Privacy Policy

Effective Date: November 5, 2025
Entity: Parshva Corp (“Aavgo”, “we”, “our”, or “us”)

 

  1. Introduction

This Privacy Policy explains how Parshva Corp (“Aavgo”) collects, uses, discloses, and protects personal information through our website www.aavgo.com, mobile applications, and associated online services (collectively referred to as the “Service”).

Aavgo is committed to protecting your privacy and complying with applicable global data protection laws, including the Digital Personal Data Protection Act, 2023 (India), the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), the California Online Privacy Protection Act (CalOPPA), the Children’s Online Privacy Protection Act (COPPA), and the General Data Protection Regulation (GDPR).

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

 

  2. Scope and Applicability

This Privacy Policy applies to all personal information collected, processed, or otherwise handled by Parshva Corp (“Aavgo”) through its digital ecosystem, including but not limited to:

  • Websites: all pages under the domains aavgo.com, hotel.aavgo.com, *.aavgo.com, and any sub-domains or future web portals operated by Aavgo.
  • Mobile Applications: the Aavgo mobile app and any related software or interfaces made available through authorized app stores.
  • Connected Platforms and APIs: any integrations, third-party systems, or partner services that link to or display this Privacy Policy.

This Policy governs the collection, use, disclosure, storage, transfer, and protection of personal data belonging to:

  1. End Users and Guests – individuals who access or use Aavgo’s digital check-in, communication, or guest-service platforms.
  2. Hotel Partners and Property Operators – organizations and their authorized staff who use Aavgo’s systems for property management, front-desk automation, or guest-interaction services.
  3. Corporate Clients and Business Associates – entities or representatives engaging with Aavgo for B2B solutions, demonstrations, integrations, or commercial relationships.
  4. Employees, Contractors, and Authorized Personnel – individuals with controlled access to Aavgo’s systems for operational, administrative, or security purposes.

This Policy applies regardless of the user’s geographic location or device type, covering all processing activities performed by Aavgo in both online and offline digital environments.

It also applies when Aavgo acts as a data controller (deciding how and why personal data is processed) or as a data processor (processing personal data on behalf of hotel partners or clients).

All individuals or organizations who interact with Aavgo’s systems are expected to review and understand this Policy to ensure transparency and compliance with applicable privacy regulations, including the Digital Personal Data Protection Act (India), the California Consumer Privacy Act (CCPA/CPRA), the General Data Protection Regulation (GDPR), and other relevant data-protection frameworks.

 

  3. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings assigned to them below. Any term not expressly defined here shall carry the meaning attributed to it under applicable data-protection or privacy legislation.

 

3.1. “Aavgo”, “we”, “our”, or “us”

Refers to Parshva Corp, the legal entity that owns and operates Aavgo’s products, websites, and mobile applications, and that determines the purposes and means of processing personal data as a Data Controller under applicable laws.

 

3.2. “Service”

Means the Aavgo platform and all its components, including but not limited to:

  • The websites under the domains aavgo.com, hotel.aavgo.com, and any sub-domains operated by Aavgo;
  • The Aavgo mobile applications and associated APIs; and
  • Any digital services, interfaces, or partner integrations where this Privacy Policy is referenced.

 

3.3. “Personal Data” / “Personal Information”

Refers to any information relating to an identified or identifiable natural person (“Data Subject”). This includes, but is not limited to, data such as:

  • Full name, email address, phone number, and identification details;
  • Account credentials, login IDs, and authentication information;
  • Device identifiers, network information, or online activity linked to a specific individual;
  • Any information combined with other data that enables identification of an individual.

Under applicable laws:

  • The GDPR defines Personal Data as “any information relating to an identified or identifiable natural person.”
  • The DPDPA 2023 (India) defines “personal data” as data about an individual who is identifiable by or in relation to such data.
  • The CCPA/CPRA (California) defines “personal information” as data that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household.

 

3.4. “Sensitive Personal Data” or “Sensitive Personal Information”

Certain data categories may require enhanced protection, including but not limited to:

  • Payment-card or financial data;
  • Government-issued identification numbers;
  • Health-related, biometric, or genetic data;
  • Login credentials or authentication secrets.

Aavgo handles such data strictly in accordance with PCI DSS, DPDPA, CCPA/CPRA, and GDPR Article 9 standards, applying appropriate encryption and access controls.

 

3.5. “Usage Data”

Information automatically collected when a user interacts with the Service, such as:

  • IP address, browser type, and version;
  • Device model and operating system;
  • Pages visited, time spent, clickstream, and referring URLs;
  • Log and diagnostic information used to maintain performance and security.

 

3.6. “Cookies” and “Tracking Technologies”

Small text files or similar technologies placed on your device to enable Service functionality, store preferences, analyze usage, and enhance security. Cookies may be session-based (deleted after closing the browser) or persistent (stored until expiration or manual deletion).

 

3.7. “Data Controller”

The natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.        
For the purposes of this Privacy Policy, Parshva Corp (Aavgo) acts as the primary Data Controller for all information it collects directly.

 

3.8. “Data Processor” / “Service Provider”

Any natural or legal person that processes personal data on behalf of a Data Controller.
Aavgo may engage verified third-party Service Providers (such as hosting partners, payment gateways, or communication vendors) under written agreements ensuring compliance with applicable privacy and security standards.

 

3.9. “Processing” / “Process”

Any operation performed on personal data, whether automated or not, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, transmission, erasure, or destruction.

3.10. “Data Subject” / “User” / “Consumer”

Refers to any living individual whose personal data is processed by Aavgo, including:

  • Guests and users of the Aavgo Service;
  • Hotel staff and administrators accessing Aavgo platforms; and
  • Business representatives or partners interacting with Aavgo.

 

3.11. “Consent”

A freely given, specific, informed, and unambiguous indication of a Data Subject’s wishes, signifying agreement to the processing of their personal data.   
Consent may be obtained electronically or through affirmative action (e.g., ticking a box, submitting a form).

 

3.12. “Breach” or “Data Breach”

Any unauthorized access, disclosure, alteration, loss, or destruction of personal data, whether accidental or unlawful, that compromises the confidentiality, integrity, or availability of such data.

 

3.13. “Applicable Law”

Collectively refers to all data-protection and privacy regulations relevant to Aavgo’s operations, including but not limited to the Digital Personal Data Protection Act (India 2023), the General Data Protection Regulation (GDPR 2016/679), the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California Online Privacy Protection Act (CalOPPA), Children’s Online Privacy Protection Act (COPPA), and the Payment Card Industry Data Security Standard (PCI DSS).

 

  4. Information We Collect

Aavgo collects and processes only the minimum personal information necessary to deliver, secure, and improve our Services. The data we collect falls into several categories, each serving a defined lawful purpose.

We do not collect or use information for profiling, advertising, or marketing analytics.

