ANAVA, INC.

DATA PRIVACY POLICY

MAY 2026

IMPORTANT NOTICE REGARDING DATA

 

Anava's software processes images captured from CCTV and video surveillance cameras. This may include images of individuals in public or private spaces and, in some cases, biometric data (including facial images). This Privacy Policy explains how we collect, process, store, and protect such data, and sets out your rights under applicable law including the EU General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).

1.  Who We Are

Anava AI, Inc. (“Anava,” “we,” “us,” or “our”) develops and operates the Anava software platform — a software application installed on or connected to CCTV cameras and video surveillance systems. Anava captures image frames from video feeds and transmits them to cloud-based AI services for analysis.

 

Controller vs. Processor: Depending on context and applicable law:



Where Anava determines the purposes and means of processing personal data (e.g., operating our platform, improving our services), Anava acts as a data controller.


Where a customer deploys Anava on their premises and directs how data is processed, Anava typically acts as a data processor on behalf of that customer, who is the data controller.


Customers are responsible for providing appropriate notice to individuals in surveilled areas, obtaining any required consents, and complying with local surveillance and data protection laws.



 

Contact: Questions about this Policy or our data practices may be directed to: privacy@anava.a

2.  What Personal Data We Collect

Anava collects the following categories of data in connection with operating its platform:

2.1  Video and Image Data



Still image frames (201cscreenshots201d) periodically captured from live CCTV or IP camera video feeds.


These images may depict individuals and, depending on image quality and camera placement, may constitute biometric data (including facial images) under applicable law, including the GDPR, UK GDPR, Illinois BIPA, and Texas CUBI.


Images are captured at configurable intervals and transmitted to cloud AI services for processing.



2.2  AI-Generated Analytical Data



Output generated by the AI model (Google Gemini or Anthropic Claude) in response to the submitted image frames, which may include object detection results, scene descriptions, event classifications, alerts, or other analytical inferences.


These outputs may reference or describe individuals captured in the images.



2.3  Technical and Operational Data



Device identifiers, camera identifiers, and installation metadata.


System logs, timestamps, API call records, and error reports.


Network and connectivity information.



2.4  Customer and Account Data



Name, email address, company name, and job title of customer account holders.


Billing and payment information (processed via third-party payment processors; we do not store full payment card numbers).


Configuration preferences and dashboard usage data.



2.5  Data We Do Not Intentionally Collect

Anava does not intentionally collect audio data, continuously recorded video streams, or any data from children under the age of 16. If you believe we have inadvertently collected such data, please contact us at privacy@anava.ai.

3.  How We Use Personal Data

We may use the data we collect for the following purposes:



Processing image frames through AI models to generate real-time analytics, alerts, and reports as configured by the customer. 


Maintaining, securing, and improving the reliability and performance of our platform. 


Reviewing a limited sample of processed data, subject to strict access controls, to identify errors, improve AI accuracy, and ensure outputs are safe and appropriate. Customers may opt out of this use — see Section 8. 


Using account data and operational logs to diagnose issues and respond to support requests. Customer Support:


Detecting and preventing unauthorized access, fraud, abuse, or other harmful activity. 


Complying with applicable laws, regulations, and lawful requests from competent authorities. 


Processing payments, managing subscriptions, and sending service notifications. 


Sending product updates, security notices, and — with consent where required — marketing communications. 



4.  Legal Basis for Processing (GDPR / UK GDPR)

For individuals in the European Economic Area (EEA) and the United Kingdom, our processing of personal data is carried out on the following legal bases:



Legitimate Interests (Article 6(1)(f) GDPR): Processing image frames to deliver our analytics services, improve platform quality, and detect security threats, where our legitimate interests are not overridden by the rights and freedoms of data subjects. 


Performance of a Contract (Article 6(1)(b) GDPR): Processing account and billing data necessary to perform our contract with customers. 


Compliance with a Legal Obligation (Article 6(1)(c) GDPR): Where we are required to process data to comply with EU, UK, or member state law. 


Consent (Article 6(1)(a) GDPR): Where we rely on consent — for example, for optional marketing communications — you may withdraw consent at any time. 



 

For biometric data or other special category data under Article 9 GDPR, we rely on:



Explicit consent of the data subject, where obtained by the customer deploying Anava; or


The substantial public interest condition, where applicable (e.g., crime prevention and detection); or


Other applicable Article 9(2) conditions as documented in our Data Protection Impact Assessments.



