Privacy Policy
We operate the websites A-Leads.co & joinalva.ai (the “Site”), as well as any other related products and services that refer or link to these legal terms (the “Legal Terms”) (collectively, the “Services”).
of Alva Intelligence LLC
Effective Date: November 2025
Last Updated: 1 November, 2025
This Privacy Policy sets forth how Alva Intelligence LLC, a Wyoming limited liability company (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”), collects, uses, discloses, and safeguards personal information in connection with its websites, platform, and related analytics and data-intelligence services.
This Policy is intended to comply with the requirements of the General Data Protection Regulation (GDPR), the United Kingdom GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable federal, state, and international privacy laws.
By accessing or using our services, you acknowledge that you have read and understood this Privacy Policy and agree to the practices described herein.
This Privacy Policy explains in detail how Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) collects, uses, stores, shares, and protects personal information in connection with the services, websites, applications, and platforms that we operate. It is intended to provide every user, client, and business partner with a transparent understanding of our privacy practices and the choices available to them. We believe that responsible stewardship of data is an essential part of our commitment to integrity, innovation, and trust.
Alva Intelligence is committed to maintaining the highest standards of privacy and data protection. We handle personal information in a manner consistent with the laws of the jurisdictions in which we operate, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the United Kingdom GDPR, the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and comparable state and international frameworks. Our policies and procedures are designed to exceed minimum statutory requirements by incorporating recognized industry standards such as SOC 2 Type 2, the NIST Privacy Framework, and the ISO 27001 information-security controls.
We understand that our clients and users entrust us with information that may be sensitive or commercially valuable. Protecting that information is therefore integral to every aspect of our operations, from the design of our technology to the training of our personnel.
The purpose of this Privacy Policy is fourfold:
To inform you about the categories of personal data that we collect and the specific purposes for which we use it.
To describe your rights under the privacy laws that apply to you and explain how you may exercise those rights.
To identify our legal bases for processing personal data under the GDPR and similar regimes.
To demonstrate accountability by describing our governance structure, our security and compliance measures, and our commitment to lawful, fair, and transparent processing.
This document forms part of the contractual relationship between Alva Intelligence and its customers and users. In the event of any inconsistency between this Privacy Policy and an executed agreement with a customer, the executed agreement will prevail with respect to the specific subject matter of that contract.
Alva Intelligence LLC is a limited liability company organized under the laws of the State of Wyoming, United States. The Company provides a SaaS-based data-intelligence and analytics platform for enterprise and institutional clients. Our platform enables clients to process, analyze, and visualize information in secure, cloud-based environments. Depending on the context of our engagement, Alva Intelligence may act as a data controller, determining the purposes and means of processing personal data, or as a data processor, processing data on behalf of a customer that controls such information. This Privacy Policy applies in both capacities, and the distinction is explained in greater detail in later sections of this document.
This Privacy Policy should be read together with our Terms of Service, Data Processing Agreement, Cookie Policy, Security Documentation, and other contractual instruments incorporated by reference (collectively, the “Governing Documents”). Each of these documents serves a distinct but complementary function. The Terms of Service establish the general conditions of use; the Data Processing Agreement governs the processing of customer data; and the Security Documentation describes the technical and organizational measures that safeguard that data. This Privacy Policy provides the overarching statement of how those commitments operate in practice.
For clarity and consistency, capitalized terms used in this Privacy Policy have the meanings given below unless the context indicates otherwise:
“Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person.
“Processing” means any operation or set of operations performed on personal data, whether or not by automated means.
“Controller” means the entity that determines the purposes and means of processing personal data.
“Processor” means the entity that processes personal data on behalf of a controller.
“Data Subject” means the individual to whom the personal data relates.
“Applicable Law” means all data-protection and privacy laws, regulations, and guidance that apply to the Company’s activities.
These definitions align with those used in the GDPR, CPRA, and similar frameworks, and are intended to ensure interpretive consistency throughout the Policy and related documents.
This Policy applies to all personal data that we collect or receive in any form, whether electronic, paper, or verbal, in connection with:
The use of our websites, platforms, and mobile applications;
Customer relationships, contracts, and account management;
Employment and recruitment activities; and
Vendor and partner interactions that involve the exchange of personal information.
Certain sections of this Policy apply only to residents of particular jurisdictions. Where such jurisdiction-specific provisions are relevant, they are clearly identified in Section 25.
Our privacy program is based on the following principles, which guide every operational decision concerning personal data:
Lawfulness, Fairness, and Transparency – We process personal data only for legitimate purposes and in a transparent manner that individuals can understand.
Purpose Limitation – Data is collected for specific, explicit, and legitimate purposes and is not further processed in ways incompatible with those purposes.
Data Minimization – We collect only the data necessary for the stated objectives.
Accuracy – We maintain data that is accurate and up to date, implementing correction mechanisms as needed.
Storage Limitation – We retain personal data only for as long as required by the purposes of processing or by law.
Integrity and Confidentiality – We protect data with appropriate technical and organizational measures to prevent unauthorized access, loss, or alteration.
Accountability – We maintain records and audit trails demonstrating compliance with each of these principles.
The sections that follow describe in detail what information we collect, how we use it, with whom we share it, and how we protect it. Readers who wish to locate a specific subject quickly may refer to the Table of Contents at the beginning of the full document. References to “you” or “your” mean any natural or legal person who interacts with our services or whose personal information we process. Where applicable, this Policy is supplemented by contractual terms agreed upon with our clients.
By accessing our services, submitting personal information to us, or entering into a contract with Alva Intelligence, you acknowledge that you have read this Privacy Policy and understand its contents. Where consent is required under applicable law, we will obtain it separately and transparently.
This Privacy Policy applies to all personal information that Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) collects, receives, or processes in any form, whether electronic, paper, or verbal.It governs how we handle personal data in connection with every aspect of our business operations, including but not limited to our websites, SaaS platform, analytics environment, customer relationships, partnerships, and employment activities.
Our privacy commitments extend to everyone whose information we process, regardless of where they are located. This includes clients, end-users of client systems, business partners, vendors, contractors, job applicants, and visitors to our websites or physical locations.
The scope of this Policy reflects the range of technology services provided through the Alva platform, which may involve hosting, analyzing, or otherwise processing data on behalf of our customers or as part of our internal business operations.
Alva Intelligence operates globally and may process information in multiple jurisdictions. Accordingly, this Policy is designed to meet or exceed the requirements of the following legal frameworks:
United States: including the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA).
European Union and European Economic Area: the General Data Protection Regulation (GDPR).
United Kingdom: the UK GDPR and Data Protection Act 2018.
Switzerland: the revised Federal Act on Data Protection (FADP).
Other International Jurisdictions: where required by local privacy or data-protection laws that substantially mirror the principles set forth above.
Where national or state laws impose additional or stricter obligations, we apply those obligations to the extent required by law or, where feasible, voluntarily as part of our global compliance framework.
The Company may transfer personal information across borders for legitimate business purposes, such as providing services, maintaining our systems, or fulfilling contractual obligations. These transfers are subject to the safeguards described in Section 7 (“International Data Transfers”).
This Policy governs personal data that falls within the following subject-matter categories:
Client and User Data – information related to our customers, their authorized users, and any end-users whose data may be processed through our platform.
Website and Application Data – information collected through our corporate websites, customer portals, mobile applications, and online forms.
Marketing and Communication Data – information collected through subscriptions, events, surveys, or direct communications.
Vendor and Partner Data – information relating to suppliers, consultants, and business partners.
Employee and Recruitment Data – personal data processed in the context of hiring, employment, or contractor management.
Operational and Security Data – logs, system records, and similar information necessary for system operation, troubleshooting, and security monitoring.
Each category is subject to the same general principles described in this Policy, but certain sections may apply differently depending on whether Alva Intelligence acts as a data controller or a data processor, as defined below.
Depending on the context of data processing, Alva Intelligence may act in one of two primary roles:
Controller: When we determine the purposes and means of processing personal data for example, when managing our customer accounts, maintaining our website, or marketing our services we act as a data controller.
Processor: When we process personal data on behalf of our clients in accordance with their written instructions and contractual agreements, we act as a data processor. In those cases, our activities are governed by the terms of our Data Processing Agreement (“DPA”) with the client.
Where Alva Intelligence acts as a processor, our clients remain responsible for ensuring that appropriate legal grounds exist for the collection and use of personal data, and for providing any necessary notices to individuals. We, in turn, ensure that our processing complies with the contractual and regulatory obligations applicable to processors.
Where Alva Intelligence acts as a controller, we determine the purpose and means of processing, and we are directly responsible for compliance with applicable privacy laws.
This Policy covers, without limitation, the following data-handling activities:
The collection and processing of personal data through our websites, portals, and mobile applications.
The provision of data-analytics and software services to our clients, whether through cloud-based or on-premises solutions.
The management of user accounts, customer service requests, billing, and other administrative processes.
The processing of data for security, risk management, and compliance purposes.
The use of personal data for marketing, communication, and business-development activities.
The retention and secure disposal of records and archived information.
The evaluation of potential vendors, consultants, and employees.
Unless explicitly excluded, any activity in which Alva Intelligence processes personal data in connection with its business operations falls within the ambit of this Policy.
This Policy does not apply to:
Information that cannot reasonably identify an individual, such as anonymized or aggregated data that no longer constitutes personal data under applicable law.
Publicly available information obtained from government records.
Data processed by third parties acting independently of Alva Intelligence, where we have no control over their collection or use of information.
Personal information collected and processed exclusively for journalistic, artistic, or literary purposes, where such activities are exempt under applicable law.
Third-party services integrated into our platform or website may be subject to their own privacy terms. We encourage users to review those third-party policies carefully.
This Policy supplements, and does not replace, any contractual terms or notices that govern a specific relationship with the Company. In the event of a conflict between this Policy and another agreement executed by Alva Intelligence, the latter will prevail with respect to the subject matter it specifically addresses.
This Policy also operates alongside the following documents, which should be read together for a complete understanding of our privacy commitments:
Terms of Service (defining user rights and obligations).
Data Processing Agreement (setting forth our processor obligations).
Security and Incident Response Framework (describing security measures).
Cookie Policy (detailing our use of cookies and tracking technologies).
Each of these instruments forms part of the overall privacy governance structure of Alva Intelligence.
This Policy applies to all subsidiaries, affiliates, and controlled entities of Alva Intelligence LLC that process personal information on our behalf. It also extends to our contractors and service providers who have access to personal data in the course of performing services for us.
All such parties are required to comply with our privacy and security standards, either by written contract or by policies that provide equivalent protection. We conduct appropriate due-diligence and compliance checks to ensure that those third parties uphold the commitments described in this Policy.
The provisions of this Policy are intended to be interpreted broadly to achieve full compliance with applicable law and to uphold the privacy rights of all individuals whose data we process. In the event that a provision of this Policy is inconsistent with local law, the Company will comply with the law to the extent required, and the remainder of the Policy will continue in full force and effect.
The scope of this Policy may evolve as our business expands or as privacy laws develop. Any material changes to the scope or applicability will be communicated in accordance with Section 19 (“Updates to this Privacy Policy”).
By defining the boundaries of this Policy, Alva Intelligence seeks to make clear that privacy protection is not limited to regulatory compliance but is a fundamental business obligation. Whether data is processed on our own behalf or on behalf of a client, every activity involving personal information is subject to the principles and standards set forth herein.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) collects and processes personal information in several ways, depending on the nature of your interaction with our services and the capacity in which we receive the information.
We gather data directly from you, automatically through the use of our platforms, and occasionally from third parties or public sources.
We collect only the data that is relevant, proportionate, and necessary to fulfill clearly defined business, contractual, and legal obligations.
Personal data is any information that identifies, relates to, describes, or can reasonably be associated with an identifiable individual.
The specific data we collect varies based on whether you are a customer, an authorized user, a website visitor, a business partner, a supplier, or an employee or candidate.
You may provide personal data to us voluntarily when you register for an account, subscribe to updates, request information, engage with support services, or otherwise communicate with the Company.
The categories of information you may provide include:
Identification and Contact Details
Full name, company name, job title, business address, telephone number, and email address.
Account credentials and authentication identifiers.
Account Registration and Profile Information
Account ID, username, password, and associated security questions.
Preferences, usage configurations, and selected features.
Transactional and Billing Information
Payment card details, billing address, and records of payments made.
Purchase orders, invoices, tax identification numbers, and related correspondence.
Customer Service and Communication Records
Support tickets, chat logs, email exchanges, and call recordings used for quality assurance.
Information shared voluntarily in surveys, webinars, or customer feedback forms.
Event and Marketing Participation Data
Registration information for conferences, online events, or marketing campaigns.
Professional interests, company size, and industry type.
Employment or Contractor Applications
Curriculum vitae, employment history, education records, references, and eligibility information.
Voluntary demographic data where permitted by law.
We collect these categories to create and maintain accounts, deliver services, process transactions, respond to inquiries, manage contracts, and comply with applicable regulations.
When you visit our websites, interact with our platforms, or use our products, certain information is collected automatically.
This data helps us understand how our systems are used, maintain performance, and enhance security.
Device and System Information
Type and model of device, operating system version, browser type, and network connection data.
IP address, device identifiers, and regional settings (language, time zone).
Usage and Interaction Data
Pages viewed, links clicked, features used, session duration, and navigation paths.
Metadata associated with uploaded content or transactions within the platform.
Cookies and Similar Technologies
We use cookies, web beacons, and pixels to remember user preferences, authenticate sessions, and analyze traffic patterns.
Detailed information on our use of cookies and options for managing them is provided in our separate Cookie Policy.
Log and Diagnostic Files
Security and Performance Monitoring Data
Automatically collected data is typically aggregated or pseudonymized before analysis to limit the ability to link it back to any identifiable individual.
We may receive personal data from third parties in circumstances permitted by law or by the data subject’s authorization.
These sources include:
Business Partners and Resellers: who provide referral information or joint-marketing leads.
Service Providers: such as analytics vendors, payment processors, and communications platforms that supply data necessary to perform contracted functions.
Publicly Available Sources: including professional profiles, public directories, and official registries.
Affiliates and Subsidiaries: that share information internally for administrative efficiency and compliance purposes.
We review such data before use to ensure it is relevant, accurate, and collected in compliance with applicable laws and contractual obligations.
Alva Intelligence does not intentionally collect sensitive or special-category data (such as racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, or data concerning health or sexual orientation) unless required by law or necessary to fulfill a specific contractual obligation.
When such processing is unavoidable, we apply heightened security controls and rely on explicit consent or another lawful basis permitted under applicable law.
Sensitive data may be collected only in the following limited contexts:
For employment or background-verification purposes.
For security clearance or regulatory compliance related to a client engagement.
To ensure accessibility accommodations, health, or safety requirements for employees or visitors.
Where collected, such data is stored securely, subject to restricted access, and deleted as soon as the legitimate purpose has been satisfied.
We may create aggregated or anonymized data from personal information to generate insights, improve our products, and conduct research.
Once anonymized, the data can no longer be linked to a specific individual and is therefore not considered personal data under applicable law.
Aggregated analytics may include patterns of usage, performance metrics, or demographic summaries.
We maintain internal procedures to ensure that anonymization and aggregation processes are robust and irreversible.
