Privacy Policy

Avirt is a sector-native operating system that turns customer conversations into verified business outcomes. To do that, we process data you and your customers generate — messages, records, payments, and the activity of the operating loop. This policy describes what we collect, why, and the controls you have. We align our handling with applicable data-protection regimes, including the Nigeria Data Protection Regulation (NDPR) and comparable frameworks in the markets we serve.

• Account data — your name, work email, business name, and role, provided when you create a workspace.
• Customer Memory — the records, messages, and contact details you bring into Avirt to run your business.
• Operational data — the actions the operating loop perceives, decides, and takes, plus the outcomes it observes.
• Payment metadata — verification status and references from supported rails. Avirt does not store full card or bank credentials.
• Usage data — device, log, and diagnostic information used to keep the service reliable and secure.

• To operate your workspace — capturing intent, creating records, and surfacing the Daily Briefing.
• To verify outcomes — confirming payment, delivery, booking, and approval states through supported rails.
• To improve routing, timing, and prioritization from confirmed outcomes, with guardrails for risk and human accountability.
• To secure the service, prevent abuse, and meet legal obligations.

We do not sell your data, and we do not use your customers’ private business data to train models for other companies.

We share data only with the processors needed to run Avirt — payment rails (such as Paystack and Flutterwave), identity and KYB anchors (such as NIBSS), infrastructure providers, and, where you enable them, licensed partners for regulated workflows. Each processor is bound by contract to protect your data. Regulated actions may require customer-held licenses or licensed partners before activation.

• Access & export — your records and Customer Memory are yours to export at any time, on any plan.
• Correction & deletion — request changes or removal of your personal data, subject to legal retention duties.
• Consent — where processing relies on consent, you can withdraw it.
• Objection — object to certain processing, including automated actions, which always remain reversible and human-accountable.

Data is encrypted in transit and at rest. We keep data only as long as needed to provide the service or meet legal obligations, then delete or anonymize it. AI activity stays visible in audit timelines so a decision can be reconstructed when it matters. See our Security page for more.

Where local law grants additional rights — for example under the NDPR in Nigeria, the Data Protection Act in Kenya, or Ghana’s Data Protection Act — those rights apply to you in addition to this policy. Billing and data residency follow the market in which you operate.