 

4.1 Information You Provide Directly

When you interact with Aavgo’s websites, mobile applications, or customer-support channels, you may voluntarily provide information including but not limited to:

| Category | Examples of Data | Purpose of Collection |
| --- | --- | --- |
| Account & Contact Information | Full name, email address, phone number, company name, hotel/property association | To create and manage user accounts, authenticate logins, and communicate about service usage. |
| Identity Verification Information | Employee ID, role designation, hotel code, or credentials provided by a partner organization | To verify authorized access for hotel or business partner users. |
| Operational Data | Room assignment, check-in/out details, guest preferences, task logs, and service requests | To facilitate hotel operations, manage guest experiences, and provide digital front-desk services. |
| Support and Communication Records | Messages, feedback, inquiries, or reports submitted via email or chat | To provide customer assistance, investigate issues, and enhance user support quality. |
| Payment or Transaction Information | Limited payment details such as last 4 digits of card, transaction ID, or billing reference | To process legitimate transactions through PCI DSS-certified payment processors; Aavgo itself does not store full card numbers, CVV, or sensitive payment data. |

All information you voluntarily provide is treated as confidential and processed only for the stated purposes.

 

4.2 Information Collected Automatically (Usage Data)

When you access or use the Service, Aavgo’s systems automatically collect limited technical data to ensure functionality and security. This may include:

  • Device and Network Details: IP address, browser type, operating system, device model, network identifier, and time zone.
  • Access and Session Information: Date and time of access, pages viewed, interaction duration, and system logs.
  • Diagnostic and Performance Logs: Crash reports, error traces, and load metrics used for debugging and performance optimization.
  • Security Telemetry: Authentication attempts, API requests, and access tokens monitored for anomaly detection and threat prevention.

Such information is non-personal in isolation but may be linked with personal data for audit, security, or compliance validation.

 

4.3 Cookies and Similar Technologies

Aavgo uses essential cookies and local-storage mechanisms to enable secure session management and preserve user preferences. 
We categorize these as:

  1. Strictly Necessary Cookies – Required for authentication, session continuity, and fraud prevention.
  2. Preference Cookies – Remember language or interface settings.
  3. Security Cookies – Detect malicious activity and enforce account-protection measures.

Aavgo does not use advertising, behavioral-tracking, or third-party marketing cookies.
Users can control or delete cookies through browser settings; however, disabling essential cookies may affect service functionality.

 

4.4 Information from Third Parties

Aavgo may receive limited information from authorized partners solely to deliver integrated services. Examples include:

  • Hotel management systems providing reservation data for guest check-in.
  • Corporate partners sharing contact details for authorized staff access.
  • Payment gateways confirming transaction status (without revealing full financial data).

All third-party data exchanges are governed by written data-processing or confidentiality agreements ensuring compliance with DPDPA, GDPR, and CCPA/CPRA obligations.

 

4.5 Aggregated or Anonymized Data

Aavgo may generate and use aggregated or anonymized statistical information (e.g., platform uptime metrics, average response times) that cannot identify any individual.             
Such information is used exclusively for analytics, system improvement, and compliance reporting.

 

4.6 Data Excluded from Collection

Aavgo does not intentionally collect or process:

  • Racial or ethnic origin, political opinions, or religious beliefs;
  • Biometric or genetic identifiers;
  • Precise geolocation data;
  • Personal information of minors (under 18 years);
  • Marketing preference data from cookies or third-party trackers.

Any such data received inadvertently is immediately deleted or anonymized.

 

4.7 Lawful and Fair Collection

All personal data is collected lawfully, fairly, and transparently, ensuring:

  • Users are informed at or before the point of collection;
  • Data is limited to what is necessary (“data-minimization”);
  • Processing is aligned with clearly defined and legitimate purposes;
  • Appropriate technical and organizational safeguards protect confidentiality and integrity.

 

  5. Use of Data

Aavgo collects and processes personal information solely for legitimate, clearly defined business and security purposes. Every processing activity is tied to a lawful basis, and no personal data is used in ways inconsistent with the purposes for which it was obtained.

We do not engage in cross-context behavioral advertising, user profiling for marketing, or automated decision-making that produces legal or similarly significant effects.

 

5.1 Primary Purposes of Processing

| Purpose Category | Description of Processing Activity | Lawful Basis (Where Applicable) |
| --- | --- | --- |
| Service Delivery and Operations | Operating websites, mobile applications, APIs, and hotel-management features; enabling digital check-in/out, communication, and workflow management. | Contractual necessity / Legitimate interest |
| User Account Management | Creating, verifying, and maintaining accounts for guests, hotel staff, and business partners; managing credentials and user preferences. | Contractual necessity / Legitimate interest |
| Customer Support and Communication | Responding to inquiries, troubleshooting technical issues, providing assistance, and recording interactions for quality assurance. | Contractual necessity / Consent |
| Security and Fraud Prevention | Monitoring login attempts, detecting suspicious activity, applying access-control policies, and performing incident-response or forensic analysis. | Legitimate interest / Legal obligation |
| Compliance and Audit Requirements | Maintaining logs, audit trails, and regulatory documentation to satisfy PCI DSS, data-protection, and corporate-governance obligations. | Legal obligation |
| System Improvement and Performance Analytics | Using anonymized or aggregated data to evaluate uptime, enhance functionality, and optimize system reliability. | Legitimate interest |
| Legal and Contractual Obligations | Handling data necessary for enforcing agreements, resolving disputes, or complying with law-enforcement or regulatory requests. | Legal obligation |
| Notifications and Service Updates | Sending transactional or operational notices (e.g., policy changes, scheduled maintenance). Marketing communications are excluded. | Contractual necessity / Legitimate interest |
| Payment and Billing Verification | Processing limited billing references and confirming successful transactions via PCI DSS-certified gateways. | Contractual necessity / Legal obligation |

 

5.2 Security and Incident-Response Use

Aavgo may analyze access logs, session identifiers, and usage patterns to:

  • Authenticate legitimate users and prevent account misuse;
  • Detect malware injection, data-tampering, or unauthorized access;
  • Investigate system alerts or anomalies within internal monitoring tools; and
  • Fulfill forensic and compliance reporting obligations following an event.

All such processing follows strict least-privilege access controls, data-minimization, and retention-limitation principles.

 

5.3 Data Use in Compliance with PCI DSS

When Aavgo systems interact with payment instruments:

  • Sensitive cardholder data (CHD) is never stored, transmitted, or processed unencrypted.
  • All payment flows are executed through PCI DSS Level 1-certified processors.
  • Data retained for reconciliation or chargeback verification is truncated or tokenized.

Aavgo audits its Service Providers to ensure adherence to PCI DSS Requirement 12.8 and other applicable controls.

 

5.4 Prohibited or Restricted Uses

Aavgo strictly prohibits the following uses of personal data:

  • Sale, rental, or commercial sharing of user information for advertising or profiling;
  • Disclosure of data to unauthorized third parties;
  • Combining personal data with unrelated datasets to infer sensitive attributes;
  • Automated decision-making without human oversight;
  • Processing of minors’ information for any purpose.

 

5.5 Purpose Limitation and Data Minimization

Personal data is collected and used only for legitimate, explicitly stated purposes and retained no longer than necessary.
Before any new processing activity begins, Aavgo performs an internal privacy-impact review to ensure:

  • The purpose is compatible with the original context of collection;
  • The least amount of personal data is used;
  • Appropriate technical and organizational measures safeguard confidentiality and integrity.