When we act as a data processor, we process personal information solely in accordance with the instructions of our clients, who act as controllers.
Examples include:
Data uploaded by clients into our platform.
Information about their employees, customers, or end users that the client chooses to process through our systems.
Analytical outputs or logs derived from that data.
In such cases, the client’s privacy notice governs the initial collection of personal data, and we act only as a service provider to support the client’s processing activities.
We do not use or disclose client-provided data for any purpose other than to perform our contractual obligations or as required by law.
We take reasonable steps to ensure that the personal information we collect is accurate, complete, and current.
Individuals may review and correct their account details by contacting our privacy office or using self-service features within the platform.
We also adhere to the principle of data minimization: we collect and retain only the information necessary to achieve the specific purpose for which it was collected, consistent with Section 8 (“Data Retention and Deletion”).
Where the provision of certain personal data is necessary for the performance of a contract or to comply with legal requirements, failure to provide that information may limit our ability to deliver services or fulfill obligations.
We identify mandatory data elements at the point of collection.
Optional data fields are clearly marked as such, and the decision not to provide optional information will not affect access to the core features of our services.
For transparency, the following table summarizes the major categories of data we collect, along with examples of each and typical sources:
| Category | Examples | Typical Source |
|---|---|---|
| Identification and Contact | Name, address, email, phone number | Provided directly by the individual |
| Account and Access | Login credentials, role assignments | Provided during account setup |
| Transactional | Payment details, purchase records | Generated through service transactions |
| Technical and Usage | IP address, device ID, analytics | Automatically collected |
| Communications | Support tickets, emails, surveys | Provided by the individual |
| Employment | Resume, background information | Provided by applicant |
| Marketing | Preferences, opt-in status | Collected via forms or partners |
This summary is provided for convenience and does not limit the broader descriptions contained elsewhere in this Policy.
The types and sources of personal data we collect may evolve as our services and technologies develop.
We periodically review our data-collection activities to ensure they remain aligned with our stated purposes and the principles of lawful, fair, and transparent processing.
Any material changes will be reflected in future revisions of this Privacy Policy, as described in Section 19 (“Updates to this Privacy Policy”).
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) processes personal information for clearly defined, legitimate, and proportionate business purposes.
Every instance of data use is guided by the principles of lawfulness, fairness, transparency, and accountability described in Section 1.7 of this Policy.
We do not use personal information in ways that are materially different from or incompatible with the purposes for which it was collected, unless such use is permitted or required by applicable law or with the individual’s consent.
Our processing activities fall into two primary categories:
(1) data processed as a controller, when we determine the purpose and means of processing (for example, managing customer accounts, providing information about our services, or operating our websites), and
(2) data processed as a processor, when we handle information on behalf of clients in accordance with their written instructions.
The subsections below describe these uses in greater detail.
We use personal information to provide and manage the services that customers have requested and to perform our contractual obligations.
Specific operational uses include:
Account Creation and Management
Establishing and maintaining user accounts and profiles.
Authenticating credentials and managing access permissions.
Communicating important updates about accounts, terms, and system availability.
Service Provision and Support
Delivering our analytics, data-processing, and software solutions.
Implementing configurations, integrations, and technical deployments requested by clients.
Providing maintenance, troubleshooting, and customer support through multiple channels.
Transaction Processing and Billing
Processing orders, subscriptions, renewals, and invoices.
Managing billing and payment data in compliance with accounting and tax laws.
Quality Assurance and Performance Monitoring
Monitoring service performance, response times, and usage levels.
Reviewing support communications for accuracy and training purposes.
All operational processing is performed to fulfill contractual obligations or legitimate business needs directly related to service delivery.
We may use personal data in a limited and controlled manner to analyze system performance, improve product functionality, and develop new features.
This processing supports innovation while maintaining strong privacy safeguards.
Examples include:
Usage Analytics: Evaluating aggregate patterns of service usage to identify improvements or detect anomalies.
Product Testing: Using anonymized or pseudonymized datasets for software testing and model development.
Service Optimization: Adjusting algorithms, interface design, or workflow efficiency based on aggregated usage metrics.
Benchmarking: Generating statistical reports to measure product performance in comparison to industry standards.
When we use personal information for research or analytical purposes, we apply data-minimization techniques, remove direct identifiers wherever feasible, and do not use such data to make decisions that affect specific individuals unless explicitly authorized.
We process personal information where necessary to comply with our legal obligations and to establish, exercise, or defend legal claims.
Examples include:
Meeting record-keeping and audit requirements under corporate, tax, and financial laws.
Responding to lawful requests from regulatory or governmental authorities.
Conducting internal investigations and compliance audits.
Managing disputes, claims, or litigation.
Preventing, detecting, and responding to fraud, misuse, or unauthorized access.
Enforcing our contractual rights and ensuring compliance with applicable laws.
Such processing is carried out only to the extent required or expressly permitted by law and in accordance with our internal governance and retention policies.
Maintaining the security and integrity of our systems and data is a core organizational objective.
We process personal data to protect against unauthorized access, detect potential security incidents, and ensure system resilience.
Activities under this category include:
Monitoring network traffic and access logs.
Detecting and responding to cybersecurity threats.
Conducting vulnerability assessments and penetration tests.
Managing user authentication, authorization, and audit trails.
Implementing encryption, logging, and incident-response measures as described in Exhibit D (Security and Incident Response Framework).
Processing for security purposes is based on legitimate interests and, in certain jurisdictions, on legal obligations to safeguard personal and customer data.
We use personal information to communicate with existing and prospective customers and to provide information about our products, services, and industry developments.
This includes:
Sending newsletters, updates, and event invitations.
Offering webinars, demonstrations, and training opportunities.
Conducting satisfaction surveys and gathering feedback.
Marketing communications are conducted in accordance with applicable law and are subject to the recipient’s consent or right to opt out.
Individuals may withdraw their consent or unsubscribe from promotional communications at any time by using the unsubscribe link in the communication or by contacting us directly.
We do not sell or rent personal information for marketing purposes.
For employees, contractors, and job applicants, we process personal data to manage recruitment, hiring, employment, payroll, benefits, and compliance obligations.
This includes verifying eligibility, conducting background checks (where permitted), and maintaining employment records.
Employment-related data is subject to strict confidentiality and access controls and is processed only for legitimate human-resources purposes.
We may process personal data as part of normal corporate administration, including business planning, finance, and strategic operations.
If Alva Intelligence undergoes a merger, acquisition, restructuring, or sale of assets, personal information may be transferred to the acquiring entity subject to confidentiality and data-protection requirements.
Any such transfer will be conducted in a manner consistent with this Policy and applicable law.
We may de-identify or aggregate personal information to remove elements that can identify specific individuals.
De-identified or aggregated data may be used for analytics, benchmarking, or research that supports the Company’s legitimate interests, including quality improvement and innovation.
We do not attempt to re-identify individuals from de-identified data, and any third parties receiving such data are contractually prohibited from doing so.
We do not use personal information for the following purposes:
Selling, trading, or licensing personal data to unrelated third parties.
Profiling or automated decision-making that produces legal or similarly significant effects, unless explicit consent or a clear legal basis exists.
Combining personal data from different sources for unrelated purposes without notice or consent.
Processing that contradicts or undermines applicable data-protection principles.
Our privacy governance structure requires that any new or materially changed data-use purpose undergo a documented review process, including assessment under the Data Protection Impact Assessment (DPIA) framework described in Section 10.
Where processing is based on our legitimate interests, we carefully assess the necessity and proportionality of the activity against the rights and freedoms of the individuals concerned.
Examples of legitimate interests include improving our services, ensuring network security, preventing fraud, and managing business operations efficiently.
The results of these balancing assessments are documented in our internal records and reviewed periodically by our privacy officer.
Before we use personal data for a purpose other than the one for which it was originally collected, we evaluate whether the new purpose is compatible with the initial purpose.
If the new purpose is incompatible, we will seek consent or identify a new lawful basis before proceeding.
Compatibility is assessed according to the relationship between the purposes, the nature of the data, and the context of collection.
We maintain internal records describing each category of data we process, the corresponding purpose, and the legal basis relied upon.
These records form part of our Record of Processing Activities (RoPA) and support our obligation to demonstrate compliance.
Individuals may request additional information about specific processing purposes by contacting us through the channels described in Section 24.
Under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the United Kingdom General Data Protection Regulation (“UK GDPR”), and comparable international privacy frameworks, every act of processing personal data must be grounded in a lawful basis.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) identifies and documents a lawful basis for each category of processing activity before personal data is collected or used.
This section outlines the legal bases upon which we rely and the rationale for doing so.
Where multiple legal bases may apply, we select the one that most appropriately reflects the specific context and purpose of the processing.
We process personal data where it is necessary to enter into or perform a contract with you or with the organization that you represent.
This includes:
Creating and managing customer or vendor accounts.
Providing our products, platforms, and professional services.
Fulfilling orders, processing payments, and delivering reports.
Managing user authentication and access control.
Providing technical support and system maintenance.
Processing based on contractual necessity ensures that we can perform our obligations, provide requested services, and maintain the functionality of our systems.
If you choose not to provide the personal information required for these functions, we may be unable to deliver the contracted services.
We process certain categories of personal data to comply with obligations imposed by law, regulation, court order, or other legal authority.
Examples include:
Tax and accounting record-keeping.
Anti-fraud, anti-money laundering, and sanctions screening requirements.
Data security and breach-notification obligations.
Responding to lawful requests from regulators, law enforcement, or courts.
Maintaining corporate records and internal audit documentation.
Processing under this basis is not optional. We retain such data for as long as required by applicable law or by the limitation period for potential claims.
We process personal data where it is necessary for our legitimate business interests, provided that such interests are not overridden by your rights and freedoms.
Our legitimate interests include:
Service Improvement and Innovation – analyzing aggregated data to enhance our products, user interfaces, and platform stability.
Security and Fraud Prevention – protecting our network and systems, detecting unauthorized activity, and ensuring data integrity.
Business Operations – maintaining records, managing internal processes, and supporting corporate governance.
Marketing and Relationship Management – communicating with customers and partners about relevant services and updates, subject to applicable opt-out rights.
Legal Defense and Risk Management – establishing or defending legal claims, ensuring compliance with contractual commitments, and managing insurance matters.
When we rely on legitimate interests, we perform a documented balancing test that evaluates (a) the necessity of the processing, (b) the proportionality of the processing activity, and (c) the potential impact on the individual.
The outcome of these assessments is reviewed periodically and recorded as part of our privacy governance documentation.
In certain situations, we process personal data based on the individual’s explicit or implied consent.
Examples include:
Sending marketing communications to individuals who have subscribed to receive them.
Collecting optional demographic information in a survey or event registration.
Deploying non-essential cookies or tracking technologies on our websites.
Processing special-category or sensitive data, where required.
Consent is always obtained in a clear, specific, and informed manner.
Individuals may withdraw consent at any time by following the instructions provided in the relevant communication or by contacting us as set out in Section 24 (“Contact Information”).
Withdrawal of consent does not affect the lawfulness of processing that occurred prior to its withdrawal.
When consent is required for multiple distinct purposes, it is obtained separately for each, ensuring compliance with the principles of granularity and informed choice.
On rare occasions, we may process personal data to protect an individual’s vital interests or those of another person.
This basis applies only in exceptional circumstances, such as a medical emergency or a credible threat to the safety of an individual.
Any such processing is narrowly tailored to the exigent situation and documented immediately afterward.
Although Alva Intelligence is a private-sector entity, certain engagements may involve work for public institutions, regulators, or research organizations. In those cases, we may process data as necessary to perform tasks carried out in the public interest or under official authority.
Such processing occurs only under formal contract and within the scope authorized by the governing body or law.
Where processing involves special-category data under Article 9 of the GDPR or UK GDPR, we do so only under one of the permitted grounds, including:
Explicit Consent of the data subject.
Employment and Social Security Law Compliance, where necessary to fulfill obligations related to labor, benefits, or occupational safety.
Legal Claims where processing is required for the establishment, exercise, or defense of legal rights.
Substantial Public Interest where authorized by law and accompanied by appropriate safeguards.
We do not process sensitive data for marketing or profiling purposes.
All special-category processing is subject to enhanced access controls, encryption, and retention limitations, as described in Exhibit D (Security and Incident Response Framework).
Alva Intelligence does not routinely collect or process data relating to criminal convictions or offenses.
If such processing becomes necessary for example, during pre-employment screening or in response to a legal investigation it is conducted in strict compliance with Article 10 of the GDPR, relevant national law, and the Company’s internal policies.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.
If automated analysis is introduced in the future, we will ensure that it is supported by an appropriate legal basis, accompanied by transparency disclosures, and subject to human oversight, as detailed in Section 11.
If the lawful basis for a processing activity changes such as when a contract concludes or consent is withdrawn we will reassess the activity, determine whether a new legal basis applies, and document the transition.
Where required, we will notify affected individuals of the change on a lawful basis and explain any new rights or obligations that may arise.
For accountability and audit purposes, Alva Intelligence maintains a comprehensive Record of Processing Activities (RoPA) as required by Articles 30 of the GDPR and UK GDPR.
This record includes:
The purpose and legal basis for each processing activity.
The categories of data subjects and personal data involved.
The categories of recipients and international transfers.
Retention periods and security measures.
These records are maintained by our Privacy Officer and are reviewed annually as part of our compliance and SOC 2 audit cycles.
Although the GDPR and UK GDPR specifically require identification of legal bases, we apply equivalent principles to processing that occurs under other regimes, including U.S. state privacy laws.
Where a U.S. state law requires consent, opt-out, or notice mechanisms, those obligations are incorporated into our global compliance framework.
Our reliance on legitimate interests under the GDPR corresponds to the concept of “business purposes” under the CPRA and similar statutes, ensuring a harmonized, cross-jurisdictional approach to privacy governance.
| Purpose of Processing | Typical Legal Basis |
|---|---|
| Service delivery, account management, and billing | Contractual necessity |
| Customer support and communications | Contractual necessity / Legitimate interest |
| Product development and analytics | Legitimate interest |
| Security, fraud prevention, and compliance | Legal obligation / Legitimate interest |
| Marketing and newsletters | Consent / Legitimate interest |
| Employment management | Legal obligation / Contractual necessity |
| Regulatory reporting | Legal obligation |
| Research or benchmarking (aggregated data) | Legitimate interest / Consent |
This table is intended as an overview only. Detailed mappings are contained in Appendix B of this Policy and in the Company’s internal RoPA documentation.
Regardless of the specific legal basis relied upon, Alva Intelligence ensures that all processing of personal data is conducted in accordance with the principles of fairness, transparency, and accountability.
We communicate clearly with individuals about the purposes and bases for processing, maintain appropriate records of consent and legitimate-interest assessments, and make those records available to supervisory authorities upon request.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) treats all personal information as confidential and shares it only where necessary for legitimate business, operational, or legal reasons.
We do not sell, lease, or exchange personal data for monetary consideration.
Any disclosure of personal information is made in accordance with applicable law, under written agreements that ensure appropriate data protection, and only with entities that have demonstrated the capability to safeguard the information they receive.
