Transparency at AIR Tools

We believe you deserve to know exactly how your data is handled. Here is everything about our AI, data storage, sub-processors, and protective measures. No fine print, no surprises.

How We Use Artificial Intelligence

AI powers the core of AIR Tools, but always under your control

AIR Tools uses Google Gemini via Firebase Genkit to analyze your security posture, generate findings, draft policies, and provide recommendations. Every AI feature requests structured output against a strict schema, so responses always arrive in a consistent, predictable shape that the application validates before it is shown to you. Schema validation constrains the format of a response, not its factual accuracy, which is why AI output is always presented as a draft for your review rather than as established fact.

What AI Sees

The AI processes your organization profile (industry, size, tools used), publicly available website information, and your compliance findings and risks. It uses this context to generate personalized, relevant advice for your specific business.

What AI Does Not See

The AI never receives your raw passwords or payment details, and it sees no personal employee data beyond what team management requires (names and roles). AI-generated content (policies, recommendations) is always presented as a draft for your review and is never applied automatically.

Where Your Data Lives

Your data stays in the European Union

EU Data Residency

All data is stored in Google Cloud data centers within the European Union (eur3 multi-region). Your data never leaves the EU for processing or storage.

Encryption at Rest & in Transit

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database backups are encrypted with the same standards.

Tenant Isolation

Each organization’s data is logically isolated using Firestore security rules: every request is evaluated against the requesting user’s membership in the organization before a single document is read or written. No organization can access another’s data. This is enforced at the database level, not just the application level.

Sub-Processors

Every third party that touches your data

Google Cloud Platform

Infrastructure, compute, and database hosting. Data stored in EU (eur3). Processes organization data, compliance findings, and AI analysis.

Firebase (Google)

Authentication, Firestore database, Cloud Functions, and Hosting. Handles user accounts, organization data, and serverless backend logic.

Stripe

Payment processing for premium subscriptions. Processes billing information only. Stripe never sees your compliance data or organization details.

Google Analytics 4

Anonymous usage analytics to improve the product. Only activated with your explicit cookie consent. No personal data is shared and all tracking is anonymized.

Protective Measures

How we protect your data

Authentication & Access Control

Firebase Authentication handles sign-in; passwords are stored only as hashes using Firebase’s scrypt-based scheme and are never visible to AIR Tools. Role-based access control (owner/member) is enforced at both the database and the application level.

Database Security Rules

Granular Firestore security rules ensure every read and write is authorized. Rules are version-controlled and tested with automated unit tests.
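As an added illustration of the tenant isolation, owner/member roles and security rules described in the three sections above (this is example code written for this page, not AIR Tools’ own ruleset), the following Firestore security rules assume a hypothetical data layout: organization documents under /organizations/{orgId}, membership documents under /organizations/{orgId}/members/{uid} with a role field of "owner" or "member", and findings under /organizations/{orgId}/findings/{findingId}. Nothing about this layout is taken from the page.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // --- helpers (hypothetical layout, see lead-in) ---

    function signedIn() {
      return request.auth != null;
    }

    // Tenant isolation: a caller is a member of an org only if a membership
    // document keyed by their own uid exists under that org.
    function isMember(orgId) {
      return signedIn()
        && exists(/databases/$(database)/documents/organizations/$(orgId)/members/$(request.auth.uid));
    }

    // RBAC: read the caller's own membership document and check its role.
    // If no membership document exists the lookup yields no role and the
    // comparison fails, so the request is denied.
    function isOwner(orgId) {
      return signedIn()
        && get(/databases/$(database)/documents/organizations/$(orgId)/members/$(request.auth.uid)).data.role == 'owner';
    }

    match /organizations/{orgId} {
      // Any member may read the org profile; only owners may change it,
      // and only the profile fields, never the membership or billing state.
      allow read: if isMember(orgId);
      allow update: if isOwner(orgId)
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['name', 'industry', 'size']);
      // Organizations are created and deleted by trusted server-side code
      // (Admin SDK), never directly from the client.
      allow create, delete: if false;

      match /members/{uid} {
        allow read: if isMember(orgId);
        // Only owners manage roles, the role value is constrained to the two
        // known roles, and no other fields may be smuggled into the document.
        allow create, update: if isOwner(orgId)
          && request.resource.data.role in ['owner', 'member']
          && request.resource.data.keys().hasOnly(['role']);
        // Owners may remove others but not themselves (avoids orphaning an org).
        allow delete: if isOwner(orgId) && uid != request.auth.uid;
      }

      match /findings/{findingId} {
        // Findings are scoped by path, so a member of org A can never list
        // or read findings under org B: isMember(orgId) is evaluated for the
        // orgId in the requested path, not one supplied in the payload.
        allow read: if isMember(orgId);
        allow create, update: if isMember(orgId);
        allow delete: if isOwner(orgId);
      }
    }

    // Firestore denies anything no rule allows; this catch-all makes the
    // default-deny explicit for reviewers.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two points worth checking when adapting rules like these: `exists()` and `get()` count against Firestore’s per-request document-access limit (10 for a single-document request), so nesting many lookups per rule eventually makes requests fail closed; and rules only govern traffic from client SDKs, while server-side code using the Admin SDK (for example in Cloud Functions) bypasses them entirely, so backend code must scope its own queries by organization. Rules of this shape are exercised against the Firebase emulator with the @firebase/rules-unit-testing package, asserting that a member of one organization is denied reads on another organization’s documents.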

Continuous Monitoring

Automated dependency scanning, code quality checks, and security reviews run on every code change to the product. Separately, scheduled check-ups within the product re-evaluate your organization’s security posture so that findings stay current.

Incident Response

Documented incident response procedures with defined roles and communication channels. Issues are triaged and addressed according to severity.

Secure Development

All code goes through automated review, type checking, and testing before deployment. Dependencies are audited for known vulnerabilities.

Responsible Disclosure

We maintain a security.txt file at /.well-known/security.txt with contact information for reporting vulnerabilities. We welcome responsible disclosure.

Our Commitment

Transparency is not a feature. It is how we operate. We use AI to help you, store your data in the EU, work with trusted sub-processors only, and apply best practices at every layer. If you have questions about any of this, we are happy to talk.

Frequently Asked Questions

Questions about our practices?

We are happy to explain anything in more detail. Reach out to our team or start a free account to see our transparency in action.