Privacy Policy

1. Introduction

This Privacy Policy explains how AVM Studio ("Service", "Platform", "we", "us", or "our") collects, uses, shares, and protects your personal information when you use our web-based integrated development environment for Algorand smart contract development.

By using AVM Studio, you consent to the data practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

Email Authentication (via Clerk):

• Email address
• Name (if provided)
• Profile picture/avatar (if provided)

Wallet Authentication:

• Algorand wallet public address(es)
• Primary wallet designation
• Authentication challenge responses (temporary)

We never collect or store your wallet seed phrases or private keys for wallet authentication.

2.2 User-Generated Content

When you use the Service, we store:

• Smart contract source code (PuyaTS, Puya Python, TEAL)
• Project names, descriptions, and settings
• Build configurations and compilation settings
• Build artifacts (compiled TEAL code, application specifications)
• Build logs and metadata
• Organization names, settings, and member lists
• Contract deployment records and transaction metadata

2.3 AI Interaction Data

When you use AI-assisted features, we store:

• Your prompts and messages to the AI
• AI responses
• Tool calls and their results
• Edit proposals generated by AI
• Token usage metrics (input/output counts)
• Model used and conversation metadata

2.4 API Keys and Secrets (Encrypted)

You may provide us with API keys and secrets, which are encrypted using AES-256-GCM before storage:

• AI provider API keys (Anthropic, OpenAI, Google Gemini, Grok, OpenRouter)
• Algorand account private keys for platform-managed signing
• Custom encrypted key-value pairs for your projects
• MCP server authentication credentials

2.5 Usage and Activity Data

We automatically collect:

• Feature usage patterns
• Build and deployment activity
• AI credit usage (for free tier users)
• Request counts and token consumption
• IP addresses (for rate limiting and security)
• Browser type and version
• Access timestamps

2.6 Cookies and Local Storage

We use:

• Session authentication cookies
• Anonymous session identification (30-day expiration)
• Browser local storage for client-side preferences
• WalletConnect session data

3. How We Use Your Information

We use collected information to:

3.1 Provide and Operate the Service

• Authenticate your identity
• Store and retrieve your projects and code
• Compile smart contracts
• Execute blockchain transactions on your behalf
• Provide AI-assisted development features
• Manage organizations and collaboration

3.2 Improve the Service

• Analyze usage patterns to improve features
• Debug and fix issues
• Optimize performance
• Develop new features

3.3 Security and Abuse Prevention

• Detect and prevent fraud, abuse, and security incidents
• Enforce rate limits
• Monitor for terms of service violations

3.4 Communication

• Send transactional emails (authentication codes, notifications)
• Respond to support requests
• Provide service updates and announcements

4. Information Sharing and Disclosure

4.1 Third-Party AI Providers

When you use AI features, your data may be shared with:

Each provider has their own privacy policy. We recommend reviewing their policies before using their services.

4.2 MCP Servers

If you connect third-party MCP servers, tool call parameters and arguments are sent to those servers. We do not control how MCP servers process data.

4.3 Blockchain Networks

When you deploy or interact with contracts:

• Transactions are broadcast to public blockchain networks
• Transaction data becomes permanently public on the blockchain
• Wallet addresses and transaction history are publicly visible
• We cannot delete blockchain data

4.4 Other Service Providers

• Clerk: Email authentication and profile data
• Resend: Email addresses for transactional emails
• S3/MinIO: Build artifacts and compiled code

4.5 Legal Requirements

We may disclose your information to comply with legal obligations, protect our rights, or respond to lawful requests from authorities.

5. Data Security

5.1 Encryption

• Encryption at Rest: API keys, signing account private keys, and project secrets are encrypted using AES-256-GCM
• Encryption in Transit: All connections use HTTPS/TLS
• Key Management: Encryption keys are stored separately from encrypted data

5.2 Access Controls

• Role-based access control for organizations
• Authentication required for sensitive operations
• Rate limiting to prevent abuse

5.3 Limitations

While we implement security measures, no system is 100% secure. We cannot guarantee absolute security of your data. As an alpha product, security practices are evolving.

6. Data Retention

Active Accounts: We retain your data while your account is active.

Deleted Content: Deleted data may persist in backups for a limited time.

Anonymous Sessions: Anonymous session data expires after 30 days of inactivity and may be deleted at any time.

Account Termination: Upon account deletion, personal data will be deleted or anonymized. Blockchain transactions cannot be deleted.

7. Your Rights and Choices

You can:

• Access Your Data: View and export your projects through the Service
• Correct Your Data: Update profile information, project content, and settings
• Delete Your Data: Delete projects, conversation histories, API keys, and request account deletion
• Opt Out: Choose not to use AI features or disconnect MCP servers

Limitations

Some data cannot be deleted:

• Blockchain transactions (immutable public record)
• Data required for legal compliance
• Anonymized aggregate data

8. Regional Privacy Rights

European Economic Area (GDPR)

If you are in the EEA, you have additional rights including the right to access, rectification, erasure, restriction, portability, and objection. To exercise these rights, contact us at [email protected].

California (CCPA/CPRA)

If you are a California resident, you have rights to know what personal information we collect, delete your personal information, and opt out of the sale of personal information (we do not sell personal information).

9. Children's Privacy

AVM Studio is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your own. By using the Service, you consent to such transfers. We implement appropriate safeguards including standard contractual clauses and encryption of sensitive data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service and updating the "Last Updated" date.

12. Contact Us

If you have questions about this Privacy Policy or our data practices:

Email: [email protected]

For Data Rights Requests: [email protected]