Privacy Policy

Last Updated: May 19, 2026

About This Policy

Second Spring Design Inc. (doing business as "Aventide") operates the Aventide platform, accessible at aventide.ai and related applications. "Second Spring Design," "Aventide," "we," "us," and "our" all refer to Second Spring Design Inc. The company website is located at secondspring.design.

This Privacy Policy describes how we collect, use, store, and protect your information when you use the Aventide platform and visit our websites.

1. Information We Collect

1.1 Account Information

When you create an account via Outseta (our subscription and billing provider), we collect:

• Email address

• Name (if provided)

• Account identifier (account_uid)

• Subscription and billing information (managed and stored by Outseta)

1.2 Business Information

Information you voluntarily enter into the Business Hub:

• Business Facts: Business name, core problem, target customer, offer description, pricing, brand elements, and other business context you provide

• Goals: Short-term and long-term business goals you define

• Planner Items: Tasks and action items you create

• Documents: AI-generated and user-edited business documents

1.3 Conversation Data

When you interact with AI strategy agents:

• Conversation history is managed and stored by OpenAI pursuant to your agreement with OpenAI and their privacy policy

• We store conversation metadata (session IDs, timestamps, associated business) but not the full conversation content in our own databases

• For execution and messaging features powered by Anthropic, conversation content is processed in real-time and not retained by Anthropic beyond the API call

1.4 Integration Credentials

If you connect external services (Google Calendar, Stripe, Instagram, Mailchimp, and others):

• OAuth access tokens and refresh tokens (stored encrypted in our database)

• Provider account metadata (display name, email, avatar) as returned by the provider

• Scopes granted

1.5 Communication Preferences

If you opt in to proactive messaging:

• Channel identifiers (Telegram chat ID, phone number, email address, push subscription)

• Notification preferences (reminder time, timezone, frequency)

• Message history (content, timestamps, delivery status)

1.6 Usage Data

Standard technical information collected automatically:

• Log data (IP addresses, browser type, pages visited, referring URLs)

• Feature usage patterns (anonymized and aggregated)

• Device information (operating system, screen resolution)

• Cookies and similar technologies (see our Cookie Policy)

1.7 Google Workspace Data

When you connect your Google account via OAuth:

• Calendar Data: Event titles, dates, times, and attendee information from Google Calendar (read-only access via the calendar.readonly scope)

• Google account metadata: Email address, display name, and profile picture as provided by Google's OAuth flow

Limited Use Disclosure: Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements. We only use Google data to provide and improve the features you have explicitly authorized. We do not use Google data for advertising, and we do not sell Google data to third parties.

2. How We Store Your Information

• Database: All business data is stored in Supabase (PostgreSQL), hosted on AWS infrastructure in the United States

• Encryption at rest: All data is encrypted at rest using AES-256

• Encryption in transit: All data is transmitted using TLS 1.2 or higher

• Integration credentials: OAuth tokens are stored encrypted; we never store credentials in plaintext

• Access control: Row-Level Security (RLS) ensures each user or team can only access their own data

• Serverless processing: API routes run on Vercel's serverless infrastructure; no persistent servers store your data in memory beyond request processing

• Backups: Database backups are maintained and encrypted; we retain daily backups for 30 days

3. How We Use Your Information

3.1 To Provide the Service

• Providing AI strategy agent context (business facts, goals, and documents are injected into agent conversations to personalize responses)

• Executing recipes that generate business documents based on your inputs

• Processing integration connections and OAuth flows

• Sending proactive reminders and notifications (only if you have opted in)

• Authenticating your identity and maintaining your session

3.2 To Improve the Platform

We use anonymized, aggregated data to improve our Knowledge Graph and agent recommendations:

• We extract patterns from business data (for example, "what strategies do businesses of type X commonly use?")

• All data used for the Knowledge Graph is fully anonymized - individual businesses cannot be identified

• No individual business names, owner names, revenue figures, or identifying information is stored in the Knowledge Graph

• Minimum aggregation threshold: patterns require contributions from at least 5 businesses before appearing in recommendations

3.3 To Communicate With You

• Sending service-related emails (account confirmation, billing receipts, security alerts)

• Sending product updates and announcements (you may opt out at any time)

• Responding to support requests

3.4 We Do NOT:

• Sell your individual data to third parties

• Use your business data to train AI models that are sold or shared externally

• Share identifiable business information with other users or businesses

• Use your data for advertising or ad targeting

• Allow third-party advertisers to access your data

• Share your data with data brokers

4. Data Sharing

4.1 Service Providers

We share data with trusted service providers who process data on our behalf under contractual obligations:

ProviderPurposeData SharedOpenAIAI conversation processingBusiness context sent during chat sessionsAnthropicAI execution and messagingBusiness context sent during recipe executionOutsetaAccount and billing managementEmail, name, subscription dataSupabaseDatabase hostingAll stored business data (encrypted)VercelApplication hostingRequest logs, serverless executionTwilioSMS and WhatsApp deliveryPhone number, message content (if opted in)SendGridEmail deliveryEmail address, message content (if opted in)TelegramMessaging via Bot APITelegram chat ID, message content (if opted in)

When you connect integrations (Google, Stripe, Instagram, Mailchimp, and others), data is shared with those providers as necessary to provide the connected features.

