Privacy Policy
Last updated: June 2026
Last updated: June 2026
- Data controller: Kyvora Inc. (“Kyvora,” “we,” “us,” or “our”), a Delaware corporation, provider of the tavara service
- Principal place of business: 14460 Falls of Neuse Road, Ste 149, Raleigh, NC 27614, United States
- Registered office (Delaware): c/o GKL Registered Agents of DE, Inc., 9 East Lockerman Street, Suite 311, Dover, DE 19901, United States
- Privacy contact: help@tavara.ai
- Related documents: Terms of Service · Cookie Policy
01Introduction and scope
1.1. Kyvora Inc., provider of the tavara service (the “Service” or “Services”), places great importance on the privacy of the individuals who access and use its Services. This Privacy Policy (the “Policy”) describes how we collect, use, share and protect personal data through our website tavara.ai, our applications and any associated service, tool or communication channel. It also sets out the rights and choices available to you regarding your data.
1.2. By accessing or using the Services, you acknowledge that you are aware of the practices described in this Policy. It is incorporated by reference into our Terms of Service and supplements them. If you disagree with our practices, please do not use the Services.
1.3. We process your data in compliance with applicable data-protection laws, in particular the EU General Data Protection Regulation (“GDPR”), the Swiss Federal Act on Data Protection (“FADP,” revised), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other applicable US state privacy laws.
1.4. This Policy applies to all Users of the Services, wherever they reside. Certain sections (notably Sections 8, 15, 16 and 17) contain provisions specific to particular jurisdictions; in the event of a conflict, the provision specific to your jurisdiction prevails.
1.5. For any question about this Policy or our data practices, you may contact us using the details in Section 20 “Contact us.”
02Data controller and contact details
2.1. The controller of your personal data is Kyvora Inc., a Delaware corporation (United States) whose principal place of business appears in the header of this Policy. Kyvora Inc. determines the purposes and means of the processing described below.
2.2. Where required by applicable law, Kyvora Inc. will designate a local data-protection representative and publish the relevant contact details.
2.3. For any request regarding your data, including the exercise of your rights, you may write to our privacy contact at help@tavara.ai.
03Information we collect
3.1. In the course of providing the Services, we collect personal and non-personal data. The nature of the data depends on your interactions with us and with the Services. We apply a principle of minimization: we collect only what is necessary, relevant and proportionate to the purposes described in this Policy.
3.2. Information you provide directly:
- Account and profile. When creating or updating your account: name, email address, login identifier and other registration details.
- Billing and payment. For a purchase or subscription: transaction history and payment-method information. Payments are processed by our third-party providers (for example Stripe, PayPal, Apple Pay, Google Pay); we do not store your full card number on our servers.
- Inputs and conversations. The content of the prompts, questions, messages, files and images you submit to the Service, along with associated metadata (timestamps, session identifiers). This content may include personal or even sensitive data if you choose to include it; we recommend that you not include information you would not want processed.
- Support communications. When you contact us: your contact details and the content of your communications (including attachments and history).
3.3. Information we collect automatically:
- Technical and device data. IP address, browser type and version, operating system, device type and identifiers, screen resolution, language settings.
- Usage and interaction data. Access times, features used, pages viewed, session duration, navigation paths, error logs.
- Logs and diagnostic data. System-generated logs used for debugging, performance monitoring, fraud detection and technical administration.
- Approximate geolocation. Location inferred from your IP address, for language localization and security. We do not collect precise geolocation.
3.4. Cookies and trackers. See Section 9. We limit cookie use to those that are strictly necessary and functional; we do not use advertising cookies.
3.5. Information from third parties. We may receive a limited amount of data from:
- our payment providers (transaction status, failed payments, billing disputes);
- where applicable, third-party authentication providers (“Sign in with Google, Apple, Microsoft or Facebook”), limited to the data needed to create your account.
3.6. Aggregated or anonymized data. We may produce and use aggregated, anonymized or de-identified data that does not identify any individual and does not constitute personal data under applicable law, for example for statistical reporting or Service improvement.
3.7. We do not sell your personal data and do not share it for cross-context behavioral advertising, within the meaning of applicable law.
04How we use your information
4.1. We use your data for specified, explicit and legitimate purposes, guided by the principles of transparency, necessity and proportionality:
- Provide and operate the Services: give you access to the platform, process your requests, generate AI responses, manage your account and deliver requested features.