All recipients of personal data are bound by confidentiality obligations that meet or exceed the standards described in this Policy and in our internal governance framework.
We may share personal data internally among departments and affiliated entities of Alva Intelligence to ensure consistent service delivery, maintain security, and manage global operations efficiently.
Internal sharing occurs under the same access-control restrictions that govern the original collection of the information and is limited to personnel who have a legitimate business need.
Examples of internal disclosures include:
Transmitting customer account information to finance teams for billing.
Providing technical staff with log data for troubleshooting or maintenance.
Sharing contact details with account managers or client-success personnel.
Coordinating cross-department projects such as audits, compliance assessments, or incident response.
All employees and contractors are required to sign confidentiality agreements and complete annual privacy and security training as a condition of access to personal data.
To operate effectively, we engage carefully selected third-party service providers who perform functions on our behalf. These providers may have limited access to personal data only to the extent necessary to perform the contracted services.
Common categories of service providers and sub-processors include:
Cloud-Hosting and Infrastructure Providers – for secure data storage and computing services.
Payment Processors and Financial Institutions – to process transactions and verify billing information.
Customer Relationship and Support Platforms – to manage customer communications and ticketing systems.
Analytics and Performance Vendors – to evaluate system performance, usage metrics, and reliability.
Professional Advisors – including auditors, legal counsel, and consultants engaged under confidentiality agreements.
Each sub-processor is subject to a written agreement incorporating the data-protection requirements mandated by Article 28 of the GDPR and equivalent provisions of the UK GDPR. We conduct due-diligence reviews before onboarding any provider and monitor ongoing compliance through periodic assessments, certifications (such as ISO 27001 or SOC 2 Type 2), and contractual audits.
An updated list of approved sub-processors is maintained in Exhibit A and is available to clients upon request.
We may share limited personal data with trusted business partners when it is necessary to support joint initiatives, co-branded services, or system integrations requested by clients.
Examples include identity-management providers, data-visualization platforms, or software-integration partners that enable interoperability with the Alva Intelligence environment.
Such disclosures are governed by contractual arrangements that define the scope of permitted use, impose confidentiality obligations, and require equivalent data-protection measures.
We prohibit partners from using shared data for independent marketing or profiling purposes unless explicit consent has been obtained from the affected individuals.
If Alva Intelligence undergoes a merger, acquisition, restructuring, or sale of all or part of its assets, personal information relevant to that transaction may be transferred to the acquiring or successor entity.
Any such transfer will:
Be subject to confidentiality and security protections;
Occur only for the purpose of continuing the same or substantially similar business activities; and
Be communicated to affected individuals where required by law.
Should a transaction result in a material change to the handling of personal data, we will update this Privacy Policy accordingly.
We may disclose personal data when required to do so by law or when we believe, in good faith, that such action is necessary to:
Comply with a legal obligation or enforceable governmental request.
Respond to subpoenas, court orders, or lawful discovery demands.
Protect the rights, property, or safety of Alva Intelligence, our customers, or others.
Detect or prevent fraud, security breaches, or other harmful activity.
Any disclosure made under this section is reviewed and authorized by our Legal Department to ensure that only the minimum necessary information is released. Where legally permissible, we will notify affected individuals or clients before responding to such requests.
In the event of a suspected or confirmed security incident, we may share relevant information with:
Incident-response teams and forensic investigators.
Law-enforcement agencies and regulators, where required.
Affected customers or partners, to facilitate mitigation or remediation.
These disclosures are limited to what is necessary to assess, contain, and remediate the event, consistent with the timelines and protocols described in Exhibit D (Security and Incident Response Framework).
We may share personal information with our professional advisers including legal counsel, auditors, accountants, and insurance providers where disclosure is necessary for compliance, risk management, or the protection of legal interests.
All such advisers are subject to confidentiality obligations and professional ethical duties that protect the information they receive.
Because Alva Intelligence operates on a global basis, personal information may be transferred to, or accessed by, our affiliates and partners in other jurisdictions.
Any such transfer is governed by the safeguards described in Section 7 (International Data Transfers), including the use of Standard Contractual Clauses (SCCs 2021/914) and related addenda.
We ensure that these transfers maintain the same level of protection as data processed within the country of origin.
We may share aggregated or de-identified data with third parties for research, analysis, or statistical purposes. Such information cannot reasonably be used to identify an individual and therefore is not considered personal data under applicable law. Recipients of de-identified data are contractually prohibited from attempting to re-identify any individual or combining the data with other sources for that purpose.
When we act as a data processor, we disclose personal data only as instructed by the client (the data controller). This may include transferring information to other processors or third parties designated by the client. We do not make independent decisions about the disclosure or secondary use of client-provided data except as required by law or necessary to maintain system integrity.
In all such cases, we promptly inform the client of the disclosure unless prohibited by law or governmental order.
We maintain detailed records of all categories of recipients to whom personal data is disclosed, as required under Article 30 of the GDPR and Article 31 of the UK GDPR. Clients may request confirmation of sub-processors or third-party disclosures relevant to their engagement. Where appropriate, we provide supporting documentation or audit summaries to demonstrate compliance with our contractual and regulatory obligations.
All recipients of personal information from Alva Intelligence are required to:
Use the information only for the specific purpose for which it was provided.
Protect it with technical and organizational measures equivalent to those applied by Alva Intelligence.
Refrain from any further disclosure without our written authorization.
Return or securely delete the data upon completion of the engagement or at our direction.
We enforce these restrictions through contractual terms, periodic verification, and where applicable technical access controls that limit data retrieval and export.
Our approach to data sharing reflects our core values of trust, transparency, and accountability.
We recognize that responsible sharing, when conducted under strict safeguards, supports service efficiency and innovation while preserving individual privacy.
Each disclosure is evaluated under our Data Governance Policy to ensure that it aligns with legal requirements, ethical standards, and the expectations of our clients and users.
Because Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) supports clients in multiple regions, personal data … may occasionally be transferred … outside the country where it originated. Alva’s primary data hosting and processing occur in Europe through Azure and Hetzner environments; any limited cross-border transfers follow the safeguards described below. These transfers are an essential component of our global business operations and occur only when lawful, necessary, and protected by appropriate safeguards. We apply a uniform level of data-protection standards across all locations in which we operate, regardless of differing national privacy regimes.
We rely on recognized international transfer mechanisms and safeguard instruments to ensure that all personal data moved across borders remains protected at a level consistent with the requirements of the GDPR, the UK GDPR, and the Swiss FADP.
Our compliance program incorporates:
Standard Contractual Clauses (“SCCs”) (EU 2021/914) approved by the European Commission.
UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office.
Swiss Addendum aligning with Article 16 of the Swiss FADP.
Transfer Impact Assessments (TIAs) evaluating the legal environment of destination countries.
Supplementary Technical and Organizational Measures, including encryption, access control, and data-segmentation procedures.
Where another lawful mechanism becomes available or recognized by a competent authority such as adequacy decisions, Binding Corporate Rules (BCRs), or an equivalent certification we may adopt that mechanism as appropriate.
Personal data may be processed or stored in data centers and facilities located in:
The European Union (Azure and Hetzner data centers), which host the primary production and client environments.
“The United States, limited to administrative and corporate operations (non-production systems).”
Other regions such as Canada and Singapore, for redundancy and specialized services provided by approved sub-processors.
These environments are continuously reviewed to confirm alignment with contractual and regulatory requirements.
When personal data originating in the EEA, UK, or Switzerland is transferred to a country that has not been deemed to provide an adequate level of protection, we implement SCCs and relevant addenda between the exporting and importing entities.
Under these instruments:
The exporting entity (controller or processor) remains responsible for ensuring lawful transfer conditions.
The importing entity (such as Alva Intelligence LLC in the United States) agrees to protect the data in accordance with the contractual clauses.
Data subjects retain enforceable rights and effective legal remedies in the event of breach.
We conduct periodic audits and monitoring to verify compliance with the obligations contained in those instruments.
Prior to any new cross-border transfer, we perform a documented Transfer Impact Assessment to evaluate:
The legal framework of the destination country, including surveillance laws and data-subject rights.
The nature, volume, and sensitivity of the personal data involved.
The adequacy of contractual, technical, and organizational measures.
The likelihood and severity of potential risks to individuals.
Where the assessment identifies residual risks, we adopt mitigation measures such as additional encryption, pseudonymization, and strict access restrictions. These assessments are retained as part of our compliance records and reviewed annually.
To ensure continuous protection during transfer and subsequent processing, we apply layered safeguards that include:
Encryption in Transit and at Rest: all data transmitted across borders is encrypted using current industry standards (TLS 1.2+ for transport, AES-256 for storage).
Access Controls: restricted to authorized personnel with legitimate need; access logs maintained and reviewed.
Segregation of Environments: client data logically separated from other tenants in multi-tenant systems.
Data-Minimization Protocols: only the minimal required dataset is transferred.
Incident-Response Coordination: defined escalation procedures for cross-border incidents in accordance with Exhibit D.
These safeguards align with our SOC 2 Type 2 controls and ISO 27001 information-security framework.
We continuously monitor regulatory developments affecting international data transfers and adjust our compliance strategy accordingly. Our privacy and legal teams track guidance from the European Data Protection Board (EDPB), the UK ICO, and the Swiss Federal Data Protection and Information Commissioner (FDPIC). If any existing mechanism is invalidated or modified, we will implement replacement safeguards within the legally prescribed timeframe and notify affected clients and individuals as necessary.
When acting as a data processor, Alva Intelligence conducts international transfers only on documented instructions from the client (the controller). The client remains responsible for determining the lawful transfer basis and ensuring that appropriate consent or notice has been obtained from data subjects. We support these transfers by executing the required contractual clauses, implementing encryption, and restricting onward transfers to authorized sub-processors only.
Sub-processors located outside the EEA, UK, or Switzerland may process personal data solely for the purpose of providing contracted services.
Each sub-processor is required to:
Execute SCCs or equivalent contractual safeguards with Alva Intelligence.
Implement security controls consistent with Exhibit D.
Refrain from engaging additional sub-processors without prior written authorization.
Notify us of any inability to comply with the obligations imposed by the transfer instruments.
We maintain transparency by listing all approved sub-processors in Exhibit A and updating that list whenever changes occur.
Where a jurisdiction mandates that certain categories of data remain within its borders such as government, health, or financial information, we comply by ensuring that the relevant data is hosted locally or processed under approved localization frameworks. “Where clients request EEA-only data residency, Alva ensures that processing and storage occur exclusively within Azure and Hetzner facilities located in Europe. For example, if a client requires EEA-only data storage, we host that client’s environment exclusively within EU-based data centers certified to recognized security standards.
Individuals whose personal data is transferred internationally retain all rights granted by applicable privacy laws, including the right to:
Obtain a copy of the appropriate safeguards under which their data is transferred.
File a complaint with a supervisory authority in their country of residence.
Seek judicial remedies for alleged violations of data-protection rights.
Requests to access copies of SCCs or equivalent transfer instruments may be submitted as described in Section 24. Certain commercial details may be redacted to preserve confidentiality.
Alva Intelligence is not primarily reliant on U.S. hosting; cross-border transfers to the United States are limited to administrative or support functions. For transfers from the EEA, UK, and Switzerland to the United States, Alva Intelligence relies primarily on SCCs and supplementary measures.
Where appropriate, we also align our practices with the principles set forth in the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework, administered by the U.S. Department of Commerce.
Participation in these frameworks provides an additional layer of accountability and independent dispute-resolution mechanisms.
All international-transfer arrangements are documented in our Record of Processing Activities (RoPA) and reviewed at least annually as part of our compliance and SOC 2 audit cycles.
Records include:
The categories of data transferred.
The transfer mechanism employed.
The recipient entities and locations.
The technical and organizational safeguards applied.
Results of any Transfer Impact Assessment.
These records may be made available to supervisory authorities upon request.
Cross-border data flows are essential to a modern, cloud-based business, but they must never compromise individual privacy.Alva Intelligence remains committed to transparency and continuous improvement in its international-transfer practices.We review our safeguards regularly, adopt emerging best practices, and provide clients and data subjects with clear information about how and where their data travels.Any material change to our transfer mechanisms or the jurisdictions involved will be reflected in an update to this Policy and communicated in accordance with Section 19 (“Updates to this Privacy Policy”). Details of active data-transfer mechanisms and hosting regions are maintained in Alva’s Record of Processing Activities (RoPA) and may be provided to clients upon request.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) maintains personal data only for as long as necessary to fulfill the legitimate purposes for which it was collected, to comply with legal or contractual obligations, and to support our business operations. Personal data is never retained for speculative analytics or commercial resale, and Alva Intelligence does not sell or share personal information with third parties.
Our retention strategy is grounded in the following principles:
Purpose Limitation: Data is kept only for clearly defined business or legal purposes.
Storage Minimization: Information that no longer serves a legitimate purpose is securely deleted, anonymized, or aggregated.
Transparency: Retention periods are documented and communicated to clients and data subjects where required.
Accountability: Every business unit must justify and document retention of data beyond its standard lifecycle.
These principles ensure alignment with GDPR Article 5(1)(e) and similar global standards mandating that personal data be stored no longer than necessary.
Retention periods vary according to the category of data, its use, and statutory requirements. Representative categories include:
| Category of Data | Examples of Content | Typical Retention Period | Basis for Retention |
|---|---|---|---|
| Client Account Records | Account registration, contact details, billing info | Duration of contract + 5 years | Contractual necessity; tax and accounting laws |
| Service Usage Logs | Access logs, IP addresses, session identifiers | Up to 24 months | Security, diagnostics, and fraud prevention |
| Support Tickets and Communications | Emails, chat transcripts, attachments | Duration of support engagement + 3 years | Quality assurance, dispute resolution |
| Marketing and Consent Records | Newsletter subscriptions, consent preferences | Until withdrawal of consent + 2 years | Proof of lawful basis for processing |
| Employment and HR Data | Applications, payroll records, evaluations | During employment + 7 years after | Employment law requirements |
| Legal and Compliance Files | Contracts, audit records, regulatory submissions | Minimum 7 years | Legal defense and statutory obligations |
Custom retention schedules for specialized data (e.g., pseudonymized analytics, AI-model training datasets, or forensic archives) are documented in Alva’s internal Data Retention Matrix, available to clients upon request.
Certain jurisdictions mandate fixed retention periods regardless of operational needs.
Examples include:
U.S. Tax and Accounting Records: retained for a minimum of 7 years pursuant to IRS Reg. § 1.6001-1(e).
Employment Records: subject to federal and state labor laws, typically 3–7 years post-termination.
Commercial Contracts and Transaction Data: preserved to satisfy limitations periods for potential claims.
EU and UK Data Protection Requirements: require documentation of processing activities and legal bases as long as processing continues.
We periodically review applicable statutes to ensure ongoing compliance with mandatory retention provisions. Alva Intelligence periodically reviews all applicable statutes and guidance to ensure retention durations remain proportionate and compliant with evolving privacy frameworks.
When statutory retention periods are not defined, the Company evaluates:
Nature and Sensitivity of the Data – Sensitive categories (e.g., biometrics, financial data) receive shorter default periods.
Purpose of Processing – Operational data retained longer than transient data (e.g., session cookies).
