Who We Are
AI Lane Limited (“Ailane”, “we”, “us”, “our”) is the data controller for personal data processed through the Ailane platform. We are incorporated in England and Wales (Company No. 17035654) and registered with the Information Commissioner’s Office (ICO Registration No. 00013389720).
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Ailane platform at ailane.ai, and your rights in relation to that data.
This Policy should be read alongside our Terms of Service, Complaint Handling Policy, and Tribunal Data Privacy Notice (which covers how we process personal data from published Employment Tribunal decisions).
What We Collect
2.1 Account Data
- Identity: name, email address, job title, organisation name.
- Authentication: hashed password, OAuth tokens (where applicable).
- Account preferences: subscription tier, notification settings, language preference.
2.2 Contract and Document Data
Where you upload contracts or documents for compliance analysis, we process the content of those documents. Documents uploaded for one-time scans are not retained after your session findings are generated. Documents stored in the Document Vault (Governance and Institutional tiers) are retained for the duration of your subscription.
We do not use your uploaded documents to train AI models.
2.3 Usage and Analytics Data
- Pages visited, features used, session duration.
- Search queries within the Knowledge Library.
- Index scores and compliance findings generated during your sessions.
- Device type, browser, IP address (anonymised for analytics after 24 hours).
2.4 Communications Data
- Emails and messages you send to us.
- Support and complaint correspondence.
- Feedback submitted through the platform.
2.5 Payment Data
Payment card data is processed by Stripe and is not stored by Ailane. We retain Stripe customer IDs, transaction references, and subscription status records.
2.6 Compliance and Quality Data
We collect aggregate, anonymised performance metrics about our analysis engine — including severity distribution, finding grounding rates, and canonical test suite results. This data does not contain personal information. Where you provide accuracy feedback on specific findings through the platform’s feedback mechanism, this feedback is stored linked to the session record.
2.7 Voice Interaction Data
If you use Eileen’s voice conversation feature (available at Governance tier and above), your speech is streamed in real time to our voice processing provider for recognition and response generation. Your speech audio is processed transiently and is not recorded or stored by Ailane. Our voice provider processes audio in real time and does not retain it after the session ends (subject to their data processing terms on paid API tiers).
2.8 Vision Interaction Data
If you grant screen sharing permission during a voice conversation with Eileen, visual information from your screen is streamed in real time to our voice processing provider to enable context-aware dialogue. Screen visual data is processed transiently, is not stored, and no screenshots or screen captures are retained by Ailane or our providers. Your camera is never accessed — only screen content is shared if you grant permission.
2.9 Persistent Agent Session Data
If you use Eileen in persistent session mode (available at Operational tier and above), session metadata is collected including: session identifier, session mode (onboarding, standard, or proactive), start and end timestamps, tier at session start, and cost attribution data. Query text is not stored by AI Lane Limited. Query content is processed by our AI provider (Anthropic) within the session and is subject to their API data processing terms. We do not retain the content of your queries in any persistent database table.
2.10 Subscriber-Uploaded Document Content
Documents you upload for compliance analysis may contain personal data about your employees or other individuals (for example, names, salaries, job titles, disciplinary records). AI Lane Limited acts as data processor for this employee personal data; you (the subscriber-employer) are the data controller. Document text is processed for the duration of the analysis session. Text is not retained beyond the session unless you save documents to the Document Vault. See §12 for full details.
2.11 Regulatory Intelligence Data Sources
Ailane maintains a regulatory intelligence estate comprising publicly available data from UK government and regulatory sources including: Employment Tribunal decisions published by the GOV.UK Tribunal Decisions service, Health and Safety Executive prosecution records and enforcement notices, coroner Prevention of Future Deaths reports, ACAS and HMCTS statistical publications, and Fair Work Agency published enforcement actions. This data is in the public domain. Where published tribunal decisions contain the names of parties, those names are already public by operation of the judicial publication system. We enrich and structure this data to provide regulatory intelligence. See §5.4.
