AI workforce
AI workforce
AI workforce
AI workforce
Privacy Policy
Privacy Policy
Last updated: 18 August 2025
CRUV DIMENSION PVT. LTD. (CRUV, we, us) cares about your privacy and security. This Privacy Policy explains how we collect, use, disclose, secure, and retain personal information across our websites, products, and services, including the Aevis platform and any Google integrations that use IMAP or Gmail API scopes.
If anything here is unclear, email us at sanidhya@aevis.io and we will help. If a term changes, we will give you advance notice as described in Section 14.
1. What this policy covers
This policy applies to:
Aevis web and mobile apps
Public websites and support portals operated by CRUV
APIs, webhooks, developer tools, and SDKs
Integrations you turn on, including Google IMAP and Gmail API scopes
2. The data we process
We collect and process only what we need for the features you use.
Account and contact data - name, email, phone, organization, role
Authentication and security data - session identifiers, OAuth tokens, role assignments, audit trails
Product usage data - feature usage counts, performance metrics, timestamps, IP address, device or browser type
Content you provide - documents, forms, attachments you upload to Aevis
Payments and billing - we use a payment processor. We receive transaction IDs, payment status, invoice details, last 4 digits and card brand if returned by the processor, and billing address for tax compliance. We do not store full card numbers or CVV.
Gmail and IMAP specific
If you enable Gmail IMAP or Gmail API scopes, Aevis may access your mailbox to perform workflows you configure, such as reading renewal confirmations, parsing attachments, or sending policy documents that you request.
3. Why we process data and our legal bases
We process data for the purposes below and on these legal bases:
Provide and operate the services you request - contract
Authenticate users, secure the platform, prevent fraud and abuse - legitimate interests and legal obligations
Troubleshoot, debug, and ensure reliability for enabled features - legitimate interests
Provide customer support and respond to you - contract and legitimate interests
Comply with law, tax, accounting, and enforce terms - legal obligations
Improve Aevis in a privacy protective way - legitimate interests
We use aggregated and de-identified metrics wherever possible. We do not train models on your Gmail content.
You can object to processing based on legitimate interests where your rights override our interests. See Section 13 for your rights.
4. Data minimization for Google integrations
We apply strict least privilege practices:
Minimal scopes - we request only the Gmail or IMAP scopes needed for the specific features you enable
Ephemeral processing - Gmail message bodies, headers, and attachments are processed in memory and are not stored, logged, or indexed on CRUV servers
Defensive design - swap is disabled on production application hosts, crash dumps that may include memory are disabled, and services run in ephemeral containers with read only filesystems wherever feasible
No human reading - CRUV personnel do not read Gmail content. Limited exceptions apply only when you explicitly ask us to view content for support, to investigate a specific security or abuse incident, or where we are legally required to do so. All such access requires documented approval, is time bound, and is logged and reviewed.
5. Security measures for sensitive data
We treat all personal information and Gmail data as sensitive.
Encryption in transit - TLS 1.2 or higher
Encryption at rest for secrets and tokens - AES 256 GCM for data at rest, RSA 2048 or higher for key transport, with automated key rotation
Secrets management - tokens, keys, and credentials are stored in a dedicated secrets manager, not in source code or client apps
Identity and access management - role based access control, least privilege, multi factor authentication, SSO, and just in time access with time limits
Network and platform hardening - segmented VPCs or equivalent, firewall rules, restricted egress, automated patching, container image scanning, and supply chain controls
Logging and redaction - operational logs exclude message bodies and full email addresses. Incidental identifiers are masked or hashed
Monitoring and alerting - security events and administrative actions are logged and monitored for anomalies
Independent testing - we conduct annual third party penetration tests. A high level summary is available under NDA upon request
Incident response - documented 24x7 incident response with containment, eradication, recovery, and customer notification without undue delay if your data is affected
6. Transparency about diagnostic data
Diagnostic events means strictly the following:
Service health and performance metrics - timestamps, status codes, response times
Error details - exception type, stack traces without message content
Client metadata - app version, device or browser type, IP address
We do not include Gmail message bodies, attachments, or full headers in diagnostics.
7. Vendor and subprocessor transparency
We use infrastructure and security vendors to help us operate the service. They act as processors and may not use your data for advertising or profiling.
