Privacy Policy
Effective Date: May 1, 2026
Last Updated: May 29, 2026
This Privacy Policy describes how GoodGist, Inc., a Delaware corporation with its principal place of business at 1825 S. Grant St., Suite 200, San Mateo, CA 94404, USA, doing business as Avery.Software ("Avery.Software," "we," "us," or "our"), collects, uses, shares, and protects information in connection with the Avery NXR desktop application, the Avery NXR central service, the Forge plugin marketplace, and all related software and services (collectively, the "Software").
This Policy is incorporated by reference into our Terms of Use. Capitalized terms not defined here have the meaning given in the Terms of Use.
Privacy at a Glance
- Most data stays on your device. Avery NXR is a privacy-first desktop product. Your prompts, generated source code, agent graphs, project files, BYOK keys, and OAuth tokens live on your local machine. They are not transmitted to Avery.Software except in the narrowly scoped exceptions described below (e.g., a license heartbeat or your own crash report submission).
- The central service is light. Avery.Software's central service is used for authentication, license issuance, plugin catalog distribution, anonymized telemetry, payment processing, and software updates. Nothing else routes through it by default.
- Cloud AI is direct. Avery NXR talks to third-party AI providers in two situations:
  - App building (turning your prompt into a Next.js app) runs through a cloud provider you configure in Settings → AI using your own API key (the "Build profile"). Each scaffold request — and any follow-up /scaffold.fix or /scaffold.enhance call — sends the prompt, the project file listing, the generator catalog, and the iterative tool results directly from your device to the chosen provider. Avery.Software is not in the path of that traffic.
  - Agent runtime (the LLM your agents call at run-time) defaults to whatever you choose — a local SLM on your machine, the same cloud provider as Build, or a different cloud provider. Runtime calls follow the same direct path: your device → the chosen provider, with Avery.Software not in between.

  Avery.Software does not see, log, or store the contents of any prompt or response in either case. You can switch the runtime to a local SLM at any time in Settings. App building always uses a cloud provider — the local SLM has historically shipped a "staged" build pipeline but the tool-loop engine (the default since v1.4) requires a cloud provider.
- Telemetry is anonymized. We collect coarse counters and enums to operate, secure, and improve the Software. We do not collect prompts, project content, file paths, names, or any other personally identifiable detail. You can disable telemetry in Settings.
- Hosted apps are not our problem. When you deploy a generated application to Vercel, Railway, or an on-premises host, that environment is operated by you and the third-party hosting provider. Avery.Software has no visibility into and no responsibility for that environment.
- External A2A agents you connect are your choice. When you add a third-party agent that speaks the Agent2Agent (A2A) protocol — by pasting its AgentCard URL into the Software — outbound A2A calls go directly from your device to that agent's URL. Only the prompt text + configuration block you authored cross the wire. Your connector secrets, OAuth tokens, per-agent secrets, and project-folder references are never forwarded. Avery.Software's central service is not in the path of those calls.
1. Scope of This Policy
This Policy applies to information processed in connection with your use of the Software. It does not apply to:
- Your own development environment, operating system, hardware, or any data you store on your local machine.
- The behavior or data practices of any third-party AI provider (Anthropic, OpenAI, Google, Azure OpenAI, Bedrock, Hugging Face, etc.) you connect to — whether for building apps (Build profile in Settings → AI) or for agent runtime (Runtime profile). Their privacy policies govern that processing.
- The behavior or data practices of any third-party hosting provider (Vercel, Railway, on-prem hosts, etc.) to which you deploy a generated application.
- The behavior or data practices of any third-party OAuth service (Google, Microsoft, Slack, GitHub, etc.) you connect to. Their privacy policies govern that processing.
- Third-Party Plugins distributed through Forge or otherwise installed into the Software. These are governed by the privacy policy of the Plugin's publisher (if any).
- Applications generated by the Software. You are the controller of any data your generated application processes.
2. Information We Collect
2.1 Information You Provide to Us
We collect information you provide when you:
- Create or update an Account. Through the central service: email address, display name, organization (where applicable), password (hashed; we never store plaintext), and, for paid plans, billing details (handled by our payment processor — see Section 4.2).
