Privacy Policy

Last updated: April 3, 2026

1. Introduction

Ava | Supernova ("we", "us", "our") is an open-source AI assistant operated by Augmented Value Acceleration, a company registered in the United Kingdom. This Privacy Policy explains how we collect, use, and protect your information when you use our VS Code extension, Desktop IDE, CLI tool, Companion app (web and mobile), website, and managed API services (collectively, the "Service").

We are committed to protecting your privacy in accordance with the UK Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and applicable data protection laws.

2. Data Controller

The data controller for your personal data is Augmented Value Acceleration, registered in England and Wales. For data protection enquiries, contact us at privacy@ava-supernova.com.

3. Information We Collect

3.1 Account Information

When you create an account, we collect your email address and display name. If you authenticate via GitHub OAuth, we store a hashed reference to your GitHub account — we never store your GitHub password.

3.2 Usage Data

For platform users (free and paid), we track token consumption, request counts, and model usage to enforce plan limits and provide usage dashboards. This data is tied to your account and is not shared with third parties.

3.3 API Keys

If you use your own API keys (BYOK mode), your keys are stored locally on your device in your operating system's secure keychain. We never transmit, store, or have access to your personal API keys. When using managed plans, API calls are routed through our infrastructure using our platform keys — your prompts pass through our proxy solely to reach the AI provider and are not stored or logged.

3.4 Conversation History, Memory, Tasks & Journal

By default, all conversation history, memory entries, tasks, and journal entries are stored locally on your device. If you opt in to cloud sync, this data is stored in our database (Supabase, hosted on AWS) and encrypted at rest. This data belongs to you and can be deleted at any time from your dashboard.

3.5 Computer Use (Desktop IDE)

The Desktop IDE includes an optional Computer Use feature that captures screenshots of your screen and sends them to a vision AI model (Holo3) for desktop automation. Screenshots are processed in real-time and are not stored on our servers. When using BYOK mode, screenshots are sent directly to the Holo3 API. When using platform mode, screenshots pass through our proxy. You control Computer Use permissions, allowed applications, and can disable this feature entirely in Settings.

3.6 Voice Input (Companion App)

The Companion app offers an optional voice input feature. When enabled, your device's microphone captures audio which is processed entirely by your browser's built-in speech recognition engine. No audio data is recorded, stored, transmitted, or sent to our servers or any third party. Only the resulting text is used. You can revoke microphone access at any time through your browser or app settings.

3.7 Payment Information

Payments are processed by Stripe. We do not store credit card numbers, CVVs, or full payment details. We receive a Stripe customer ID and subscription status to manage your plan.

4. How We Use Your Information

  • To provide and maintain the Service
  • To manage your account and subscription
  • To track token usage and enforce plan limits
  • To sync conversation history, memory, tasks, and journal across your devices (if enabled)
  • To process payments through Stripe
  • To communicate service updates, security notices, or support responses

We do not use your code, conversations, or prompts to train AI models. We do not sell your data to third parties. We do not run analytics or tracking on any of our client applications.

4a. Shared Learning (Opt-In)

Our client applications include an optional Contribute Shared Learning setting, which is disabled by default. When you choose to enable it, the following anonymised feedback data is shared when you rate messages:

  • Your rating (thumbs up/down) and selected reason (e.g., “Wrong”, “Incomplete”)
  • The AI model and mode used
  • Timestamp and message identifier

No code, no conversation content, and no personal data is shared. This data is used solely to improve response quality for all users. You can disable this setting at any time. When disabled, all feedback is stored locally on your device only.

Additionally, if you connect a platform account, basic usage metrics (token counts, model used) are reported for billing and fair-use enforcement. No code content is included in usage logs.

5. Legal Basis for Processing (UK GDPR)

We process your personal data on the following legal bases:

  • Contract — Processing necessary to provide the Service you have requested (account management, plan enforcement, cloud sync)
  • Legitimate interest — Service security, fraud prevention, and abuse detection
  • Consent — Optional features such as cloud sync, voice input, Computer Use, and Shared Learning (you can withdraw consent at any time)

6. Third-Party Services

We use the following third-party services:

  • Supabase — Authentication and database hosting (AWS, EU region)
  • Stripe — Payment processing
  • Vercel — Website and API hosting
  • AI Providers — When using managed plans, your prompts are sent to third-party AI providers for inference. Current providers include: Alibaba Cloud (Qwen), Moonshot AI (Kimi), MiniMax, DeepSeek, Zhipu AI (GLM), Mistral AI, Anthropic (Claude), and H Company (Holo3 for Computer Use). Each provider operates under their own terms and privacy policies. When using BYOK mode, prompts go directly from your device to the provider you choose.

7. International Data Transfers

Some of our third-party providers process data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place, including standard contractual clauses or adequacy decisions recognised by the UK Information Commissioner's Office (ICO).

8. Data Storage & Security

Your data is stored in Supabase (hosted on AWS) with encryption at rest and in transit. We use row-level security policies to ensure users can only access their own data. API keys for platform routing are stored as environment variables and never exposed to clients. All client-to-server communication uses HTTPS/TLS.

9. Data Retention & Deletion

You can delete your conversation history, memory, tasks, journal, and API keys from your dashboard at any time. If you delete your account, all associated data is permanently removed from our database within 30 days. Usage logs are retained for billing reconciliation for up to 90 days after account deletion.

10. Your Rights

Under the UK GDPR, you have the right to:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Request correction of inaccurate personal data
  • Erasure — Request deletion of your personal data
  • Restriction — Request restriction of processing of your personal data
  • Portability — Request transfer of your data in a machine-readable format
  • Object — Object to processing based on legitimate interest
  • Withdraw consent — Withdraw consent for optional features at any time

To exercise any of these rights, contact us at privacy@ava-supernova.com. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

11. Open-Source Transparency

Ava | Supernova is open-source under the Apache 2.0 licence. The extension, CLI, and Desktop IDE source code are publicly auditable on GitHub. The local-only mode (BYOK with your own keys) makes no network requests to our servers — you can verify this in the source code.

12. Children's Privacy

The Service is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For material changes, we will provide 30 days' notice to registered users. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact

If you have questions about this Privacy Policy, contact us at privacy@ava-supernova.com or open an issue on our GitHub repository.

Augmented Value Acceleration
Registered in England and Wales