Lawful Basis for Processing
We process your personal data under UK GDPR on one of the following lawful bases:
| Processing Activity | Lawful Basis | UK GDPR Article | Notes |
|---|---|---|---|
| Account creation & authentication | Contract performance | Art. 6(1)(b) | Necessary to create and deliver the account. |
| Delivering platform services (scans, KL, index scores) | Contract performance | Art. 6(1)(b) | Necessary to deliver the purchased service. |
| Stored contract weekly re-analysis (Governance/Institutional) | Contract performance | Art. 6(1)(b) | Part of the Stored Contract Monitoring service commitment. |
| Voice conversation with Eileen | Contract performance | Art. 6(1)(b) | Real-time voice interaction is part of Governance tier service delivery. Audio streamed transiently, not stored. |
| Vision-aware dialogue with Eileen | Contract performance | Art. 6(1)(b) | Opt-in screen sharing for context-aware Eileen dialogue. Visual data processed transiently, not stored. |
| Persistent Eileen agent sessions (onboarding, standard, proactive modes) | Contract performance | Art. 6(1)(b) | Persistent sessions are a contracted feature for Operational tier and above. Session metadata stored; query text not retained by AI Lane Limited. |
| Eileen Proactive Mode — autonomous regulatory intelligence sessions | Contract performance | Art. 6(1)(b) | Proactive Mode processes the subscriber’s regulatory exposure profile only. No query text or document content involved. Right to object preserved — see §14. |
| Agent audit log maintenance (session metadata, 7-year retention) | Legitimate interests | Art. 6(1)(f) | Security, constitutional compliance verification, and financial accountability. LIA conducted. Log contains metadata only — no query text or document content. Anonymised on account deletion. |
| Agent cost attribution records (7-year financial retention) | Legal obligation and contract performance | Art. 6(1)(c) and Art. 6(1)(b) | Financial record-keeping obligations under Companies Act 2006 and HMRC requirements. Contains session identifiers and numerical cost data only. |
| Processing of employee personal data in subscriber-uploaded documents (as data processor) | Contract performance on behalf of the subscriber as data controller | Art. 6(1)(b) (subscriber’s lawful basis) | AI Lane Limited acts as data processor. The subscriber-employer is the data controller for employee personal data in uploaded documents. See §12. |
| Tribunal decision enrichment (published judicial records) | Legitimate interests | Art. 6(1)(f) | Structuring publicly available tribunal decisions for regulatory intelligence. Art. 9(2)(e) applies where decisions contain protected characteristic data — manifestly made public by the judicial publication system. LIA conducted. No personal profiles created. |
| Finding feedback (accuracy ratings) | Contract performance | Art. 6(1)(b) | Feedback mechanism is part of platform service delivery. |
| Complaint & dispute resolution (ADRA) | Legitimate interests | Art. 6(1)(f) | Fair complaint resolution and consumer protection compliance. LIA conducted. |
| Complaint audit trail (immutable records) | Legitimate interests | Art. 6(1)(f) | Regulatory compliance, chargeback defence, ICO audit. |
| Quality assurance & model performance data | Legitimate interests | Art. 6(1)(f) | Platform quality improvement. Aggregate/anonymised only — no personal data. |
| AI practice layer accumulation (KL) | Legitimate interests | Art. 6(1)(f) | LIA conducted. User creates account expecting AI learns preferences. Overridden by erasure right. |
| Marketing communications | Consent | Art. 6(1)(a) | Separate opt-in checkbox at registration. Recorded in consent log. Withdrawable at any time. |
| Consent log retention (post-deletion) | Legitimate interests | Art. 6(1)(f) | ICO audit compliance only. Minimal data. |
| UTM session parameters (analytics) | Legitimate interests | Art. 6(1)(f) | Tab-scoped, cleared after single use. No personal data persisted to database. |
| Organisational subscription data (Governance) | Contract performance (employer) | Art. 6(1)(b) | Governed by the organisation’s Ailane subscription contract. |
| Individual KL content under org subscription | Contract performance (individual) | Art. 6(1)(b) | Individual’s personal KL data remains governed by individual contract. See §11. |
| Fraud, abuse, and security threat detection | Legitimate interests | Art. 6(1)(f) | Platform security and integrity. LIA conducted. |
| Legal obligations (ICO, tax, audit) | Legal obligation | Art. 6(1)(c) | Compliance with UK law including Companies Act, tax obligations, ICO registration. |
Where we rely on legitimate interests, we have conducted a Legitimate Interest Assessment to confirm that our interests do not override your rights and freedoms. You can request a copy of any such assessment by contacting privacy@ailane.ai.