We publish a current list of subprocessors and the purpose of each at: https://aevis.io/legal/subprocessors
We will post updates at least 30 days before adding or replacing a subprocessor, except in emergencies
You may object to a new subprocessor by contacting us. If we cannot provide a reasonable alternative, you may disable the affected feature or terminate for convenience
8. What we never do with Gmail data
No selling or renting Gmail data
No advertising or profiling based on Gmail data
No training of models on Gmail data
No transfer of Gmail content to third parties except to subprocessors that are strictly necessary to provide the service as processors and only under contract
9. Retention and deletion
We keep data only as long as needed for the purposes stated here.
Gmail content - not stored
OAuth tokens - stored encrypted, deleted immediately when you revoke access, and otherwise automatically expire per Google policies
Application logs - 30 days
Security and audit logs - 180 days
Support tickets and attachments you send us - 18 months
Account, billing, and tax records - up to 7 years as required by law
Backups - encrypted and retained up to 30 days on a rolling basis
You can request deletion of your account data at any time. We will complete the request within 30 days unless a longer period is required by law, in which case we will explain why.
10. International transfers
If data is processed outside your country, we apply legally recognized safeguards:
European Economic Area and United Kingdom - transfers rely on the European Commission Standard Contractual Clauses or the UK International Data Transfer Addendum, as applicable
India - processing follows the Digital Personal Data Protection Act 2023 and applicable rules
In all cases, Gmail content is not stored by us
11. Children’s privacy
Our services are not directed to children under 13, and we do not knowingly collect data from them.
Proactive measures:
Age confirmation at sign up
If we learn a child has provided personal data, we will delete the account and data promptly and notify the parent or guardian if contact information is available
12. Your choices and controls
Permissions - you can revoke Gmail access at any time in your Google Account permissions
Settings - you can disable integrations, change roles, and adjust feature settings inside Aevis
Marketing - we do not send marketing emails based on Gmail data. You can opt out of general marketing any time
13. Your privacy rights
Depending on your location, you may have rights to access, correct, delete, restrict, or object to processing, and to data portability. You also have the right to complain to your data protection authority.
For requests, contact sanidhya@aevis.io. We will respond within 30 days.
14. Changes to this policy
Notice period - we will give at least 14 days notice for material changes before they take effect. The Effective date at the top shows when this version becomes active
What counts as material - changes to categories of data collected, purposes of processing, retention periods, user rights, international transfer mechanisms, or vendor disclosures
How we notify you - email to the account owner, in app notification, or both
Changelog - we maintain a changelog for prior versions at https://aevis.io/legal/privacy-changelog
15. Role of CRUV
For account, billing, and platform usage data - CRUV is the controller
For Gmail content accessed to perform workflows you configure - CRUV acts as a processor on your behalf and processes data only per your instructions
16. Gmail and IMAP compliance
We comply with the Google API Services User Data Policy, including the Limited Use requirements:
We use Gmail data only to provide or improve user facing features that you enable
We do not transfer Gmail data except to subprocessors necessary to provide the service, and only as processors
We do not use Gmail data for advertising or profiling
Technical details for Google reviewers
Ephemeral processing - no storage of Gmail message bodies, attachments, or full headers. Swap disabled, crash dumps disabled, containers are short lived
Encryption - TLS 1.2 or higher in transit, AES 256 GCM at rest for secrets and tokens, automated key rotation, access logging
Access controls - RBAC, MFA, SSO, just in time access, time bound approvals, and complete audit logs of administrative actions
Testing and assurance - annual third party penetration testing, vulnerability scanning, and timely patching
Retention - concrete timelines as listed in Section 9
17. Contact
Email - sanidhya@aevis.io
HQ Address - KE-7, Kabeer Marg, Bani Park, Jaipur (RJ), India
If you need a Data Processing Addendum, subprocessor list, or security summary, contact us.
Appendix A - Gmail and IMAP integration specifics
Scopes we may request
IMAP access for mailbox read or send if required by a workflow you enable
Gmail API scopes for read, compose, modify, and send operations only when strictly necessary
Operational posture
Access is initiated by you and limited to the workflow you configure
Processing is in memory and short lived
OAuth tokens are encrypted at rest, rotated automatically, and revoked on disconnect
Administrative access to view content requires your explicit request or a documented, time bound security investigation with audit logs
User safety by design
Server side checks enforce per tenant, per workflow access limits
Safe defaults prevent overbroad mailbox access
Fine grained role and permission controls reduce accidental exposure
Privacy Policy
Last updated: 18 August 2025
CRUV DIMENSION PVT. LTD. (CRUV, we, us) cares about your privacy and security. This Privacy Policy explains how we collect, use, disclose, secure, and retain personal information across our websites, products, and services, including the Aevis platform and any Google integrations that use IMAP or Gmail API scopes.