- Subscribe to a paid plan. Tier (Free / Pro / Enterprise), Subscription Term, renewal status, billing cycle, and Subscription history. Payment instrument details (card number, CVV, expiration) are collected and stored by our payment processor (Stripe), not by us. We retain only a tokenized reference, the last four digits of the card, and the brand.
- Publish a Plugin to Forge. Plugin metadata (name, version, description, dependencies, signed manifest), and the Plugin publisher identity associated with your Account.
- Contact support. Any information you choose to share in a support email or feedback form, including the contents of any attachments you provide.
- Submit a crash report or feedback (opt-in, where the Software prompts you to share). Stack traces, the user-supplied description, and any data you elect to include.
2.2 Information Collected Automatically (Anonymized Telemetry)
When telemetry is enabled (the default; you may disable it in Settings → Account → Telemetry), the Software periodically transmits to our central service a small set of anonymized operational metrics, including:
- A stable, non-identifying install ID generated on first run. This is a random UUID; it is not derived from any personally identifiable signal.
- Coarse counters (e.g., number of scaffolds run, number of agent runs, number of plugin installs, build success/failure ratios).
- Categorical enums (e.g., archetype slug, generator name, plugin id, error code, hardware tier slug, deploy target id, active SLM model id).
- Durations (e.g., scaffold completion time, agent run duration, plan-orchestration time-to-converge).
- License tier (Free / Pro / Enterprise) at the time of the event, for capacity planning.
- Software version, OS family (macOS, Linux, Windows), and approximate region (derived from the IP address observed by our HTTP infrastructure; we do not store the IP itself in durable telemetry storage beyond what is required for security and abuse prevention).
We DO NOT collect via telemetry: your prompts, agent descriptions, project source, file paths, file contents, schema content, BYOK Keys, OAuth tokens, deployment URLs, real names, email addresses, or any natural-language strings you have entered into the Software.
2.3 Information Stored Locally on Your Device
The Software stores significant operational state on your local device. This data does not flow to Avery.Software except in the narrowly scoped exceptions described elsewhere in this Policy. Locally stored data includes:
- Project files under your configured projects root (default $HOME/nxr-projects).
- .nxr/ directories inside each project, containing the audit ledger, scaffold state, persisted activity stream, and console run history.
- OS keychain entries (or, where the OS keychain is unavailable, an AES-256-GCM-encrypted local file keystore under ~/.nxr/keystore/). This is where the Software stores your license JWT, BYOK Keys, OAuth refresh tokens, deploy tokens (Vercel, Railway), telemetry preference, theme mode, Consult Mode opt-in, projects-root path, and nxrd endpoint override.
- Installed plugins under ~/.nxr/plugins/.
- Installed SLMs under ~/.nxr/models/ (or the runtime's own directory, e.g., ~/.ollama/).
- Knowledge-base vectors for agents under ~/.nxr/kb/.
- Agent runs, run feedback, and learnings under ~/.nxr/agents/<agentId>/ — per-run transcripts; any thumbs-up/down, notes, or "what it should have done" corrections you record on a run in the Run Audit view; and the durable "learnings" the agent accumulates from warmup repairs + your feedback (so it improves with usage). All of this stays on your device; it is used locally to prime your agents' self-repair + self-improvement, and is only sent to a cloud model if you explicitly run an AI-assisted warmup or improvement, under the same Build-profile path described above.
- Logs in ~/.nxr/logs/ (rotated locally; not transmitted).
You can inspect, back up, or delete any of these files at any time using your operating system's tools.
2.4 Cookies and Similar Tracking Technologies
The Avery NXR desktop application does not use HTTP cookies.
The Avery.Software marketing website and central service web pages (such as the pricing page and the Stripe-mediated checkout) may use cookies and similar technologies for session management, fraud prevention, and analytics. Where required by applicable law, we will display a cookie banner and honor your choices.
3. How We Use Information
We use the information described above for the following purposes:
- Provide the Software. Authenticate you, issue and verify license tokens, deliver plugin catalog data, enable paid features per your tier, and operate the auto-updater.
- Process payments and manage Subscriptions. Bill you for paid plans, send renewal notices, prevent fraud, and resolve chargebacks (in coordination with our payment processor).
- Communicate with you. Send transactional notices (e.g., security alerts, payment receipts, change notifications), respond to support requests, and — only with your explicit consent or where permitted by law — send product updates and marketing.