 

Customers who deploy Anava in the EEA or UK and process personal data using our platform are responsible for identifying their own legal basis for that processing and for satisfying the requirements of Article 13/14 GDPR (transparency notices to individuals in surveilled areas).

5.  AI Subprocessors and Third-Party Services

5.1  AI Processing Partners

Depending on customer configuration, image frames are transmitted to one or both of the following AI providers for processing:



Google LLC (Google Gemini) — images may be processed via Google Cloud AI services. Google's data processing terms and privacy commitments apply. See: cloud.google.com/terms/data-processing-addendum


Anthropic PBC (Claude) — images may be processed via Anthropic's API. Anthropic's usage policies and data handling commitments apply. See: anthropic.com/legal/privacy



 

Neither Google nor Anthropic is permitted to use customer data submitted via API to train their foundation models without separate agreement. 

6.  International Data Transfers

Anava operates globally. When we transfer personal data from the EEA or UK to countries that are not recognized as providing an adequate level of data protection, we rely on one or more of the following safeguards:



Standard Contractual Clauses (SCCs) approved by the European Commission and/or UK International Data Transfer Agreements (IDTAs).


Binding Corporate Rules, where applicable.


An adequacy decision by the European Commission or UK Secretary of State.



 

Customers may request a copy of the relevant transfer mechanism documentation by contacting privacy@anava.ai.

7.  Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:



Transmitted to the AI provider in real time and not stored by Anava on a persistent basis beyond the period required for processing (typically seconds to minutes), unless the customer has enabled archival features, in which case the customer's configured retention period applies. 


Retained for the duration of the customer's subscription plus 90 days, unless a longer or shorter period is contractually agreed. 


Retained for up to 12 months for security and operational purposes.


Retained for the duration of the customer relationship and for up to 7 years thereafter for legal, tax, and compliance purposes. 



 

At the end of the applicable retention period, data is securely deleted or anonymized. Customers may request earlier deletion as set out in Section 8.

8.  Your Rights

Depending on your location and applicable law, you may have the following rights in relation to your personal data:

8.1  Rights Under GDPR / UK GDPR (EEA & UK Residents)



Right of Access (Art. 15): Request a copy of the personal data we hold about you. 


Right to Rectification (Art. 16): request correction of inaccurate or incomplete data. 


Right to Erasure (Art. 17): Request deletion of your personal data (right to be forgotten), subject to legal exceptions. 


Right to Restriction of Processing (Art. 18): Request that we restrict the processing of your data in certain circumstances. 


Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format. 


Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling. 


Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing. 


Right to Lodge a Complaint: Lodge a complaint with your national supervisory authority. In the EU, see edpb.europa.eu for authority contacts. In the UK, contact the Information Commissioner's Office (ICO) at ico.org.uk. 



8.2  Rights Under CCPA / CPRA (California Residents)

California residents have the following rights under the California Consumer Privacy Act (as amended by CPRA):



Right to Know: Request disclosure of the categories and specific pieces of personal information collected, the purposes for collection, and the categories of third parties with whom it is shared. 


Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions. 


Right to Correct: Request correction of inaccurate personal information. 


Right to Opt-Out of Sale or Sharing: Anava does not sell personal information. We do not share personal information for cross-context behavioral advertising. You may submit an opt-out request at www.anava.ai/privacy-choices. 


Right to Limit Use of Sensitive Personal Information: Request that we limit the use of sensitive personal information to purposes permitted by the CPRA. 


Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights. 



 

California residents may submit requests through any of the following methods:



Email: privacy@anava.ai


Web form: www.anava.ai/privacy-request



 

We will respond to verifiable requests within 45 days (extendable by a further 45 days with notice). We are required to verify your identity before fulfilling certain requests.

8.3  How to Exercise Your Rights

To exercise any of the rights listed above, please contact us at privacy@anava.aiWe will respond within 30 days (GDPR/UK GDPR) or 45 days (CCPA/CPRA) of receiving a verifiable request.

 

Please note: where Anava acts as a data processor on behalf of a customer (your employer, a business operating a camera system), you should direct your request to that customer (the data controller). Anava will assist customers in responding to such requests as required by law.

8.4  Opt-Out of AI Quality Review

Customers may opt out of Anava's use of their data for AI model quality and safety review (described in Section 3) by contacting privacy@anava.ai.

9.  Data Security

We implement industry-standard technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction, including:



Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256).


Role-based access controls and least-privilege access policies.


Regular security assessments, penetration testing, and vulnerability management.