- Maintain and improve the Services: analyze usage, error logs and aggregated data to diagnose incidents, strengthen stability and performance, and develop new features.
- Process payments and manage subscriptions: confirm transactions, issue invoices and receipts, handle failed payments and subscription status.
- Communicate with you: administrative, transactional or support messages, and information about changes to the Services or our policies.
- Provide customer support: answer your questions and resolve incidents, bugs or complaints.
- Secure the platform and enforce our rules: detect and prevent fraud and abuse, authenticate accounts, enforce the Terms and prevent unlawful activity.
- Comply with our legal obligations and assert our rights in legal proceedings.
4.2. We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you within the meaning of Article 22 GDPR, without human involvement.
4.3. The content you input is used to produce the Service’s responses and to operate it; it is not used to train AI models (see Section 7).
05Legal bases for processing
5.1. We process your data only where we have a valid legal basis under the GDPR, the FADP and the UK GDPR. Depending on the context:
- Performance of a contract (Art. 6(1)(b) GDPR). Provide access to the Services, deliver features, manage subscriptions and your account.
- Legitimate interests (Art. 6(1)(f) GDPR). Improve and secure the Services, prevent fraud, understand platform usage and defend our rights, after balancing against your rights and freedoms.
- Consent (Art. 6(1)(a) GDPR). Non-essential cookies, promotional communications, or any processing for which the law requires it. You may withdraw consent at any time, without retroactive effect.
- Legal obligation (Art. 6(1)(c) GDPR). Accounting and tax obligations and legitimate requests from authorities.
- Vital interests (Art. 6(1)(d) GDPR). In exceptional cases, to protect your integrity or that of another person.
5.2. Where processing relies on legitimate interests, you have a right to object (Section 10). Where the provision of certain data is necessary to perform the contract (for example your email), its absence may prevent access to all or part of the Services.
06Sharing your information
6.1. We do not sell or rent your personal data. We share it only in the limited cases described below, with appropriate safeguards.
6.2. Service providers and processors. We use providers acting on our behalf and on our instructions: hosting and cloud infrastructure, AI model providers (see Section 7), payment providers, support tools, security and technical monitoring. They are bound by a data-processing agreement (DPA) and process your data only for the defined purposes.
6.3. AI model providers. To generate responses, the content you input is transmitted to third-party AI model providers acting as processors. These providers are required not to use your content to train their models and to process it only to deliver the requested feature (see Sections 7 and 8).
6.4. Legal obligations and protection of rights. We may disclose data where required by law or where necessary to comply with a legal obligation, protect our rights, prevent fraud, or protect the safety of individuals.
6.5. Corporate transactions. In the event of a merger, acquisition, reorganization or sale of assets, your data may be transferred as part of that transaction, with confidentiality preserved and notice given as required by law.
6.6. Aggregated or anonymized data. We may share data that does not identify you, for statistical, research or improvement purposes.
6.7. We do not allow any third party to access your personal data for its own marketing purposes.
07Artificial-intelligence technologies and no training
7.1. The Services rely on artificial-intelligence technologies, in particular large language models (LLMs) operated by tavara or by third-party providers. In accordance with Regulation (EU) 2024/1689 (the “AI Act”), you are informed that you are interacting with an AI system.
7.2. The content you input (prompts, questions, files) is processed to generate a response in real time, under strict security protocols.
7.3. No training on your content. We do not use the content you input to train, re-train, fine-tune or improve AI models, whether ours or third parties’. We select providers and offers (typically “enterprise” or “API” access) that contractually undertake not to use your content for training purposes.
7.4. We likewise do not use your name, contact details, payment data or any account identifier for model-training purposes.
7.5. The responses generated may be inaccurate, incomplete or erroneous. You agree not to rely on them alone for legal, medical, financial or critical decisions without independent human verification.
7.6. For any question about how your data is processed by our AI technologies, contact us at help@tavara.ai.
08Sub-processors and international data transfers
8.1. Kyvora Inc. is established in the United States, and some of our providers are also located there, including our hosting provider Vercel Inc. and the AI model providers, or operate from other countries outside the EU/EEA, the UK and Switzerland. Your data may therefore be transferred to and processed outside the EU/EEA, the UK and Switzerland, in particular in the United States.