- Operate, maintain, and improve the Software. Diagnose errors, monitor performance, plan capacity, prioritize features, detect fraud and abuse, and improve quality. This is the primary purpose of telemetry.
- Enforce our agreements and protect rights. Investigate suspected violations of our Terms of Use, protect ourselves and others from harm, and comply with legal process.
- Comply with law. Respond to lawful requests from government authorities, comply with tax and accounting obligations, and meet other legal duties.
We do not use your User Content or your prompts to train AI models. We do not sell your personal information.
4. How We Share Information
We share information only as described below.
4.1 With Service Providers
We share information with vendors that perform services for us, under written agreements that limit their use of the information to the purposes for which we engaged them. Current categories include:
- Payment processor: Stripe, Inc. — handles credit-card details, processes Subscription billing.
- Cloud hosting: Vercel, Inc. and other infrastructure providers — host the central service, license issuance API, Forge plugin catalog, and the marketing website.
- Email delivery: transactional email provider — sends receipts, sign-in codes, and other notices.
- Customer support tooling: ticket system to triage your support emails.
- Error monitoring and observability: to capture central service errors and performance metrics. (We do not route desktop crash reports through this category by default; those are an opt-in category in 2.1.)
- Analytics: aggregate analytics for our marketing website pages.
4.2 With Frontier AI Providers (Build + Runtime + Consult)
Avery NXR sends prompts to third-party AI providers in three situations, all of which route directly from your device to the provider with Avery.Software not in the path:
App building (Build profile). Every /scaffold.run,
/scaffold.fix, and /scaffold.enhance request runs through
the cloud provider you select in Settings → AI → Build profile.
On each request the Software sends to that provider:
- Your natural-language prompt (the description of what to build, or the errors to fix, or the enhancement to add).
- The archetype hint + database choice you picked in the scaffold dialog.
- The available-generators catalog (names + capability summaries — public metadata from the installed generator plugins, not your code).
- During the tool-loop iteration, the paths and contents of files the assistant chose to read from your project root (via the read_file / list_files tools the model invokes), capped to the project directory.
- The inputs you pass to invoked generators (entity names, field lists, configuration — whatever you wrote in the scaffold dialog).
App building requires a Build profile. Each request typically costs a few cents to a few dollars depending on the provider + model you chose. Your BYOK key is held in the local keystore; it never reaches Avery.Software.
Agent building & self-improvement (Build profile). When you generate an agent from a prompt, edit it in plain English, run an AI-assisted warmup repair, or accept a feedback-driven improvement, the Software sends to your Build provider: your natural-language prompt / instruction / feedback; the agent's graph — its nodes and their configuration, the edges between them, and (for a repair) the failing node's error plus the run's per-node outcome; the catalog of available node kinds; and a short label for your configured Runtime model (so the agent is designed within that model's reach). It does not send your stored secrets, OAuth tokens, or BYOK keys — those live only in the OS keystore and are never placed in node configuration. As with app building, this routes directly from your device to the provider, with Avery.Software not in the path.
Agent runtime (Runtime profile). Whenever an agent in Settings → Agents calls an LLM node, the call routes through your Runtime profile. If Runtime is local SLM, the prompt never leaves your machine. If Runtime is cloud, the prompt + any agent context goes to the chosen provider on the same direct-from-device path described above.
Consult Mode (deprecated for build; still available for
agent runtime). Older versions of the Software exposed a
per-request Consult Mode toggle to escalate one call to a
cloud provider. With v1.4's separation of Build vs Runtime
profiles, Build is always cloud and Runtime is whatever you
configured — so Consult Mode is largely subsumed. Where it
still appears (e.g., an agent node opting into a one-off
cloud upgrade), the same direct-from-device path applies.
The supported frontier providers as of this Policy's Last Updated date are Anthropic (Claude), OpenAI (GPT), Google (Gemini), Azure OpenAI Service, Amazon Bedrock, and Hugging Face (Inference Endpoints). Each is governed by its own privacy policy:
- Anthropic: https://www.anthropic.com/privacy
- OpenAI: https://openai.com/policies/privacy-policy
- Google: https://policies.google.com/privacy
- Azure OpenAI: https://www.microsoft.com/en-us/privacy/privacystatement
- AWS Bedrock: https://aws.amazon.com/privacy/
- Hugging Face: https://huggingface.co/privacy
The list of supported providers may change. Your decision to configure a Build profile (or to point Runtime at a cloud provider) is a decision to share the prompt + tool-call data described above with the chosen provider on the terms set by that provider. If you prefer not to share build prompts with any third party, do not configure a Build profile — the Software will refuse to scaffold and surface a setup prompt.