4.2 Aggregate Insights

We may publish or share aggregate, anonymized industry insights (for example, "70% of coaching businesses use email as their primary channel") for platform improvement and research. This data cannot be linked to any individual business.

4.3 Legal Requirements

We may disclose information if required by law, court order, subpoena, or government authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you via email or prominent notice before your data becomes subject to a different privacy policy.

4.5 Google API Services

Aventide's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect your Google account, Aventide accesses only the scopes you authorize (which may include Google Calendar, Gmail, and/or Google Drive). We use this data solely to:

• Display your calendar events, email summaries, or drive files within the Aventide Business Hub

• Provide AI-generated business insights based on your connected data

• Execute recipes and workflows you explicitly initiate

We do NOT:

• Allow humans to read your Google data unless you provide explicit consent, it is needed for security purposes, or it is required by law

• Use Google data for advertising or serving ads

• Transfer Google data to third parties except as necessary to provide and improve the Service, or as required by law

• Use Google data to train AI models that are shared externally

You can revoke Aventide's access to your Google account at any time via the Integrations section in the Business Hub or through your Google Account permissions.

5. Your Rights

Regardless of where you are located, you have the right to:

• Access: Request a copy of all personal data we hold about you and your business

• Correction: Update or correct inaccurate information at any time via the Business Hub, or by contacting us

• Deletion: Request deletion of your account and all associated business data

• Export: Request an export of your business data in a portable format (JSON or CSV)

• Withdraw Consent: Opt out of communications at any time; disable or revoke integration connections at any time

• Object: Object to processing of your data for the Knowledge Graph (contact us to opt out)

• Restrict Processing: Request that we limit the processing of your data under certain circumstances

• Data Portability: Receive your data in a structured, commonly used, machine-readable format

To exercise these rights, contact us at support@secondspring.design. We will respond to all requests within 30 days.

6. Data Retention

Data TypeRetention PeriodAccount and business dataRetained while your account is active, plus 90 days after cancellationConversation metadata12 monthsExecution history24 monthsCommunication messages12 monthsGoogle Workspace dataCached for up to 24 hours; deleted immediately when integration is disconnectedUsage logs90 daysKnowledge Graph contributionsRetained indefinitely (fully anonymized; cannot be linked to individuals)

Upon account deletion, all personally identifiable data is permanently deleted within 30 days. Anonymized contributions to the Knowledge Graph are irrevocably anonymized and cannot be removed, as they contain no identifying information.

7. Communication and Opt-Out

All proactive communications (Telegram, WhatsApp, SMS, email, push notifications) require explicit opt-in. You can:

• Disable any channel at any time via the Connect page in the app

• Send /stop to the Aventide Telegram bot to unsubscribe immediately

• Reply STOP to any SMS message

• Click unsubscribe in any email

We will honor all opt-out requests immediately. Service-critical communications (such as security alerts and billing confirmations) may still be sent regardless of marketing preferences.

8. Cookies and Tracking

We use cookies and similar technologies to maintain your session, remember your preferences, and understand how the Service is used. For full details, please see our separate Cookie Policy.

We do not use third-party advertising cookies. We do not participate in cross-site tracking or retargeting networks.

9. International Data Transfers

Your data is stored and processed in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We take appropriate safeguards to ensure your data remains protected in accordance with this Privacy Policy.

10. GDPR (European Economic Area Users)

For users in the European Economic Area (EEA), our legal bases for processing are:

• Contract Performance: Processing necessary to provide the service you have subscribed to

• Legitimate Interests: Anonymized analytics and knowledge graph improvements, fraud prevention, and service security

• Consent: Proactive communications, optional integrations, and non-essential cookies

You have additional rights under the GDPR, including the right to lodge a complaint with your local supervisory authority. If you believe we have not adequately addressed your concerns, you may contact the data protection authority in your country of residence.

11. CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You may request details about the categories and specific pieces of personal information we collect

• Right to Delete: You may request deletion of your personal information

• Right to Opt-Out of Sale: We do not sell personal information

• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To make a request, contact us at support@secondspring.design. We will verify your identity before fulfilling requests.

12. Children's Privacy

The Aventide platform is intended for business owners aged 18 and older. It is not directed at children under 16. We do not knowingly collect personal information from anyone under the age of 16. If we discover that we have inadvertently collected information from a child under 16, we will delete it promptly.

13. Security

We implement industry-standard security measures to protect your data, including:

• Encryption at rest (AES-256) and in transit (TLS 1.2+)

• Row-Level Security ensuring tenant isolation

• Regular security reviews and dependency updates

• Principle of least privilege for internal access

• Encrypted credential storage for all third-party integrations

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you become aware of a security vulnerability, please report it to support@secondspring.design.

14. Changes to This Policy

We will notify you of material changes to this Privacy Policy via email or a prominent notice in the application at least 30 days before the changes take effect. We encourage you to review this policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

15. Contact

For privacy questions, data requests, or concerns:

• Email: support@secondspring.design

• Company: Second Spring Design Inc.

• Website: secondspring.design

This Privacy Policy was last reviewed and updated on May 19, 2026.