How We Use Your Data
4.1 Providing the Platform
We use your data to: create and manage your account; process payments and manage subscriptions; deliver compliance analysis, index scores, and Knowledge Library services; send service notifications and alerts; and respond to your support requests.
4.2 Quality and Safety
We use aggregate, anonymised data to monitor platform quality, run our weekly audit protocol, and maintain the quality assurance standards set out in our Terms of Service. This processing does not involve personal data in any identifiable form.
4.3 Marketing
Where you have provided consent, we may send you newsletters, product updates, and information about new features. You can withdraw consent at any time by clicking the unsubscribe link in any marketing email, or by contacting privacy@ailane.ai.
4.4 Compliance and Legal
We may process your data to comply with our legal obligations, respond to regulatory requests, defend legal claims, and maintain audit trails for regulatory compliance purposes.
AI-Powered Processing
Ailane uses artificial intelligence to analyse employment documents and provide regulatory intelligence. This section explains how AI is used and what safeguards are in place.
5.1 What AI Does on the Ailane Platform
AI is used for the following purposes: analysing employment contracts and related documents against UK statutory requirements; generating compliance findings and exposure scores (ACEI, RRI, CCI); powering Eileen, our AI intelligence assistant, who provides factual regulatory information in text, voice, and persistent session modes; generating structured reports summarising compliance findings; and enriching publicly available tribunal decisions and regulatory records to provide structured intelligence.
5.2 What AI Does Not Do
Ailane provides regulatory intelligence. It does not provide legal advice, and its outputs do not constitute a solicitor-client relationship. AI-generated scores and findings are informational tools — they do not constitute automated decisions with legal or similarly significant effects on you under Article 22 of UK GDPR. No automated decision is made about your legal rights, employment, creditworthiness, or similar matters.
5.3 Safeguards
- Personal identifiers are stripped from documents before they are sent to AI providers for analysis.
- Our AI providers operate under contractual data processing terms that prohibit use of your data for model training (on paid API tiers).
- AI-generated findings are traceable to specific statutory provisions and can be reviewed by a qualified professional.
- You have the right to request human review of any AI-generated finding by contacting support@ailane.ai.
5.4 Anonymised Tribunal Data and Judicial Pattern Analysis
Ailane maintains a regulatory intelligence estate derived from over 131,000 published UK Employment Tribunal decisions. These decisions are published by HMCTS and are Crown copyright material available under the Open Government Licence v3.0. The underlying decision records contain personal data — including claimant and respondent names, case outcomes, and in discrimination cases, special category data (protected characteristics, disability status) within the meaning of UK GDPR Article 9. Employer-level aggregate intelligence (company names, case counts, outcome statistics, ACEI category distributions) is corporate data and is not personal data. For full details of how we process tribunal personal data, including your rights if you are named in a published decision, see our Tribunal Data Privacy Notice.
We use AI to enrich and structure these published tribunal decisions, extracting intelligence such as claim categories, outcome patterns, award ranges, and judicial reasoning themes. This enrichment processes published public records only and does not create personal profiles of any individual. Where published decisions contain names of parties, those names are already in the public domain by operation of the judicial publication system (Art. 9(2)(e) UK GDPR). See §2.11.
5.5 AI Error Explanations
Where the analysis pipeline encounters a technical error on a one-off Contract Compliance Check, a plain-language explanation may be generated using the Anthropic Claude API. The technical context passed to this API contains only an anonymised error description — no personal data, no document content, and no information identifying you or your organisation is included. The generated explanation is included solely in the error notification email sent to you and is not stored beyond that transmission.