Potential Risk of Harm – If continued storage could expose individuals to risk, earlier deletion is triggered.
Contractual or Client Obligations – Client agreements specifying custom retention windows prevail.
Legal Hold or Litigation Needs – Data subject to a legal hold is preserved until resolution.
Retention determinations are reviewed by the Privacy and Compliance Committee and approved by the Data Protection Officer to ensure that business efficiency does not override privacy obligations. These criteria are applied through our automated Data-Lifecycle Management (DLM) system integrated with access-control tools described in Exhibit D.
Before deletion, data may be transitioned to secure archives if continued retention serves compliance, research, or statistical purposes.
Archived data is:
Isolated: stored on segregated systems with restricted access.
Pseudonymized or Anonymized: direct identifiers removed or replaced with irreversible tokens.
Encrypted: using AES-256 encryption standards.
Anonymized datasets may be used indefinitely for analytics or service-improvement purposes, provided re-identification is technically impossible and prohibited by policy. Such anonymized use does not include any customer-specific or identifiable business contact data.
Alva Intelligence employs standardized, auditable deletion workflows. Deletion activities are initiated automatically through scheduled tasks or upon verified requests from data subjects or clients, and are confirmed through logged, auditable workflows.
Our procedure includes:
Identification of Eligible Records through metadata queries and retention flags.
Secure Deletion using cryptographic wiping or overwrite methods conforming to NIST SP 800-88 Rev. 1 guidelines.
Propagation Across Backups: ensuring erasure extends to replicated and off-site storage within 30 days.
Verification and Audit Logging: automated reports confirm completion and are retained for compliance review.
Client Notification: when acting as a processor, we confirm deletion to the controller in writing.
All deletion events are subject to internal review by our Data Protection Officer (DPO).
When the Legal Department issues a litigation hold or investigation notice, deletion schedules are temporarily suspended for affected records.Employees are notified and trained to preserve all relevant data until the hold is formally lifted.Once resolved, normal retention and deletion timelines resume under supervised clearance protocols.
For data processed on behalf of clients, the retention and deletion periods are dictated by the client’s instructions and the terms of our Data Processing Agreement.
Upon termination or expiration of a contract, we will either:
Return the data to the client in an agreed format; or
Delete the data securely within the agreed period, certifying completion in writing.
No client data is retained beyond this period except to comply with legal obligations or defend legal claims. Alva Intelligence does not copy or otherwise reuse client data for internal training or secondary processing once deletion is confirmed.
Backup files exist solely to maintain system integrity and ensure business continuity.These files are encrypted and stored in isolated environments with restricted access. When the primary data is deleted, corresponding backups are overwritten or purged within the defined window (typically 30 to 90 days), subject to technical constraints and legal holds. Backup data is encrypted in transit and at rest within Azure and Hetzner environments located in Europe.
The Data Retention and Deletion Policy is reviewed at least annually by the Privacy and Compliance Committee. The review also verifies that data-retention durations remain proportionate to the nature and scale of processing activities. The review verifies that retention schedules remain appropriate, deletion tools function as intended, and legal requirements are current. Improvements may include new automation capabilities, updated criteria for risk-based retention, or expanded reporting metrics.
Documentation of retention and deletion activities is maintained as part of our Record of Processing Activities (RoPA) and SOC 2 Type 2 audit evidence.These records include policy versions, execution logs, verification reports, and training attendance records.Supervisory authorities or clients may request copies of these records to validate compliance.
Our goal is to retain personal information only for as long as necessary and to delete it securely once its purpose is fulfilled. This discipline reduces privacy risk, lowers data management costs, and demonstrates our commitment to ethical data governance and trust. Alva Intelligence’s retention and deletion practices are an integral component of its SOC 2 Type 2 and GDPR compliance programs.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) recognizes and respects the privacy rights of all individuals whose personal information we process. We are committed to enabling data subjects to exercise their rights lawfully, transparently, and without discrimination.This section outlines those rights, the process for submitting requests, and the Company’s obligations when responding to them.
Data subjects include customers, users, employees, contractors, business partners, and any other individuals whose personal information is collected, used, or stored by Alva Intelligence.
We adhere to the following foundational principles when responding to data subject requests:
Fairness and Non-Discrimination: No individual will be denied goods, services, or benefits for exercising privacy rights.
Transparency: Responses are provided in clear and accessible language.
Verification: Requests are honored only after reasonable verification of the requester’s identity.
Timeliness: Requests are fulfilled within the statutory period, typically thirty (30) days, unless an extension is lawfully justified.
No Charge: We process requests free of charge unless they are manifestly unfounded, repetitive, or excessive.
All privacy requests are coordinated through our Data Protection Officer (DPO) and documented in accordance with Article 30 of the GDPR and Section 1798.130 of the CPRA.
Depending on the jurisdiction, individuals may have one or more of the following rights.Alva Intelligence provides these rights globally wherever operationally feasible, even when not legally mandated.
Data subjects have the right to obtain confirmation as to whether we process their personal data and, if so, to receive:
A copy of the personal data undergoing processing.
The categories and sources of that data.
The purposes of processing.
The categories of recipients to whom the data has been disclosed.
The envisaged retention period or the criteria used to determine it.
Information about automated decision-making, if applicable.
We provide this information in a structured and commonly used electronic format unless another format is requested.
Individuals may request correction of inaccurate or incomplete personal information. We take reasonable steps to verify accuracy and update records promptly, informing downstream processors or recipients of the corrected data as appropriate.
Data subjects may request deletion of personal information when:
It is no longer necessary for the purpose it was collected.
Consent has been withdrawn and no other lawful basis applies.
The data was unlawfully processed.
Deletion is required to comply with a legal obligation.
We comply with such requests except where continued retention is necessary for legal compliance, defense of claims, or overriding legitimate interests consistent with applicable law.
Individuals may request that we temporarily limit processing where:
The accuracy of data is contested.
Processing is unlawful but the individual opposes deletion.
We no longer need the data, but the individual requires it for legal claims.
A verification of legitimate grounds is pending following an objection.
During the restriction period, we mark affected data accordingly and restrict access internally.
Individuals have the right to receive their personal data in a structured, machine-readable format and to transmit it to another controller where technically feasible. This right applies to data processed based on consent or contract and by automated means. Transfers are performed securely and without prejudice to the rights of others.
Data subjects may object at any time to processing carried out:
On the basis of legitimate interests; or
For direct marketing purposes.
Upon receiving an objection, we cease the relevant processing unless we can demonstrate compelling legitimate grounds overriding the individual’s interests, rights, and freedoms.
Where processing is based on consent, individuals may withdraw that consent at any time.Withdrawal does not affect the lawfulness of processing carried out before withdrawal but terminates continued use for that purpose. Mechanisms for withdrawal are made as simple as the process for granting consent.
Alva Intelligence does not engage in automated decision-making or profiling that produces legal or similarly significant effects without human involvement. If such activity is introduced, individuals will be notified and provided with the right to obtain human intervention, express their views, and contest the decision.
We will not discriminate against individuals for exercising their privacy rights, including by denying services, charging different prices, or offering reduced quality. Where a legitimate value exchange exists (for example, loyalty programs), we will clearly disclose the terms and lawful basis for such differential treatment.
To protect privacy and prevent unauthorized disclosure, we verify the identity of each requester before fulfilling a rights request.
Verification may include:
Matching identifying information (such as email address or account ID) to existing records.
Requesting additional evidence (such as transaction details or government-issued identification).
Confirming through secure links sent to registered contact points.
Authorized agents submitting requests on behalf of another individual must provide written authorization or proof of power of attorney.
Individuals may submit privacy requests using any of the following channels:
Online Privacy Portal: accessible via our website privacy section.
Email: sent to privacy@joinalva.ai with “Privacy Request” in the subject line.
Mail: addressed to the Data Protection Officer at Alva Intelligence LLC, 30 N Gould STR, Sheridan, Wyoming. 82801, USA.
Client Representative: where applicable, clients may aggregate and transmit data subject requests under their own control.
All requests receive written acknowledgment within ten (10) business days and are tracked through completion.
We aim to respond to valid requests within thirty (30) days of receipt. Where the request is complex or numerous, we may extend this period by up to an additional sixty (60) days, providing notice and justification to the requester. We maintain detailed logs of request dates, decisions, and outcomes to demonstrate compliance.
Requests may be denied if:
The requester cannot be adequately verified.
The request is manifestly unfounded, repetitive, or excessive.
Disclosure would adversely affect the rights or freedoms of others.
Retention is required by law or for legal defense.
Where a request is denied, the individual will receive a written explanation of the reasons and guidance on available recourse options.
Individuals who disagree with a decision or response may request an internal review by our Data Protection Officer.
If unresolved, they may escalate the matter to:
The relevant supervisory authority (e.g., the EU Data Protection Authority of residence).
The UK Information Commissioner’s Office (ICO) for UK data subjects.
The Federal Data Protection and Information Commissioner (FDPIC) in Switzerland.
The U.S. Federal Trade Commission (FTC) or a state attorney general where applicable.
Contact information for major authorities is provided in Exhibit F (Supervisory Authority Directory).
All data subject requests are recorded in our Privacy Request Management System (PRMS).
The log includes:
Date and nature of the request.
Verification actions taken.
Response timeline and resolution.
Decisions, communications, and responsible staff.
Records are retained for at least three years for compliance and audit purposes.
Alva Intelligence ensures accessibility for all individuals, including those with disabilities or language barriers.We provide alternative formats upon request and translation assistance where feasible. Support channels are available to guide individuals through the submission process.
Although privacy laws vary across jurisdictions, we apply a harmonized standard consistent with the highest level of protection.This unified approach simplifies compliance, ensures consistency for global users, and demonstrates Alva Intelligence’s commitment to accountability and respect for personal privacy.
Empowering individuals to control their personal data is a cornerstone of our privacy philosophy. Through transparent processes, clear communication, and robust verification, we uphold the rights of data subjects worldwide while maintaining the security and integrity of their information.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) processes personal information only where a lawful basis exists under applicable data-protection laws. Each activity involving personal data is mapped to one or more legitimate legal bases, ensuring that all processing is fair, transparent, and proportionate. This section describes those lawful bases, how they apply to our operations, and the measures we use to maintain ongoing compliance.
Under Article 6 of the EU and UK GDPR, Alva Intelligence may rely on the following legal bases:
Consent (Article 6(1)(a)) – the individual has given clear consent for the specific processing purpose.
Contractual Necessity (Article 6(1)(b)) – processing is required to perform a contract or to take pre-contractual steps at the individual’s request.
Legal Obligation (Article 6(1)(c)) – processing is necessary to comply with legal or regulatory duties.
Vital Interests (Article 6(1)(d)) – processing is required to protect someone’s life or physical safety.
Public Task (Article 6(1)(e)) – processing is necessary to perform a task in the public interest or under official authority (rarely applicable to Alva Intelligence).
Legitimate Interests (Article 6(1)(f)) – processing is necessary for the Company’s or a third party’s legitimate interests, provided those interests are not overridden by the rights of the individual.
Each business unit is responsible for identifying and documenting the applicable lawful basis before any new processing activity begins.
We rely on consent when processing is not otherwise required for contractual or legal reasons such as when individuals:
Subscribe to marketing communications or newsletters.
Participate voluntarily in research, beta testing, or feedback surveys.
Permit cookies or analytics tools that are not strictly necessary for site functionality.
Consent is obtained through affirmative action (for example, ticking a box or clicking “Accept”), recorded in our consent-management system, and can be withdrawn at any time using the same ease as granted.
Processing is considered contractually necessary when required to:
Create, manage, and maintain customer accounts.
Provide and support the software or platform services purchased.
Process payments, subscriptions, and renewals.
Respond to customer support inquiries or troubleshoot issues.
Execute pre-contractual steps, such as responding to business proposals or drafting agreements.
Without this processing, we could not deliver or administer the services requested by the customer.
We process certain categories of personal data to comply with legal and regulatory requirements, including:
Tax and accounting obligations.
Record-keeping mandates under corporate or employment law.
Compliance with anti-money-laundering, sanctions, or export-control regulations.
Responding to lawful subpoenas, court orders, or regulatory requests.
Data processed under this basis is retained for as long as the law requires and cannot be deleted prematurely.
We rely on legitimate interests for operational activities that support our business and enhance user experience while respecting individual rights.
Examples include:
Securing our network and information systems.
Preventing fraud, misuse, and unauthorized access.
Conducting internal analytics to improve service performance.
Managing business relationships and communications with corporate clients.
Enforcing contractual rights and defending legal claims.
Before relying on legitimate interests, we conduct a Legitimate Interests Assessment (LIA) to confirm that our interests are balanced against the data subject’s rights and expectations.
Although rare, we may process limited personal data to protect vital interests, such as sharing emergency contact information to prevent serious harm to an individual’s life or safety.
In limited cases, Alva Intelligence may process special categories of data (such as health information, biometrics, or racial or ethnic origin) only where one of the additional bases under Article 9(2) of the GDPR applies, including:
Explicit consent of the data subject.
Necessity for employment, social-security, or social-protection law.
Protection of vital interests where the data subject is incapable of giving consent.
Establishment, exercise, or defense of legal claims.
Substantial public interest authorized by law.
Where special category data is processed, enhanced safeguards are applied, including restricted access, encryption, and mandatory DPO review.
Marketing communications are conducted only under a lawful basis consistent with applicable laws such as GDPR Article 6(1)(a) or (f) and the CAN-SPAM Act.
Recipients are given a clear opportunity to opt-out at any time through unsubscribe links or by contacting us directly.
We maintain suppression lists to ensure that opt-out preferences are respected and audited periodically.
Any processing that involves automation or algorithmic profiling such as behavioral analytics, recommendation engines, or fraud detection is undertaken only where a lawful basis exists and with appropriate safeguards. Individuals may request information about the logic involved and may object to processing that has legal or similarly significant effects.
For data processed under U.S. state privacy laws (e.g., CPRA, VCDPA, CPA, CTDPA, UCPA), we rely on comparable bases, including:
Performance of Services: equivalent to contractual necessity.
Compliance with Law: fulfilling legal obligations.
Security and Fraud Prevention: comparable to legitimate interest.
User Consent: for sales, targeted advertising, or sensitive data use.
We harmonize these bases globally so that privacy practices remain consistent across jurisdictions.
Every processing activity is catalogued in our Record of Processing Activities (RoPA) and linked to its corresponding lawful basis.
This record includes:
Purpose of processing.
Data categories and data-subject groups.
Lawful basis and justification.
Retention period and transfer mechanism.
Security controls and responsible business unit.
The RoPA is reviewed at least annually and during internal or external compliance audits to ensure accuracy and completeness.
If we rely on a different lawful basis for processing than initially communicated, we will:
Notify affected individuals in advance.
Update relevant consent or contract documentation.
Ensure that the new basis is fully compliant before continuing processing.
No personal data is used for materially new purposes without meeting these requirements.
Information about the applicable legal basis is made available:
In this Privacy Policy.
Within product interfaces or consent dialogs at the point of data collection.
Upon request through our Data Protection Officer.
This transparency ensures that individuals understand why their data is being processed and how their rights apply.
