Privacy Policy

Last updated: 1 March 2026
GDPR · CCPA · HIPAA
Summary
AIRMY is committed to protecting your privacy. We collect the minimum data necessary to operate the platform. We do not sell your personal data. We do not use your Customer Data to train shared AI models. This policy explains in full what we collect, why, and what rights you have over your data. If you have questions, contact our Data Protection Officer at dpo@airmy.dev.

1. Introduction

This Privacy Policy describes how AIRMY Technologies, Inc. ("AIRMY", "we", "us", or "our") collects, uses, stores, and shares personal information when you use the AIRMY platform, API, website at airmy.dev, and related services (collectively, the "Service").

This policy applies to: visitors to our website; individuals who register for an account; API users and developers; enterprise customers and their authorised users; and individuals who contact our sales, support, or marketing teams.

We comply with applicable data protection legislation including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other applicable privacy laws. Where requirements differ across jurisdictions, we apply the more protective standard.

2. Data Controller Identity

For personal data processed in connection with your use of the Service, AIRMY Technologies, Inc. is the data controller, responsible for determining the purposes and means of processing.

For personal data that you submit as part of your Customer Data (i.e., data you send to Agents or store on the platform), you are the data controller and AIRMY acts as a data processor on your instructions. Enterprise customers may execute a separate Data Processing Addendum (DPA) — see Section 12.

Registered address: AIRMY Technologies, Inc., 340 Pine Street, Suite 800, San Francisco, CA 94104, United States.

EU/UK Representative: AIRMY Europe Ltd., 71 Queen Victoria Street, London, EC4V 4AY, United Kingdom.

3. Information We Collect

3.1 Information You Provide

  • Account data: name, work email address, job title, company name, and password (stored as a salted hash) when you register.
  • Billing data: payment card details (tokenised by our payment processor, Stripe), billing address, and purchase history.
  • Communications: messages and attachments you send us via support tickets, email, live chat, or contact forms.
  • Profile data: optional profile picture, preferences, and notification settings you configure.

3.2 Information We Collect Automatically

  • Usage data: pages visited, features used, buttons clicked, search queries, and navigation paths within the dashboard.
  • Technical data: IP address, browser type and version, operating system, device identifiers, time zone, and referring URLs.
  • API telemetry: API call timestamps, endpoint paths, response codes, latency, and call volumes — but not the content of requests or responses unless you opt into enhanced debugging logging.
  • Log data: server logs capturing access timestamps, error events, and performance metrics.
  • Cookie data: see Section 11 for full details on cookies and tracking technologies we use.

3.3 Information From Third Parties

  • Identity providers: if you sign in via GitHub, Google, or another OAuth provider, we receive your name, email address, and profile identifier from that provider.
  • Enterprise SSO: if your organisation uses SAML or OIDC, we receive the attributes your identity provider is configured to share (typically name, email, and group memberships).
  • Payment processors: Stripe provides us with payment status, last-four digits of your card, and card expiry for billing records.
  • Marketing intelligence: if you attend an AIRMY event or fill in a lead form, we may receive contact details from event platforms or marketing tools.

3.4 Customer Data

Customer Data is any content you submit to the Service, including inputs to Agents, uploaded documents, and configurations. AIRMY processes Customer Data solely to provide the Service and as further described in Section 12. We treat Customer Data as confidential.

4. How We Use Your Information

Purpose | Categories of data used | Legal basis (see §5)
Providing and operating the Service | Account data, API telemetry, Customer Data | Contract performance
Billing and payment processing | Account data, billing data | Contract performance
Security, fraud prevention, abuse detection | Technical data, log data, usage data | Legitimate interest
Customer support and troubleshooting | Account data, communications, log data | Contract performance / legitimate interest
Product analytics and improvement | Usage data, technical data (anonymised) | Legitimate interest
Sending transactional communications | Account data, communications | Contract performance
Marketing and product updates | Account data, usage data | Consent / legitimate interest
Legal compliance and enforcement | All categories as required | Legal obligation / legitimate interest
Onboarding and customer success | Account data, usage data | Contract performance / legitimate interest

We do not make automated decisions about you that produce significant legal or similarly significant effects without human review, except for automated fraud and abuse detection where we will provide a human review upon request.

If you are in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases:

5.1 Contract Performance

Processing necessary to create and manage your account, provide the Service, process payments, and handle support requests.

5.2 Legitimate Interests

Processing necessary for our legitimate business interests, where those interests are not overridden by your rights and interests. These include: operating, securing, and improving the Service; detecting and preventing fraud and abuse; direct marketing to existing customers for similar services; and communicating important product changes.

5.3 Legal Obligation

Processing necessary to comply with applicable law, court orders, regulatory requirements, or law enforcement requests.

5.4 Consent

For certain processing activities — such as marketing emails to non-customers, placing non-essential cookies, or specific analytical data collection — we rely on your consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.