Voice and Vision Interaction
6.1 Voice Conversations
Eileen’s voice conversation feature allows you to speak with our AI intelligence assistant in real time. When you activate this feature, your device’s microphone captures your speech and streams it to our voice processing provider (Google DeepMind, via the Gemini Live API) for real-time processing.
Your speech audio is processed transiently — it is streamed, not recorded. Neither Ailane nor our voice provider stores your speech audio after the session ends. You control when the microphone is active via an on-screen toggle, and you can end the voice session at any time.
6.2 Vision-Aware Interaction
If you choose to share your screen during a voice conversation, visual information from your screen is streamed to our voice processing provider to enable Eileen to reference visible dashboard content during your conversation. Screen sharing requires a separate, explicit permission grant from you. Visual data is processed transiently and is not stored, captured, or retained. Your camera is never accessed — only screen content is shared if you grant permission.
6.3 Your Controls
Voice interaction is entirely optional. You can use all Ailane platform features via text without ever activating the microphone. Voice is off by default — you must actively enable it. You can stop the voice session at any time. Screen sharing is a separate opt-in that you can revoke at any time during the session.
6.4 Multilingual Voice
The voice feature supports over 90 languages. If you interact with Eileen in a language other than English, your speech in that language is processed under the same terms described above — streamed transiently, not stored.
Persistent Agent Sessions
This section describes how Eileen’s persistent session modes process your data. These features are available at Operational tier and above.
7.1 Session Modes
Eileen operates in three persistent session modes, each with different data processing characteristics:
- Onboarding Mode: A guided introductory session for new subscribers. Processes your organisation metadata and subscription tier to personalise the onboarding experience. Session context is not retained after the onboarding is complete.
- Standard Mode: The primary intelligence interaction mode. You ask questions about employment law and regulatory exposure. Your queries are processed by our AI provider (Anthropic) within a persistent session that maintains conversational context for the duration of the session (up to 60 minutes). AI Lane Limited stores session metadata (timestamps, mode, cost) but does not store the content of your queries in any persistent database.
- Proactive Mode: An autonomous mode where Eileen monitors your regulatory exposure profile and delivers intelligence updates without you initiating a query. Proactive sessions process your regulatory profile data only — no query text is involved because you do not submit queries. You can disable Proactive Mode at any time in your account settings.
7.2 Data Processed in Sessions
During a persistent session, the following data may be processed by our AI provider: your regulatory exposure profile (tier, sector, jurisdiction), your query content (Standard Mode only), references to Knowledge Library content relevant to your query, and system instructions that include your organisation metadata. No payment data, no authentication credentials, and no full uploaded documents are included in session context.
7.3 Agent Audit Log
We maintain an audit log of all agent sessions containing: session identifier, subscriber identifier, session mode, start and end timestamps, AI provider cost data, and session outcome status. This log contains metadata only — no query text, no document content, and no AI-generated response content. The audit log is retained for 7 years for financial accountability and regulatory compliance purposes. On account deletion, the subscriber identity reference is anonymised; the session and cost data are retained in anonymised form.
7.4 AI Provider Disclosure
Persistent agent sessions are powered by the Anthropic Claude API. Your query content within a session is transmitted to Anthropic for processing. Anthropic’s commercial API terms confirm that inputs to the commercial API are not used to train their models. AI Lane Limited does not store your query content — it exists only within the Anthropic session for the duration of the interaction. Anthropic may retain API inputs for a limited operational period in accordance with their API terms.
7.5 Your Controls
You can disable Proactive Mode at any time in your account settings. You can end any Standard Mode session at any time. You can request deletion of your agent audit log metadata (subject to the 7-year retention period for financial records). You can object to any persistent session processing by contacting privacy@ailane.ai — see §14 (Right to Object).
Complaint, Dispute, and Quality Data
8.1 Complaint Records
When you submit a complaint or refund request, we create a complaint record containing: your identity, the nature of the complaint, the disputed finding or product, timestamps, evidence reviewed, ADRA determination, and resolution outcome.
Lawful basis: Legitimate interests — our interest in resolving disputes fairly, maintaining service quality records, and complying with consumer protection obligations.
