Last updated: May 1, 2026
Privacy Policy
Introduction
Avio Group Company Limited (“Avio Group,” “we,” “us,” or “our”) is a Vietnam-based technology company registered in Vietnam and identified by D-U-N-S Number 626314981 (verified by Dun & Bradstreet). We develop Vitaro, a behavior-change platform, and operate the corporate website at aviogroup.eco.
This Privacy Policy explains how we collect, use, disclose, retain, and protect information when you visit aviogroup.eco or use Vitaro on supported devices. If you have privacy questions, contact us at privacy@aviogroup.eco. We aim to respond to privacy inquiries promptly and, where applicable, within the timelines described below.
By using our website or app, you acknowledge this policy. If you do not agree, please discontinue use. We may update this policy from time to time; material changes will be communicated as described in the “Changes to this policy” section.
What information we collect
Information you provide directly may include account details such as your name and email address; descriptions of challenges and context you share in guided sessions; responses to daily check-ins; and optional profile fields you choose to provide.
Information collected automatically may include device type, operating system version, app version, approximate regional settings needed for localization, anonymized usage analytics, and crash or stability diagnostics that help us improve reliability.
Information from third parties may include basic profile details from authentication providers (for example, Google or Apple Sign-In) if you choose those sign-in methods. We only receive what the provider shares according to your consent and their policies.
How we use information
We use information to provide and personalize the service; to generate and adapt behavior-change protocols and guidance you request; to deliver notifications you opt into; and to maintain account security.
We also use aggregated analytics to understand product quality and prioritize engineering work, and we process information where necessary to comply with applicable law, enforce our terms, and protect users.
We do not sell personal data. We do not train external artificial intelligence models on your content without explicit opt-in consent. We do not share personal information with advertisers for their own marketing purposes.
How we share information
We may share information with processors who help us operate the service — for example, hosting, infrastructure, analysis, email delivery, or customer support — subject to strict contractual confidentiality and security obligations.
We may disclose information if required by lawful process, provided we assess validity and seek to narrow requests where appropriate. If Avio Group is involved in a merger, acquisition, or asset transfer, information may transfer subject to continued protections communicated to users.
We may publish aggregate statistics that cannot reasonably identify individuals. Research uses, if any, rely on de-identified or aggregated datasets with technical and organizational safeguards.
Data security
We apply encryption at rest (for example, AES-256 where supported by our infrastructure providers) and encryption in transit using modern TLS (1.2+). Administrative access is limited, logged where appropriate, and reviewed against least-privilege principles.
We conduct periodic security reviews and dependency hygiene work commensurate with our stage and risk profile. No method of storage or transmission is perfectly secure; we work continuously to reduce realistic risks to user data.
Where conversations contain acute crisis content, we apply automatic deletion policies designed to avoid long-term retention of highly sensitive material beyond what is necessary for immediate safety workflows, including deletion within approximately one hour for designated crisis-related content categories.
Data retention
For active accounts, we retain personal information as needed to deliver the service, maintain integrity, resolve disputes, and meet legal obligations. Features that require historical context may retain relevant data until you delete it or close your account according to product controls.
When you delete an account, we may apply a grace period (for example, up to 30 days) to prevent accidental loss and to complete billing or abuse investigations, followed by erasure or irreversible de-identification consistent with backups and legal holds.
Anonymized analytics may be retained indefinitely because they are not linkable to an identifiable individual. Crisis-oriented content is not intended for long-term storage; automated deletion complements our broader minimization practices.
Your rights (GDPR and similar rights)
Depending on your jurisdiction, you may have rights including: access to your personal data; rectification of inaccurate data; erasure (“right to be forgotten”); portability in a machine-readable format; objection to specific processing; and restriction in certain cases.
You may also lodge a complaint with a competent supervisory authority. We support these principles globally where feasible and document our processes to respond consistently regardless of whether a specific statute applies in your location.
To exercise rights, email privacy@aviogroup.eco with sufficient detail to verify your identity. We typically respond within 30 days for privacy rights requests, subject to complexity and legal exceptions. We do not charge a fee unless requests are manifestly unfounded or excessive.
Children’s privacy
Vitaro and our corporate websites are not directed to children under 13 (or the higher minimum age required in your jurisdiction). We do not knowingly collect personal information from children.
If you believe a child has provided information, contact us immediately at privacy@aviogroup.eco so we can investigate and delete data where appropriate. Parents and guardians should supervise minors’ online activities and device permissions.
Age gates, parental controls, and device-level restrictions can supplement our policies. We encourage families to use platform features designed to protect younger users.
International data transfers
We seek regional placement of storage and processing so that user data remain close to the regions we serve, aligned with product configuration and infrastructure availability. Geography may influence latency, redundancy, and legal obligations.
Where cross-border transfers occur (for example, within a cloud provider’s global network), we implement safeguards such as Standard Contractual Clauses or other approved mechanisms, supplemented by technical measures including encryption and access controls.
We use responsible signals — including account country selection where collected — to determine default regions while recognizing that IP-based inference is imperfect. Users may contact us for questions about regional handling.
Cookies and tracking
We use minimal cookies and similar technologies. Essential cookies support core functionality such as security, load balancing, and language preference consistency. We do not deploy third-party advertising cookies on our corporate site.
Where analytics technologies rely on cookies or local storage, we prefer aggregated or pseudonymous identifiers and honor browser settings that signal “Do Not Track” where practical, noting industry inconsistency in DNT standards.
You can control cookies through browser settings. Blocking essential cookies may degrade functionality. We document major categories in internal records available for audit and regulatory inquiry.
Changes to this policy
We may revise this policy to reflect new features, legal requirements, or clarifications. When changes are material, we will notify users by email (where we have an address) and through in-app notices when Vitaro is generally available, at least 30 days before enforcement unless immediate changes are legally required.
Continued use after the notice period constitutes acceptance unless applicable law requires express consent for specific new processing. If you disagree with an update, you should stop using the service and may request deletion as permitted.
Prior versions can be provided upon reasonable request for transparency. We archive policy text changes with timestamps internally.
Contact us
Privacy inquiries: privacy@aviogroup.eco
Postal address: Avio Group Company Limited, Vietnam (please email for the appropriate mailing line if needed for formal correspondence).
For general questions unrelated to privacy, hello@aviogroup.eco. We aim to acknowledge privacy communications within two business days.