4.3 With Third-Party Hosting Providers (Only When You Deploy)
When you deploy a generated application to Vercel, Railway, or another host, the Software invokes the hosting provider's CLI or API on your behalf using credentials you supply. Source code, build artifacts, runtime logs, and any data your application processes are handled by the hosting provider under the agreement you have with them. Avery.Software is not a party to that agreement, has no visibility into the deployed environment, and is not a processor of any data your deployed application collects.
4.4 With OAuth-Connected Services (Only When You Connect)
When you connect a third-party service through an OAuth connector (Google, Microsoft, Slack, GitHub, etc.), the authentication flow runs locally on your device. The OAuth tokens issued by the connected service are stored in your OS keychain only. Calls to the connected service are made from your device (or from a local agent runtime) using those tokens. Avery.Software's central service is not in the path of those calls.
4.5 With Third-Party A2A Agents (Only When You Add One)
The Software supports the open Agent2Agent (A2A) protocol
(an open standard hosted by the Linux Foundation) for
interoperating with remote agents built on other platforms.
You opt in to this surface explicitly: by pasting an
AgentCard URL for a third-party agent into the desktop's
"Add external agent" dialog, you authorize the Software to
call that URL on your behalf when an agent graph you author
contains an external-agent node bound to that record.
Each call sends:
- The prompt text you wrote into the agent node's configuration (after any template substitution against upstream node outputs).
- The optional configuration block you wrote (accepted output modes, a push-notification webhook URL if you set one).
- A call-stack header listing the chain of agent ids visited so far in the current run, used for loop / cycle detection.
Each call does NOT send:
- Your connector secrets (SMTP credentials, IMAP passwords, API keys held in the connector keystore).
- Your OAuth tokens for connected services.
- Your per-agent encrypted secrets referenced via {{secrets.NAME}} templates.
- Your project folder paths or appReferences.
- Any data outside the prompt + configuration block you authored.
Avery.Software's central service is not in the path of these
calls. Traffic flows directly from your device to the
AgentCard URL you supplied. The remote agent operator is a
separate data controller; their privacy practices are governed
by the agreement you have with them, not by this Policy. By
default the Software refuses to dial AgentCard URLs that
resolve to private / loopback network ranges; users who need
to call a self-hosted A2A server on the same network can opt
in by setting NXR_ALLOW_PRIVATE_AGENT_URLS=1 in their
environment.
4.6 With Third-Party MCP Servers (Only When You Add One)
The Software supports the open Model Context Protocol (MCP)
(an open standard governed by the Agentic AI Foundation, a
Linux Foundation directed fund) for letting agents call into
external tool catalogs published by third parties — for example,
GitHub, Linear, Postgres, Brave Search, or any other host that
ships an MCP server. You opt in to this surface explicitly by
adding an mcp-server connector through the desktop's
Connectors page and clicking "Connect" on the Settings → AI →
MCP Servers row.
When an agent invokes a tool exposed by a connected MCP server, each call sends:
- The tool arguments the agent supplied (after any template substitution against upstream node outputs).
- For Streamable HTTP transport: an Authorization: Bearer header carrying the bearer token you saved in the connector form, if you chose Bearer token auth.
- For stdio transport: any env vars you declared on the connector form (including the bearer token substituted into {{secret}} placeholders).
Each call does NOT send:
- Your other connector secrets (SMTP credentials, IMAP passwords, OAuth tokens for unrelated services).
- Your per-agent encrypted secrets referenced via {{secrets.NAME}} templates unless you wrote them into the tool's argument map.
- Your project folder paths or appReferences unless you passed them as tool arguments.
- Any data outside the tool arguments + the auth shape you configured on the connector.
Avery.Software's central service is not in the path of these
calls. Traffic flows directly from your device to the MCP
server you configured. For stdio transport, the MCP server
process runs locally on your machine as a child process spawned
by the Software's mcp-client worker; the binary and its
arguments are whatever you specified in the connector form
(treat this like installing software — the server can do
anything its underlying credentials let it do). For Streamable
HTTP transport, traffic flows directly to the URL you specified.