Alva Intelligence’s approach to lawful processing is rooted in accountability and respect for privacy rights. By documenting, reviewing, and continuously improving our legal bases for data processing, we maintain compliance with global privacy regulations and uphold the trust placed in us by our clients and users.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) implements and maintains a comprehensive information-security program designed to protect personal information and all other data entrusted to us. This program combines organizational, technical, and physical controls to ensure the confidentiality, integrity, and availability of data, to prevent unauthorized access or loss, and to support compliance with applicable privacy and security laws.
Our security framework aligns with the principles of defense in depth, risk-based management, and continuous improvement.
Responsibility for security rests with the Chief Information Security Officer (CISO), who oversees strategy, implementation, and periodic review. The Privacy and Security Committee composed of representatives from Legal, Engineering, Operations, and Compliance meets quarterly to evaluate risk assessments, incidents, and policy updates. All employees, contractors, and third parties with system access are bound by confidentiality and acceptable-use agreements and must complete annual security training.
Policies supporting this framework include, among others:
Information-Security Policy
Data-Classification and Handling Policy
Access-Control Policy
Incident-Response and Breach-Notification Policy
Business-Continuity and Disaster-Recovery Policy
We maintain a formal Risk-Assessment Program that identifies, analyzes, and mitigates threats to data throughout its lifecycle.
Key components include:
Annual enterprise-wide risk assessments reviewed by executive management.
Technical vulnerability scans and penetration tests performed by independent assessors.
Threat modeling during system design and major product changes.
Remediation plans tracked to completion with documented evidence.
Findings are prioritized according to severity and likelihood, ensuring prompt remediation of high-risk issues.
We employ layered technical controls consistent with industry standards:
Encryption:
Data in transit secured with TLS 1.2+ protocols.
Data at rest encrypted using AES-256 or stronger algorithms.
Encryption keys managed through segregated key-management systems.
Access Control and Authentication:
Role-based access with least-privilege enforcement.
Multi-factor authentication for administrative and remote access.
Regular review and revocation of dormant or unnecessary accounts.
Network and Infrastructure Security:
Segmentation between production, staging, and corporate networks.
Firewalls, intrusion-detection, and intrusion-prevention systems monitored 24/7.
Endpoint-protection software and automatic patch management.
System Logging and Monitoring:
Centralized logging with retention and integrity controls.
Automated alerts for anomalous or suspicious activity.
Correlation and analysis through our Security Information and Event Management (SIEM) platform.
Our data-handling practices extend beyond technology to include physical and administrative measures:
Access to offices, server rooms, and data-center facilities is restricted through key-card or biometric systems.
Visitors are escorted and logged at all times.
Workstations automatically lock after inactivity; removable media use is limited.
Secure disposal of hardware and documents is performed through certified destruction vendors.
Confidential discussions occur only in secure environments.
All staff are required to report any observed or suspected security weaknesses immediately to the Security Team.
Software developed or maintained by Alva Intelligence follows secure-coding standards based on OWASP Top 10 guidance.
Every code release passes through:
Static and dynamic security testing.
Peer review by senior engineers.
Change-management approval with rollback capability.
Deployment only after successful verification in controlled environments.
Third-party libraries and dependencies are monitored for vulnerabilities through automated tools and updated promptly when patches are available.
Our Incident-Response Plan, detailed in Exhibit D, ensures that all suspected security incidents are:
Detected and triaged by our monitoring systems.
Investigated by a designated response team.
Contained to prevent further exposure.
Remediated with documented corrective actions.
If a breach of personal information occurs, we will:
Notify affected clients and, where required, supervisory authorities without undue delay and within applicable legal timeframes (for example, 72 hours under GDPR).
Provide details of the nature of the breach, likely consequences, and measures taken or proposed to address it.
Cooperate fully with regulatory investigations and client-requested audits.
Alva Intelligence maintains comprehensive business-continuity and disaster-recovery plans to ensure minimal disruption in the event of natural disasters, power outages, cyberattacks, or other emergencies.
Key components include:
Redundant data centers in geographically diverse regions.
Daily backups with encrypted replication and periodic restoration testing.
Defined recovery-time and recovery-point objectives (RTO/RPO).
Crisis-communication procedures for clients and regulators.
Plans are tested at least annually, and lessons learned are incorporated into future updates.
Before engaging any vendor or sub-processor, we perform due-diligence reviews covering security posture, certifications, and data-handling practices.
All vendors must:
Execute a written agreement including security and confidentiality clauses.
Maintain recognized certifications such as SOC 2 Type 2 or ISO 27001, where appropriate.
Undergo periodic reassessment and remediation of any deficiencies identified.
We maintain a current list of approved sub-processors in Exhibit A.
Security awareness is integral to our culture.
All personnel receive:
Onboarding training on privacy, data protection, and incident reporting.
Annual refresher courses with updated threat scenarios.
Targeted workshops for developers, system administrators, and customer-support teams.
Completion of training is tracked and required for continued system access.
We continually enhance our security controls through internal audits, third-party assessments, and alignment with emerging standards. Our security program is audited annually under the SOC 2 Type 2 framework, with results made available to clients under nondisclosure. Where feasible, we pursue supplementary certifications and attestations to validate our commitment to information security.
Protecting the information entrusted to us is central to our mission. By maintaining layered defenses, rigorous governance, and a culture of accountability, Alva Intelligence ensures that privacy and security remain embedded in every stage of our operations, technology, and decision-making processes.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) engages selected third-party organizations to provide specialized services and technical support that enable the operation, maintenance, and improvement of our products and infrastructure. These entities, known as service providers or sub-processors, may have limited access to personal information as required to perform contracted functions. We hold each provider to the same standards of confidentiality, integrity, and security that govern our own operations.
For purposes of this section:
Service Provider means any third party engaged by Alva Intelligence to process personal data on its behalf under a written contract.
Sub-Processor means any service provider engaged by Alva Intelligence that processes data originating from, or controlled by, a client of Alva Intelligence.
Vendor refers broadly to any third party providing goods or services that may or may not involve data processing.
We maintain a formal Third-Party Risk-Management Program (TPRM) that governs the entire vendor lifecycle from selection and contracting through ongoing monitoring and termination.
The framework includes:
Due Diligence and Risk Assessment
Evaluation of financial stability, reputation, data-handling practices, and compliance certifications (for example, SOC 2 Type 2, ISO 27001, or PCI DSS).
Review of information-security questionnaires and evidence of internal controls.
Approval by the Privacy, Legal, and Security teams before onboarding.
Contractual Safeguards
Execution of a Data Processing Agreement (DPA) containing Article 28-compliant clauses.
Clear definition of processing purpose, categories of data, and duration of processing.
Confidentiality obligations, data-return and deletion requirements, and audit rights.
Ongoing Monitoring
Periodic reassessments based on risk tier (annually for high-risk providers).
Review of penetration-test summaries, audit reports, or certification renewals.
Continuous monitoring for cybersecurity incidents or material changes.
Termination and Off-Boarding
Secure return or deletion of all client data.
Confirmation of data-destruction certificates.
Revocation of system credentials and physical access.
Our service providers generally fall into the following categories:
| Category | Purpose of Processing | Examples of Typical Providers |
|---|---|---|
| Cloud Infrastructure and Hosting | Data storage, compute, and redundancy services | AWS, Google Cloud, Microsoft Azure |
| Payment and Billing Services | Payment authorization and invoicing | Stripe, QuickBooks, banking partners |
| Customer Relationship Management (CRM) | Client communications and support tracking | HubSpot, Zendesk |
| Analytics and Performance Monitoring | System analytics, reliability measurement | Datadog, New Relic |
| Security and Compliance Tools | Threat detection, vulnerability scanning | CrowdStrike, Vanta |
| Professional Advisors (to Alva) | Internal legal, accounting, or insurance support | Law firms, CPA firms, insurers |
| Communications and Collaboration | Email, messaging, and file transfer | Microsoft 365, Slack, DocuSign |
A current list of sub-processors, including company name, processing purpose, and geographic region, is maintained in Exhibit A and updated as necessary.
When Alva Intelligence acts as a processor on behalf of its clients, it will not engage any sub-processor without prior written authorization or general authorization subject to notification obligations as outlined in the client’s DPA. Clients are notified of proposed changes to the sub-processor list at least thirty (30) days in advance. If a client objects on reasonable privacy or security grounds, we work in good faith to identify an alternative provider or processing method.
Every service provider and sub-processor must:
Implement technical and organizational measures consistent with Article 32 GDPR.
Limit data access to personnel with a legitimate operational need.
Maintain up-to-date security certifications and provide evidence upon request.
Notify Alva Intelligence without undue delay of any security incident or breach.
Cooperate fully with investigations and remedial actions.
Our contracts expressly prohibit re-disclosure or secondary use of personal data for marketing, analytics, or any purpose not authorized in writing.
If a service provider processes data outside the European Economic Area (EEA), United Kingdom, or Switzerland, it must implement one of the approved international-transfer mechanisms described in Section 7 (International Data Transfers). These include Standard Contractual Clauses, UK and Swiss addenda, and supplemental safeguards such as encryption and access control. Sub-processors are prohibited from engaging additional downstream processors without prior approval and equivalent contractual protections.
Alva Intelligence reserves the right to audit or request third-party audit reports from service providers to verify compliance with contractual obligations.
For high-risk providers, we may:
Conduct remote or on-site audits;
Review SOC 2 Type 2 or ISO 27001 certification reports; and
Require remediation of any material deficiencies within defined timeframes.
Results of these audits are documented and reviewed by the Privacy and Security Committees.
In the event of a suspected or confirmed data incident involving a service provider or sub-processor:
The provider must notify Alva Intelligence immediately upon discovery.
The provider must cooperate fully in investigating the cause and scope of the incident.
Corrective actions must be taken promptly, with progress updates shared until closure.
Clients and authorities are notified in accordance with our Incident-Response Plan (see Exhibit D).
Failure to comply may result in suspension or termination of the provider’s contract.
Upon termination or expiration of the service agreement, each provider must securely return or destroy personal data within the timeframe specified in the contract or client DPA. Destruction must conform to NIST SP 800-88 Rev. 1 or equivalent standards, and a written certificate of deletion must be furnished to Alva Intelligence. Where return or deletion is technically infeasible, the provider must continue to protect the data under this Policy’s standards until permanent deletion occurs.
We maintain detailed records of all third-party engagements, including:
Provider name and contact details;
Nature and purpose of processing;
Categories of data subjects and data;
Transfer mechanisms and locations;
Date of onboarding and last review.
This registry supports compliance with GDPR Article 30 and is available to supervisory authorities upon request. A summary of authorized providers may be published on our website or provided to clients upon written request.
The Third-Party Risk-Management Program is reviewed annually to reflect changes in regulatory expectations, technology, and business operations. Updates may include new risk-scoring methodologies, enhanced monitoring tools, or revised audit frequencies. Lessons learned from incidents, assessments, or regulatory guidance are incorporated into subsequent program iterations.
Alva Intelligence recognizes that third-party relationships are essential to modern business yet pose inherent risks. Through rigorous vetting, clear contractual controls, and ongoing oversight, we ensure that every service provider and sub-processor upholds our high standards of privacy, security, and ethical responsibility.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) uses cookies and similar tracking technologies to enhance user experience, analyze website performance, deliver personalized content, and support security and compliance operations. This section describes what these technologies are, how and why we use them, the categories deployed on our websites and platforms, and how individuals can manage or withdraw consent for their use.
We maintain transparency and control by allowing users to review cookie settings through our online cookie banner and preference-management center.
Cookies are small text files stored on a user’s browser or device that enable recognition and functionality during subsequent visits.
Session Cookies are temporary and expire once the browser is closed.
Persistent Cookies remain on the device until manually deleted or until they reach their set expiration date.
First-Party Cookies are placed directly by Alva Intelligence.
Third-Party Cookies originate from external domains that provide analytics, advertising, or embedded functionality.
Similar Technologies include web beacons, pixels, tags, SDKs, local storage, and server logs used to track activity, measure effectiveness, or detect anomalies.
All cookies and related tools are governed by the same principles of lawfulness, fairness, and transparency that apply to personal data.
The deployment of cookies is governed by two legal frameworks:
Strictly Necessary Cookies – used based on legitimate interest or contractual necessity, requiring no consent.
Non-Essential Cookies (analytics, personalization, advertising) – deployed only after obtaining explicit, informed consent under GDPR Article 6(1)(a) and the ePrivacy Directive (Directive 2002/58/EC).
Users are informed of cookie categories and purposes via our cookie banner, and no non-essential cookies are set before consent is provided. Consent can be withdrawn at any time by adjusting preferences within the cookie settings interface.
We classify our cookies as follows:
These cookies are essential for basic website functionality, such as logging in, maintaining session state, and processing secure transactions. They enable core features like load balancing, authentication, and access to restricted areas.
Examples:
Authentication tokens
Security verification identifiers
Session management cookies
Without these, the website or platform may not function properly.
These cookies remember user preferences and selections, enhancing usability and customization. They may store language settings, display preferences, or saved form entries. Their absence may result in a less personalized experience but will not affect essential functionality.
Examples:
Language or region selection
Saved login options
Interface customization preferences
Used to collect aggregate information about user interactions, these cookies help us understand how visitors engage with our content and identify areas for improvement. They do not directly identify individuals but may rely on pseudonymous identifiers such as IP addresses or session IDs.
Examples:
Google Analytics or equivalent tools (configured with IP anonymization)
Performance metrics for page load times and error rates
Heatmaps or click-path analysis tools
Analytics cookies are deployed only after user consent, and collected data is anonymized whenever feasible.
These cookies track browsing activity across websites to build user profiles and deliver relevant advertising. Alva Intelligence currently does not engage in behavioral advertising but may use limited targeting to measure campaign reach and effectiveness. Where third-party advertising cookies are employed, users will be explicitly notified, and consent will be sought prior to activation.
Examples:
Conversion-tracking pixels from advertising partners
Campaign attribution and frequency-capping cookies
Used to safeguard the integrity of our systems, these cookies detect unusual login activity, prevent fraudulent use, and protect against abuse. They may monitor repeated failed logins, detect anomalies, or flag automated traffic.
Examples:
Anti-bot verification cookies
Device-fingerprint cookies for suspicious activity monitoring
Processing based on legitimate interest under GDPR Article 6(1)(f).
Cookies are retained for varying durations depending on their function:
| Type of Cookie | Duration |
|---|---|
| Session Cookies | Deleted when the browser is closed |
| Persistent Cookies | Typically 6 months to 2 years |
| Third-Party Cookies | Controlled by respective third-party policies |
Users can review expiration periods in the browser’s privacy settings or through our cookie preference center.
Some cookies are operated by external partners providing analytics or integrated functionality.
All third parties are vetted for compliance with privacy and security requirements and are listed in Exhibit G (Cookie and Tracker Registry), which includes:
Name and domain of the third party
Purpose and description of the cookie
Retention period and data collected
Applicable legal basis
Where third-party cookies may result in international data transfers, appropriate transfer mechanisms (SCCs or DPF certification) are applied as detailed in Section 7.
Users can manage or revoke cookie consent in several ways:
Cookie Banner: Displayed upon first visit and accessible through a persistent footer link.