8.2. These jurisdictions do not necessarily offer a level of protection equivalent to that of your country of residence. Where we carry out such transfers, we implement the appropriate safeguards provided by law:
- the Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented where applicable by the Swiss addendum (FDPIC) and the UK addendum / IDTA;
- where the provider is certified, the EU-US Data Privacy Framework (and its Swiss and UK extensions);
- a Transfer Impact Assessment (TIA) and additional measures (encryption, minimization) where necessary.
8.3. You may request a copy of the safeguards in place by writing to help@tavara.ai.
09Cookies and trackers
9.1. We use cookies and similar technologies to operate the Services, secure them and remember your preferences. We deliberately limit this use and do not use advertising cookies or behavioral-advertising trackers.
9.2. Categories used:
- Strictly necessary cookies: authentication, session management, security, load balancing. Essential to the operation of the Service, they do not require consent.
- Functional cookies: remembering language and display preferences.
9.3. We do not use third-party advertising, ad-measurement, or session-recording tools (“session replay,” heatmaps).
9.4. Consent. Where required by law (EU/EEA, United Kingdom, Switzerland), non-essential cookies are set only after your consent via our cookie-management banner. You may change your choices at any time.
9.5. Browser settings. You may also block or delete cookies via your browser or device settings; certain features may then be degraded.
9.6. “Do Not Track” signals. Absent a uniform standard, our Services do not currently respond to “Do Not Track” signals.
9.7. For details of each cookie, see our Cookie Policy.
10Your rights and choices
10.1. Depending on where you live, you have rights over your data. These rights may be subject to legal limits (for example our obligation to retain certain data).
10.2. Rights available to data subjects (GDPR / FADP / UK GDPR):
- Access: confirmation of processing and a copy of your data.
- Rectification: correction of inaccurate or incomplete data.
- Erasure: deletion in the cases provided by law.
- Restriction: suspension of processing in certain cases.
- Objection: to processing based on legitimate interests, or to direct marketing.
- Portability: to receive your data in a structured, machine-readable format, or have it transmitted to a third party, where technically feasible.
- Withdrawal of consent: at any time, without retroactive effect.
- Automated decisions: not to be subject to a decision based solely on automated processing producing significant effects (Section 4.2).
10.3. Promotional communications. You may unsubscribe at any time via the link in our emails or by contacting us. We may continue to send you non-promotional messages relating to your account.
10.4. Exercising your rights. Write to us at help@tavara.ai. To protect your privacy, we may need to verify your identity. We respond within the timeframes set by law.
10.5. Complaints. You may lodge a complaint with the competent authority, notably the CNIL (France) or any EEA supervisory authority, the FDPIC (Switzerland), or the ICO (United Kingdom).
11Data retention
11.1. We retain your data for as long as necessary for the purposes for which it was collected: providing the Services, maintaining and improving the platform, complying with our legal obligations, resolving disputes and asserting our rights.
11.2. As a guide, we apply the following periods:
- Account data (name, identifiers, preferences): for the life of the account, then up to 3 years after closure;
- Billing data (invoices, transactions): up to 10 years, in accordance with our accounting and tax obligations;
- Technical and connection logs: approximately 12 months;
- Conversation content (prompts, files): until you delete it or your account is deleted; backup copies are purged within 30 to 90 days.
These periods may be extended where required by law or to establish, exercise or defend legal claims.
11.3. When we no longer have a legitimate need to retain data, we delete, anonymize or aggregate it. Where immediate deletion is not feasible (backups), we isolate the data from any further processing until effective deletion.
11.4. We may retain aggregated or anonymized data, which no longer constitutes personal data, without limitation.
12Data security
12.1. We implement appropriate technical and organizational measures to protect the confidentiality, integrity and availability of your data, in accordance with Article 32 GDPR.
12.2. Data exchanged between your device and our systems is encrypted (TLS). Sensitive stored data is encrypted at rest, and passwords are protected by salted hashing.
12.3. We apply the principle of least privilege: only authorized personnel access the data; such access is logged and monitored. We maintain intrusion-detection, vulnerability-management and incident-response measures.
12.4. As no system is infallible, we cannot guarantee absolute security. Report any suspicious activity to help@tavara.ai.
12.5. Breach notification. In the event of a breach posing a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Article 33 GDPR) and, where the risk is high, the affected individuals without undue delay (Article 34 GDPR).
13Children’s privacy
13.1. The Service is accessible from the age of thirteen (13). We do not knowingly collect data concerning a child under 13, in accordance with, among others, the Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.) in the United States.