 

5.6 Lawful Bases for Processing

Aavgo relies on one or more of the following bases, depending on the nature of processing and jurisdiction:

  • Consent: When users voluntarily submit information (e.g., registration, support requests).
  • Contractual Necessity: When processing is required to deliver services users request.
  • Legitimate Interests: For maintaining platform integrity, improving performance, and ensuring security, provided user rights are not overridden.
  • Legal Obligation: When required to comply with applicable law, audit, or regulatory requirements.
  • Vital Interests: Rarely, to protect the safety or security of individuals if an immediate threat is identified.

 

5.7 Transparency and User Notice

Whenever Aavgo collects personal data, users are informed about:

  • The specific purpose of processing;
  • The legal basis under which processing occurs;
  • Categories of recipients (if any); and
  • Available data-subject rights and grievance mechanisms.

No processing activity is undertaken without a clearly identified legal justification or user consent where required.

 

  6. Legal Basis for Processing Personal Data

Aavgo ensures that every activity involving the collection or use of personal data is supported by a clearly defined, lawful basis consistent with applicable privacy regulations. Each processing operation is necessary for a legitimate purpose that has been communicated to the user at or before the time of collection.

No processing is performed arbitrarily or without one of the legal justifications described below.

 

6.1 Consent

Aavgo obtains clear, specific, and informed consent before collecting or processing personal data where required by law.            
Consent is considered valid only when:

  • It is freely given, unambiguous, and based on adequate information;
  • It specifies the purposes of processing; and
  • The user has the ability to withdraw consent at any time without detriment.

Examples include registration, voluntary information submission, or service-related communications initiated by the user.           
Upon withdrawal of consent, Aavgo ceases all related processing unless another lawful basis applies.

 

6.2 Contractual Necessity

Processing is lawful when it is required to perform or enter into a contract between Aavgo and the user or a partner organization.
Typical scenarios include:

  • Providing digital check-in/check-out functionality;
  • Maintaining hotel staff and guest accounts;
  • Delivering requested technical support or operational services; and
  • Managing legitimate transactions or confirmations through PCI DSS-certified processors.

Without such processing, Aavgo would be unable to fulfill its service obligations.

 

6.3 Legitimate Interests

Aavgo may process personal data to pursue its legitimate business interests, provided that these interests are not overridden by users’ rights and freedoms.    
Examples include:

  • Securing and maintaining the reliability of Aavgo’s systems and networks;
  • Preventing fraud, misuse, or unauthorized access;
  • Conducting internal audits, performance monitoring, and service improvement; and
  • Ensuring operational continuity and compliance documentation.

Whenever legitimate-interest processing is applied, a balancing assessment is performed to ensure fairness and proportionality.

 

6.4 Legal and Regulatory Obligation

Aavgo processes certain information to comply with statutory and regulatory requirements, such as:

  • Record-keeping and audit duties under tax, corporate, or data-protection laws;
  • Responding to lawful requests or orders from public authorities; and
  • Maintaining logs required by PCI DSS, DPDPA, or security-incident reporting frameworks.

Such processing occurs only to the extent necessary to meet the organization’s legal obligations.

 

6.5 Vital Interests

In rare and exceptional circumstances, Aavgo may process personal data to protect the life, safety, or physical integrity of individuals.    
For example, in emergency cases affecting guests or employees at a managed property, Aavgo may share essential information with authorized responders or relevant authorities.

 

6.6 Public Interest and Good Faith Disclosures

When compelled by public authorities or legal mandate, Aavgo may disclose limited personal information in good faith to:

  • Prevent or investigate security incidents or unlawful activities;
  • Protect network or data integrity; or
  • Enforce terms of service and contractual obligations.

All such disclosures are narrowly tailored and documented for accountability.

 

6.7 Cross-Jurisdictional Alignment

Because Aavgo’s operations span multiple legal regimes, processing bases are aligned as follows:

| Regulatory Framework | Recognized Lawful Bases Used by Aavgo |
| --- | --- |
| Digital Personal Data Protection Act 2023 (India) | Consent, Legitimate Uses (including security, compliance and employment-related purposes) |
| General Data Protection Regulation (GDPR – EU) | Consent, Contractual Necessity, Legal Obligation, Legitimate Interest, Vital Interest |
| CCPA/CPRA (California) | Notice at Collection and Right to Opt Out of Sale/Sharing (though Aavgo does not sell data) |
| PCI DSS (Security Standard) | Legal Obligation and Contractual Necessity for handling payment data securely |

Aavgo continuously reviews its practices to ensure that all processing activities remain supported by a valid legal basis under each applicable framework.

 

6.8 Documentation and Accountability

Aavgo maintains detailed records of processing activities, including:

  • The purpose and lawful basis of each operation;
  • Data categories involved;
  • Retention schedules; and
  • Associated Service Providers or Data Processors.

These records demonstrate compliance with the principles of lawfulness, fairness, purpose limitation, and accountability as required by global privacy laws.

 

  7. Data Retention

Aavgo retains personal data only for as long as it is necessary to fulfill the purposes for which it was collected or to satisfy applicable legal, contractual, and regulatory requirements. Retention periods are defined in accordance with the principles of purpose limitation, storage limitation, and data minimization under global data-protection frameworks.

We maintain formal data-retention schedules reviewed annually by the Information Security and Compliance Team to ensure ongoing relevance and compliance.

 

7.1 Purpose-Based Retention

Each category of personal data is associated with a specific purpose, and the corresponding retention period depends on that purpose:

| Data Category | Example Contents | Typical Retention Period / Criteria | Rationale / Legal Basis |
| --- | --- | --- | --- |
| Account and Identity Data | Name, email address, login credentials, hotel/staff association | Retained for the duration of the active account and deleted within 90 days after closure or inactivity (whichever comes first) | Required to maintain access and authenticate users under contractual necessity. |
| Operational and Guest Service Data | Check-in/out records, preferences, support requests | Retained for up to 24 months from the transaction date unless earlier erasure is requested or required by law | Needed for service performance validation and audit purposes. |
| Support and Communication Logs | Help-desk tickets, chat transcripts, email communications | 18 months from closure of the support case | Enables quality assurance and dispute resolution. |
| Security and Audit Logs | System access records, event logs, authentication records | Minimum 1 year and up to 2 years per PCI DSS and internal audit policy | Demonstrates compliance with security and forensic requirements. |
| Financial and Billing Data | Truncated card details, transaction IDs, invoices | 7 years in accordance with financial and tax laws or the duration of statutory record-keeping requirements | Legal obligation under taxation and audit regulations. |
| Anonymized and Aggregated Data | Statistical analytics without identifiers | Retained indefinitely as long as it remains irreversible and non-identifiable | Used solely for analytics and system optimization. |

 

7.2 Legal and Regulatory Requirements

Certain records must be preserved longer than business needs require in order to comply with:

  • Statutory retention requirements under taxation, corporate, and data-protection laws;
  • PCI DSS Requirements 3 and 10, mandating secure retention of audit and access logs;
  • Investigation or litigation holds, where data must be retained until the matter is resolved.

Where multiple obligations overlap, Aavgo follows the longest legally required retention period.

 

7.3 Automatic Deletion and Review Process

Aavgo employs automated controls and manual reviews to enforce data deletion schedules:

  • Deletion scripts and data-lifecycle rules automatically remove expired records.
  • The Compliance Team performs quarterly reviews to verify purge execution.
  • Any exceptions (e.g., ongoing investigation or audit) are logged and approved by the Data Protection Officer (DPO).

All deletion activities are documented for audit traceability.

 

7.4 Secure Disposal and Anonymization

When personal data reaches the end of its retention period, it is permanently deleted or anonymized using industry-approved methods:

  • Electronic Data: Secure wiping tools or cryptographic erasure render data irrecoverable.
  • Physical Records: Paper documents are shredded using cross-cut machines and disposed of through certified vendors.
  • Backups: Archived data is retained only for disaster recovery purposes and purged after expiry of the backup cycle.
  • Anonymization: When retention for analytics is needed, all identifiers are irreversibly removed to prevent re-identification.

 

7.5 Right to Erasure and Data Deletion Requests

In addition to automated retention controls, users may request deletion of their personal data at any time by contacting security@aavgo.com.
Aavgo will:

  1. Verify the requester’s identity to prevent unauthorized deletion;
  2. Confirm whether any legal obligation requires retention; and
  3. Permanently erase eligible data within 45 days of a verified request, in compliance with CCPA/CPRA and DPDPA response timelines.

Where data must be retained for regulatory reasons, Aavgo will restrict its processing and notify the requester accordingly.

 

7.6 Retention Alignment Across Frameworks

| Regulatory Framework | Retention Principle |
| --- | --- |
| DPDPA (India 2023) | Data shall be retained only as long as necessary for the specified purpose and deleted once that purpose is fulfilled. |
| GDPR (Article 5(1)(e)) | Personal data must be kept no longer than necessary for the purposes for which it was processed. |
| CCPA/CPRA (California) | Businesses must disclose retention periods or criteria for each data category and delete upon request unless legally required to retain. |
| PCI DSS (Req. 3 & 10) | Cardholder and audit logs must be retained securely for a defined period and then disposed of safely. |

Aavgo’s internal Data Retention and Disposal Policy maps each data category to these requirements to ensure consistent application across jurisdictions.

 

7.7 Review and Policy Maintenance

This retention framework is reviewed annually or whenever there are significant changes to business processes, legal requirements, or technology infrastructure. 
All revisions are approved by the Compliance Office and documented for audit purposes.

 

  8. Data Security and PCI DSS Compliance

Aavgo maintains a multilayered information-security program designed to preserve the confidentiality, integrity, and availability of all personal and transactional data processed through its platforms.
Security safeguards are implemented in proportion to the sensitivity of the data and the potential risks identified through ongoing assessments.

Our security controls follow internationally recognized standards and frameworks, including the Payment Card Industry Data Security Standard (PCI DSS v4.0.1), ISO/IEC 27001, and NIST Cybersecurity Framework best practices.

8.1 Security Governance and Accountability

  • Information Security Program: Overseen by the Compliance and Security Office, this program defines organizational, physical, and technical controls to protect personal data across all environments.
  • Policies and Standards: Aavgo enforces approved security policies covering access control, network segmentation, encryption, change management, incident response, and secure software development.
  • Roles and Responsibilities: All personnel with system or data access are bound by confidentiality agreements and undergo mandatory annual security-awareness training.
  • Vendor Due Diligence: Third-party service providers are evaluated for compliance with equivalent security standards before onboarding and at renewal.

 

8.2 Technical and Organizational Safeguards

Aavgo employs a defense-in-depth model combining preventive, detective, and corrective measures:

| Security Domain | Safeguard Implemented |
| --- | --- |
| Encryption & Key Management | All personal data in transit is protected with TLS 1.2+; data at rest is encrypted using AES-256. Encryption keys are centrally managed and rotated per the Key-Management Policy aligned with PCI DSS Requirement 3. |
| Access Control & Authentication | Role-based access control (RBAC), unique user IDs, strong password policies, and enforced Multi-Factor Authentication (MFA) for privileged and administrative accounts. |
| Network Security | Segmentation of production, staging, and test environments; use of next-generation firewalls, intrusion-detection/prevention systems (IDS/IPS), and continuous vulnerability management. |
| Endpoint Protection | All endpoints run enterprise-grade anti-malware with real-time scanning and centralized logging to the SIEM platform. |
| Secure Development Lifecycle (SDLC) | Applications undergo static and dynamic code analysis, penetration testing, and change-control review before deployment. |
| Logging and Monitoring | Comprehensive audit logs are retained per PCI DSS Requirement 10 and monitored 24×7 for anomalies through the centralized SIEM. |
| Data Backups & Resilience | Encrypted backups are performed daily and stored in geo-redundant facilities. Disaster-recovery plans are tested semi-annually. |
| Physical Security | Data centers and office facilities are access-controlled via electronic badges and CCTV monitoring; visitor logs are maintained for audit purposes. |

 

8.3 PCI DSS Compliance

To safeguard cardholder data (CHD) and sensitive authentication data (SAD), Aavgo enforces full alignment with the PCI DSS v4.0.1 requirements:

  1. Secure Network Configuration – Firewalls restrict inbound/outbound connections to only required services.
  2. Protection of Stored Cardholder Data – CHD is stored only if necessary and always encrypted using strong cryptography; primary account numbers (PANs) are truncated or tokenized.
  3. Encryption of Transmission – CHD transmitted across open networks is protected by TLS 1.2+ or IPSec VPNs.
  4. Vulnerability Management Program – Regular scans and patch cycles ensure all systems remain hardened and up-to-date.
  5. Access Control – Least-privilege principle enforced; default passwords and accounts disabled.
  6. Monitoring and Testing – Continuous log review, file-integrity monitoring, and quarterly internal/external penetration testing.
  7. Information Security Policy – Formal documentation reviewed annually and communicated to all employees.

When CHD is processed via integrated payment gateways or hotel-property systems, Aavgo ensures such vendors are PCI-validated Service Providers, and contractual clauses assign each party’s compliance responsibilities per Requirement 12.8.

 

8.4 Incident Detection and Response

Aavgo maintains a documented Incident Response Plan (IRP) that defines the escalation, containment, and notification process for any suspected or confirmed data breach.  
Key elements include:

  • Immediate Containment: Isolation of affected systems to prevent further impact.
  • Forensic Investigation: Root-cause analysis conducted by internal or certified external experts.
  • Notification: Timely reporting to affected individuals and relevant authorities in accordance with DPDPA, GDPR (Articles 33–34), and CCPA/CPRA timelines.
  • Post-Incident Review: Implementation of corrective actions and security-control enhancements.

All incidents are logged, reviewed, and subject to quarterly management reporting.

 

8.5 Data Integrity and Availability Assurance

  • Redundant systems and load-balancing mechanisms maintain high service uptime.
  • Database replication and transactional backups protect against corruption or data loss.
  • Regular integrity checks validate that data remains accurate and complete across systems.

 

8.6 Employee Training and Awareness

Every employee and contractor undergoes annual information-security and privacy-protection training that covers:

  • Safe handling of personal and cardholder data;
  • Recognizing phishing or social-engineering attempts;
  • Secure-use guidelines for cloud and collaboration tools; and
  • Reporting obligations for suspected data incidents.

Completion of this training is mandatory and tracked for compliance reporting.

 

8.7 Independent Audits and Continuous Improvement

Aavgo’s security controls are independently assessed through:

  • Annual PCI DSS Compliance Assessments by a Qualified Security Assessor (QSA);
  • Periodic SOC 2 Type II audits to validate operational effectiveness; and
  • Internal risk assessments and vulnerability scans conducted quarterly.

