Privacy Notice

Last Updated: April 2026

1. Introduction

AirCEO ("we", "our", "us") is committed to protecting your privacy. This Privacy Notice explains how we collect, use, and safeguard personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

AirCEO is a trading name of Tarquin Barnsby, a sole trader based in England. For all data protection enquiries, contact us at privacy@airceo.uk.

2. Data We Collect

We collect intelligence strictly necessary for providing our autonomous outbound services:

  • Account Data: Names, email addresses, and cryptographic authentication tokens provided during registration.
  • Operational Data: B2B contact lists, campaign sequencing logs, reply classifications, and engagement telemetry configured within your dashboard.
  • Financial Data: Processed securely via our payment gateway (Stripe). We do not store full card numbers.
  • Technical Data: IP addresses, browser type, device information, and usage analytics collected via essential cookies and server logs.
  • Voice Data: If you use our Voice OS, audio recordings of demo sessions and call transcripts may be temporarily processed for AI classification. Recordings are not stored beyond the session unless explicitly configured.

3. Lawful Basis for Processing

We process your data under the following lawful bases (Article 6, UK GDPR):

  • Contract Performance (Art. 6(1)(b)): Processing necessary to deliver the AirCEO platform and fulfil our subscription agreement with you.
  • Legitimate Interests (Art. 6(1)(f)): Fraud prevention, system security, platform improvement, and anonymous aggregate analytics.
  • Legal Obligation (Art. 6(1)(c)): Compliance with UK tax, anti-money laundering, and regulatory requirements.
  • Consent (Art. 6(1)(a)): Where applicable, for optional marketing communications. You may withdraw consent at any time.

When AirCEO acts as a Data Processor on your behalf (dispatching outreach to your leads), you act as the Data Controller. Processing is governed by our Data Processing Agreement.

4. Data Retention

  • Account data: Retained for the duration of your subscription plus 30 days after cancellation, unless deletion is requested sooner.
  • Operational data (leads, campaigns): Retained for the duration of your subscription. Upon termination, data is purged within 90 days unless a legal retention obligation applies.
  • Financial records: Retained for 7 years as required by UK tax legislation (HMRC).
  • Server logs and analytics: Retained for up to 90 days for security and debugging purposes.
  • Unsubscribed leads: Personal data is scrubbed immediately upon unsubscribe. Only a hashed suppression record is retained to prevent re-contact.

5. International Data Transfers

Some of our sub-processors operate outside the UK. Where personal data is transferred internationally, we ensure appropriate safeguards are in place:

  • Stripe (US): Payment processing — UK GDPR Adequacy / Standard Contractual Clauses (SCCs).
  • OpenAI (US): AI text generation — SCCs in place. Data is processed transiently and not used for model training under our enterprise agreement.
  • Clerk (US): Authentication — SCCs in place.
  • Supabase (EU/US): Primary database — data hosted in EU region.
  • Inngest (US): Background job orchestration — SCCs in place. Processes metadata only.
  • Resend (US): Transactional email delivery — SCCs in place.

A full sub-processor list is maintained in our Data Processing Agreement.

6. Automated Decision-Making

AirCEO uses artificial intelligence to generate email copy, classify reply intent, score lead engagement, and optimise campaign performance. These automated processes do not produce legal effects or similarly significant effects on individuals. All AI-generated outbound communications are sent on behalf of and under the control of the Data Controller (you, the customer).

7. Your Rights

Under the UK GDPR, you have the following rights:

  • Right of Access (Art. 15): Request a copy of your personal data.
  • Right to Rectification (Art. 16): Correct inaccurate personal data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to Restriction (Art. 18): Restrict processing in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw at any time without affecting prior processing.

To exercise any of these rights, email privacy@airceo.uk. We will respond within 30 days.

8. Cookies

AirCEO uses only strictly necessary cookies for authentication session management. We do not use advertising, tracking, or analytics cookies. No third-party tracking scripts are loaded. You can manage cookies via your browser settings.

9. Data Security

We implement industry-standard security measures including AES-256-GCM encryption for sensitive credentials, TLS 1.3 for data in transit, Row-Level Security (RLS) for tenant isolation, and regular access auditing. All API keys stored in our vault are encrypted at rest with unique initialisation vectors.

10. Complaints

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

11. Contact

For any questions about this Privacy Notice or our data practices: