Avestris Privacy Policy

Effective date: 2026-05-10

Organization: Avestris Systems

Contact: [email protected]

Overview

Avestris Systems provides technical consulting, systems recovery, secure file intake, legacy software modernization, accounting workflow support, and operational analysis services. This Privacy Policy explains what information Avestris collects, how it is used, how it is protected, and how deletion or correction requests may be made.

Information We Collect

Avestris may collect the following information:

• Contact information such as name, email address, phone number, company, and project details.
• Customer-submitted files, screenshots, logs, exports, database extracts, source code, configuration files, or other artifacts needed for consulting work.
• Communications sent through email, phone, SMS, website intake forms, or project channels.
• Billing and invoice records.
• Website and service logs such as IP address, request path, timestamp, browser metadata, and error logs.
• For internal accounting only, read-only financial account metadata, balances, and transactions imported through Plaid.

Avestris does not intentionally collect bank login credentials. When Plaid is used, financial institution credentials are entered into Plaid-controlled flows and are not received by Avestris.

How We Use Information

Avestris uses collected information to:

• Respond to inquiries and provide consulting services.
• Diagnose, recover, migrate, or modernize customer systems.
• Prepare estimates, invoices, reports, and project documentation.
• Maintain service security, auditability, and operational continuity.
• Operate internal accounting, cash-flow projection, and reconciliation workflows.
• Comply with legal, tax, accounting, and contractual obligations.

Avestris does not sell personal information.

Plaid and Financial Data

Avestris may use Plaid to connect internal Avestris financial accounts for accounting automation. Plaid is used as a read-only financial data provider. Avestris does not use Plaid to initiate payments, transfers, ACH activity, wires, or other money movement.

Plaid Link is used so credentials are handled by Plaid, not by Avestris. Avestris receives a public token from Plaid Link and exchanges it server-side for an access token. Stored access tokens are treated as restricted secrets and are not exposed through browser-facing APIs.

Sharing and Third Parties

Avestris shares information only when necessary to provide services, operate infrastructure, comply with law, or use approved service providers. Relevant third parties may include hosting providers, DNS providers, email providers, source repository hosting, accounting/banking integration providers, and security/operations tooling.

Avestris does not disclose customer artifacts to unrelated third parties except with customer authorization, as required by law, or as necessary for security incident response.

Security

Avestris uses administrative, technical, and operational safeguards appropriate for a small technical consulting business, including HTTPS, network segmentation, restricted internal systems, service account separation, least-privilege access, server-side secret storage, logging, backups, and version-controlled change management.

No system can be guaranteed perfectly secure, but Avestris works to reduce unauthorized access, disclosure, alteration, or destruction of information.

Retention and Deletion

Avestris retains information only as long as needed for service delivery, accounting, legal compliance, security, operational continuity, or legitimate business purposes. Customers may request deletion of information by contacting [email protected]. Some records may be retained where required for tax, accounting, legal, audit, backup, or dispute-resolution reasons.

More detailed retention targets are described in the Avestris Data Use and Retention Policy.

Privacy Rights and Regional Notices

Avestris is based in the United States and primarily serves technical consulting customers. Some privacy laws, including the EU/UK GDPR, the Colorado Privacy Act, the California Consumer Privacy Act, and similar U.S. state privacy laws, may provide rights depending on where you live, what data is involved, and whether the law applies to Avestris for the relevant activity.

Where applicable, those rights may include access, correction, deletion, portability, objection or restriction of certain processing, opt-out from sale, targeted advertising, or certain profiling where those concepts apply, and non-discrimination for exercising privacy rights.

Avestris does not sell personal information and does not use customer-submitted artifacts for targeted advertising. Requests may be sent to [email protected]. Avestris may need to verify identity and authority before responding.

International Users

Avestris's initial public self-service intake is focused on United States customers. International requests may be considered manually, but should not be treated as accepted until Avestris has explicitly agreed in writing.

If you are located outside the United States, you should assume that information you submit to Avestris may be processed in the United States. Do not submit regulated, highly sensitive, or cross-border restricted data unless Avestris has explicitly agreed in writing to an appropriate handling process.

Your Choices

You may contact Avestris to request access, correction, deletion, or limitation of information associated with you or your organization. Avestris will respond according to applicable law and operational constraints.

Changes

Avestris may update this Privacy Policy as services, infrastructure, or legal requirements change. Material changes should be reflected in the effective date and version-controlled policy history.