Findings are documented, remediation plans are tracked to closure, and lessons learned feed into continuous improvement initiatives.

 

8.8 User Responsibility and Shared Security Model

While Aavgo implements robust security measures, data protection also depends on user cooperation. Users are advised to:

  • Maintain strong, unique passwords and protect their login credentials;
  • Access the platform only through trusted devices and secure networks;
  • Report any suspected unauthorized access to security@aavgo.com immediately.

 

8.9 Security Commitment

Through its layered security architecture, governance framework, and compliance with PCI DSS and other global standards, Aavgo reaffirms its commitment to safeguarding every user’s personal information and maintaining the highest standards of trust and data protection.

 

  9. Sharing and Disclosure of Information

Aavgo respects the confidentiality of personal data and discloses it only in accordance with the principles of lawfulness, fairness, purpose limitation, and data minimization.    
We do not sell, rent, trade, or otherwise disclose personal information for marketing or advertising purposes.

Data may be shared only with trusted entities that have a legitimate need to access it to perform services on Aavgo’s behalf, subject to strict confidentiality and security requirements.

 

9.1 General Principles of Disclosure

All data sharing by Aavgo adheres to the following conditions:

  1. Purpose Limitation: Personal data is disclosed only for the specific, lawful purposes for which it was originally collected.
  2. Confidentiality Obligations: All recipients are bound by contractual confidentiality and data-protection clauses consistent with applicable laws.
  3. Security Safeguards: Recipients must maintain equivalent technical and organizational security measures as those implemented by Aavgo.
  4. Restricted Access: Only the minimum amount of personal data necessary for the intended purpose is shared.
  5. Legal Compliance: Disclosures comply with applicable legislation, court orders, or law-enforcement requests.

 

9.2 Categories of Authorized Recipients

Aavgo may disclose or share personal information with the following categories of recipients, strictly within the framework of lawful processing:

| Recipient Category | Purpose of Disclosure | Example Entities |
| --- | --- | --- |
| Service Providers / Data Processors | To enable core operations such as cloud hosting, IT infrastructure, customer support, or email delivery. | Cloud-hosting providers, managed database services, ticketing platforms. |
| Payment Gateway Partners | To securely process payments, handle refunds, or verify transactions under PCI DSS controls. | PCI DSS Level 1–certified processors. |
| Hotel and Property Partners | To facilitate guest services, check-in/out operations, or staff coordination. | Partner hotels and authorized on-premise administrators. |
| Auditors and Legal Advisors | To conduct compliance assessments, financial audits, or respond to legal obligations. | External auditors, QSAs, legal counsel. |
| Law Enforcement or Regulatory Authorities | When legally required to disclose information under subpoena, court order, or statutory authority. | Government agencies or regulators within lawful jurisdiction. |
| Corporate Affiliates or Successors | In the event of a merger, acquisition, restructuring, or sale, personal data may be transferred to the acquiring entity, subject to this Policy’s protections. | Acquiring or successor organizations under binding agreements. |

All recipients are contractually obligated to process the data solely for the intended purpose and to delete or return it upon completion of their engagement.

 

9.3 Cross-Border Disclosures

Aavgo may transfer limited personal data to service providers or partners located in other jurisdictions for legitimate operational purposes (e.g., cloud storage, ticketing, or customer communication).

When such transfers occur, Aavgo ensures that:

  • The destination country or entity provides an adequate level of data protection;
  • Transfers are governed by data-transfer agreements incorporating Standard Contractual Clauses (SCCs) or equivalent safeguards;
  • Encryption and pseudonymization are applied before transmission; and
  • Compliance with GDPR Chapter V and DPDPA Section 16(2) is maintained.

Aavgo retains full accountability for ensuring that transferred data remains protected in accordance with this Policy and applicable laws.

 

9.4 Disclosures for Legal, Compliance, and Security Purposes

Aavgo may disclose personal information in limited circumstances when required to:

  • Comply with any applicable law, regulation, legal process, or enforceable government request;
  • Protect the safety, rights, or property of Aavgo, its users, or the public;
  • Enforce contracts, detect or prevent fraud, and ensure network or information security;
  • Respond to incidents involving potential data breaches, unlawful activity, or threats to systems and users.

Such disclosures are reviewed and approved by the Data Protection Officer (DPO) and are performed only to the extent necessary for compliance or protection purposes.

 

9.5 Third-Party Processors and Due Diligence

Before engaging any third-party processor, Aavgo performs a vendor risk assessment evaluating:

  • Security certifications (e.g., PCI DSS, ISO/IEC 27001, SOC 2 Type II, GDPR);
  • Data-handling procedures and incident-response capabilities;
  • Contractual adherence to confidentiality, retention, and deletion requirements.

Each processor operates under a Data Processing Agreement (DPA) that defines:

  • The scope, duration, and purpose of processing;
  • Data categories and types involved;
  • Security measures and compliance responsibilities; and
  • The processor’s obligation to support Aavgo in fulfilling user rights requests.

Periodic audits or attestation reviews are conducted to verify continued compliance.

 

9.6 Transparency in Disclosure

To uphold transparency, Aavgo discloses the categories of data and recipient types within this Policy and, where required by law, provides:

  • Prior notice before transferring personal data to new categories of recipients;
  • Updates to affected users if significant changes to data-sharing practices occur;
  • Mechanisms to opt out of certain disclosures where applicable (e.g., California residents under CCPA/CPRA).

 

9.7 Non-Sale of Personal Data

In compliance with CCPA Section 1798.140(t) and CPRA Section 1798.121, Aavgo confirms that it does not sell or share personal data for cross-context behavioral advertising or commercial benefit.
If future operations require sharing data for new lawful purposes, users will receive explicit notice and an opportunity to opt out prior to any such activity.

 

9.8 Accountability for Onward Transfers

Any onward transfer of personal data by a recipient (e.g., sub-processor) requires Aavgo’s prior written authorization and must meet equivalent contractual, technical, and legal safeguards.
Aavgo remains responsible for the actions of its authorized processors under the “accountability principle” set forth in GDPR Article 5(2) and DPDPA Section 10.

 

9.9 Record-Keeping of Disclosures

All data disclosures, including the recipient name, purpose, and lawful basis, are recorded in Aavgo’s Data Processing Register maintained by the Compliance Office.  
This log ensures traceability, supports audit requirements, and provides evidence of compliance during regulatory reviews or PCI/SOC 2 audits.

 

9.10 User Rights and Recourse

Users may inquire about whether their data has been disclosed and to whom by contacting security@aavgo.com.
Upon verification, Aavgo will provide a summary of relevant disclosures consistent with applicable laws and user rights under GDPR Articles 15 & 19, CCPA Section 1798.110, and DPDPA Section 11.

 

  10. Cross-Border Data Transfers

Aavgo operates a globally distributed digital infrastructure that may require the transfer, storage, or processing of personal data across international boundaries to ensure service availability, operational efficiency, and compliance continuity.

All such transfers are conducted in strict compliance with applicable data-protection laws and with appropriate contractual, organizational, and technical safeguards in place to maintain the same level of protection afforded within the originating jurisdiction.