If anything here is unclear, email us at sanidhya@aevis.io and we will help. If a term changes, we will give you advance notice as described in Section 14.
1. What this policy covers
This policy applies to:
Aevis web and mobile apps
Public websites and support portals operated by CRUV
APIs, webhooks, developer tools, and SDKs
Integrations you turn on, including Google IMAP and Gmail API scopes
2. The data we process
We collect and process only what we need for the features you use.
Account and contact data - name, email, phone, organization, role
Authentication and security data - session identifiers, OAuth tokens, role assignments, audit trails
Product usage data - feature usage counts, performance metrics, timestamps, IP address, device or browser type
Content you provide - documents, forms, attachments you upload to Aevis
Payments and billing - we use a payment processor. We receive transaction IDs, payment status, invoice details, last 4 digits and card brand if returned by the processor, and billing address for tax compliance. We do not store full card numbers or CVV.
Gmail and IMAP specific
If you enable Gmail IMAP or Gmail API scopes, Aevis may access your mailbox to perform workflows you configure, such as reading renewal confirmations, parsing attachments, or sending policy documents that you request.
3. Why we process data and our legal bases
We process data for the purposes below and on these legal bases:
Provide and operate the services you request - contract
Authenticate users, secure the platform, prevent fraud and abuse - legitimate interests and legal obligations
Troubleshoot, debug, and ensure reliability for enabled features - legitimate interests
Provide customer support and respond to you - contract and legitimate interests
Comply with law, tax, accounting, and enforce terms - legal obligations
Improve Aevis in a privacy protective way - legitimate interests
We use aggregated and de-identified metrics wherever possible. We do not train models on your Gmail content.
You can object to processing based on legitimate interests where your rights override our interests. See Section 13 for your rights.
4. Data minimization for Google integrations
We apply strict least privilege practices:
Minimal scopes - we request only the Gmail or IMAP scopes needed for the specific features you enable
Ephemeral processing - Gmail message bodies, headers, and attachments are processed in memory and are not stored, logged, or indexed on CRUV servers
Defensive design - swap is disabled on production application hosts, crash dumps that may include memory are disabled, and services run in ephemeral containers with read only filesystems wherever feasible
No human reading - CRUV personnel do not read Gmail content. Limited exceptions apply only when you explicitly ask us to view content for support, to investigate a specific security or abuse incident, or where we are legally required to do so. All such access requires documented approval, is time bound, and is logged and reviewed.
5. Security measures for sensitive data
We treat all personal information and Gmail data as sensitive.
Encryption in transit - TLS 1.2 or higher
Encryption at rest for secrets and tokens - AES 256 GCM for data at rest, RSA 2048 or higher for key transport, with automated key rotation
Secrets management - tokens, keys, and credentials are stored in a dedicated secrets manager, not in source code or client apps
Identity and access management - role based access control, least privilege, multi factor authentication, SSO, and just in time access with time limits
Network and platform hardening - segmented VPCs or equivalent, firewall rules, restricted egress, automated patching, container image scanning, and supply chain controls
Logging and redaction - operational logs exclude message bodies and full email addresses. Incidental identifiers are masked or hashed
Monitoring and alerting - security events and administrative actions are logged and monitored for anomalies
Independent testing - we conduct annual third party penetration tests. A high level summary is available under NDA upon request
Incident response - documented 24x7 incident response with containment, eradication, recovery, and customer notification without undue delay if your data is affected
6. Transparency about diagnostic data
Diagnostic events means strictly the following:
Service health and performance metrics - timestamps, status codes, response times
Error details - exception type, stack traces without message content
Client metadata - app version, device or browser type, IP address
We do not include Gmail message bodies, attachments, or full headers in diagnostics.
7. Vendor and subprocessor transparency
We use infrastructure and security vendors to help us operate the service. They act as processors and may not use your data for advertising or profiling.