The MCP server operator (or, for stdio, the local binary
maintainer) is a separate data controller; their privacy
practices are governed by the agreement you have with them, not
by this Policy.
The Software exposes a per-tool enable/disable toggle (Settings → AI → MCP Servers → expand server row) so you can curtail which tools your agents are allowed to call. Disabled tools are hidden from the agent builder palette and refused at runtime.
4.7 With External MCP Hosts (Only When You Enable the Outbound Server)
The Software optionally exposes the Avery local service as a
Model Context Protocol server. When you turn this on (Settings →
AI → MCP Server → "Enable outbound server"), the Software binds
a localhost HTTP endpoint (http://127.0.0.1:19274/mcp) that
external MCP hosts — Claude Desktop, Cursor, Continue, Zed,
ChatGPT, or any other host you point at it — can call to invoke
Avery capabilities and run Avery agents on your behalf. This is
the inverse of §4.6: instead of Avery calling out to a third
party, a third party calls in to Avery, with you holding the
bearer token that authorises the connection.
Authentication: a bearer token minted at enable time (visible once on the same page) gates every inbound request. The token is stored locally in the same OS-keychain-or-file keystore that holds your other connector credentials; it never leaves your machine except in the configuration line you paste into the external host. You can rotate the token at any time ("Rotate token") and revoke external access by clicking "Disable" — both flip the running state immediately + the external host returns to its pre-Avery state on its next call.
The outbound server NEVER:
- Listens on any address other than 127.0.0.1 (the loopback interface). Remote machines cannot reach it without an explicit tunnel you set up yourself (e.g., your own SSH forward or WireGuard tunnel).
- Auto-exposes any capability or agent. The list of exposed items defaults to empty — you opt in per item via the same Settings page. An external host calling tools/list on a freshly-enabled server sees zero tools until you add some.
- Sends data to Avery.Software's central service. The audit log visible on the Settings page is in-memory + local-only.
- Uses your central-service license credentials for inbound authentication. The outbound-server bearer is a separate secret distinct from your licensing flow.
When an external MCP host calls tools/call on an exposed
capability or agent, the Software:
- Verifies the bearer matches.
- Confirms the requested tool is in your opt-in list (refuses otherwise with E_MCP_HOST_TOOL_DISABLED).
- Executes the capability or agent locally using the same runtime path your in-app agents already use — so the same per-agent secrets, per-connector OAuth bundles, file-system scopes, and consent prompts apply.
- Appends one entry to the local audit log (verb / tool / peer IP / outcome / duration). The log is capped at 1,000 entries FIFO and never persisted across restarts.
If a tool you expose itself invokes a third-party service (for
example, exposing the email.send capability lets an external
host send email through your configured Gmail / SMTP / Resend
connector), the privacy implications of that third-party hop are
covered by §4.6 (third-party MCP servers) or the relevant
provider-specific section, not by this paragraph. The outbound
server is a forwarding surface, not a data store.
Pro and Enterprise tier subscribers get the outbound MCP server as part of their plan; Free tier does not include this surface (the Settings page is visible but the "Enable" button surfaces a "Pro+ feature" notice). Tier gating is enforced locally against your license map; no third party sees that you have or have not turned the feature on.
4.8 In Connection with a Business Transaction
If Avery.Software is involved in a merger, acquisition, financing, due diligence, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, your information may be transferred as part of such a transaction, subject to standard confidentiality protections and any applicable legal requirements. We will notify you (where practical) of any such change.
4.9 To Comply With Law and Protect Rights
We may disclose information when we believe in good faith that disclosure is necessary to (a) comply with a law, regulation, legal process, or government request; (b) enforce our Terms of Use; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect against harm to the rights, property, or safety of Avery.Software, our users, or the public.
4.10 With Your Consent
We may share information for any other purpose with your explicit consent.
4.11 We Do Not Sell Personal Information
We do not sell your personal information, nor do we share it for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act (CCPA / CPRA).
5. Information We Do NOT Collect or Receive
For clarity, we do not collect or have access to:
- The contents of your prompts to local SLMs.
- The contents of your Consult Mode prompts to frontier providers (these flow direct from your device to the provider).
- The source code we help you generate.
- The contents of your project files, schemas, agent definitions, or knowledge-base documents.