 

10.1 Principles Governing Cross-Border Data Transfers

Aavgo ensures that all international data transfers adhere to the following principles:

  1. Lawfulness and Fairness: Personal data is transferred only when there is a valid legal basis for doing so under applicable law.
  2. Transparency: Individuals are informed, through this Privacy Policy or equivalent notices, that their data may be processed in other jurisdictions.
  3. Equivalent Protection: Data transferred outside the original country is subject to equal or higher privacy and security safeguards.
  4. Purpose Limitation: Transfers occur only for the same legitimate purposes for which the data was originally collected.
  5. Accountability: Aavgo remains responsible for ensuring the continued protection of personal data throughout its transfer and subsequent processing lifecycle.

 

10.2 Legal Grounds for International Transfers

Aavgo relies on one or more of the following lawful mechanisms for cross-border data transfers:

| Legal Mechanism | Description and Application |
| --- | --- |
| Contractual Clauses and Data Processing Agreements (DPAs) | Transfers to processors or affiliates are governed by written agreements incorporating industry-standard data-protection and confidentiality clauses consistent with GDPR Article 46(2)(c) and DPDPA Section 16(2). |
| Standard Contractual Clauses (SCCs) | For transfers involving regions without an adequacy decision (e.g., India to the U.S.), Aavgo implements European Commission–approved SCCs to ensure equivalent data-protection obligations. |
| Binding Corporate Rules (BCRs) | Where applicable within group entities or affiliates, Aavgo adopts BCRs consistent with GDPR Article 47, establishing uniform privacy commitments across jurisdictions. |
| Adequacy Decisions or Recognized Jurisdictions | Transfers to countries recognized by regulators (e.g., EEA to UK, Japan, or other approved regions) occur under adequacy determinations ensuring sufficient protection levels. |
| User Consent | In limited cases, explicit and informed consent is obtained prior to cross-border transfer, especially when no other mechanism applies. |

 

10.3 Technical and Organizational Safeguards

To ensure continuous protection of data during transfer and storage, Aavgo applies the following controls:

  • Encryption in Transit and at Rest: All data transfers are encrypted using TLS 1.2+ and stored using AES-256 encryption.
  • Segregation and Access Control: Data access across environments is restricted using least-privilege principles and region-specific access policies.
  • Audit Logging: All cross-border data movements are logged and periodically reviewed by the Compliance Office for traceability.
  • Vendor Security Assessments: Cross-border service providers undergo annual security reviews to ensure ongoing compliance with contractual and legal obligations.
  • Data Localization Consideration: When mandated by local law (e.g., specific jurisdictions under DPDPA or financial regulations), Aavgo ensures that sensitive data categories are processed or mirrored within that jurisdiction before transfer.

 

10.4 Transfers Between Aavgo and Its Partners

Aavgo’s systems may interact with:

  • Cloud-hosting services and infrastructure providers,
  • Hotel-property systems and authorized third-party APIs, and
  • Customer-support and communication tools that may reside in global data centers.

In all cases, Aavgo ensures that such transfers:

  • Are limited to operational data required to deliver the service;
  • Occur under written agreements incorporating privacy and data-security clauses; and
  • Are regularly assessed for compliance with evolving international data-transfer rules.

 

10.5 Compliance Under Major Legal Frameworks

| Regulation / Framework | Cross-Border Transfer Requirements Satisfied by Aavgo |
| --- | --- |
| DPDPA 2023 (India) | Transfers occur only to countries or entities ensuring adequate data protection. DPDPA Section 16(2) is followed, ensuring lawful processing and safeguard equivalence. |
| GDPR (EU) | SCCs, BCRs, and adequacy decisions are applied to ensure compliance with GDPR Chapter V (Articles 44–50). |
| CCPA/CPRA (California, USA) | Personal data transfers are limited to operational purposes. Notice is provided at or before collection, and users retain rights to access or delete their data. |
| APEC CBPR / Global Frameworks | Aavgo’s privacy management system aligns with APEC principles of accountability, security, and cross-border protection continuity. |

 

10.6 Data Transfer Impact Assessments (DTIAs)

Before initiating or expanding cross-border data flows, Aavgo performs a Data Transfer Impact Assessment (DTIA) to evaluate:

  • The legal environment of the destination country;
  • Risks to data subjects’ rights and freedoms;
  • Adequacy of technical safeguards and encryption standards; and
  • Potential implications of government access requests in the destination jurisdiction.

Transfer approval is contingent upon successful completion of the DTIA and authorization by the Data Protection Officer (DPO).

 

10.7 User Notification and Rights

Aavgo provides transparency by informing users whenever their personal data is processed outside their jurisdiction.
Users may contact security@aavgo.com to:

  • Request confirmation of whether their data has been transferred internationally;
  • Obtain a summary of applicable safeguards; or
  • Request a copy of the relevant transfer mechanism (e.g., Standard Contractual Clauses), subject to redaction for confidentiality.

All such requests are addressed within the timelines prescribed by the DPDPA, GDPR, or CCPA, as applicable.

 

10.8 Retention and Deletion Post Transfer

Data transferred abroad is subject to the same retention and deletion controls described in Section 7 – Data Retention.
When the processing purpose is complete, the data is either:

  • Deleted securely from foreign systems, or
  • Anonymized to ensure it cannot be linked back to any identifiable individual.

Aavgo ensures that no third party retains transferred data beyond its authorized purpose or contractual retention term.

 

10.9 Accountability and Oversight

Aavgo remains fully accountable for all personal data transferred internationally, even when processed by third parties.
The Compliance Office conducts periodic internal and external audits to verify adherence to:

  • Data-transfer contractual clauses;
  • Regulatory adequacy requirements; and
  • Technical security controls governing transnational data handling.

Non-compliance by a vendor or partner triggers remediation or termination of the engagement, as per Aavgo’s Vendor Risk Management Policy.

 

10.10 Commitment to Continuous Compliance

Aavgo actively monitors global developments in data-transfer laws and frameworks (including potential changes under DPDPA rules, EU adequacy decisions, and U.S.–India data-bridge agreements).
Our policies, contractual safeguards, and technical measures are updated accordingly to ensure continuous compliance and protection for all users, irrespective of location.

  11. Your Privacy Rights

Aavgo recognizes and respects every individual’s right to privacy and data protection.
Depending on your jurisdiction, you may exercise specific rights relating to your personal data.
Aavgo ensures that all such rights are facilitated fairly, transparently, and without discrimination.

All verified requests are handled by the Data Protection Officer (DPO) within legally prescribed timelines and documented for accountability.

 

11.1 Universal Rights Applicable to All Users

Regardless of geography, Aavgo grants the following fundamental rights to all users:

| Right | Description |
| --- | --- |
| Right to Be Informed | To receive clear, concise information about how your personal data is collected, used, shared, and protected. |
| Right of Access | To obtain confirmation whether Aavgo processes your personal data and to receive a copy of that data in a commonly used format. |
| Right to Correction / Rectification | To request correction of inaccurate or incomplete personal data maintained by Aavgo. |
| Right to Deletion / Erasure | To request deletion of your personal data once the lawful purpose has been fulfilled or upon withdrawal of consent, unless retention is required by law. |
| Right to Restriction of Processing | To request suspension of processing when accuracy is contested, processing is unlawful, or pending verification of overriding legitimate grounds. |
| Right to Withdraw Consent | Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. |
| Right to Data Portability | To receive your data in a structured, machine-readable format and transmit it to another controller, where technically feasible. |
| Right to Non-Discrimination | You will not be denied services, charged different rates, or provided inferior quality for exercising your privacy rights. |

 

11.2 Additional Rights Under the Digital Personal Data Protection Act (India)

Indian data principals are entitled to the following protections:

  1. Right to Grievance Redressal (Section 13):
    You may file a complaint regarding how your personal data is processed or protected. Aavgo’s grievance officer will respond within 30 days of receiving a valid request.
  2. Right to Nominate (Section 14):
    You may nominate another individual to exercise your data-protection rights in the event of death or incapacity.
  3. Right to Consent Management:
    You may withdraw or manage consent through written communication or designated digital means at any time.