Retention: 7 years from case closure, in accordance with statutory limitation periods and audit trail requirements.
8.2 AI-Assisted Dispute Processing
Complaint records are processed by our AI Dispute Resolution Agent (ADRA). ADRA processing is automated but subject to human oversight for complaints classified as Category 3 (data), Category 4 (chargeback), or Category 5 (legal). You have the right to request human review of any ADRA determination.
Lawful basis: Legitimate interests — fair complaint resolution, consumer protection compliance.
8.3 Quality Assurance Data
Our model performance log records aggregate, anonymised platform metrics — severity distribution, finding grounding rates, canonical test suite results. This data contains no personal information. It is retained indefinitely for quality assurance purposes.
Where you provide accuracy feedback on findings through the platform’s feedback mechanism (thumbs up/down), this feedback is stored linked to the session and finding record. It does not contain personal information about third parties mentioned in uploaded contracts.
Retention: 3 years from submission.
International Transfers
Some of our sub-processors are based outside the United Kingdom. Where we transfer personal data to countries outside the UK, we ensure appropriate safeguards are in place as required by UK GDPR Chapter V.
The safeguards we use include: the UK-US Data Privacy Framework adequacy arrangement (where applicable), Standard Contractual Clauses (SCCs) approved by the ICO, and UK International Data Transfer Agreements (IDTAs) where required. Data processing within the European Economic Area benefits from the UK adequacy decision.
For persistent agent sessions processed by Anthropic (USA), the international transfer mechanism is confirmed before any subscriber-facing session is deployed. We minimise the personal data included in any cross-border transfer. In particular, personal identifiers are stripped from documents before they are sent to AI providers, voice audio is streamed transiently without storage, and the Knowledge Library embedding pipeline transmits only published statutory text with no personal data.
You can request information about the specific safeguards applied to any transfer by contacting privacy@ailane.ai.
Employer Access to Personal Knowledge Library Content
An employer who takes out a Governance or Institutional subscription for their employees does not acquire any right to access those employees’ personal Knowledge Library content — including projects, session history, vault documents, and reports — created under a personal Knowledge Library subscription.
Such content is processed under a separate contract between AI Lane Limited and the individual user. The employer’s subscription contract governs only content created under the organisational subscription, as designated by the organisation’s visibility settings.
AI Lane Limited will not disclose personal-flagged content to any employer, organisation administrator, or third party without the individual user’s explicit written consent, except as required by law.
11.1 Lawful Basis for Individual vs Organisational Data
Personal Knowledge Library data created under an individual subscription is processed under a contract between Ailane and that individual (Art. 6(1)(b) UK GDPR). The employer’s subscription does not override this lawful basis. The employer has no independent lawful basis to access this data.
11.2 For Legal Professionals
For legal professionals, Ailane’s visibility architecture is designed to protect potentially privileged material from inadvertent employer access. Ailane does not waive, assess, or adjudicate privilege claims. Legal professionals are advised to maintain personal Knowledge Library accounts for privileged research and to exercise explicit control over any sharing decisions.
Subscriber Document Uploads
12.1 Controller and Processor Roles
When you upload employment contracts, handbooks, or other documents containing personal data about your employees, you (the subscriber-employer) are the data controller for the employee personal data in those documents. AI Lane Limited acts as data processor, processing that data solely for the purpose of delivering the compliance analysis you have requested.
12.2 What We Process
Document text is extracted and analysed during the compliance session. Personal identifiers are stripped before document clauses are sent to our AI provider. We do not independently hold employee personal data beyond the active document analysis session, unless you choose to save documents to the Document Vault (Governance and Institutional tiers).
12.3 Subscriber Obligations
By uploading documents containing employee personal data, you confirm that you have a lawful basis for doing so (typically contract performance or legitimate interests as an employer). You are responsible for fulfilling your own transparency obligations to the data subjects (employees) whose data appears in uploaded documents.
12.4 Employee Rights Requests
Rights requests from employees regarding personal data contained in subscriber-uploaded documents should be directed to the employer (subscriber) as data controller. AI Lane Limited will cooperate with any such request within the limits of its processor role.
