Privacy Policy

Last updated: May 23, 2026

Avena Flow LLC ("Avena Flow," "we," "us," "our") operates the Avena Flow platform (avenaflow.com), the Aria AI Concierge service, and related embeddable widgets and integrations. This policy explains what information we collect, how we use it, and the choices you have.

1. Who this policy applies to

• Tenants — business owners and their staff who subscribe to Avena Flow / Aria.
• Clients — end customers of our tenants who book appointments, chat with Aria, or interact with a tenant's booking page.
• Visitors — anyone who visits avenaflow.com without an account.

2. What we collect

From tenants (account holders)

• Name, business name, email, phone, billing address.
• Stripe customer + payment method details (handled by Stripe — we never store full card numbers).
• Business configuration (services, staff, branding, booking policies, automation preferences).
• Usage data (logins, feature interactions, dashboard activity).

From clients (your customers)

• Name, email, phone, optional birthday — provided by them at booking or chat.
• Appointment history, package balances, gift card balances tied to your business.
• Chat transcripts with the Aria AI Concierge for your business.
• Photos / files they upload during booking or intake (if your business uses intake forms).

From visitors

• Standard web analytics (page views, referrer, device type).
• Cookies for session management + analytics. No third-party advertising cookies.

3. How we use information

• To operate the booking system, AI Concierge, marketing automations, POS, and reporting features tenants subscribe to.
• To process payments (via Stripe) and send transactional emails / SMS (via Resend and Twilio).
• To train Aria on tenant-provided content so the bot can answer questions about that specific business.
• To monitor service health, prevent abuse, and protect against fraud.
• To communicate with tenants about their account, billing, and feature updates.

4. Multi-tenant data isolation

Every piece of data is scoped to a single tenant. We never share, mix, or expose one tenant's data (clients, bookings, AI chats, payments) to another tenant. Public booking pages and chat widgets identify each tenant by a unique slug, and our backend enforces tenant isolation on every query. A tenant's clients are that tenant's clients — Avena Flow does not market to them on behalf of other tenants.

5. How we share information

We share data with a small set of trusted service providers, each bound by their own privacy commitments:

• Stripe — payment processing and Stripe Connect for tenant payouts.
• Supabase — database and authentication hosting.
• Vercel — application hosting.
• Anthropic — the AI model that powers Aria's responses (transcripts may be processed for the duration of a conversation).
• Resend — transactional and marketing email delivery.
• Twilio — SMS delivery.
• Meta — when tenants connect Instagram or Messenger to Aria.

We do not sell personal data, share it with advertising networks, or rent client lists to other businesses.

6. Marketing communications

Tenants control which automated messages go out from their account (welcome, post-visit follow-up, birthday, re-engagement, review requests). Every marketing email includes a one-click unsubscribe link that removes the recipient from marketing messages only. Transactional messages (appointment confirmations, payment receipts, password resets) are required for the service and cannot be unsubscribed.

SMS recipients can text STOPto opt out of SMS from a specific tenant. This works per-tenant — opting out of one business doesn't affect SMS from a different business.

7. Retention

• Tenant account data: retained while the account is active + up to 12 months after cancellation for tax / dispute purposes.
• Client data: retained as long as the tenant's account is active. Tenants can delete individual client records anytime.
• Aria conversation logs: retained for at least 90 days for safety / debugging. Tenants on paid tiers can request deletion sooner.
• Free Aria agents are automatically deleted after 14 days of inactivity along with associated conversation history.

8. Your rights

Depending on where you live, you may have rights under laws such as GDPR (EU/UK) and CCPA (California), including the right to access, correct, delete, or export your data. To exercise any of these rights, email privacy@avenaflow.com. We respond within 30 days.

Clients of our tenants should contact the business directly for their data (since that business is the data controller). We will assist the tenant in fulfilling any verified request.

9. Security

All traffic is TLS-encrypted. Passwords are hashed with industry-standard algorithms via Supabase Auth. Payment card details are tokenized through Stripe and never touch our servers. Service-role database access is restricted to backend systems, and Row Level Security policies enforce per-tenant isolation on top of that.

No system is perfectly secure. If we discover a breach affecting your data, we will notify you within 72 hours of confirmation.

10. Children

Avena Flow is not intended for children under 13. We don't knowingly collect personal information from children. If you believe a child has provided us information, please email us and we will delete it.

11. Changes to this policy

We update this policy when material changes happen. The "Last updated" date at the top reflects the most recent revision. We notify active tenants by email when changes are material.

12. Contact

Avena Flow LLC
45 Jasper Street, Providence, RI 02904
Email: privacy@avenaflow.com
General: hello@avenaflow.com