Privacy Notice

Last updated: June 1, 2026

1. Who We Are

ProductPilot AI is operated by Avolyx Global Limited, a company incorporated in Sri Lanka ("Avolyx", "we", "us"). Avolyx is the data controller of personal data processed in connection with your account and use of the Service. You can reach us at billing@avolyx.com.

2. Personal Data We Collect

  • Account data — name, email address, password (hashed), profile preferences.
  • Authentication data — sign-in events, OAuth identifiers if you use Google sign-in.
  • Workspace & content data — the prompts, documents, PRDs, user stories, roadmaps, and other content you create or upload, and the AI outputs generated for you.
  • Usage & telemetry — feature usage, request counts, error logs, performance metrics.
  • Device & connection data — IP address, browser type, operating system, approximate location (derived from IP).
  • Support data — messages, attachments, and metadata when you contact support.
  • Billing identifiers — the customer and subscription identifiers our payment provider sends us. Card data and full billing addresses are collected and stored by Paddle, not by us.

3. How We Use Personal Data

  • Provide the Service — create your account, render the app, store your workspace, and generate AI outputs. Legal basis: performance of a contract.
  • Secure the Service — detect and prevent fraud, abuse, and unauthorised access. Legal basis: legitimate interests.
  • Improve the Service — analyse aggregated usage to fix bugs and improve features. Legal basis: legitimate interests.
  • Customer support — respond to your enquiries. Legal basis: performance of a contract / legitimate interests.
  • Billing — manage your subscription via our Merchant of Record. Legal basis: performance of a contract.
  • Communications — send service notifications (e.g. invoices, security notices). Legal basis: performance of a contract / legitimate interests. Marketing emails, where sent, are based on consent and you can opt out at any time.
  • Legal & compliance — comply with applicable laws and respond to lawful requests. Legal basis: legal obligation.

4. AI Processing

When you use AI features, your prompts and relevant workspace content are sent to third-party AI providers (currently routed via the Lovable AI Gateway, which uses models from Google and OpenAI) so they can return an output. We instruct these providers to act as processors on our behalf and not to use your content to train their general models, subject to their published terms.

5. How We Share Personal Data

  • Service providers / subprocessors — cloud hosting and database providers, email delivery providers, analytics, and error-monitoring tools, all bound by contractual confidentiality and security obligations.
  • Payment provider (Merchant of Record) — Paddle.com Market Ltd processes your payment, calculates and remits sales tax, issues invoices, manages subscriptions, and handles refunds and chargebacks. Paddle acts as an independent controller for these purposes. See Paddle's privacy policy at paddle.com/legal/privacy.
  • AI providers — Google and OpenAI (via the Lovable AI Gateway) as described above.
  • Professional advisers — lawyers, accountants, and auditors, where necessary.
  • Authorities — where required by law or to protect rights, safety, and security.
  • Corporate transactions — in connection with a merger, acquisition, or sale of assets, subject to confidentiality safeguards.

We do not sell your personal data.

6. International Transfers

Our service providers may be located outside Sri Lanka, including in the United States and the European Union. Where personal data is transferred internationally, we rely on appropriate safeguards (such as the providers' standard contractual clauses or equivalent mechanisms) to protect your data.

7. Retention

We retain account and workspace data for as long as your account is active. If you close your account, we delete or anonymise the data within a reasonable period (typically within 90 days), except where we are required to retain it for legal, tax, accounting, or fraud-prevention purposes. Billing records held by Paddle are retained according to Paddle's own retention schedule.

8. Your Rights

Subject to applicable law (including the Sri Lanka Personal Data Protection Act and, where applicable, the EU/UK GDPR), you have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate or incomplete data;
  • request deletion of your data;
  • restrict or object to certain processing;
  • port your data to another provider in a structured format;
  • withdraw consent at any time (where processing is based on consent);
  • lodge a complaint with your local data protection authority.

To exercise these rights, email billing@avolyx.com. We will respond within the timeframes required by applicable law (typically within one month).

9. Security

We use appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), encryption at rest for sensitive fields, access controls, least-privilege role-based access, secure development practices, and regular review of our security posture. No internet service can be guaranteed 100% secure; please also keep your account credentials confidential.

10. Cookies & Similar Technologies

We use a small number of cookies and similar technologies:

  • Essential — required for authentication, session management, and security. These cannot be turned off.
  • Preferences — remember your theme and workspace settings.
  • Analytics — aggregated usage measurement to improve the product. You can disable analytics cookies through your browser settings.

Paddle may set its own cookies during checkout; see Paddle's privacy policy linked above.

11. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to this Notice

We may update this Privacy Notice from time to time. Material changes will be notified to you (for example, by email or in-product notice) before they take effect.

13. Contact

Avolyx Global Limited, Sri Lanka.
Email: billing@avolyx.com