6. Information Sharing & Disclosure

We do not sell, rent, or trade your personal data. We share information only in the circumstances below:

6.1 Service Providers

We engage third-party vendors who process data on our behalf under strict data processing agreements, including: cloud infrastructure providers (AWS, GCP, Azure); payment processing (Stripe); customer support tooling; analytics platforms; and email delivery services. All processors are vetted and contractually bound to process data only on our instructions.

6.2 Business Transfers

If AIRMY undergoes a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections. We will notify you via email and a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.

6.3 Legal Requirements

We may disclose data where required by law, regulation, court order, or government authority. Where legally permitted, we will provide you with notice before disclosing. We publish a Transparency Report on requests received from government and law enforcement annually.

6.4 Protection of Rights

We may share data to enforce our Terms of Service, protect the rights and safety of AIRMY, our users, or the public, or to investigate fraud, security incidents, or technical issues.

6.5 With Your Consent

We may share data for any other purpose with your explicit consent.

7. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this policy, subject to our legal and regulatory obligations:

Data category | Retention period | Basis
Account data | Duration of account + 3 years post-closure | Legal obligation, contract
Billing records | 7 years from transaction date | Legal obligation (tax/accounting)
Customer Data (inputs/outputs) | 90 days after last use, unless extended by plan | Contract performance
Audit logs (Enterprise) | 1–10 years (customer-configurable) | Contract, compliance
Server & API access logs | 12 months | Legitimate interest (security)
Support communications | 3 years from ticket closure | Legitimate interest
Marketing consent records | 3 years from consent or last interaction | Legal obligation (GDPR records)

When your account is closed, we will delete or anonymise your personal data within 90 days, subject to legal hold obligations. You may request earlier deletion as described in Section 10.

8. Data Security

We implement a comprehensive programme of technical and organisational security measures:

  • Encryption at rest: AES-256 encryption for all stored data, with customer-managed encryption keys (CMEK) available for Enterprise customers
  • Encryption in transit: TLS 1.3 for all data in motion; mutual TLS (mTLS) for internal service-to-service communication
  • Access controls: role-based access controls, multi-factor authentication (MFA) enforced for all internal staff, principle of least privilege
  • Network security: VPC isolation, intrusion detection systems, DDoS protection, and web application firewall
  • Penetration testing: quarterly external red-team engagements; continuous automated vulnerability scanning
  • Incident response: documented incident response plan; notification within 72 hours of discovering a personal data breach affecting your data (as required by GDPR Article 33)
  • Employee training: mandatory annual security and privacy training for all staff with access to personal data

Despite these measures, no method of transmission over the internet is 100% secure. You are responsible for maintaining the security of your account credentials and access tokens.

To report a security vulnerability, please contact security@airmy.dev or submit a report via our HackerOne programme.

9. International Data Transfers

AIRMY is headquartered in the United States. If you are in the EEA, UK, or another jurisdiction with data transfer restrictions, your personal data may be transferred to and processed in the United States or other countries that may not provide the same level of data protection as your home jurisdiction.

We use the following safeguards for international transfers:

  • Standard Contractual Clauses (SCCs): We rely on the European Commission's approved SCCs (2021) for transfers from the EEA to third countries. UK-specific International Data Transfer Agreements (IDTAs) are used for transfers from the UK.
  • Adequacy decisions: For transfers to countries covered by an adequacy decision from the European Commission, we rely on that decision.
  • Data residency options: Enterprise customers may elect EU or UK data residency, ensuring their personal data is processed and stored exclusively within those regions.

You may request a copy of the applicable transfer mechanisms by contacting dpo@airmy.dev.

10. Your Rights & Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any right, contact privacy@airmy.dev or use the controls in your account dashboard. We will respond within 30 days (extendable by a further 60 days in complex cases with notice).

Right of access

Request a copy of the personal data we hold about you and information about how we use it.

Right to rectification

Request correction of inaccurate or incomplete personal data. You can update most data directly in account settings.

Right to erasure

Request deletion of your personal data where there is no compelling reason for continued processing. We will honour deletion requests subject to legal retention obligations.

Right to restriction

Request that we restrict processing of your data in certain circumstances, such as while contesting its accuracy or our right to process it.

Right to data portability

Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller.

Right to object

Object to processing based on our legitimate interests. You can opt out of marketing communications at any time via the unsubscribe link in any email or in account settings.

Rights related to automated processing

Not to be subject to automated decisions with legal or significant effects. Request human review of any automated decision affecting you.

If you are dissatisfied with our response, you have the right to lodge a complaint with your local supervisory authority. In the EEA, this is the data protection authority in your country of residence. In the UK, this is the Information Commissioner's Office (ICO). In the US, this depends on your state's applicable privacy authority.