Incident response procedures and breach notification protocols.


Employee training on data protection and information security.



 

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected individuals and relevant supervisory authorities as required by applicable law (within 72 hours under GDPR where feasible).

10.  Children's Privacy

Anava's platform is not directed at individuals under the age of 16, and we do not knowingly collect personal data from children. Our customers are responsible for ensuring that the deployment of Anava complies with applicable laws protecting the privacy of minors, including any required parental consent.

 

If you believe that a child under 16 has been recorded by a camera system using Anava software, please contact the operator of that camera system (the data controller). If you have concerns that require our attention, contact us at privacy@anava.ai.

11.  Cookies and Tracking Technologies

Our website (www.anava.ai) and web-based dashboard use cookies and similar tracking technologies for the following purposes:



Required for the website and dashboard to function (e.g., session management, authentication). 


Used to understand how visitors use our site and to improve performance. These are only placed with your consent where required by law. 


Used to remember your settings and preferences. 



 

You can manage your cookie preferences via our cookie consent banner or by adjusting your browser settings. Withdrawing consent for non-essential cookies will not affect your ability to use our core services.

12.  Responsibilities of Camera Operators 

Customers who deploy Anava are data controllers in respect of individuals captured by their camera systems. As a controller, operators are responsible for:



Displaying clear and conspicuous signage informing individuals that they are in a surveilled area and that AI analytics are in use, as required by applicable law.


Conducting and documenting a Data Protection Impact Assessment (DPIA) prior to deployment where required under GDPR Article 35 (e.g., systematic monitoring of public spaces, large-scale processing of biometric data).


Establishing a valid legal basis for the surveillance and AI processing.


Entering into the Anava Data Processing Agreement (DPA), available at www.anava.ai/dpa.


Ensuring that camera placement and configuration are proportionate to the stated purpose and minimize unnecessary collection of personal data.


Responding to data subject rights requests from individuals captured by their camera systems.



 

Anava provides a standard Data Processing Agreement (DPA) for customers requiring one under GDPR Article 28. Please contact privacy@anava.ai.

13.  Special Notice: Biometric and Sensitive Data

Certain US states impose additional obligations on the collection and processing of biometric data, including:



Illinois Biometric Information Privacy Act (BIPA): Requires written notice and informed written consent before collecting biometric identifiers or information, including facial geometry.


Texas Capture or Use of Biometric Identifier Act (CUBI): Requires informed consent before capturing biometric identifiers.


Washington My Health MY Data Act and other state laws may impose additional requirements.



 

Customers deploying Anava in jurisdictions with biometric privacy laws are solely responsible for obtaining the legally required consent and providing the required notices. Anava provides compliance resources and documentation support — contact privacy@anava.ai for assistance.

 

Under GDPR and UK GDPR, facial images and related biometric data used for the purpose of uniquely identifying individuals are special category data under Article 9. Processing requires an explicit legal basis under Article 9(2). Customers are responsible for meeting this requirement in their deployment.

14.  Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify customers of material changes by:



Posting the updated Policy on www.anava.ai/privacy with a new effective date;


Sending an email notification to the registered account email address; and/or


Displaying an in-product notice.



 

Your continued use of Anava following notice of changes constitutes your acceptance of the updated Policy. If you disagree with any changes, you may close your account by contacting support@anava.ai.

15.  Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:

 

Anava AI, Inc.

Email: privacy@anava.ai

Website: www.anava.ai

 

For EEA residents, you have the right to lodge a complaint with your local data protection supervisory authority at any time. A full list of EU supervisory authorities is available at edpb.europa.eu. For UK residents, the relevant authority is the Information Commissioner's Office (ICO): ico.org.uk / 0303 123 1113.

Appendix A:  Summary of Key Terms

For ease of reference, the following terms have specific meanings throughout this Policy:

 

Personal Data: Any information relating to an identified or identifiable natural person.

Biometric Data: Personal data resulting from specific technical processing relating to the physical characteristics of a natural person that allows unique identification of that person, including facial images.

Controller: The entity that determines the purposes and means of processing personal data.

Processor: An entity that processes personal data on behalf of a controller.

GDPR: The EU General Data Protection Regulation 2016/679.

UK GDPR: The GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, as amended.

CCPA/CPRA: The California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020.

DPA: Data Processing Agreement — a contract between a controller and processor required under GDPR Article 28.

DPIA: Data Protection Impact Assessment — a process to identify and minimize data protection risks, required under GDPR Article 35 for high-risk processing.