Browser Settings: Most browsers allow users to block, delete, or limit cookies through their privacy settings.
Opt-Out Tools:
Google Analtics: tools.google.com/dlpage/gaoptout
Network Advertising Initiative (NAI): optout.networkadvertising.org
Digital Advertising Alliance (DAA): optout.aboutads.info
Opting out of cookies may limit certain site functions or personalization features but will not prevent access to core services.
Our systems recognize and respect browser-based privacy signals such as Global Privacy Control (GPC) where legally required, including under the CPRA. We do not respond to legacy Do Not Track (DNT) signals due to the lack of an industry-standard definition but continue to monitor regulatory developments to ensure alignment with evolving guidance.
All cookie consents are recorded within our Consent-Management Platform (CMP). The CMP logs the date, time, and nature of each consent action and provides proof of compliance to supervisory authorities upon request. Withdrawal of consent triggers automated deactivation of non-essential cookies and erasure of corresponding identifiers.
Cookies are configured to minimize personal data collection.
Identifiers are pseudonymized, encrypted where feasible, and not used to infer sensitive attributes. Third parties are contractually restricted from combining cookie data with unrelated datasets for independent profiling. Security controls prevent unauthorized access to cookie data through cross-site scripting (XSS) or injection attacks.
This section may be updated periodically to reflect new cookies, technology changes, or evolving legal requirements. The date of the most recent update is displayed in the “Last Updated” field at the top of this Privacy Policy. Material changes will be communicated through website notifications or email alerts where applicable.
Alva Intelligence believes in privacy by design and informed user choice.
Our approach to cookies and tracking technologies emphasizes transparency, minimal data use, and user empowerment, ensuring compliance with applicable law while maintaining a secure, functional, and optimized experience for every user.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) is firmly committed to protecting the privacy and security of children’s personal information. Our services, platforms, and websites are designed and intended for use by business professionals, corporate clients, and individuals over the age of eighteen (18). We do not knowingly collect, process, or store personal information from children under the age of sixteen (16), or under the age of digital consent as defined by applicable law, without verified parental or guardian consent.
Our practices are governed by and consistent with the following regulatory frameworks:
U.S. Children’s Online Privacy Protection Act (COPPA) – prohibiting the collection of personal information from children under 13 without verifiable parental consent.
GDPR Article 8 and UK GDPR Article 8 – establishing 16 as the default minimum age for consent to online services, unless local laws lower the threshold to no less than 13.
State Privacy Laws (e.g., CPRA, VCDPA, CPA) – imposing heightened obligations for the handling of minor data.
Other International Regulations – such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the Australian Privacy Act 1988, which include parallel requirements for minors.
Where Alva Intelligence operates or provides services in jurisdictions with differing age thresholds, we apply the most protective standard available.
Our products and services are marketed exclusively to adults and professional entities.
We do not knowingly:
Solicit or collect information from children.
Create user accounts or service subscriptions intended for minors.
Direct marketing, advertisements, or content toward individuals under the age of 18.
If it is discovered that a child has provided personal data without appropriate consent, we will take prompt steps to delete that data from our systems.
In the rare event that a minor’s personal information must be collected for legitimate reasons (for example, participation in an educational pilot project or research initiative), the following safeguards apply:
Verified Parental Consent: We obtain explicit, verifiable consent using reasonable methods (such as signed consent forms, payment-card verification, or secure digital identity checks).
Purpose Limitation: The information is used solely for the specific, approved activity and not for marketing or profiling.
Right to Review and Delete: Parents or guardians may review, correct, or request deletion of their child’s information at any time by contacting privacy@joinalva.ai.
Data Minimization: Only the minimal necessary information is collected, retained for the shortest feasible duration, and subject to heightened security controls.
We will not condition a child’s participation in an activity on the disclosure of more personal data than is reasonably necessary.
To prevent inadvertent collection, we employ age-verification measures at key data-collection points.
These may include:
Affirmative confirmation of age before registration or form submission.
Age-gating tools in online portals.
Internal audits to detect any data linked to individuals below the age of consent.
If age verification later reveals that personal data has been obtained from a minor without proper consent, the data is deleted immediately, and the user’s account (if any) is disabled.
Any personal data legitimately collected from minors under verified parental consent is subject to enhanced protection, including:
Encryption at rest and in transit.
Restricted access to designated staff trained in handling minor data.
Separate storage from standard customer records.
Automatic deletion upon expiration of the stated purpose or withdrawal of consent.
Retention periods for such data are documented in our Data Retention Matrix (Exhibit E) and comply with applicable legal obligations.
Parents or legal guardians have full rights regarding their child’s data, including:
The right to know what information has been collected.
The right to request access and obtain copies.
The right to request correction or deletion.
The right to withdraw consent at any time.
Requests must be submitted in writing to our Data Protection Officer at privacy@joinalva.ai
Verification of the parent’s identity will be required before processing the request.
Alva Intelligence does not share, disclose, or sell any minor’s personal information to third parties.
Where external service providers are engaged for educational or research purposes involving minors, those providers are bound by written agreements containing:
Confidentiality obligations and security standards equivalent to our own.
Explicit restrictions on data use and onward transfer.
Requirements for immediate notification in the event of unauthorized access or misuse.
All third-party participation is approved and monitored by our Privacy and Security Committees.
Given our international reach, we evaluate each jurisdiction’s minor-protection laws to ensure compliance.
For instance:
European Union: parental consent is required for users under 16, unless local law lowers the age (e.g., 13 in the Netherlands, 14 in Italy).
United Kingdom: parental consent required under 13.
United States: COPPA compliance under 13.
Canada: meaningful consent required, generally not recognized for minors under 13.
In all cases, Alva Intelligence defaults to the strictest applicable rule.
Our personnel receive periodic training on children’s privacy obligations and how to identify and handle potential underage data incidents. We also maintain documentation of all consent and parental communication activities for auditing purposes. This reinforces our culture of compliance and ethical data stewardship.
Alva Intelligence does not knowingly engage with minors, but we take our obligations seriously wherever children’s data could be involved. Through preventive design, verified parental consent, and strong technical and organizational safeguards, we ensure that the privacy of minors and their families is protected with the utmost care, in accordance with global best practices.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) maintains a structured, documented, and tested Incident Response and Data Breach Management Program designed to ensure the rapid identification, containment, investigation, and remediation of any event that compromises or threatens the confidentiality, integrity, or availability of personal information or Company systems.
This section outlines the principles, roles, and procedures governing the management of information security incidents, including those constituting data breaches as defined under applicable laws.
A data breach is any confirmed or reasonably suspected incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal information transmitted, stored, or otherwise processed.
Such incidents may arise from causes including but not limited to:
Cyberattacks (malware, ransomware, phishing, or intrusion).
Misconfiguration or system failure.
Employee error or policy violation.
Physical theft, loss, or compromise of devices or media.
Unauthorized third-party access or disclosure.
The scope of a breach encompasses both electronic and physical information assets, regardless of format or location.
Incident management is coordinated under the authority of the Chief Information Security Officer (CISO), who chairs the Incident Response Team (IRT). The IRT includes representatives from Security, Legal, IT Operations, Compliance, and Communications.
Their responsibilities include:
Coordinating incident detection, classification, and response actions.
Ensuring compliance with regulatory and contractual notification requirements.
Documenting events, findings, and remedial measures.
Liaising with affected clients, data subjects, and regulators.
Reviewing lessons learned and updating policies post-incident.
All employees, contractors, and vendors are required to report actual or suspected incidents immediately to the IRT via designated channels.
The incident management process follows five structured phases consistent with global security standards:
Continuous monitoring systems (SIEM, IDS/IPS, and endpoint detection tools) flag anomalies or potential compromises.
Employees are trained to recognize and report suspicious activities.
Reported incidents are logged in the centralized Incident Management Platform for triage.
Short-term containment isolates affected systems to prevent further propagation.
Long-term containment strategies may involve network segmentation, access revocation, or suspension of certain functions.
Evidence is preserved for forensic analysis.
Malicious components or unauthorized accounts are removed.
Systems are restored from clean, verified backups.
Business continuity and disaster-recovery procedures are activated as necessary.
Notifications are prepared in accordance with Section 15.6 below.
Clients, regulators, and affected data subjects are informed transparently and in a timely manner.
Media inquiries are handled exclusively by the Communications Team under Legal supervision.
A root-cause analysis identifies the origin, impact, and systemic weaknesses.
Corrective and preventive measures are documented.
Policies, procedures, and security controls are updated to prevent recurrence.
Incidents are categorized according to severity and impact:
| Category | Description | Examples |
|---|---|---|
| Low Severity | No compromise of personal data or critical systems. | Minor policy violations, contained malware. |
| Medium Severity | Limited exposure of non-sensitive data; controlled containment. | Accidental disclosure to limited recipients. |
| High Severity | Confirmed unauthorized access or loss of personal data. | Breach involving client or employee data. |
| Critical Severity | Large-scale compromise with regulatory impact or public disclosure. | Ransomware, system-wide intrusion, or nation-state attack. |
Severity levels determine escalation paths, resource allocation, and notification obligations.
If a personal data breach is likely to result in a risk to individuals’ rights and freedoms, Alva Intelligence will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required under Article 33 of the GDPR.
The notification will include:
Nature and categories of the personal data affected.
Approximate number of data subjects and records involved.
Likely consequences of the breach.
Measures taken or proposed to mitigate harm.
Contact details of the Data Protection Officer (DPO).
If notification cannot be made within 72 hours, reasons for the delay will be documented and provided to the authority.
When the breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected data subjects without undue delay.
Such notification will:
Describe the nature of the breach in clear, plain language.
Outline potential consequences and recommended protective steps.
Describe corrective measures implemented.
Provide contact details for obtaining additional information.
Notification may be withheld where data has been rendered unintelligible (e.g., encrypted), where remedial measures have mitigated the risk, or where regulatory guidance allows.
Clients acting as controllers are notified promptly of any breach affecting their data or the data of their users. Notification includes sufficient detail for the client to meet its own legal obligations to regulators or data subjects. Communication channels and formats are defined in the applicable Data Processing Agreement (DPA).
For U.S. operations, Alva Intelligence complies with state-specific data-breach laws (e.g., California, New York, Texas) and sectoral requirements (e.g., GLBA, HIPAA if applicable). Notifications to individuals or regulators are made in accordance with the strictest applicable jurisdictional standard.
Where an incident involves third-party service providers or sub-processors:
The provider must immediately inform Alva Intelligence of the breach.
Alva Intelligence coordinates investigation and remediation efforts.
The provider must supply logs, evidence, and technical details to support forensic analysis.
Notification obligations flow through to affected clients per the contractual terms of the DPA.
Vendors that fail to comply with reporting timelines or mitigation requirements may face contractual penalties or termination.
All high- or critical-severity incidents trigger a forensic investigation to determine scope, cause, and impact. The investigation may be conducted by internal security teams or independent experts under legal oversight to preserve privilege. Evidence such as log files, system snapshots, and communications is preserved in accordance with the Chain of Custody Procedure outlined in Exhibit D. Findings are compiled into a confidential report reviewed by executive management and Legal.
For every incident or breach, we maintain a complete record containing:
Date and time of detection and reporting.
Description and classification of the incident.
Containment and remediation measures taken.
Notifications sent and recipients.
Root-cause analysis and lessons learned.
These records are retained for at least seven (7) years as part of our compliance documentation and may be reviewed by supervisory authorities upon request.
We conduct periodic testing of our Incident-Response Plan through simulations, tabletop exercises, and penetration tests. Each exercise evaluates readiness, response times, communication efficiency, and technical resilience. Lessons learned feed directly into updated procedures, employee training, and technology enhancements.
The plan is reviewed annually by the Privacy and Security Committees or upon major operational changes.
All external communications regarding a breach especially with media, investors, or the public are managed solely by designated representatives under Legal and Compliance oversight. This ensures accuracy, consistency, and regulatory alignment. Unauthorized disclosure by employees is strictly prohibited and may result in disciplinary action.
Alva Intelligence approaches incident management with transparency, urgency, and accountability. By combining rapid response protocols, robust security governance, and clear communication, we ensure that every event is managed effectively, regulatory obligations are fulfilled, and trust in our systems and services is preserved.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) is committed to embedding privacy-by-design and privacy-by-default principles throughout all operations. To achieve this, we conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals. DPIAs enable us to identify, assess, and mitigate data-protection risks before implementing new technologies, products, or business processes.
This section describes our DPIA methodology, roles and responsibilities, triggers, and procedures for consultation with supervisory authorities where residual risk remains.
The obligation to conduct DPIAs arises under:
Article 35 of the GDPR and Article 35 of the UK GDPR, requiring controllers to evaluate high-risk processing operations.
Recitals 84–95 of the GDPR, providing interpretive guidance on the scope and content of assessments.
Article 36 of the GDPR and UK GDPR, requiring Prior Consultation with a competent supervisory authority if mitigation measures cannot adequately reduce residual risks.
Comparable global standards, including ISO 27701 §7.4 and the NIST Privacy Framework’s “Assess – Manage – Monitor” cycle.
Even where not legally mandated, Alva Intelligence applies the DPIA framework voluntarily to demonstrate accountability and promote ethical data stewardship.
Our DPIA program is designed to:
Identify and evaluate potential risks to privacy and information security arising from new or modified processing activities.
Ensure compliance with data-protection principles such as fairness, lawfulness, transparency, data minimization, and purpose limitation.
Integrate privacy controls into system architecture early in the development lifecycle (“privacy by design”).
Support decision-making by senior management regarding project approval and resource allocation.
Provide documentation demonstrating accountability to regulators, clients, and auditors.
A DPIA is required or recommended when processing involves one or more of the following risk indicators:
Systematic and extensive evaluation or profiling of individuals, including automated decision-making.
Processing of special-category data (e.g., health, biometric, genetic, or racial/ethnic data) on a large scale.
Monitoring of publicly accessible areas or networks on a systematic basis.
Cross-border transfers to jurisdictions lacking adequate protection.
Deployment of new technologies, AI, or machine-learning algorithms involving personal data.
Large-scale data matching, combination, or analytics.
Use of data that may significantly affect individuals’ rights or freedoms.
Any activity listed in a supervisory authority’s published High-Risk Processing Register (for example, the EU EDPB or UK ICO lists).
Where uncertainty exists, the Privacy Office conducts a preliminary risk screening to determine whether a full DPIA is necessary.
Project Owner or Business Sponsor: initiates the DPIA during project planning and ensures timely completion.
Data Protection Officer (DPO): provides independent oversight, advises on methodology, and validates adequacy of risk mitigation.
Information Security Team: assesses technical safeguards and alignment with security standards.
Legal and Compliance: ensures conformity with regulatory and contractual obligations.
Senior Management or Privacy Committee: reviews findings and authorizes high-risk processing only after residual risks are mitigated or accepted with documented justification.
No high-risk processing may commence without written approval from the DPO or Privacy Committee.
Alva Intelligence follows a structured five-phase DPIA process consistent with international best practices:
Define the purpose, lawful basis, and scope of the processing.
Identify data categories, data subjects, and systems involved.
Document the context and objectives of the project.
Trace data from collection through storage, use, sharing, and disposal.
Identify data transfers, recipients, and cross-border flows.
Determine whether pseudonymization or anonymization is applied.
Evaluate likelihood and severity of potential impacts on individuals (confidentiality, identity theft, discrimination, loss of control).
Rate inherent risk using a standardized matrix (Low, Medium, High, Critical).
Identify applicable legal, technical, and organizational safeguards.
Define corrective and preventive measures to reduce identified risks.
Align with ISO 27001 controls and security baselines.
Implement privacy-enhancing technologies (e.g., data minimization, encryption, differential privacy).
Validate effectiveness through testing or simulation.
Record findings, decisions, and residual risk levels in the DPIA register.
Obtain sign-off from the DPO and business sponsor.
Schedule periodic re-evaluation (typically annually or upon significant change).
If a DPIA reveals that residual risk remains high and cannot be adequately mitigated, Alva Intelligence will engage in Prior Consultation with the appropriate supervisory authority before proceeding with processing.
The submission includes:
Description of the processing operations and purposes.
Assessment of risks and existing safeguards.
Explanation of reasons residual risk cannot be mitigated.
Contact details of the DPO and decision-makers.
We cooperate fully with the authority’s recommendations and may delay or modify implementation until receiving guidance.
All DPIAs and related documentation are stored in the secure Privacy Risk Management System and retained for a minimum of seven (7) years or for the life of the associated processing activity, whichever is longer.
Records include:
Project details and scope statement.
Risk analysis worksheets and mitigation plans.
Evidence of DPO involvement and approvals.
Re-evaluation outcomes and closure notes.
These records support accountability obligations under GDPR Article 5(2) and may be shared with clients or regulators under confidentiality agreements.
DPIAs are integrated into broader enterprise-risk and compliance functions:
Change-Management Procedures: any technology or product change triggers privacy review.
Procurement and Vendor Onboarding: third-party tools undergo DPIA screening when personal data is processed.
Security Assessments: results feed into the overall risk register and inform technical-control updates.
Training and Awareness: employees involved in system design receive DPIA training tailored to their roles.
This integration ensures privacy is evaluated alongside operational, security, and legal considerations from inception through decommissioning.
Our DPIA methodology evolves alongside regulatory developments and industry guidance. We benchmark against the European Data Protection Board (EDPB) Guidelines 4/2019, the UK ICO DPIA Template, and leading frameworks to ensure consistency and rigor. Lessons learned from audits, incidents, or regulatory feedback are incorporated into subsequent assessments, reinforcing a culture of continuous privacy improvement.
Conducting Data Protection Impact Assessments demonstrates Alva Intelligence’s proactive and accountable approach to privacy governance. By identifying risks before they materialize, applying strong mitigations, and engaging transparently with supervisory authorities when required, we ensure that all data-processing operations respect individual rights, meet legal standards, and uphold our clients’ and stakeholders’ trust.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) values the privacy, dignity, and security of all individuals who work for or with the Company. This section sets out how we collect, use, disclose, and safeguard personal information relating to employees, job applicants, interns, independent contractors, consultants, directors, and other personnel (“Personnel”).
Processing of Personnel data is performed only for legitimate business, employment, and legal purposes and in accordance with applicable labor, employment, and data-protection laws.
Depending on the relationship, role, and jurisdiction, the following categories of personal data may be collected:
Identification Data – name, address, contact details, date of birth, government-issued identifiers (such as Social Security number, national ID, passport).
Employment and Work-Related Data – job title, department, work history, performance records, disciplinary actions, payroll and benefits information.
Financial and Compensation Data – bank-account details, salary, bonus, equity participation, and expense reimbursement information.
Education and Qualifications – academic degrees, certifications, and training records.
Information Technology and System Data – login credentials, device identifiers, IP addresses, access logs, and system-usage data.
Health and Safety Data – occupational-health records, injury reports, ergonomic assessments, vaccination or fitness certifications where required by law.
Background-Check Data – criminal-record results, employment references, and verification reports, subject to applicable legal restrictions.
Immigration and Right-to-Work Data – work-authorization documents, visa information, and residency status.
Monitoring and Security Data – CCTV footage, access-control logs, visitor records, and building-entry credentials.
Emergency-Contact and Dependent Data – names, relationships, and contact details of individuals designated for emergency or benefit purposes.
Sensitive or special-category data are processed only where strictly necessary and subject to enhanced safeguards.
Personnel data are processed for the following legitimate purposes:
Recruitment, selection, and hiring.
Administration of payroll, benefits, and tax obligations.
Performance management, training, and career development.
Health, safety, and workplace-security compliance.
IT and network administration, including access control and monitoring for cybersecurity.
Compliance with legal, regulatory, and corporate-governance requirements.
Internal audits, investigations, and risk management.
Communication and collaboration within the Company.
Administration of travel, expense, and relocation programs.
Termination, severance, and off-boarding processes.
Where local law requires, separate notices may provide further detail on jurisdiction-specific uses.
Processing is grounded in one or more of the following lawful bases:
Contractual Necessity: to perform employment or service agreements.
Legal Obligation: to comply with tax, labor, or regulatory laws.
Legitimate Interests: to manage business operations and maintain security, balanced against individual rights.
Consent: where required for specific optional activities (for example, biometric timekeeping, wellness programs).
Vital Interests: in emergencies involving health or safety.
Personnel data may be disclosed to:
Authorized Company departments such as HR, Finance, IT, and Legal.
Payroll, benefits, and insurance providers.
Government agencies and regulators where legally required.
External auditors, attorneys, and professional advisors under confidentiality agreements.
Technology vendors supplying HR and collaboration platforms.
Affiliates or subsidiaries of Alva Intelligence for internal administrative purposes.
All third-party recipients are bound by written agreements requiring confidentiality, security, and use limitations consistent with this Policy.
Where Personnel data are transferred across borders, Alva Intelligence applies approved safeguards such as the EU Standard Contractual Clauses, UK Addendum, or other recognized mechanisms ensuring equivalent protection. Transfers are limited to jurisdictions necessary for operational or corporate-support purposes, and access is restricted to authorized personnel only.
Personnel records are retained only as long as required to fulfill employment obligations, meet legal and regulatory requirements, or resolve disputes.
Typical retention periods include:
Employment files: up to seven years after termination.
Payroll and tax records: as required by applicable law (generally three to seven years).
Health and safety records: duration of employment plus statutory period.
Upon expiration, data are securely deleted or anonymized in accordance with our Data-Retention Policy (Exhibit E).
Personnel data are protected through multi-layered safeguards described in Section 11 (Information Security and Safeguards), including:
Role-based access control and least-privilege principles.
Encryption of sensitive data at rest and in transit.
Secure file transfer, audit logging, and monitoring.
Mandatory confidentiality undertakings by all employees and contractors.
Personnel who violate data-protection or confidentiality obligations are subject to disciplinary action, up to and including termination.
To ensure operational security and compliance, Alva Intelligence may monitor network traffic, email systems, and device activity within lawful and proportionate limits. Monitoring is conducted for legitimate business reasons such as preventing data leakage, detecting cybersecurity threats, ensuring compliance with Company policy, and protecting intellectual property. Employees are informed of these practices through onboarding materials, internal policies, and acknowledgment forms. No monitoring is performed for personal or intrusive purposes.
Subject to applicable law, Personnel have the right to:
Access and obtain a copy of their personal data.
Request correction of inaccuracies.
Request deletion where legally permissible.
Restrict or object to certain processing activities.
Obtain information about data sharing or transfers.
Lodge complaints with supervisory authorities.
Requests are processed through the HR Privacy Portal or by contacting privacy@joinalva.ai. Responses are provided within statutory deadlines, typically thirty (30) days.
Health-related data are treated as special-category data and are handled only by authorized HR or occupational-health professionals. Such information is collected for legally required purposes fitness-for-duty assessments, workplace-injury reporting, or benefit administration and stored separately with restricted access. Disclosure occurs only with consent or as permitted by law.
All employees receive privacy and data-protection training upon hire and annually thereafter. Specialized training is provided to HR, Legal, and IT personnel with elevated access to Personnel data. Refresher courses reinforce obligations around data minimization, lawful processing, and incident reporting.
Alva Intelligence treats Personnel data with the same care and respect applied to client and customer information. Through transparent communication, robust safeguards, and adherence to global employment-privacy standards, we ensure that every stage of the employment lifecycle from recruitment to off-boarding protects the individual’s privacy, fosters trust, and upholds the Company’s ethical and legal obligations.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) recognizes that effective privacy and security compliance begins with informed people.
The Company maintains a formal, ongoing Training and Awareness Program to ensure that all employees, contractors, and relevant third parties understand their obligations regarding the protection of personal data and the proper use of Company systems.
This section outlines the scope, content, frequency, and governance of the training and monitoring activities that reinforce our culture of privacy, security, and accountability.
The objectives of Alva Intelligence’s Training and Awareness Program are to:
Instill a clear understanding of privacy, confidentiality, and data-protection principles among all personnel.
Ensure compliance with applicable laws and regulatory frameworks, including GDPR, CPRA, and sector-specific mandates.
Reduce operational and human error risks through regular education and awareness initiatives.
Strengthen the Company’s incident-prevention, detection, and reporting capabilities.
Demonstrate accountability to regulators, clients, and partners by documenting compliance with training requirements.
Responsibility for training and compliance monitoring resides with the Chief Compliance Officer (CCO) and the Data Protection Officer (DPO).
These functions coordinate with Human Resources, Legal, and Information Security to design, implement, and track the program.
Key governance principles include:
Mandatory Participation: All employees and contractors with access to Company systems must complete baseline privacy and security training.
Role-Based Curriculum: Tailored content for executives, HR, engineering, marketing, and customer-support teams.
Certification Tracking: Completion records maintained in the Learning Management System (LMS) for audit purposes.
Annual Review: Course materials updated annually to reflect regulatory and policy changes.
Board Oversight: Training statistics and compliance metrics reported quarterly to the Audit and Risk Committee.
Training occurs at multiple levels:
Every new employee and contractor receives initial privacy and data-protection training during onboarding.
This session covers:
Core privacy principles and lawful bases for processing.
Acceptable use of systems and devices.
Incident-reporting procedures and escalation channels.
Confidentiality obligations under employment agreements.
Overview of Alva Intelligence’s Privacy Policy, Code of Conduct, and Security Policies.
Completion is mandatory before system credentials are activated.
All personnel must complete refresher training annually. This training updates participants on changes in laws, internal policies, and emerging threat trends such as phishing, social engineering, and ransomware. Employees must achieve a passing score on assessment quizzes to maintain compliance certification.
Certain teams undergo enhanced training tailored to their responsibilities:
IT and Engineering: Secure development practices, encryption standards, vulnerability management, and incident response.
HR and Payroll: Handling employee data, background checks, and sensitive information protocols.
Marketing and Sales: Lawful basis for direct marketing, consent management, and opt-out compliance.
Customer Success and Operations: Managing client data, access permissions, and communication controls.
Executives and Managers: Governance duties, data-protection accountability, and regulatory reporting.
Third parties with system access are required to acknowledge and comply with Alva Intelligence’s privacy and security requirements.
Where applicable, they must demonstrate equivalent training standards or participate in Company-provided orientation sessions.
Beyond formal training, Alva Intelligence conducts periodic awareness initiatives to maintain vigilance across the organization.
These include:
Monthly privacy or cybersecurity newsletters.
“Data Privacy Week” and “Cybersecurity Awareness Month” campaigns.
Posters, intranet banners, and microlearning modules.
Phishing simulations and interactive quizzes.
Executive messages reinforcing accountability and ethical conduct.
These initiatives encourage continuous engagement and foster a culture of security mindfulness.
Compliance with training requirements is continuously monitored and enforced through automated and manual processes:
Tracking: The Learning Management System records participation, completion status, and test results.
Audits: The Compliance Team performs quarterly audits to verify records.
Non-Compliance Management: Employees who fail to complete required training receive reminders and escalation notices to supervisors. Persistent non-compliance may result in disciplinary action.
Metrics and Reporting: Completion rates, quiz performance, and incident-reporting frequency are tracked as key compliance indicators.
Training completion statistics are included in the Company’s annual SOC 2 Type 2 audit and internal risk reports.
The effectiveness of the Training and Awareness Program is periodically evaluated through:
Post-training assessments to measure knowledge retention.
Employee surveys to gauge clarity and applicability.
Tracking incident trends and correlating them to training topics.
Review of audit findings and regulatory developments to identify content gaps.
Program refinements are implemented following each review cycle.
All training materials, attendance logs, and evaluation results are retained for at least seven (7) years in accordance with the Company’s record-retention policy. Documentation is available for inspection during internal audits, client due-diligence reviews, or regulatory inquiries.
Records include:
Course outlines and version history.
Attendance and completion certificates.
Results of post-training assessments.
Annual review reports and updates.
Alva Intelligence regularly enhances the Training and Awareness Program based on evolving threats, new regulations, and feedback from employees and auditors. Emerging privacy topics such as artificial intelligence governance, data ethics, and algorithmic transparency are integrated into future modules. This adaptive approach ensures relevance and sustained compliance maturity.
Training and awareness are cornerstones of Alva Intelligence’s privacy and security governance. By investing in continuous education, monitoring compliance, and promoting a culture of responsibility, we ensure that every member of our organization understands and upholds the trust placed in us by our clients, partners, and stakeholders.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) recognizes that effective privacy and security compliance begins with informed people. The Company maintains a formal, ongoing Training and Awareness Program to ensure that all employees, contractors, and relevant third parties understand their obligations regarding the protection of personal data and the proper use of Company systems.
This section outlines the scope, content, frequency, and governance of the training and monitoring activities that reinforce our culture of privacy, security, and accountability.
The objectives of Alva Intelligence’s Training and Awareness Program are to:
Instill a clear understanding of privacy, confidentiality, and data-protection principles among all personnel.
Ensure compliance with applicable laws and regulatory frameworks, including GDPR, CPRA, and sector-specific mandates.
Reduce operational and human error risks through regular education and awareness initiatives.
Strengthen the Company’s incident-prevention, detection, and reporting capabilities.
Demonstrate accountability to regulators, clients, and partners by documenting compliance with training requirements.
Responsibility for training and compliance monitoring resides with the Chief Compliance Officer (CCO) and the Data Protection Officer (DPO). These functions coordinate with Human Resources, Legal, and Information Security to design, implement, and track the program.
Key governance principles include:
Mandatory Participation: All employees and contractors with access to Company systems must complete baseline privacy and security training.
Role-Based Curriculum: Tailored content for executives, HR, engineering, marketing, and customer-support teams.
Certification Tracking: Completion records maintained in the Learning Management System (LMS) for audit purposes.
Annual Review: Course materials updated annually to reflect regulatory and policy changes.
Board Oversight: Training statistics and compliance metrics reported quarterly to the Audit and Risk Committee.
Training occurs at multiple levels:
Every new employee and contractor receives initial privacy and data-protection training during onboarding.
This session covers:
Core privacy principles and lawful bases for processing.
Acceptable use of systems and devices.
Incident-reporting procedures and escalation channels.
Confidentiality obligations under employment agreements.
Overview of Alva Intelligence’s Privacy Policy, Code of Conduct, and Security Policies.