- Your BYOK Keys (stored in your OS keychain only).
- Your OAuth refresh tokens (stored in your OS keychain only).
- Your deploy tokens (stored in your OS keychain only).
- Logs your generated application produces in production.
- Data your generated application processes about its end users.
6. Data Retention
We retain information only for as long as necessary for the purposes described in this Policy or as required by law.
- Account data: retained while your Account is active and for a reasonable period after deletion to satisfy legal, audit, and dispute-resolution obligations.
- Subscription and billing records: retained for the period required by tax and accounting laws (typically seven years).
- Telemetry: retained in detailed form for up to twelve (12) months and may be aggregated indefinitely thereafter in a form that cannot be associated with any particular install.
- Support communications: retained for as long as necessary to handle and resolve your inquiry, plus a reasonable period thereafter.
- Forge plugin metadata: retained while the plugin is available in the catalog, plus a reasonable archival period.
- Local data on your device: retained until you delete it. We have no role in your local retention.
7. Security
We implement administrative, technical, and physical safeguards designed to protect information against unauthorized access, loss, misuse, and alteration. Examples include:
- Encryption in transit (TLS) for all communication with the central service.
- Encryption at rest for sensitive central-service data.
- Cryptographic signing of license tokens (Ed25519) and Software / Plugin update payloads.
- BYOK Keys, OAuth tokens, license tokens, and other secrets on your device are stored either in the OS keychain (macOS Security framework, Windows Credential Manager, or libsecret) or, where the OS keychain is unavailable, in an AES-256-GCM-encrypted file vault under ~/.nxr/keystore/ with a 32-byte master key in a sibling 0600-permission file.
- Principle of least privilege for personnel access.
- Routine security review and patching.
No security measure is perfect. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the security of your local device, your account credentials, and any BYOK Keys you supply. Notify us immediately at legal@avery.software if you suspect any unauthorized use of your Account.
8. International Data Transfers
Avery.Software is headquartered in California. Information we collect may be processed in the United States and in any other country where we or our service providers operate. By using the Software, you understand your information may be transferred to the U.S., which may have different data-protection laws than your country of residence. Where required by law, we use appropriate transfer mechanisms (such as Standard Contractual Clauses) for international transfers.
9. Your Privacy Rights
The rights described below depend on the laws applicable to you. To exercise any right, contact us at legal@avery.software. We may need to verify your identity before responding.
9.1 California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights with respect to personal information we collect about you:
- Right to Know. Request the categories and specific pieces of personal information we have collected about you, the sources, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete. Request deletion of personal information we have collected about you, subject to certain exceptions (e.g., legal obligations, security).
- Right to Correct. Request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Personal Information. We do not collect categories of sensitive personal information for purposes other than those permitted by law without limitation.
- Right to Opt Out of Sale or Sharing. We do not sell or share personal information for cross-context behavioral advertising purposes.
- Right to Non-Discrimination. We will not discriminate against you for exercising any of these rights.
To exercise these rights, email legal@avery.software with a clear description of your request. You may designate an authorized agent to make a request on your behalf, subject to verification.
9.2 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)
If you are located in the EEA, the UK, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent local laws:
- Right of access to your personal data.
- Right to rectification of inaccurate personal data.
- Right to erasure ("right to be forgotten") in certain circumstances.
- Right to restriction of processing in certain circumstances.
- Right to data portability for data you have provided to us in a structured, commonly used, machine-readable format.
- Right to object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decision-making, including the right not to be subject to a decision based solely on automated processing that produces legal effects on you or similarly significantly affects you. The Software does not make such decisions about you.
- Right to withdraw consent at any time, where processing is based on consent.
- Right to lodge a complaint with your local data protection authority.
Legal bases. We process personal data on one or more of the following bases: (a) performance of a contract with you (operating the Software, billing); (b) legitimate interests (securing and improving the Software, fraud prevention, internal analytics on aggregated telemetry); (c) consent (telemetry collection where you have not opted out, marketing emails, optional crash reports); and (d) legal obligation (tax, accounting, response to lawful requests).
Data protection contact. All privacy-related requests — including requests under Articles 12–22 of the GDPR, requests that would otherwise be directed to a designated EU or UK representative under Article 27, requests for information about our cross-border transfer mechanisms, and complaints — should be sent to legal@avery.software. We do not currently maintain a separately designated EU or UK representative; until we do, this email address is the single point of contact for all such requests, and we will respond within the timeframes required by applicable law. If we later designate a formal representative, the designation will be published on our website and incorporated into this Policy by an update.