11. Cookies & Tracking Technologies

11.1 What We Use

We use cookies and similar technologies (local storage, session storage, pixel tags) for the following purposes:

Category | Purpose | Examples | Required?
Strictly necessary | Authentication, session management, CSRF protection, load balancing | airmy_session, _csrf | Yes — no consent needed
Functional | Remembering preferences (language, theme, layout) | airmy_prefs | Optional
Analytics | Aggregate usage measurement, funnel analysis, error tracking | Plausible Analytics (cookie-free), Sentry | Optional
Marketing | Measuring campaign effectiveness, retargeting | Segment (server-side only) | Consent required

11.2 Cookie Consent

On your first visit, we present a cookie consent banner where you can accept or decline non-essential cookies. You may update your preferences at any time via the Cookie Settings link in the footer. Note that AIRMY's primary analytics tool (Plausible) operates without cookies or cross-site tracking.

11.3 Do Not Track

We respect browser-level Do Not Track (DNT) signals. When DNT is enabled, we disable all non-essential analytics and marketing scripts for your session.

12. Enterprise Data Processing (DPA)

Enterprise customers for whom AIRMY processes personal data on their behalf may execute a Data Processing Addendum (DPA) with AIRMY. The DPA governs our processing as a data processor under GDPR Article 28 and equivalent provisions under other applicable laws.

The standard AIRMY DPA includes:

  • A description of processing activities, data categories, and purposes
  • Sub-processor list and notification obligations for sub-processor changes
  • Technical and organisational security measures (TOMs)
  • Data subject request handling and cooperation procedures
  • Breach notification obligations and timelines
  • Standard Contractual Clauses (EU 2021/914 and UK IDTA) as applicable
  • HIPAA Business Associate Agreement (BAA) addendum for healthcare customers

To request a DPA, contact legal@airmy.dev. Our standard DPA is available for review before signature at airmy.dev/legal/dpa.

13. Children's Privacy

The Service is not directed to or intended for use by individuals under the age of 18 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will promptly delete it. If you believe a child has provided us with personal data, please contact privacy@airmy.dev.

14. Third-Party Services & Links

The Service may contain links to third-party websites, integrations, or services. This Privacy Policy applies only to AIRMY. We are not responsible for the privacy practices of any third party, and we encourage you to review their privacy policies before sharing any personal data.

When you use AIRMY integrations (e.g., connecting to GitHub, Slack, or Salesforce), you authorise those services to share certain information with AIRMY as described during the integration setup. That information is governed by this policy once received.

Our current list of sub-processors — companies we engage to process data on your behalf as part of providing the Service — is published at airmy.dev/legal/sub-processors and is updated within 30 days of any addition. Enterprise customers receive 30 days' advance notice of material sub-processor changes.

15. California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

15.1 Categories of Personal Information Collected

In the past 12 months we have collected: identifiers (name, email, IP address); commercial information (purchase history); internet activity (usage logs, API telemetry); and professional information (job title, employer). We have not collected sensitive personal information as defined under CPRA except as necessary to process payments (limited financial data handled by Stripe).

15.2 No Sale or Sharing for Cross-Context Advertising

AIRMY does not sell personal information, and does not share personal information for cross-context behavioural advertising purposes. We have no actual knowledge of selling or sharing the personal information of minors under 16 years of age.

15.3 California-Specific Rights

In addition to the rights in Section 10, California residents may:

  • Request disclosure of the categories and specific pieces of personal information collected about you
  • Request disclosure of the categories of third parties with whom we share personal information
  • Request correction of inaccurate personal information
  • Opt out of automated decision-making technology
  • Limit the use of sensitive personal information (we use none beyond card processing)

To exercise California rights, contact privacy@airmy.dev with the subject line "CCPA Request". We will not discriminate against you for exercising your rights.

16. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes by:

  • Sending an email to your registered email address at least 30 days before the change takes effect
  • Displaying a prominent notice in the dashboard
  • Updating the "Last updated" date at the top of this page

For non-material changes (e.g., formatting corrections or clarifications that do not affect your rights), we may update this page without specific notice. We encourage you to review this policy periodically.

Prior versions of this policy are archived at airmy.dev/legal/privacy-archive.

17. Contact & Data Protection Officer

For questions, requests, or complaints regarding this Privacy Policy or AIRMY's data practices, please contact:

Privacy Contacts
General privacy enquiries: privacy@airmy.dev
Data Protection Officer (DPO): dpo@airmy.dev
Security incidents: security@airmy.dev
Enterprise / DPA requests: legal@airmy.dev

Our Data Protection Officer is responsible for overseeing AIRMY's compliance with data protection obligations and serves as the point of contact for supervisory authorities and data subjects on all matters relating to the processing of personal data.

Postal address:
Data Protection Officer
AIRMY Technologies, Inc.
340 Pine Street, Suite 800
San Francisco, CA 94104
United States

EU/UK representative postal address:
Data Protection Representative
AIRMY Europe Ltd.
71 Queen Victoria Street
London, EC4V 4AY
United Kingdom

We aim to acknowledge all privacy requests within 5 business days and resolve them within 30 calendar days.