Completion is mandatory before system credentials are activated.
All personnel must complete refresher training annually. This training updates participants on changes in laws, internal policies, and emerging threat trends such as phishing, social engineering, and ransomware. Employees must achieve a passing score on assessment quizzes to maintain compliance certification.
Certain teams undergo enhanced training tailored to their responsibilities:
IT and Engineering: Secure development practices, encryption standards, vulnerability management, and incident response.
HR and Payroll: Handling employee data, background checks, and sensitive information protocols.
Marketing and Sales: Lawful basis for direct marketing, consent management, and opt-out compliance.
Customer Success and Operations: Managing client data, access permissions, and communication controls.
Executives and Managers: Governance duties, data-protection accountability, and regulatory reporting.
Third parties with system access are required to acknowledge and comply with Alva Intelligence’s privacy and security requirements. Where applicable, they must demonstrate equivalent training standards or participate in Company-provided orientation sessions.
Beyond formal training, Alva Intelligence conducts periodic awareness initiatives to maintain vigilance across the organization.
These include:
Monthly privacy or cybersecurity newsletters.
“Data Privacy Week” and “Cybersecurity Awareness Month” campaigns.
Posters, intranet banners, and microlearning modules.
Phishing simulations and interactive quizzes.
Executive messages reinforcing accountability and ethical conduct.
These initiatives encourage continuous engagement and foster a culture of security mindfulness.
Compliance with training requirements is continuously monitored and enforced through automated and manual processes:
Tracking: The Learning Management System records participation, completion status, and test results.
Audits: The Compliance Team performs quarterly audits to verify records.
Non-Compliance Management: Employees who fail to complete required training receive reminders and escalation notices to supervisors. Persistent non-compliance may result in disciplinary action.
Metrics and Reporting: Completion rates, quiz performance, and incident-reporting frequency are tracked as key compliance indicators.
Training completion statistics are included in the Company’s annual SOC 2 Type 2 audit and internal risk reports.
The effectiveness of the Training and Awareness Program is periodically evaluated through:
Post-training assessments to measure knowledge retention.
Employee surveys to gauge clarity and applicability.
Tracking incident trends and correlating them to training topics.
Review of audit findings and regulatory developments to identify content gaps.
Program refinements are implemented following each review cycle.
All training materials, attendance logs, and evaluation results are retained for at least seven (7) years in accordance with the Company’s record-retention policy. Documentation is available for inspection during internal audits, client due-diligence reviews, or regulatory inquiries.
Records include:
Course outlines and version history.
Attendance and completion certificates.
Results of post-training assessments.
Annual review reports and updates.
Alva Intelligence regularly enhances the Training and Awareness Program based on evolving threats, new regulations, and feedback from employees and auditors. Emerging privacy topics such as artificial intelligence governance, data ethics, and algorithmic transparency are integrated into future modules. This adaptive approach ensures relevance and sustained compliance maturity.
Training and awareness are cornerstones of Alva Intelligence’s privacy and security governance. By investing in continuous education, monitoring compliance, and promoting a culture of responsibility, we ensure that every member of our organization understands and upholds the trust placed in us by our clients, partners, and stakeholders.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) maintains a governance framework built on accountability, transparency, and continuous compliance.
Accountability requires that every employee, officer, contractor, and business partner not only comply with privacy and security obligations but also demonstrate that compliance through verifiable behavior, documentation, and ethical decision-making.
This section establishes the mechanisms by which Alva Intelligence enforces its privacy and security policies, monitors adherence, and addresses violations in a consistent and equitable manner.
Our accountability framework rests on five core principles:
Responsibility: Each individual with access to personal or confidential data is responsible for protecting it in accordance with Company policy and applicable law.
Transparency: Actions affecting data are documented and traceable; decision-making processes are auditable.
Proportionality: Enforcement measures correspond to the severity and intent of the violation.
Fairness: Investigations are conducted objectively, respecting due process and employee rights.
Continuous Improvement: Lessons learned from enforcement actions feed into updated policies, training, and risk controls.
The Chief Compliance Officer (CCO) and Data Protection Officer (DPO) jointly oversee the enforcement program. They report directly to the Chief Executive Officer and provide quarterly updates to the Audit and Risk Committee of the Board.
Legal Department: interprets regulatory requirements and ensures consistent disciplinary application.
Human Resources (HR): administers employee investigations and disciplinary actions.
Information Security: investigates technical or system-related violations.
Internal Audit: reviews controls and validates corrective measures.
Management: ensures team-level accountability and reporting of compliance metrics.
Violations subject to enforcement include, but are not limited to:
Unauthorized access, use, or disclosure of personal or confidential information.
Failure to complete required privacy or security training.
Circumvention of authentication, encryption, or access-control mechanisms.
Mishandling of data transfers or breaches of retention policies.
Ignoring or falsifying records required for compliance reporting.
Failure to report incidents or cooperate with investigations.
Retaliation against individuals who raise privacy or security concerns.
Any breach of contractual confidentiality, intellectual-property, or acceptable-use obligations.
Disciplinary measures are proportionate to the gravity and intent of the violation, taking into account prior conduct, potential harm, and legal obligations.
Possible actions include:
Verbal or Written Warning: for inadvertent or first-time, low-impact violations.
Mandatory Retraining: to correct behavior and reinforce understanding of policies.
Suspension of System Access: pending investigation or remediation.
Formal Disciplinary Action: written reprimand placed in personnel file.
Financial Penalty or Withholding of Incentives: where contractually permitted.
Termination of Employment or Contract: for willful misconduct, gross negligence, or repeated violations.
Legal Action or Referral to Authorities: where conduct breaches law or regulation.
All disciplinary decisions are documented and approved by HR and Legal to ensure fairness and compliance with employment law.
Reporting: Suspected violations may be reported confidentially to a manager, HR, the Compliance Hotline, or directly to the DPO. Anonymous reporting is permitted where legally allowed.
Intake and Triage: The CCO and HR determine whether the allegation warrants a formal investigation.
Fact-Finding: Investigators collect relevant evidence, interview witnesses, and analyze system logs.
Findings and Determination: Results are summarized in a written report, classifying the violation and recommending corrective action.
Resolution: Management reviews findings, imposes disciplinary action, and documents closure.
Appeal: Individuals may request a review by the CCO or an independent panel within ten business days of receiving notice of action.
Confidentiality is maintained throughout, and retaliation against reporters is strictly prohibited.
Alva Intelligence encourages employees and partners to raise privacy or security concerns without fear of reprisal.
Reporting channels include:
Confidential compliance email: compliance@joinalva.ai
Anonymous online form via the internal portal
Direct contact with the DPO or CCO
Reports are logged, assigned case numbers, and tracked to resolution. The Company enforces a zero-tolerance policy against retaliation for good-faith reporting, consistent with whistleblower-protection laws.
To verify ongoing adherence, the Compliance and Internal-Audit teams conduct:
Quarterly policy-compliance audits of system access, training records, and data-handling practices.
Targeted reviews following significant incidents or process changes.
Management attestations confirming departmental compliance with privacy obligations.
Findings are graded by severity, and corrective-action plans are required for remediation within defined timeframes.
Performance metrics are used to measure the effectiveness of the enforcement framework.
Examples include:
Percentage of employees completing training on time.
Number and type of reported incidents.
Average time to investigate and resolve compliance cases.
Repeat-violation rates and disciplinary trends.
Aggregated results are reviewed quarterly by senior management and shared with the Board.
Trends inform updates to policies, training content, and risk-mitigation strategies.
Vendors, contractors, and service providers are subject to equivalent enforcement obligations under their contracts.
Breaches of confidentiality or data-protection terms may result in:
Immediate suspension of services.
Mandatory corrective-action plans.
Financial penalties or indemnification claims.
Termination for cause.
Referral to regulatory authorities where required.
The Vendor-Management Team ensures consistent enforcement and documentation across all third-party relationships.
All enforcement actions and investigations are documented in the Compliance Case Management System and retained for a minimum of seven years.
Records include:
Incident report and evidence summary.
Investigation findings and decision rationale.
Disciplinary action and completion status.
Follow-up monitoring or retraining confirmation.
Access to enforcement records is restricted to authorized HR, Legal, and Compliance personnel.
Enforcement is not solely punitive; it is corrective and educational. Insights gained from investigations guide updates to training materials, risk assessments, and internal controls. Leadership reinforces a tone at the top emphasizing ethics, integrity, and accountability as integral to business success. Regular communications remind employees that compliance is a shared responsibility and a reflection of our organizational values.
Alva Intelligence enforces its privacy and security standards through fairness, transparency, and diligence. By holding every individual accountable for protecting information assets and complying with laws, we maintain client confidence, uphold our ethical obligations, and strengthen the integrity of our operations worldwide.
Alva Intelligence LLC (“Alva Intelligence,” “the Company,” “we,” “our,” or “us”) recognizes that privacy, data-protection, and information-security requirements evolve continuously. To ensure that this Privacy Policy remains accurate, comprehensive, and compliant with applicable legal and operational standards, Alva Intelligence maintains a formal process for policy review, approval, version control, and communication.
This section defines how we maintain the integrity of this Policy, ensure it reflects current practices and regulatory expectations, and communicate changes effectively to all stakeholders.
The purpose of the Policy-Review and Maintenance Framework is to:
Ensure that all policies and related procedures remain up to date with applicable laws, industry standards, and internal operations.
Provide a structured schedule and methodology for periodic evaluation and revision.
Establish clear responsibilities for ownership, approval, and documentation of all updates.
Maintain transparency for clients, regulators, and employees regarding policy changes.
This framework applies to the Privacy Policy, the Data-Protection Framework, internal SOPs, and any supporting documents referenced herein (including the Exhibits).
Comprehensive Review: Conducted annually, or sooner if triggered by a material change in law, regulation, or business activity.
Interim Review: Conducted quarterly by the Compliance Office to confirm ongoing alignment with operational practices.
Ad-Hoc Review: Initiated immediately following:
Regulatory or judicial developments affecting data-protection requirements;
Introduction of new technologies or service offerings;
A significant security or privacy incident; or
Audit findings identifying a compliance gap.
Each review cycle is documented, including version number, date of approval, and summary of changes.
Policy Owner: The Chief Compliance Officer (CCO) has primary responsibility for maintaining and updating this Policy.
Data Protection Officer (DPO): Advises on regulatory changes, oversees legal alignment, and validates updates before publication.
Information Security: Ensures technical controls described in the Policy remain accurate and current.
Legal Department: Reviews updates for statutory compliance and contract consistency.
Executive Management: Approves all substantive changes prior to implementation.
Board of Directors / Audit and Risk Committee: Provides annual oversight and ratification of significant revisions.
No modifications to this Policy become effective until approved through the formal governance process.
Initiation: The Compliance Office initiates the review process and compiles proposed changes.
Impact Analysis: Legal and operational stakeholders assess potential effects on business processes, client obligations, and risk posture.
Drafting and Alignment: Updated language is drafted and cross-referenced with related documents (Data-Processing Agreements, Terms of Service, and internal SOPs).
Stakeholder Consultation: Key departments review the draft and provide feedback.
Approval: Final drafts are approved by Executive Management and, where required, the Board.
Publication: The approved version is published on the Company website and internal document repositories.
Notification: Stakeholders including clients, employees, and partners receive notice of material changes via email, intranet announcement, or contract addendum.
All revisions are logged in the Policy Version-Control Register maintained by the Compliance Office.
Each record includes:
Version number and effective date;
Summary of modifications;
Names and titles of approving officials;
Cross-reference to preceding version;
Dates of stakeholder notifications;
Archived copies of superseded versions retained for seven (7) years.
Policies are stored securely within the Compliance Document Repository, accessible only to authorized personnel.
Immediate updates are undertaken when:
Legislation or regulatory guidance changes (for example, amendments to the GDPR, CPRA, or U.S. state privacy laws).
The Company introduces new processing activities or technologies.
Supervisory authorities issue enforcement decisions impacting policy interpretation.
Independent audits or certifications reveal deficiencies requiring correction.
Clients or partners request clarifications under contractual data-protection clauses.
The Compliance Office ensures timely implementation and communicates revisions within thirty (30) days of adoption.
The current version of this Policy is always available:
On the Company’s public website under the “Privacy and Compliance” section;
On the internal employee intranet; and
Upon written request to privacy@joinalva.ai.
All employees are required to review the Policy upon each substantive update and acknowledge receipt electronically. Clients and partners are encouraged to review updates and may request summaries of significant changes.
This Privacy Policy forms part of Alva Intelligence’s broader compliance architecture.
It is integrated with and supported by:
Information-Security Policy;
Data-Classification and Retention Policy;
Incident-Response Plan;
Vendor-Management and Sub-Processor Policy;
Business-Continuity and Disaster-Recovery Plan; and
Employee Code of Conduct.
Consistency among these documents is verified during each review cycle, ensuring alignment across all governance layers.
Internal and external audits verify that this Policy is current, approved, and effectively communicated. Audit results are reviewed by the Audit and Risk Committee, and corrective actions are tracked to completion. Evidence of review, approval, and distribution is retained for regulatory inspection or certification audits (for example, SOC 2 Type 2 or ISO 27701).
Alva Intelligence views policy maintenance as an essential part of its accountability and continuous-improvement framework. Through scheduled reviews, disciplined version control, and transparent communication, we ensure that this Privacy Policy evolves with the legal, technological, and operational landscape preserving compliance integrity and reinforcing stakeholder trust.
The supporting documentation, operational registers, and implementation tools referenced in this Privacy Policy are maintained as Exhibits A through G. These Exhibits form an integral part of this Policy and collectively provide detailed operational, technical, and procedural information necessary to support compliance with applicable data-protection and privacy regulations. Each Exhibit may be reviewed and updated independently by the Compliance Office to reflect current business operations, legal requirements, and technological developments, without requiring formal amendment or reapproval of the main Policy text.
All such updates will be recorded in the Policy Version-Control Register and communicated to relevant stakeholders as appropriate.
This Privacy Policy has been reviewed and approved by the authorized officers of Alva Intelligence LLC as of the Effective Date stated below.
It supersedes all prior versions and shall remain in effect until formally amended or replaced.
| Authorized Signatory | Title | Date |
|---|---|---|
| Denniz Ozden | Chief Compliance Officer | 1 November, 2025 |
| Denniz Ozden | Chief Executive Officer | 1 November, 2025 |
Effective Date: 1 November, 2025
Version: 1.0
Next Scheduled Review: 1 October, 2025
CONTACT INFORMATION
If you have any questions, concerns, or requests related to this Privacy Policy or Alva’s data-handling practices, please contact:
Alva Intelligence LLC
Email: privacy@joinalva.ai or privacy@a-leads.co
We will respond to verified inquiries within the timelines required by applicable law.
This contact channel may also be used to exercise your data subject rights under GDPR, CPRA, or other applicable laws.
Effective Date: November 2025
Review Cycle: This Privacy Policy is reviewed annually as part of Alva’s SOC 2 Type 2 and GDPR compliance assessments to ensure continuing accuracy and regulatory alignment.
__________________________________________________________________________________________
Document Version: 1.0 | Effective Date: November 2025 | Last Reviewed: November 2025