9.3 Other U.S. State Privacy Laws
A growing number of U.S. states have enacted comprehensive consumer privacy laws. The rights granted under those laws are substantially similar to one another and to the California rights described in §9.1, with some state-by-state variations in scope, thresholds, response windows, opt-out mechanisms, and appeal procedures.
If you are a resident of any state listed in §9.3.2 below, Avery.Software extends the following common rights to you, subject to the limits and exceptions of your state's law:
9.3.1 Common Rights Across U.S. State Laws
- Right to Confirm and Access. Confirm whether we are processing your personal data and obtain a copy in a portable, commonly used, machine-readable format.
- Right to Correct. Request correction of inaccurate personal data (where the law in your state recognizes this right).
- Right to Delete. Request deletion of personal data we have collected from or about you, subject to exceptions for legal obligations, security, completing a transaction, etc.
- Right to Opt Out of Sale or Sharing. Direct us not to sell or share your personal data for cross-context behavioral advertising. Avery.Software does not sell personal data and does not share personal data for cross-context behavioral advertising as those terms are defined under any applicable U.S. state law.
- Right to Opt Out of Targeted Advertising. Direct us not to use your personal data for targeted advertising. (We do not engage in targeted advertising; this right is therefore a no-op for us, but it remains available to exercise.)
- Right to Opt Out of Profiling Decisions. Where the law in your state recognizes this right, opt out of profiling that produces legal or similarly significant effects. The Software does not make such decisions about you.
- Right to Limit Use of Sensitive Personal Information. We do not collect categories of sensitive personal information for purposes other than those permitted by law without limitation.
- Right to Appeal. If we deny a privacy request, you may appeal that denial by replying to our denial email or by emailing legal@avery.software with the subject "Privacy Appeal." We will substantively respond to the appeal within the timeframe required by your state's law (typically 45 to 60 days).
- Right to Non-Discrimination / No Retaliation. We will not discriminate against you for exercising any of these rights.
- Authorized Agents. You may designate an authorized agent to make a request on your behalf, subject to verification.
To exercise any of these rights, email legal@avery.software with (a) a clear description of the request, (b) the state in which you reside, and (c) sufficient information for us to verify your identity. We will respond within the timeframe required by your state's law.
9.3.2 States Currently Covered by §9.3
The following table lists the U.S. states whose comprehensive privacy laws apply to Avery.Software's processing of personal data of state residents (as of this Policy's Last Updated date). This list will grow as additional state laws come into force; we extend the §9.3.1 common rights to residents of any state with a comparable law in effect, whether or not the state is explicitly listed here.
| State | Statute (Common Name) | Right to Correct | Right to Appeal |
|---|---|---|---|
| California | CCPA / CPRA | yes | n/a (DPA path) |
| Colorado | CPA | yes | yes |
| Connecticut | CTDPA | yes | yes |
| Delaware | DPDPA | yes | yes |
| Indiana | INCDPA | yes | yes |
| Iowa | ICDPA | no | no |
| Kentucky | KCDPA | yes | yes |
| Maryland | MODPA | yes | yes |
| Minnesota | MCDPA | yes | yes |
| Montana | MTCDPA | yes | yes |
| Nebraska | NDPA | yes | yes |
| New Hampshire | NHPA | yes | yes |
| New Jersey | NJDPA | yes | yes |
| Oregon | OCPA | yes | yes |
| Rhode Island | RIDTPPA | yes | yes |
| Tennessee | TIPA | yes | yes |
| Texas | TDPSA | yes | yes |
| Utah | UCPA | no | no |
| Virginia | VCDPA | yes | yes |
If your state passes a comprehensive privacy law after this Policy's Last Updated date, your rights under that law take effect on its statutory effective date even if this Policy has not yet been amended to add your state to the table.
9.3.3 California-Specific Notice
If you are a California resident, see §9.1 above for the full description of your rights under the CCPA / CPRA, including the rights to know specific pieces of personal information, to limit use of sensitive personal information, and to non-discrimination for exercising rights.
