Privacy Policy — Avina

Welcome to Avina (hereinafter: "the System", "we", "us", "our"). This Privacy Policy describes how we collect, use, store, disclose, and delete personal information — particularly insurance and vehicle data — in connection with our services, and your rights as a data subject.

1. Who We Are & Role in Data Processing

We act as the Data Controller and process data under agreements and instructions from insurance agencies / companies that provide us with data.

When we use third-party service providers (e.g., storage, computational processing), they act as Data Processors and are bound by contractual obligations to process data only per our instructions.

2. Types of Data Collected & Purposes of Processing

We receive insurance and personal data from insurance agencies, such as:

• Identifying information: name, age, national ID, contact details
• Insurance data: policy history, renewal dates, coverage details, claims history
• Vehicle data: vehicle registration number, model, ownership history
• Communication data: email correspondence relevant to insurance renewals
• Technical / usage data: IP addresses, system logs, metadata for security and operational purposes

Purpose: to automate insurance renewal processes, provide analytical support to agents, and present insights per agreement with the supplying insurance agencies.

We commit to collecting only the minimal data required to fulfill these purposes and refraining from unnecessary or excessive collection.

3. Legal Bases for Processing

Processing is based on one or more of the following legal bases (in accordance with Israeli law and Amendment 13, when applicable):

• Explicit consent of the data subject, when required
• Execution of an agreement or service between us and the insurance agency / client
• Compliance with legal or regulatory obligations
• Legitimate interest — only when balanced against the privacy rights of the data subject

If processing is based on consent, the consent may be withdrawn at any time. Upon withdrawal, we will cease processing or delete the data, in accordance with our retention and deletion policy.

4. Geographical Storage & Data Residency

All personal and insurance data we process is hosted on Google Cloud servers located in Israel (Region: Tel Aviv, "me-west1"). We use Google's "Israel Data Boundary and Support" to help ensure that data does not cross outside the country as part of storage or routine processing.

If in the future cross-border data transfer becomes necessary (for example, to a third-party service outside Israel), such transfer will only occur under strong encryption, binding agreements, and with explicit consent from the data subject where required.

5. Data Security

We adopt technical and organizational measures to protect data security, including:

• Encryption in transit (TLS) and at rest
• Key management via Google Cloud KMS (customer-managed keys), with periodic key rotation
• Strict access control — only authorized personnel may access data
• Audit logs of access and modifications
• Secure backups with defined deletion policies
• Security reviews, penetration testing, internal security procedures
• Privacy by Design / Default — embedding protections into system architecture

6. Data Retention & Deletion

Our retention and deletion policy is structured as follows:

• We retain sensitive data only for the minimal time necessary to complete the renewal process and maintain system operations
• Once data is no longer needed, we delete it permanently from active resources
• Backup copies are deleted in accordance with backup retention policies; any residual data becomes inaccessible
• Destruction or revocation of encryption keys serves as a de facto deletion — data without keys is unreadable
• We keep precise records of deletion actions: who, when, what was deleted
• Upon a valid request for deletion by a data subject, we verify identity and then remove data from all relevant resources

7. Data Subject Rights

As a user / data subject, you have the following rights (to the extent permitted by law):

• Right of Access — to see the personal information we hold about you
• Right to Rectification — to correct inaccurate or incomplete information
• Right to Deletion — in cases permitted by law
• Right to Object — to certain processing based on valid grounds
• Right to Data Portability — to receive your data in a structured, commonly used format (when applicable)
• Right to Withdraw Consent — if processing is based on consent, you may withdraw it at any time

We will respond to requests without undue delay, subject to legal and security constraints.

8. Security Breach Notification

If a security breach or unauthorized disclosure occurs and presents a high risk to privacy, we will:

• Perform an immediate risk assessment
• Notify the Israel Privacy Protection Authority (or relevant authority) in accordance with legal obligations
• Notify affected data subjects / insurance agencies as required by law
• Take measures to mitigate the breach, prevent recurrence, and learn from the incident
• Maintain full documentation of the incident: timeline, decisions, actions taken

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time (e.g., due to legal changes or technical improvements). For material changes, we will notify users in advance and allow them time to review revisions.

11. Contact & Inquiries

If you have questions, complaints, or requests regarding privacy, contact us at: privacy@quamm.ai. We will respond in good faith and with due diligence.

12. Privacy Requests Page

You may submit privacy-related requests (access, deletion, correction, objections) through our dedicated privacy requests page: Privacy Requests Page.