We publish a current list of subprocessors and the purpose of each at: https://aevis.io/legal/subprocessors
We will post updates at least 30 days before adding or replacing a subprocessor, except in emergencies
You may object to a new subprocessor by contacting us. If we cannot provide a reasonable alternative, you may disable the affected feature or terminate for convenience
8. What we never do with Gmail data
No selling or renting Gmail data
No advertising or profiling based on Gmail data
No training of models on Gmail data
No transfer of Gmail content to third parties except to subprocessors that are strictly necessary to provide the service as processors and only under contract
9. Retention and deletion
We keep data only as long as needed for the purposes stated here.
Gmail content - not stored
OAuth tokens - stored encrypted, deleted immediately when you revoke access, and otherwise automatically expire per Google policies
Application logs - 30 days
Security and audit logs - 180 days
Support tickets and attachments you send us - 18 months
Account, billing, and tax records - up to 7 years as required by law
Backups - encrypted and retained up to 30 days on a rolling basis
You can request deletion of your account data at any time. We will complete the request within 30 days unless a longer period is required by law, in which case we will explain why.
10. International transfers
If data is processed outside your country, we apply legally recognized safeguards:
European Economic Area and United Kingdom - transfers rely on the European Commission Standard Contractual Clauses or the UK International Data Transfer Addendum, as applicable
India - processing follows the Digital Personal Data Protection Act 2023 and applicable rules
In all cases, Gmail content is not stored by us
11. Children’s privacy
Our services are not directed to children under 13, and we do not knowingly collect data from them.
Proactive measures:
Age confirmation at sign up
If we learn a child has provided personal data, we will delete the account and data promptly and notify the parent or guardian if contact information is available
12. Your choices and controls
Permissions - you can revoke Gmail access at any time in your Google Account permissions
Settings - you can disable integrations, change roles, and adjust feature settings inside Aevis
Marketing - we do not send marketing emails based on Gmail data. You can opt out of general marketing any time
13. Your privacy rights
Depending on your location, you may have rights to access, correct, delete, restrict, or object to processing, and to data portability. You also have the right to complain to your data protection authority.
For requests, contact sanidhya@aevis.io. We will respond within 30 days.
14. Changes to this policy
Notice period - we will give at least 14 days notice for material changes before they take effect. The Effective date at the top shows when this version becomes active
What counts as material - changes to categories of data collected, purposes of processing, retention periods, user rights, international transfer mechanisms, or vendor disclosures
How we notify you - email to the account owner, in app notification, or both
Changelog - we maintain a changelog for prior versions at https://aevis.io/legal/privacy-changelog
15. Role of CRUV
For account, billing, and platform usage data - CRUV is the controller
For Gmail content accessed to perform workflows you configure - CRUV acts as a processor on your behalf and processes data only per your instructions
16. Gmail and IMAP compliance
We comply with the Google API Services User Data Policy, including the Limited Use requirements:
We use Gmail data only to provide or improve user facing features that you enable
We do not transfer Gmail data except to subprocessors necessary to provide the service, and only as processors
We do not use Gmail data for advertising or profiling
Technical details for Google reviewers
Ephemeral processing - no storage of Gmail message bodies, attachments, or full headers. Swap disabled, crash dumps disabled, containers are short lived
Encryption - TLS 1.2 or higher in transit, AES 256 GCM at rest for secrets and tokens, automated key rotation, access logging
Access controls - RBAC, MFA, SSO, just in time access, time bound approvals, and complete audit logs of administrative actions
Testing and assurance - annual third party penetration testing, vulnerability scanning, and timely patching
Retention - concrete timelines as listed in Section 9
17. Contact
Email - sanidhya@aevis.io
HQ Address - KE-7, Kabeer Marg, Bani Park, Jaipur (RJ), India
If you need a Data Processing Addendum, subprocessor list, or security summary, contact us.
Appendix A - Gmail and IMAP integration specifics
Scopes we may request
IMAP access for mailbox read or send if required by a workflow you enable
Gmail API scopes for read, compose, modify, and send operations only when strictly necessary
Operational posture
Access is initiated by you and limited to the workflow you configure
Processing is in memory and short lived
OAuth tokens are encrypted at rest, rotated automatically, and revoked on disconnect
Administrative access to view content requires your explicit request or a documented, time bound security investigation with audit logs
User safety by design
Server side checks enforce per tenant, per workflow access limits
Safe defaults prevent overbroad mailbox access
Fine grained role and permission controls reduce accidental exposure