Aavgo processes such requests per guidance issued by the Data Protection Board of India once operational.

 

11.3 Additional Rights Under the GDPR (EU / EEA / UK)

If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights under Articles 12–23 GDPR:

  1. Right to Object (Art. 21):
    You may object to processing based on legitimate interests or direct communication.
  2. Rights Regarding Automated Decision-Making and Profiling (Art. 22):
    You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Aavgo does not engage in such processing.
  3. Right to Lodge a Complaint (Art. 77):
    You may lodge a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France, or EDPB-designated authority) if you believe your rights are violated.
  4. Right to Effective Judicial Remedy (Art. 79):
    You may seek judicial redress if you believe Aavgo has not complied with its legal obligations.

All requests under GDPR are addressed within 30 calendar days, extendable by an additional 60 days for complex cases (with notification of extension).

 

11.4 Additional Rights Under the CCPA / CPRA (California, USA)

California residents have the following rights under the California Consumer Privacy Act (CCPA, Cal. Civ. Code § 1798 et seq.) as amended by the CPRA (2023):

  1. Right to Know:
    To request disclosure of (1) categories of personal information collected, (2) sources from which it was collected, (3) purposes of collection or disclosure, and (4) categories of third parties with whom it is shared.
  2. Right to Access / Portability:
    To receive a copy of specific pieces of personal information collected about you in a portable format.
  3. Right to Correction:
    To request correction of inaccurate personal information maintained by Aavgo.
  4. Right to Deletion:
    To request deletion of personal information subject to statutory exceptions (e.g., legal compliance or security incidents).
  5. Right to Opt-Out of Sale or Sharing:
    Aavgo does not sell or share personal information for cross-context behavioral advertising.
    If this practice ever changes, Aavgo will update this Policy and provide a clear “Do Not Sell or Share My Personal Information” link.
  6. Right to Limit Use of Sensitive Personal Information:
    To restrict processing of sensitive categories (e.g., payment information) beyond what is necessary for service delivery.
  7. Right to Non-Discrimination:
    You will not be subjected to differential treatment for exercising your rights under the CCPA/CPRA.

Requests from California residents are responded to within 45 days of verification (extendable by an additional 45 days with notice).

 

11.5 How to Exercise Your Rights

To exercise any of the rights listed above, you may submit a verified request to:

📧 Email: security@aavgo.com

Your request should include:

  • Your full name and contact information;
  • The specific right you wish to exercise; and
  • Sufficient details for Aavgo to verify your identity and locate your records.

Aavgo may seek additional information to confirm your identity before fulfilling the request to prevent unauthorized access or deletion.

 

11.6 Identity Verification and Authorized Agents

  • Verification: Aavgo will authenticate requests using reasonable methods (e.g., matching registered email addresses or requiring additional confirmation).
  • Authorized Agents: California and India-based users may designate an authorized agent to act on their behalf by providing a signed authorization letter and verifiable identity proof.
  • Response Time: All valid requests are acknowledged within 10 business days and resolved within the statutory timeline.

 

11.7 Record-Keeping of User Requests

Aavgo maintains a log of all privacy rights requests for audit and accountability purposes.
This log includes the date of receipt, type of request, status, and resolution date, without storing any sensitive content from the request itself.

Records are retained for 24 months in accordance with CCPA Regulation § 999.317 and DPDPA accountability principles.

 

11.8 Appeal and Escalation Procedure

If you are dissatisfied with Aavgo’s response:

  • You may submit a written appeal to security@aavgo.com within 30 days of receiving the response.
  • Appeals are reviewed by the Compliance Office and resolved within 30 days.
  • If still unsatisfied, you may escalate to the appropriate regulatory authority (e.g., Data Protection Board of India, EEA supervisory authority, or California Privacy Protection Agency).

 

11.9 No Fee for Requests

Exercising your rights is free of charge. However, Aavgo may charge a reasonable fee or refuse to act on manifestly unfounded, excessive, or repetitive requests, consistent with GDPR Article 12(5) and equivalent provisions in other jurisdictions.

 

11.10 Commitment to Fair Processing

Aavgo’s privacy rights framework is built on the principles of transparency, fairness, and accountability.
Every request is handled with due care to balance the rights of individuals with Aavgo’s legitimate business and legal interests.

 

  12. Children’s Privacy and Age Restrictions

Aavgo is committed to protecting the privacy and safety of minors. Our platform, services, and digital tools are designed for use by adults, business professionals, and authorized hotel personnel only.
We do not knowingly collect, store, or process personal data belonging to individuals below the applicable legal age of consent as defined by international and local laws.

 

12.1 Applicability and Intended Audience

  • Aavgo’s websites, mobile applications, and hotel-automation services are intended for adult users (18 years and above).
  • Our Services are directed primarily to hotels, enterprises, and authorized employees or guests acting in a professional or transactional capacity.
  • We do not provide consumer-facing content or features designed to attract or engage minors.

 

12.2 Definition of a Child (Jurisdictional Thresholds)

| Jurisdiction / Law | Definition of a Child / Minor | Aavgo Compliance Action |
| --- | --- | --- |
| COPPA (United States) | Any individual under 13 years of age | Parental consent must be obtained before any data collection; Aavgo does not collect data from users under 13. |
| GDPR (European Union / UK) | Any individual under 16 years of age, with possible member-state variations between 13 and 16 years | No processing of data from individuals below the local age of consent; verification of age at registration where applicable. |
| DPDPA 2023 (India) | Any individual under 18 years of age | No collection of children’s personal data; no tracking, targeted advertising, or profiling of minors permitted. |

Aavgo applies the most stringent applicable definition of “child” across all jurisdictions in which it operates.

 

12.3 Policy on Collection of Children’s Data

  • Aavgo does not knowingly collect or solicit personal information from minors.
  • Registration forms, authentication flows, and service integrations are restricted to adult business users.
  • In the unlikely event that a child submits personal information through any Aavgo interface, such data will be immediately deleted or anonymized once discovered.

If a parent or guardian believes that their child has provided personal data to Aavgo inadvertently, they should contact us at security@aavgo.com for prompt removal.

 

12.4 Parental / Guardian Rights and Controls

If parental consent is ever required under applicable law (for example, when a partner organization engages Aavgo for educational or youth-service operations), Aavgo will:

  1. Provide a verifiable consent mechanism to ensure that the request originates from a lawful guardian;
  2. Clearly describe what data will be collected, its purpose, and how it will be used;
  3. Allow guardians to review, correct, or delete the child’s information; and
  4. Revoke the child’s access immediately upon withdrawal of consent.

