1.What we collect

Email addresses

When you subscribe to our policy-change alerts or weekly digest, we collect your email address (and, optionally, your professional role) via a form embedded on this site. The form submits directly to Kit.com (formerly ConvertKit), which acts as our email delivery processor. We use this only to send the updates you asked for.

Legal basis (GDPR): consent. You can withdraw consent at any time by clicking the unsubscribe link in any email we send you.

Analytics data

We do not use any third-party analytics. No Google Analytics, no Microsoft Clarity, no session recording, no fingerprinting — our Content-Security-Policy structurally blocks third-party scripts from loading at all. The only usage measurement on this site is the first-party, anonymous event log described below, which contains no personal data.

No advertising tracking is used. No cross-site tracking is used. No consent banner is needed, because there is nothing to consent to.

Citation & API usage events

We record which verified citations get consumed (when a "jump to exact text" link or citation anchor is followed) and which of our machine/API endpoints are requested. Each event contains only the page or endpoint path, the platform and citation identifier involved, and a coarse client class derived from the User-Agent header (browser / AI agent / bot / API client). No IP address, cookie, account, or any other identifier is stored with these events — they measure which parts of the evidence base are useful, not who you are, and they require no consent banner because they contain no personal data.

Admin access logs

A small number of authorized administrators access internal, access-controlled management interfaces that let them review citations and exclude individual clauses from a platform's score. Those write operations are appended to an internal audit log with the timestamp, action, and citation identifier. This log contains no personal data about visitors — only what an administrator did and when. These internal interfaces are excluded from the usage event log.

2.What we do not collect

• No account required to read anything on this site. An optional account (see §2a) unlocks saved stacks, alerts, and API keys.
• No passwords — accounts use Google sign-in or a one-time email link; we never store a password.
• No payment information — purchases are handled entirely by Stripe; we never see your card.
• No biometric data.
• No advertising identifiers.
• We do not sell data to third parties.
• We do not use your data for advertising — ours or anyone else's.

2a.If you create an account

Accounts are optional. If you sign in (Google OAuth or a one-time email link), we store the minimum needed to provide the account features:

• Your email address and, for Google sign-in, your name and avatar URL (from Google).
• Your saved platform stack and the platforms you watch for policy-change alerts.
• API keys you create — stored only as a one-way hash, never the key itself.

Authentication is handled by Supabase (our processor). You can export everything tied to your account, or delete your account entirely, at any time from Settings — deletion immediately removes your profile, stack, watches, alerts, and keys. Watching a platform delivers alerts to your in-app inbox only; it never emails you unless you separately subscribe to the email digest.

3.Cookies

We use two categories of cookies / local storage:

• Essential: a few localStorage entries that store your compare-tray selection, saved stack, and bookmarks. These never leave your browser and don't require consent.
• No analytics cookies. We run no third-party analytics, so no analytics cookies are ever set — and there is no consent banner because there is nothing to consent to.
• No advertising cookies. Ever.

See the Cookie Policy for the full inventory of what is stored locally.

4.Third-party processors

We rely on four third-party services. Each has its own privacy policy; if you have a question about how any of them handles your data, the linked policy is authoritative.

5.Your rights (GDPR — EU users)

If you're in the EU, EEA, UK, or Switzerland, you have the following rights under the GDPR (and equivalent local laws). To exercise any of them, email privacy@airinetwork.com.

• Access: get a copy of any personal data we hold about you (in practice: your email address and subscription preferences).
• Erasure: ask us to delete it. For email subscriptions, the unsubscribe link in any email handles this immediately. For accounts, delete everything yourself from Settings.
• Rectification: ask us to correct anything that's wrong.
• Restriction: ask us to pause processing while a dispute is resolved.
• Portability: get a structured copy of your data you can take elsewhere.
• Objection: object to processing on legitimate-interest grounds. (All our processing is consent-based, so this rarely applies.)
• Withdrawal of consent: at any time, with no effect on processing that was lawful before withdrawal.
• Lodge a complaint: with your national data protection authority if you believe we've handled your data improperly.

6.Your rights (CCPA — California users)

If you're a California resident, you have these rights under the California Consumer Privacy Act (CCPA), as amended by the CPRA. To exercise any of them, email privacy@airinetwork.com.

• Right to know: what personal information we collect, where we got it, why we collect it, and who (if anyone) we share it with.
• Right to delete: ask us to delete the personal information we have about you.
• Right to correct: ask us to fix inaccurate personal information.
• Right to opt-out of sale or sharing: we do not sell or share personal information — see Section 7 below.
• Right to non-discrimination: we won't treat you differently for exercising any of these rights.

7.Do Not Sell My Personal Information

We collect only the data described in Section 1, use it only for the purpose it was collected (sending the emails you asked for; providing your account features; understanding how visitors use the site through identity-free aggregates), and share it only with the processors named in Section 4 — each of whom acts on our behalf under a written processor agreement, not for their own purposes.

8.Data retention

• Email subscriptions: retained for as long as you stay subscribed. When you unsubscribe via the link in any email, the deletion is processed by Kit.com.
• Usage events: the first-party, identity-free usage log (Section 1) carries no account, cookie, or IP — it is retained in aggregate and cannot be tied back to a person.
• Account data: retained for as long as your account exists, and deleted immediately when you delete your account from Settings. If you never create an account, none is held.

9.Children

AIRIN is built for legal, privacy, and product professionals — not children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, email privacy@airinetwork.com and we will delete it promptly.

10.Changes to this policy

We may update this policy from time to time. When we do, we'll update the “Last updated” date at the top of the page and, for material changes, note the change on the Updates page. Continued use of the site after the change means you've accepted the revised policy. If you don't, stop using the site and (if subscribed) unsubscribe.

11.Contact

Questions, requests, or complaints about privacy go to privacy@airinetwork.com. We aim to respond within 30 days; for GDPR / CCPA requests we respond within the deadlines those laws set (one month / 45 days respectively).