13.2. If you are a minor under the law of your country of residence, use of the Service requires the authorization and supervision of a holder of parental authority. Where required by law (in particular Article 8 GDPR, under which the age of digital consent ranges from 13 to 16 depending on the Member State), a minor’s registration is subject to the verifiable consent of a parent or guardian. Any paid subscription is reserved for an adult (see our Terms of Service).
13.3. We implement content filters and age-appropriate design measures (in particular the UK Age Appropriate Design Code and the California Age-Appropriate Design Code) to limit minors’ exposure to sensitive content.
13.4. If we become aware that we have inadvertently collected data from a child under 13, or from a minor without the required parental consent, we will delete it promptly. Parents or legal guardians may contact us at help@tavara.ai.
14Account deletion
14.1. You can delete your account and associated data at any time, directly from your account area (self-service deletion), or by contacting us using the details in Section 20. We may verify your identity before proceeding.
14.2. Account deletion is irreversible: you lose access to your data, content and purchase history. You may request an export of your data at any time at help@tavara.ai; we recommend doing so before any deletion.
14.3. Certain data may be retained for a limited time in our backups, or where required by law (accounting obligations, dispute handling, fraud prevention). It is then limited to what is strictly necessary and kept secure.
14.4. If your account was created via a third-party service (Google, Apple, Microsoft or Facebook), you may also need to revoke access from that platform. Uninstalling the app does not constitute an account-deletion request.
15International users
15.1. tavara is operated from the United States by Kyvora Inc. (a Delaware corporation). If you access the Services from another country, your data may be transferred to and processed in the United States or other jurisdictions where we or our providers operate, under the conditions of Section 8.
15.2. If you reside in the EEA, the United Kingdom or Switzerland, you have the rights described in Section 10 and may contact your local supervisory authority.
15.3. Residents of Canada, Australia, Brazil and other jurisdictions with specific laws may also have rights over their data; we handle such requests in accordance with applicable local law.
16California residents (CCPA/CPRA)
16.1. If you reside in California, the CCPA as amended by the CPRA grants you specific rights. This section supplements the rest of the Policy and applies only to California residents.
16.2. Categories collected. Over the past twelve (12) months: identifiers (name, email, IP address); internet activity information (usage, interactions); approximate geolocation; commercial information (transactions/subscription); and limited inferences. We do not collect sensitive personal information within the meaning of the CPRA (such as Social Security number or precise geolocation).
16.3. Purposes. See Sections 4 and 5. We do not sell or share your personal information for monetary consideration or for cross-context behavioral advertising, as defined under California law.
16.4. Your rights (CCPA/CPRA): the right to know, to delete, to correct, to opt out of sale/sharing (not applicable here), to limit the use of sensitive information (not applicable), and to non-discrimination.
16.5. To exercise these rights, contact us (Section 20). An authorized agent may act on your behalf following verification.
17Other US states
17.1. If you reside in a US state with a comprehensive privacy law, you may have comparable rights (access, correction, deletion, portability, opt-out of certain uses). In 2026, such laws are in effect in around twenty states, including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah and Virginia.
17.2. We handle such requests in accordance with the applicable state law (Section 20); identity verification may be required.
17.3. We do not currently respond to browser “Do Not Track” signals (see Section 9.6).
18Third-party links and services
18.1. The Services may contain links to third-party sites or services that we do not control.
18.2. We are not responsible for the privacy practices or content of those third parties; their own policy applies, and we encourage you to review it.
18.3. The inclusion of a link does not imply any partnership or endorsement, unless expressly stated.
19Changes to this Policy
19.1. We may update this Policy to reflect changes in our practices, our legal obligations or our Services. The “Last updated” date will then be revised.
19.2. In the event of a material change affecting your rights, we will inform you by reasonable means (email, in-app notice, or a notice on the site).
19.3. Your continued use of the Services after a revised version takes effect constitutes acknowledgment of it.
20Contact us
For any question, concern or request regarding this Policy or your data:
- Privacy contact: help@tavara.ai
- Exercise of your rights (GDPR / FADP / CCPA): help@tavara.ai
- Incidents and data breaches: help@tavara.ai
- Data controller: Kyvora Inc. — 14460 Falls of Neuse Road, Ste 149, Raleigh, NC 27614, United States
Please provide enough detail for us to handle your request. Identity verification may be required.