information under HIPAA; information about children under 13 without verified parental consent; precise biometric identifiers.

3. How & Why We Use Information

Purpose	Lawful Basis (GDPR)	Typical Examples
Provide and improve the Services	Contractual necessity	Executing a grocery order you requested; refining voice recognition
Personalize user experience	Consent	Remembering nicknames you explicitly save
Secure the platform & prevent fraud	Legitimate interests	Rate‑limiting abusive login attempts
Comply with law	Legal obligation	Responding to valid subpoenas
Research & analytics using de‑identified data	Legitimate interests	Measuring feature adoption trends

No automated decisions with legal or similarly significant effects are made about you without your explicit opt‑in.

4. Data Minimization & Retention

Minimal viable retention. We keep raw personal data only as long as (i) you maintain an account, (ii) it is reasonably necessary to perform the task or meet legal duties, or (iii) you have given separate consent for longer storage.
Periodic deletion routines remove stale logs and expired memories.
You may request deletion at any time (§9).

5. Sharing & Disclosure

We never sell your personal information. We disclose it only:

Service Providers. Cloud hosting, payment processors, vector‑database vendors, and fulfillment partners under written contracts requiring confidentiality and processor‑style limitations.
User‑initiated Integrations. When you link Ava to platforms such as Amazon, Instacart, or Google Calendar, we transmit only the fields necessary to perform the requested action and only after your explicit consent.
Corporate Events. In connection with a merger, acquisition, or asset sale. Any successor entity will honor this Policy or provide you notice & choice.
Legal Requirements & Safety. Where required by law or to protect rights, property, or safety of Ava or users.
Aggregated/De‑identified Data. Usage statistics that cannot reasonably be linked back to an individual.

6. Security Measures

Encryption. TLS 1.3 in transit; AES‑256 at rest.
Trusted Execution Environments (TEEs). Sensitive transformations run inside hardware‑isolated enclaves.
Role‑Based Access Control (RBAC). Least‑privilege internal access.
Continuous Monitoring. Real‑time observability and immutable audit trails.

7. International Transfers

We are headquartered in the United States. Information may be processed in the U.S. and other countries with differing privacy laws. Where required, we rely on adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms.

8. Your Rights & Choices

Jurisdiction	Key Rights
EEA / UK (GDPR)	Access, rectification, erasure, restrict/oppose processing, data portability, lodge a complaint with a Supervisory Authority
California (CCPA/CPRA)	Know, delete, correct, opt‑out of “sale” or “sharing” (which we do not perform), limit use of Sensitive PI
CO / CT / VA / UT	Comparable access/correction/deletion and opt‑out rights

Email legal@hiava.xyz or use in‑app controls to exercise rights.

9. Children’s Privacy

Ava is not directed to children under 13. Parents who believe we have inadvertently collected a child’s data should contact us for deletion.

10. Health & Medical Information Disclaimer

Ava is not a medical device or covered entity under HIPAA. Do not input medical diagnoses, prescriptions, or other PHI.

11. Automated Decision‑Making & Profiling

Ava’s AI only generates suggestions when prompted by you. We do not unilaterally take actions that create legal effects without your opt‑in.

12. Third‑Party Services & Integrations

The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

We are not responsible for external platforms linked or integrated.

13. Changes to This Policy

We will post material changes at least 15 days before they take effect.

14. Contact Us

Bean & Bug Inc.
131 Continental Dr, Suite 305
Newark, DE 19713
Email: legal@hiava.xyz

15. Jurisdiction‑Specific Disclosures

California “Shine the Light.” We do not share personal information with third parties for their direct marketing.
Nevada SB 220. We do not sell covered information as defined by Nevada law.
Brazil LGPD. Data subjects may exercise LGPD rights via §8.
EU DPO. legal@hiava.xyz

Your home deserves an assistant that is secure, respectful, and always on your side. That’s Ava—privacy by default, trust by design.