PRIVACY POLICY

At Avyra, we aim for transparency and minimal data collection. We process only what is needed to operate a secure avatar and world platform, enforce policies, and fulfill purchases—consistent with our “privacy-by-design” approach and limited retention for sensitive processing steps.

Controller: Avyra (operator of avyra.cc) is the data controller for personal data described here, except where third parties process data under their own policies (e.g., payment processors).

We limit collection to what is reasonably necessary:

• Account data: Email address, username or display name, hashed password, optional Discord identifier, premium or role flags, token balances, and MFA settings when enabled.
• IP addresses and device data: Logged for security, rate limiting, abuse prevention, and enforcement of bans (including entries in our blocked-IP list).
• Session and authentication data: Essential cookies or tokens to keep you signed in and protect against CSRF or session hijacking.
• Transaction data: Purchase history, licenses, and records needed for billing disputes—processed in part by Sellauth and related payment infrastructure.
• User content: Avatars, worlds, images, metadata, and queue-related records you submit for hosting, hotswap, or gallery display.
• VRChat credentials (hotswap): When you use queue features, username/password or related fields may be stored temporarily in encrypted or access-controlled form for the duration of processing, then removed or invalidated when the job completes, fails, or is cancelled.
• Support and DMCA submissions: Information you provide in tickets, Discord, or copyright notices.
• Security logs: Sanitized event records (e.g., failed logins, rate limits) without storing passwords in logs.

We apply strict handling for high-sensitivity flows, and we enforce specific retention periods:

• Passwords: Stored only as one-way hashes for authentication—not in plain text and not written to application logs.
• IP logs: Retained for 90 days from the date of collection. After that, IP addresses are aggregated, anonymized, or deleted, except where needed for ongoing legal or security investigations.
• Queue / upload processing credentials: Temporary files and in-memory credentials used during automated processing are deleted or purged within 24 hours of job completion, failure, or cancellation, unless a longer retention is required for fraud investigation or legal compliance (in which case they are kept no longer than 30 days and only under access controls).
• Raw processor uploads: Source images or temporary bundles used only for ingestion are removed from active processing systems within 7 days after metadata extraction and publication, unless needed for debugging with your consent.
• Account email and profile data: Remain while your account is active so you can sign in and use the Services. Upon account deletion, we delete or anonymize this data within 30 days, except for transaction records required for tax or legal compliance (retained up to 7 years) and security logs (retained as above).

We have documented these retention limits in our internal data retention schedule, which is available for inspection by supervisory authorities upon request.

We process personal data for:

• Contract performance — providing accounts, downloads, tokens, hotswap, and premium features you request.
• Legitimate interests — security monitoring, IP blocking, fraud prevention, improving stability, and defending legal claims. We have conducted a balancing test under GDPR Article 6(1)(f) and determined that our legitimate interests are not overridden by your privacy rights, given the limited nature of the data and the retention safeguards described in Section 2. You may object to this processing at any time by contacting us.
• Legal obligation — responding to lawful requests, tax or record-keeping where applicable, and copyright law compliance.
• Consent — where required (e.g., optional marketing if offered, or non-essential cookies if enabled in the future).

We do not sell your personal information for money. We do not build advertising profiles from your activity on Avyra.

We may share data with:

• Infrastructure providers — hosting (e.g., Vercel), database (e.g., Neon), object storage (e.g., Cloudflare R2), CDN, and security vendors under contractual confidentiality and security obligations.
• Payment processors — Sellauth and payment networks to complete purchases; their use of data is governed by their policies. We have confirmed with Sellauth that our integration meets PCI DSS requirements for our transaction volume (Level 4 SAQ).
• Discord — if you link or authenticate via Discord, subject to Discord’s policy.
• Law enforcement or courts — when required by valid legal process or to protect rights, safety, and integrity of users and the platform.

We do not rent or sell personal information to data brokers.

Third‑party responsibility: We are not responsible for the independent security failures or data practices of these third‑party providers, except as required by data protection law.

Data may be processed in the United States and other countries where our providers operate. Where required by law (e.g., EEA, UK, Switzerland), we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms offered by our vendors.

We retain data only as long as needed for the purposes above, with specific timeframes (see Section 2). Summary:

• Account data — until you delete your account or we delete it after prolonged inactivity (12 months of non‑use), subject to legal holds.
• Security / IP ban records — as needed to enforce bans and prevent abuse, but IP logs are rotated every 90 days.
• Transaction records — for at least 7 years as required for accounting, tax, and chargeback defense.
• Queue credentials — for a maximum of 24 hours after job completion.

Depending on your location, you may have the right to:

• Access and receive a copy of personal data we hold about you;
• Correct inaccurate data;
• Delete your account and associated data (subject to legal exceptions);
• Restrict or object to certain processing (including our legitimate interests processing);
• Data portability where technically feasible;
• Withdraw consent where processing is consent-based;
• Lodge a complaint with a supervisory authority (EEA/UK) or your local privacy regulator.

To exercise rights, contact us via Settings, FAQ, or Discord support. We will verify your identity before responding. We aim to respond within timelines required by law (e.g., 30–45 days under many U.S. state laws, one month under GDPR subject to extension).

California residents may request: (1) categories of personal information collected; (2) deletion, subject to exceptions; (3) correction; and (4) information on sharing. We do not sell personal information as defined by the CPRA. We do not use sensitive personal information for purposes requiring a “limit” opt-out beyond what is necessary to provide the Services. Authorized agents may submit requests with proof of authority. We will not discriminate against you for exercising privacy rights.

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other states with comprehensive privacy laws may have similar rights to access, delete, correct, and opt out of certain processing. Contact us to exercise applicable rights. Where a global privacy control is legally required and technically supported, we will honor it for targeted advertising if we ever engage in it (we do not today).

If you are in the EEA, UK, or Switzerland, our legal bases are listed in Section 3 (including our legitimate interests balancing test). You have GDPR/UK GDPR rights described in Section 7. Our representative contact for privacy requests is the support channel on the site until a designated EU representative is appointed, if required by scale of processing.

We comply with applicable local privacy principles (including PIPEDA-style access rights in Canada and Australian Privacy Act principles) to the extent they apply to our operations. Nothing in this policy overrides non-waivable rights under your local consumer or privacy laws.

The Services are not directed to children under 16. We do not knowingly collect personal data from children under 13 (or under 16 in the EEA without parental consent). If you believe we have collected such data, contact us and we will delete it promptly. For users in the UK/EU, we may implement age‑assurance measures as required by law.

We use essential cookies and similar technologies for authentication and security. Non-essential analytics or marketing cookies, if introduced later, will be disclosed with consent options where required by law.

We use industry-standard measures including encryption in transit (HTTPS), hashed passwords, access controls, and monitoring. No method of transmission or storage is 100% secure; you use the Services at your own risk and should use strong, unique passwords and MFA when available.

We are committed to making our public‑facing website accessible to individuals with disabilities. We strive to conform to WCAG 2.1 Level AA. If you encounter accessibility barriers, please contact us, and we will make reasonable efforts to resolve the issue.

We may update this Privacy Policy with a new “Last Updated” date. Material changes will be communicated as appropriate. Continued use after the effective date constitutes notice of the update where permitted by law.

Privacy requests and questions: support via the site (Settings, FAQ), public Discord ticket, or DMCA/legal channels linked on the site.