How We Handle Your Data
Client data notice and sub-processor list
This notice explains what data we collect during an audit engagement, who processes it, where it is stored, and how long we keep it. It supplements our Privacy Policy and the Data Processing Agreement we sign with every client.
What we collect during an engagement
Kick-off questionnaire: your services, brand names, competitor names, and details of key personnel (names, roles, credentials, LinkedIn URLs) that you choose to share.
Website data: a crawl of your publicly accessible website content and technical configuration.
Google Search Console and Bing Webmaster Tools: read-only access you grant us, used to analyse search queries and page performance. We never modify your properties, and access is revoked when the engagement ends.
Analytics data: only where you grant access, and only what is needed for the audit.
Who is responsible
You remain the data controller of all data you provide or grant access to. AireStream Ltd acts as your data processor, under a signed Data Processing Agreement. We are ICO-registered (registration ZC103113). For our own records (contracts, invoices, contact details) we act as an independent controller under our Privacy Policy.
Who touches your data (sub-processors)
We use a small set of vetted providers. Every AI provider below is used via commercial API terms that prohibit training on your data.
| Provider | What they do | Location | Safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Hosts our audit engine and working data | Germany / Finland (EEA) | UK adequacy for the EEA; Art. 28 DPA; ISO 27001; TOMs independently audited (TÜV Rheinland) |
| Anthropic | AI analysis (Claude API) | USA | Data Processing Addendum with UK transfer safeguards; no training on API data; 7-day retention |
| OpenAI | AI analysis (API) | USA | Executed Data Processing Addendum; no training on API data; 30-day retention |
| Google | AI analysis (Gemini API, paid tier) | USA | Cloud Data Processing Addendum; paid-tier data is not used to improve Google products |
| Perplexity AI | AI search visibility testing (API) | USA | Data Processing Addendum with UK Addendum; no training on API data |
| Microsoft | Document storage and productivity (Microsoft 365) | USA / EU | Microsoft Data Protection Addendum |
| Supabase | Database infrastructure | EU | UK adequacy for the EEA; provider DPA |
We give clients at least 30 days' written notice before adding or replacing a sub-processor.
Within AireStream
Only our three founders access client data, on a need-to-know basis, with multi-factor authentication. We never enter your personal data or confidential information into consumer AI tools. Our internal AI Usage Policy restricts client data to the commercial API channels listed above.
How long we keep it
| Data | Retention |
|---|---|
| Search Console / Bing / analytics access | Revoked at the end of the engagement |
| Questionnaire responses, crawl data, analysis working data | 12 months after delivery (so a re-audit can measure progress), then deleted or anonymised |
| Data held by AI providers | Anthropic 7 days; OpenAI 30 days; Google limited abuse-monitoring logs; Perplexity zero-retention |
| Audit deliverables and contractual records | 6 years (contract and tax requirements) |
You can request earlier deletion of engagement data at any time, subject to legal retention requirements.