Legal

Privacy Policy

Last updated: May 2026

Avalon Systems ("Avalon", "we", "our", "us") respects your privacy. This policy describes the data we handle when you use the Avalon platform, the Avalon Densitometer, the Avalon CR-100 viewer, the Avalon mobile applications, and this website.

What We Collect

The Avalon platform stores information that customers provide while using the product. This includes:

User account information — name, email address, role, and authentication credentials.
Job and inspection records — customer references, locations, methods, technicians, hours, and notes that the customer chooses to enter.
Files uploaded by users — reports, photos, signatures, and DICONDE radiographs.
Device information — browser, operating system, and IP address, used solely for security and diagnostic purposes.
Push-notification tokens and biometric public keys, where the user has opted in.

What We Don't Collect

We don't collect data we don't need. Avalon does not track users across the web, does not load third-party analytics or advertising scripts, and does not sell or rent customer data to anyone, ever.

How We Store Data

The platform's data lives in a PostgreSQL database hosted on infrastructure controlled by Avalon Systems or, in the case of self-hosted deployments, by the customer. Data is encrypted in transit using TLS and at rest using disk-level encryption.

Self-Hosted Deployments

If your organization runs Avalon on your own server, the data is yours alone. Avalon Systems does not have remote access to self-hosted instances except where the customer explicitly grants it for support purposes.

Mobile Applications

The Avalon Systems iOS and iPadOS apps connect to the customer's chosen Avalon deployment. The apps cache data locally on the device for offline use; this cache is encrypted and is purged when the user signs out. Biometric authentication is performed on-device — Avalon never receives the biometric template.

Cookies and Tracking

This website uses no cookies and no tracking pixels. The platform itself uses a single session cookie for authentication, and a small number of preference keys stored in localStorage on the user's device.

Third-Party Services

Where the customer chooses to enable an integration (Gusto, Plaid, QuickBooks, Mirion / Instadose, Microsoft 365), the data exchanged is governed by both this policy and the third party's policy. We never share data with these services beyond what the customer has explicitly authorized.

Children

Avalon is a business-to-business product and is not directed to anyone under sixteen. We do not knowingly collect data from children.

Your Rights

Customers may request a complete export of their data, correction of inaccurate data, or deletion of their account and data at any time, by writing to privacy@avalon-sys.com. Self-hosted customers can perform these operations directly against their own database.

Data Retention

For hosted deployments, customer data is retained for the duration of the customer's active subscription and for thirty days after termination, unless an export and deletion is requested earlier.

Changes

If we change this policy in any material way, we'll publish the new version here, update the "last updated" date, and notify customers by email.

Contact

Questions about this policy? Write to privacy@avalon-sys.com.