As of the date of this policy, Aavgo’s services do not include any modules or use-cases where such parental consent is applicable.

 

12.5 Prohibition of Profiling, Tracking, and Targeted Advertising

Aavgo strictly prohibits:

  • Behavioral tracking or profiling of users identified as minors;
  • Delivery of personalized marketing content or advertising based on a child’s usage patterns; and
  • Collection of location, biometric, or device identifiers that could indirectly identify a child.

These prohibitions are consistent with DPDPA Section 9(3), COPPA § 312.8, and GDPR Recital 38.

 

12.6 Data Security and Minimization for Incidental Collection

If children’s data is inadvertently collected (for example, when a hotel guest provides family information in a booking context), Aavgo will:

  • Limit processing strictly to what is necessary for the service requested by the adult account holder;
  • Pseudonymize or anonymize such data immediately after use;
  • Restrict internal access to authorized personnel under confidentiality obligations; and
  • Retain it only for the minimal time necessary per Section 7 (Data Retention).

 

12.7 Third-Party Services and Links

Aavgo’s websites and applications may contain links to third-party websites, APIs, or integrations (e.g., payment processors, communication tools).
Aavgo is not responsible for the content, privacy practices, or child-data handling of those third-party sites.
Users are encouraged to review the privacy policies of such services before interacting with them or allowing minors access.

 

12.8 Reporting and Contact for Child-Data Concerns

If you believe that Aavgo has inadvertently collected or processed a child’s personal information, please notify us immediately at:

📧 Email: security@aavgo.com

Aavgo’s Data Protection Officer (DPO) will:

  1. Investigate the report within 72 hours of receipt;
  2. Delete or anonymize the data upon verification; and
  3. Confirm closure of the case to the reporting party.

 

12.9 Commitment to Age-Appropriate Design

While Aavgo’s services are not directed toward minors, our design principles incorporate privacy-by-default and age-appropriate considerations, including:

  • Avoidance of unnecessary data fields in all interfaces;
  • Clear, non-manipulative consent dialogs; and
  • Compliance with emerging frameworks such as the UK Children’s Code (Age-Appropriate Design Code) where relevant.

 

12.10 Continuous Review and Compliance

This section is reviewed annually or upon the introduction of new jurisdictions, laws, or product features that may impact child-data handling.         
Any modifications will be reflected in updated policies, employee training, and system design reviews to maintain strict adherence to global child-privacy standards.

 

  13. Cookies, Tracking Technologies and Online Identifiers

Aavgo uses cookies and related technologies only to ensure secure operation, maintain session continuity, and improve usability of our websites and mobile applications.       
We do not employ third-party marketing trackers, ad-tech pixels, or cross-context behavioural profiling mechanisms.

 

13.1 Purpose of Cookies and Tracking Technologies

Cookies are small text files placed on your browser or device when you visit our Services. They serve the following lawful purposes:

| Category | Purpose of Processing | Examples of Use | Lawful Basis |
|---|---|---|---|
| Strictly Necessary Cookies | Enable essential site functions such as authentication, navigation, and security. | Session management, load-balancing, fraud-prevention tokens. | Contractual necessity / Legitimate interest |
| Preference Cookies | Store user choices such as language, region, or interface layout. | Remembering default property view or notification settings. | Consent / Legitimate interest |
| Security Cookies | Detect abnormal activities and prevent unauthorized access. | Tracking login patterns for anomaly detection, enforcing MFA. | Legal obligation / Legitimate interest |
| Performance and Analytics Cookies | (Used internally only) Measure system uptime and response time. No personal identifiers or analytics profiles are created. | Collect anonymized telemetry for platform optimization. | Legitimate interest |

Aavgo does not deploy advertising, retargeting, or social-media plug-in cookies.

 

13.2 Types of Identifiers Collected

Through cookies or equivalent technologies, Aavgo may process:

  • Browser type, version, and operating system
  • Session tokens or unique internal identifiers
  • Internet Protocol (IP) address, truncated or pseudonymized for security
  • Date/time of access and referring URLs

These identifiers are used solely for system integrity, not for user profiling.

 

13.3 User Control and Consent Management

  • Initial Notice: Upon first visit, users receive a concise cookie notice explaining categories in use.
  • Opt-Out / Settings: Users may disable or delete cookies through browser settings or built-in preference panels. Essential cookies cannot be disabled because they are necessary for site operation.
  • Withdrawal of Consent: Users who previously accepted optional cookies may withdraw consent at any time; Aavgo will immediately cease non-essential cookie activity.
  • Browser Controls: Guidance for popular browsers (Chrome, Edge, Firefox, Safari) is linked in the cookie banner and help section.

 

13.4 Retention of Cookie Data

| Cookie Type | Typical Duration | Handling After Expiry |
|---|---|---|
| Session Cookies | Deleted automatically when browser session ends. | Removed from memory upon logout/timeout. |
| Persistent Cookies | Stored 30–180 days depending on function. | Auto-deleted or renewed upon explicit reconfirmation. |
| Security Logs / Tokens | Retained up to 12 months for audit under PCI DSS Req. 10. | Archived in encrypted storage, then purged. |

No cookie-derived identifiers are retained beyond their operational need.

 

13.5 Third-Party and Cross-Site Tracking

  • Aavgo does not permit any third-party analytics, ad-networks, or social-sharing scripts on its domains.
  • Where integrations (e.g., payment gateways or embedded hotel widgets) require cookies, those are governed by the third party’s own privacy notice. Users are advised to review such notices before interaction.

13.6 “Do Not Track” and Global Privacy Controls

Aavgo currently does not respond to “Do Not Track” (DNT) browser signals due to the absence of a universally accepted technical standard.         
However, we honour Global Privacy Control (GPC) signals as valid opt-out requests under the CCPA/CPRA framework, where supported by the user’s browser.

 

13.7 Legal Compliance Mapping

| Framework | Aavgo Compliance Measure |
|---|---|
| GDPR / ePrivacy Directive | Prior consent for non-essential cookies, transparent disclosure, right to withdraw consent. |
| DPDPA 2023 (India) | Consent-based tracking and prohibition of intrusive or unrelated data collection. |
| CCPA/CPRA (California) | Notice-at-collection, opt-out for sale/sharing (not applicable as Aavgo does not sell data), respect for GPC signals. |
| PCI DSS (Req. 10) | Secure logging and audit retention for security-event cookies/tokens. |

 

13.8 Updates to Cookie Practices

Aavgo reviews its cookie inventory and retention schedules every six months or whenever a new technology or partner integration is introduced.           
Any material change to cookie categories or purposes will be reflected in an updated cookie notice and in this Privacy Policy.

 

  14. Updates to This Policy

Aavgo may update this Privacy Policy periodically to reflect legal, technical, or operational changes.
Any significant modifications will be communicated through our website and the updated “Effective Date” will appear at the top of this policy.

 

  15. Contact and Grievance Redressal

If you have questions, concerns, or requests related to this Privacy Policy, please contact:

Data Protection Officer / Grievance Contact          
Email: security@aavgo.com          
Entity: Parshva Corp

We will acknowledge all requests within a reasonable timeframe and respond in accordance with applicable law.

 

  16. Effective Date and Version

This Privacy Policy is effective as of November 5, 2025, and supersedes all previous versions.