12.5 Data Processing Agreement
The subscriber Terms of Service incorporate data processing terms that govern AI Lane Limited’s processing of employee personal data as processor. These terms address: the subject matter and duration of processing, the nature and purpose of processing, the categories of data subjects and personal data, and the obligations and rights of the controller.
Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account profile and authentication data | Duration of account + 30-day grace period | Contract performance. Deleted on verified erasure request after grace period. |
| Knowledge Library session data | Duration of account + 30-day grace period | Contract performance. Personal data. Deleted on erasure request. |
| Document Vault (Governance/Institutional) | Duration of active subscription + 90-day grace on cancellation | Contract performance. You can delete documents at any time. Deleted on subscription termination after grace. |
| Compliance scan findings (one-time scans) | 30 days for findings_json; session metadata retained longer for audit | Contract performance. 30-day purge of detailed findings data. |
| Eileen interaction metadata | 90 days | Service improvement. Category metadata only, no query text. Auto-deleted by scheduled maintenance. |
| Agent session query context (within Anthropic session) | Session duration only — not stored by AI Lane Limited | Processed transiently by Anthropic within the session. AI Lane Limited does not retain query text in any persistent database. Anthropic operational retention per their API terms. |
| Agent audit log (session metadata) | 7 years | Legitimate interests — financial accountability, regulatory compliance. Anonymised on account deletion (subscriber identity removed; session ID and cost data retained). |
| Agent cost attribution records | 7 years | Legal obligation — Companies Act 2006, HMRC financial record-keeping. Contains session identifiers and numerical cost data only. Anonymised on account deletion. |
| Voice session data | Not retained — processed transiently | Real-time processing only. No recording or storage by Ailane or provider. |
| Vision (screen share) data | Not retained — processed transiently | Real-time processing only. No screenshots stored by Ailane or provider. |
| Consent log (marketing) | 7 years from consent event | Legitimate interests — ICO audit compliance. Retained after account deletion. |
| Complaint and refund records | 7 years from case closure | Legitimate interests — statutory limitation periods, regulatory compliance. |
| ADRA determination logs (immutable audit trail) | 7 years — immutable record | Legitimate interests — chargeback defence, ICO audit, regulatory compliance. Cannot be deleted on erasure request. |
| Finding feedback data | 3 years from submission | Contract performance — quality improvement. |
| Model performance log (aggregate, anonymised) | Indefinite | Legitimate interests — quality assurance. No personal data. |
| Payment transaction records | 7 years | Legal obligation — accounting and tax records (Companies Act 2006). |
| DocuSign envelope metadata | 7 years | UK document retention obligations. |
| Authentication and security logs | 7 years | Security audit trail; regulatory compliance. |
| Tribunal enrichment records (published legal intelligence) | Indefinite | Published legal records structured for regulatory intelligence. No personal data beyond public domain content. Removed only if underlying published judgment is withdrawn. |
| Analytics data (GA4) | 14 months (Google default) | Service improvement. No personal identification. |
When data reaches the end of its retention period, it is securely deleted. Where data is held by a sub-processor, deletion is governed by the applicable data processing agreement.
Your Rights Under UK GDPR
You have the following rights in relation to your personal data. To exercise any right, contact privacy@ailane.ai. We will respond within 30 days.
Right of Access (Article 15)
You may request a copy of all personal data we hold about you. We will provide a machine-readable JSON export of all personal data associated with your account, including Knowledge Library sessions, vault documents, account preferences, agent session metadata, and consent records.
Right to Erasure (Article 17)
You may request deletion of your account and associated personal data. We operate a 30-day grace period following an erasure request, during which your account is suspended but not deleted. After 30 days, all personal data is hard-deleted including Knowledge Library sessions, vault documents, practice profiles, and reports.
Exceptions to erasure apply to: (i) consent log records retained for ICO audit compliance; (ii) complaint and refund records where retention is required by law or legitimate interests override (7-year retention); (iii) immutable audit trail records; (iv) anonymised aggregate quality data containing no personal information; (v) agent audit log entries retained for financial accountability (anonymised on account deletion — subscriber identity removed, session and cost metadata retained in anonymised form for the 7-year retention period).
