Privacy Policy

Last updated: March 2026

Who we are

Avokaado is a contract and document management platform operated by Avokaado.com OÜ, registered in Estonia. This policy explains how we collect, use, and protect your personal data when you use our services at avokaado.io and our Google Workspace Add-on.

Data we collect

We collect the following categories of personal data:

🥑Account data — name, email address, and password when you register.
🥑Usage data — pages visited, features used, and actions taken within the platform.
🥑Document data — contracts and documents you upload or create, including any personal data contained within them.
🥑Communication data — messages you send to our support team.
🥑Technical data — IP address, browser type, and device information collected automatically.

How we use your data

🥑To provide and maintain the Avokaado platform.
🥑To authenticate your identity and protect your account.
🥑To send transactional emails (invitations, document notifications, password resets).
🥑To provide customer support via Intercom.
🥑To comply with legal obligations.

Google user data

This section applies to users of our Google Workspace Add-on and the Google Drive connector in the Avokaado platform.

Data accessed

Google Workspace Add-on — When you use the Avokaado add-on inside Google Docs, we access:

🥑The full text content and structure of the Google Doc that is currently open (@OnlyCurrentDoc — access is strictly limited to the single document you have open at the time).
🥑The title, document ID, and revision ID of that document.
🥑A PDF export of the current document, generated via Google Drive export and used solely to perform the AI contract review.

The add-on does not read your Google account email or profile from Google directly. Your identity within the add-on is managed via your Avokaado account token.

Google Drive connector — When you connect a Google Drive account to your Avokaado workspace, we access:

🥑Metadata (name, ID, file type, size, last modified date) of files and folders within folders you explicitly navigate to in the Drive browser. We do not scan or index your entire Drive.
🥑Content of files you explicitly select for import into Avokaado.
🥑The email address of the connected Google account.

Data usage

Add-on — Document text and a PDF export of the current document are sent to the Avokaado API solely to perform AI-powered contract review. We do not use Google data for advertising or to build profiles unrelated to the service.

Drive connector — Metadata is fetched on demand as you navigate folders, solely to display the folder browser. We do not read metadata from folders you have not opened. File content is accessed only when you explicitly select a file to import, and is used only to create a copy inside your Avokaado workspace. Your connected Google email is stored so you can identify and manage the connection.

Data sharing

Google user data is not sold, rented, or shared with third parties for their own purposes. Document content sent via the add-on is processed by our AI review pipeline solely to generate the review result shown to you. OAuth tokens for the Drive connector are stored encrypted in our database and are never exposed to other users or third parties.

Data storage and protection

🥑OAuth access and refresh tokens for the Drive connector are encrypted at rest using AES-256 encryption before being stored in our database.
🥑Document content transmitted from the add-on to the Avokaado API is sent over HTTPS (TLS 1.2+).
🥑Access to production data is restricted to authorised Avokaado personnel only.
🥑We do not store raw document content from the add-on beyond what is required to complete the review request.

Data retention and deletion

Add-on — Document content is processed transiently and not retained after the review session is complete or deleted. Review sessions and their associated findings are deleted when you explicitly delete the session, or when your Avokaado account is deleted.

Drive connector — OAuth tokens are deleted immediately when you disconnect the Google Drive connector from your workspace. Imported documents are retained as part of your Avokaado workspace until you delete them.

To request deletion of your Google data or your entire account, contact us at security@avokaado.io. We will action deletion requests within 30 days.

AI processing

To power AI-assisted features, document content sent to the Avo API may be processed by third-party AI service providers. These providers act as data processors on behalf of Avokaado and are contractually bound to process data only for the purpose of delivering the requested functionality. They are not permitted to use your data for model training, advertising, or any other purpose. Avokaado evaluates all AI service providers against its security and data protection standards before engagement.

Google user data is not sold, rented, or shared with any third party for purposes other than those described in this policy.

Legal basis for processing

We process your personal data under the following legal bases as defined by the GDPR: contract performance (providing the service you signed up for), legitimate interests (security, fraud prevention, and platform improvement), and legal obligation (compliance with applicable law). Where we rely on consent (e.g. for functional cookies), you may withdraw it at any time.

Data sharing and sub-processors

We do not sell your personal data. We share data only with trusted sub-processors required to operate the platform, including cloud infrastructure providers, authentication services, and customer support tools. A full list of sub-processors is available on request at security@avokaado.io.

Data retention

We retain your data for as long as your account is active or as needed to provide the service. Upon account deletion, we will delete or anonymise your personal data in accordance with our data retention policy. To request deletion, contact us at security@avokaado.io.

Your rights

Under the GDPR you have the right to:

—Access the personal data we hold about you.
—Correct inaccurate or incomplete data.
—Request deletion of your data (“right to be forgotten”).
—Object to or restrict certain processing.
—Receive your data in a portable format.
—Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at security@avokaado.io.

Cookies

We use cookies to maintain sessions and provide support features. For full details on the cookies we set and how to manage your consent, see our Cookie Policy.

Business transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you via email or a prominent notice on our platform before your data becomes subject to a different privacy policy.

Children

Avokaado is a B2B service intended for use by individuals who are at least 18 years old. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us at security@avokaado.io and we will delete it promptly.

Changes to this policy

We may update this policy from time to time. When we do, we will update the date at the top of the page. Continued use of the platform after changes constitutes acceptance of the updated policy.

Contact

For any privacy-related questions, contact our data protection team at security@avokaado.io.

← Back to Avokaado