What we collect, why, and what we don't.

AIR-Tools B.V. ("we", "our") is the controller of personal data we process to operate this website and the AIR-Tools service. Registered at Midden Engweg 31-33, 3882 TS Putten, the Netherlands (KvK 93535716). For data-protection questions, mail privacy@air-tools.nl — our data-protection contact point.

Account data (name, email, organisation, password hash). Organisational data you provide or connect (domains and URLs to scan, supplier lists, integration configurations, uploaded documents and policy drafts). Service usage events generated by your activity (scan runs, AI conversations, action completions, page views). Billing data when you subscribe (limited to what Stripe shares back: customer ID, subscription status, last 4 of card). We do not collect special-category data, and we ask you not to upload it. Fully anonymised or aggregated data that cannot be traced back to you or any individual falls outside this notice; we may use it to secure, analyse, and further develop the service. We are the controller for this account, billing, website, and usage data. For the organisational and personal data you upload or connect — supplier lists, uploaded documents, scan targets, and the people referenced in them — we act as your processor under the Data Processing Agreement, not as controller; that agreement governs how we handle it.

Contract performance (Art. 6(1)(b) GDPR) for everything required to deliver the service to you. Legitimate interest (Art. 6(1)(f)) for security logging, fraud prevention, and aggregate product analytics. Legal obligation (Art. 6(1)(c)) for tax, accounting, and any incident-notification duties. Consent (Art. 6(1)(a)) for anything outside these bases — asked explicitly, recorded, and revocable any time.

Account and organisational data: for as long as your account is active, plus a 90-day export window after cancellation, then deleted from primary storage. Backups: encrypted, 35-day rolling retention, then overwritten. Server and audit logs: 90 days. AI conversation transcripts: retained with the originating organisation and removed on the same schedule. Billing records: 7 years (Dutch tax retention obligation). Marketing-list opt-ins: until you unsubscribe.

We use a small set of sub-processors to run the service. The full current list — Vercel, Supabase, OpenAI, Anthropic, Firecrawl, Brave Search, Stripe, Resend, Sentry, HubSpot — is published on the transparency page with region, purpose, and DPA status. For US-based providers we rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where the provider is certified. We give you 30 days' notice before any sub-processor change so you can object.

All operational storage is EU (Vercel EU-Frankfurt, Supabase EU-Frankfurt). Some processing — large-language-model inference (OpenAI, Anthropic), web crawling (Firecrawl), search (Brave Search) — runs on US-based providers. Each transfer relies on SCCs (Module 2: controller-to-processor) and supplementary measures (encryption in transit, no-train tiers where available, minimum-necessary data). The full transfer mechanism per provider is on the transparency page. Mail privacy@air-tools.nl for a copy of the relevant Standard Contractual Clauses.

When Clair generates text, the prompt sent to the LLM provider can include: the URL or document you asked her about, the organisation context she needs to answer, and the question you typed. Customer organisational data is sent only as needed for the specific request and is not used by providers to train their models — we use no-train API tiers where the provider's terms support it (the Anthropic and OpenAI API tiers we use both do).

You can ask us to: give you a copy of your personal data (access), correct it (rectification), delete it (erasure), restrict our use of it, take it elsewhere (portability), or object to our processing. Mail privacy@air-tools.nl. We respond within one month, usually within a week. We don't charge for the first request in any 12-month window.

Clair generates suggestions, draft text, and risk scores using AI. None of these are automated decisions with legal or similarly significant effect on you under Art. 22 GDPR — every output is advisory and a human (you) decides what to act on.

Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag. autoriteitpersoonsgegevens.nl. We'd rather you mail us first — most things get fixed faster that way — but you keep the right to complain at any time.

privacy@air-tools.nl. Subject line "privacy" gets to the right person.