Right to Data Portability (Article 20)
You may request your data in a machine-readable format. The export mechanism is the same as for subject access requests — a JSON export of all personal data associated with your account. Workspace content is additionally exportable in DOCX, PDF, and JSON formats.
Right to Object (Article 21)
You may object to processing based on legitimate interests. The AI practice layer (which accumulates preferences from your session history in the Knowledge Library) may be disabled in account settings without affecting core platform functionality. You may also object to direct marketing at any time — we will action objections to direct marketing immediately.
You may object to Proactive Mode at any time by disabling it in your account settings. When Proactive Mode is disabled, no autonomous background sessions will be initiated. Objection to Proactive Mode does not affect your access to Standard Mode or any other contracted service feature.
Right to Restrict Processing (Article 18)
You may request that we restrict active processing of your data in certain circumstances (where accuracy is contested, or where processing is unlawful but you prefer restriction to erasure). We operate a 90-day account freeze option that retains your data but suspends active processing.
Right to Rectification (Article 16)
You may ask us to correct inaccurate or incomplete personal data by contacting privacy@ailane.ai or updating your account settings directly.
Automated Decision-Making (Article 22)
Index scores (ACEI, RRI, CCI) are deterministic computed outputs based on mathematical formulae applied to publicly available data. They are analytical outputs, not automated decisions about you as an individual. Article 22 rights do not apply to index computation.
ADRA complaint determinations involve automated initial evaluation but are subject to human oversight for escalated complaint categories (C3 data, C4 chargeback, C5 legal). You have the right to request human review of any ADRA determination by contacting support@ailane.ai.
Right to Withdraw Consent
Where processing is based on consent (marketing communications), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Use the unsubscribe link in any marketing email, or contact privacy@ailane.ai.
Right to Lodge a Complaint with the ICO
If you are not satisfied with how we handle your personal data or your rights request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
ICO Registration No. 00013389720
ICO website: ico.org.uk/concerns
ICO helpline: 0303 123 1113
Security
We implement technical and organisational security measures appropriate to the nature of the data we process, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256) for all stored data.
- Row-level security (RLS) policies enforced on all database tables, ensuring users can only access their own data.
- JWT-based authentication with short-lived tokens on all authenticated platform functions.
- HMAC signature verification on all webhook endpoints.
- Content Security Policy (CSP) headers on all platform pages.
- Separation of data schemas preventing cross-client data access.
- Supabase EU infrastructure (Frankfurt, Germany) for data residency.
- Regular secret rotation for all API credentials.
- Regular security review as part of our platform development process.
- Service-role-only access policies on sensitive operational tables (agent audit logs, cost attribution) with no subscriber-facing RLS exposure.
In the event of a personal data breach, we will notify the ICO within 72 hours where required by Article 33 of UK GDPR, and we will notify affected individuals without undue delay where required by Article 34.
To report a security concern, contact security@ailane.ai. We operate a responsible disclosure policy and will acknowledge security reports within 48 hours.
Children
The Ailane platform is designed for use by employers, HR professionals, and workers in a professional capacity. It is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that data promptly.
Changes to This Policy
We may update this Privacy Policy to reflect changes in our data practices, legal requirements, or platform services. We will notify you of material changes by email to your registered address at least 14 days before the changes take effect.
The current version of this Policy, together with its version date, is always available at ailane.ai/privacy/.
Contact and ICO
Data Controller
AI Lane Limited
Company No. 17035654
ICO Registration No. 00013389720
ailane.ai
Privacy Enquiries
For all data protection and privacy enquiries, subject access requests, and rights requests: privacy@ailane.ai
For general support: support@ailane.ai
For security concerns: security@ailane.ai
We aim to respond to all privacy enquiries within 5 business days and will provide a full response within 30 days.
ICO — Right to Complain
If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner’s Office at ico.org.uk/concerns or by calling 0303 123 1113.
ICO address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
ICO Reg. No. 00013389720.