AVENOR

Privacy notice

Last updated: 2026-05-17

This notice explains how AVENOR (“we”, “us”) collects, uses, stores, and discloses personal data. We are the controller for the data described below. This notice is provided under the EU General Data Protection Regulation (GDPR) and the revised Swiss Data Protection Act (nFADP).

1. Who we are

AVENOR — automated tax & reporting infrastructure for private markets and tokenized assets. Operator: [Legal entity, registered address]. Privacy contact: privacy@avenor.app.

2. What we collect

Account data

  • Email address (sign-in identifier)
  • Full name and avatar URL (optional, supplied by you)
  • Locale preference
  • Authentication metadata (last sign-in time, session tokens)

Organization data

  • Organization name, slug, brand color, logo
  • Selected jurisdictions (e.g. CH, DE, US)

SPV / fund data you upload

  • Investor records (name, email, tax residency, optional tax ID, metadata)
  • Transactions and events (capital calls, distributions, income, expenses, valuations)
  • Allocation percentages between investors and SPVs
  • Calculation snapshots and generated reports

Payment data

When you pay through AVENOR, the transaction is processed by Stripe. We store the resulting Stripe customer ID and Checkout session IDs on the organization and job records. We do not store full card numbers; Stripe is the controller for card and payment-instrument data.

Operational data

  • Audit log entries describing actions you take (creating an SPV, uploading data, running a calculation, completing a job, etc.)
  • Standard server logs (IP, user-agent, timing) for security and abuse detection

3. Why we use it (purposes and legal bases)

PurposeLegal basis (GDPR)
Provide the service you signed up forPerformance of a contract (Art. 6(1)(b))
Audit trail, anti-abuse, securityLegitimate interests (Art. 6(1)(f))
Comply with tax, accounting, and AML obligationsLegal obligation (Art. 6(1)(c))
Process payments via StripePerformance of a contract (Art. 6(1)(b))
Improve the product (analytics on aggregated metrics)Legitimate interests (Art. 6(1)(f))

We do not sell personal data. We do not engage in advertising profiling.

4. Where data is stored

AVENOR runs on the following sub-processors:

  • Supabase — primary database, authentication, object storage. EU region.
  • Vercel — application hosting, CDN, edge runtime. Region preference: EU.
  • Stripe — payment processing. EEA/US.

Transfers outside the EEA are made under appropriate safeguards (Standard Contractual Clauses where applicable).

5. How long we keep it

  • Audit logs, calculation snapshots, and generated reports are retained for the lifetime of your organization and for a reasonable archival period thereafter, consistent with statutory retention requirements for tax and accounting records.
  • Account and operational data are kept until you delete your organization, except where law requires longer retention.
  • Session tokens expire automatically (typically within 1 hour for magic-link tokens; up to 30 days for active sessions).

6. Your rights

You have the right to:

  • access the personal data we hold about you,
  • have inaccurate data corrected,
  • have your data erased (subject to legal retention exceptions),
  • restrict or object to processing,
  • port your data to another controller,
  • withdraw consent at any time where processing is based on consent.

To exercise any of these rights, write to privacy@avenor.app. You also have the right to lodge a complaint with your local supervisory authority.

7. Security

Every tenant table in our database is protected by row-level security: a query for one organization can never return another organization's rows. Authentication uses signed JWTs in HTTP-only cookies. Storage buckets are private with path-prefix tenant isolation. Webhooks from Stripe are verified by signature. Service-role keys are server-only and never exposed to the browser.

8. Cookies

AVENOR uses strictly-necessary cookies to keep you signed in and to remember your locale. We do not use advertising or analytics cookies by default. If we add product analytics, we will update this notice and (where required) ask for your consent.

9. Changes to this notice

We may update this notice as the product evolves. Material changes are communicated by email and reflected in the “last updated” date above.

10. Disclaimer

AVENOR is tax & reporting infrastructure, not a substitute for a qualified tax advisor. Calculations and reports produced through the service are automated outputs based on the data you upload and the rule sets you select. Review with your accountant or tax advisor before any filing.