9.3.4 Texas-Specific Notice
For Texas residents under the Texas Data Privacy and Security Act (TDPSA): we do not engage in targeted advertising, do not sell personal data, and do not engage in profiling that produces legal effects. The mechanisms above (email to legal@avery.software) are the supported channels for exercising rights under TDPSA.
9.3.5 Connecticut, Colorado, Oregon, and Other Universal-Opt-Out States
Where your state's law recognizes universal opt-out signals (for example, the Global Privacy Control), we will treat a recognized signal as an opt-out request to the extent required by that law. Because the Avery NXR desktop application is not a web browser, GPC signals primarily affect our marketing website and central-service web pages.
9.4 Other Jurisdictions
If you reside in a jurisdiction with applicable data-protection law not addressed in §9.1, §9.2, or §9.3 — for example, Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, or South Korea's PIPA — you may have rights similar to those described above. Contact us at legal@avery.software with a description of your request and the law under which you assert the right, and we will respond consistent with that law.
10. Children's Privacy
The Software is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided personal information to us, contact legal@avery.software and we will take appropriate steps to delete it.
11. Do Not Track
The Avery NXR desktop application does not respond to "Do Not Track" browser signals because it is not a web browser. Our marketing website and central-service web pages may respond to such signals where required by applicable law.
12. Third-Party Links and Services
The Software and our website may contain links to third-party websites or services (including links into frontier-provider consoles, plugin source repositories, hosting-provider dashboards, payment processor portals, and OAuth provider consent pages). Those websites and services are not operated by us, and this Policy does not apply to them. Review the privacy policy of any third party before sharing information with them.
13. Plugins (Forge and Otherwise)
Third-Party Plugins distributed through Forge or otherwise installed into the Software may collect, transmit, or process data as part of their function (for example, a plugin might make network calls during code generation, or a connector plugin might mirror data into a third-party service). Avery.Software does not control how Third-Party Plugins handle data. You are responsible for reviewing the privacy and security implications of any Plugin you install. The signature verification Avery.Software applies to plugins distributed through Forge confirms the bytes you receive match what the publisher signed; it does not certify the plugin's data practices.
14. Generated Applications
Applications you generate with the Software run independently of the Software once deployed. You — not Avery.Software — are the controller (or business, under the CCPA) of any data your deployed application processes about its end users. It is your responsibility to:
- Provide an appropriate privacy policy for your deployed application.
- Comply with applicable data-protection laws.
- Configure security and access controls.
- Honor data-subject requests directed at your application.
- Choose and configure your hosting environment securely.
15. Aggregated and De-Identified Data
We may create aggregated, de-identified, or anonymized data from information we collect (including telemetry) and use that data for any lawful purpose, including improving the Software, publishing benchmarks, or sharing trend insights. Such data will not be used in a way that identifies you or your install.
16. Changes to This Policy
We may update this Policy from time to time. The "Last Updated" date at the top of this document reflects the most recent change.
For material changes, we will provide reasonable advance notice through (a) an in-product notification, (b) email to the address associated with your Account, and/or (c) the central service login flow. Other changes are effective when posted.
Your continued use of the Software after the effective date of a change constitutes acceptance of the updated Policy. If you do not agree to a change, stop using the Software before the effective date.
We will not retroactively reduce your rights without your consent.
17. Contact Us
If you have questions about this Policy, want to exercise a privacy right, or want to raise a complaint, contact us:
GoodGist, Inc. (doing business as Avery.Software)
1825 S. Grant St., Suite 200
San Mateo, CA 94404, USA
Email: legal@avery.software
All privacy-related requests — including requests that would otherwise be directed to a designated EU or UK representative — should be sent to legal@avery.software. We do not currently maintain a separately designated representative; this email address is the single point of contact for all such requests until we publish a formal designation.
We respond to verified privacy requests within the timeframes required by applicable law. If you are not satisfied with our response, you may have a right to lodge a complaint with your local data-protection authority.
Trademark and Copyright Notice
Avery.Software®, Avery NXR®, the lime spark logo, and related trade dress are trademarks of GoodGist, Inc. All other product names, brand names, logos, and trademarks referenced in this Policy or in the Software are the property of their respective owners and are used for identification purposes only.
© 2026 GoodGist, Inc. All rights reserved.
By using the Software you acknowledge that you have read, understood, and consent to the collection, use, and sharing of information as described in this Privacy Policy.