Privacy Policy

Effective date: 1 May 2026

1. Who we are

This Privacy Policy describes how Autara Ltd ("Autara", "we", "us", or "our") collects, uses, and protects personal data when you use the AIOS platform at autara.co.

Autara Ltd is incorporated in England and Wales (company number 16680749), with registered office at 124 City Road, London, United Kingdom, EC1V 2NX.

Autara is registered with the Information Commissioner's Office (ICO) under the Data Protection Act 2018. ICO Registration Number: ZC108838.

For data protection enquiries, contact: privacy@autara.co

2. What data we collect

Account and profile data

When you register for an account, we collect your name, email address, and password (stored as a hashed credential). Business account holders may also provide a company name and billing contact details.

Usage data

We collect information about how you interact with the platform, including pages visited, features used, actions taken, and timestamps. This helps us operate and improve the Service.

Communications data

If you use the messaging or workflow features of the Service (including WhatsApp Business and SMS via our AI conversation agent), the content of those communications is processed through the platform on your behalf. We process this data as a data processor acting on your instructions.

Billing data

Payment transactions are processed by Stripe. We receive confirmation of payment status and billing contact information, but we do not receive or store your full payment card details.

Technical data

We collect standard technical information, including IP address, browser type, device identifiers, and session data, for security, fraud prevention, and service operation purposes.

3. How we use your data

We use your personal data for the following purposes and on the following legal bases:

To provide and operate the Service (legal basis: performance of a contract)

We process account data, usage data, and communications data to deliver the features you have subscribed to, manage your account, and respond to support requests.

To process payments (legal basis: performance of a contract)

We share billing contact information with Stripe to process subscription payments.

To improve the Service (legal basis: legitimate interests)

We analyse aggregated usage data to understand how the Service is used and to improve its features and performance. We do not use individual customer content for this purpose without your consent.

To comply with legal obligations (legal basis: legal obligation)

We retain certain records to comply with tax, accounting, and regulatory requirements, and to respond to lawful requests from regulatory authorities.

To send service communications (legal basis: legitimate interests / contract)

We send transactional emails related to your account, including confirmations, invoices, and security alerts. You cannot opt out of transactional communications while your account is active.

To send marketing communications (legal basis: consent or legitimate interests)

With your consent, or where permitted under PECR, we may send you information about new features and updates. You may opt out at any time by clicking unsubscribe in any marketing email.

4. AI features and your data

AIOS includes AI-assisted conversation agents that route messages to third-party AI inference providers via OpenRouter. The following commitments apply to all AI processing:

  • Customer conversation messages and business content are not used to train AI models.
  • Third-party AI provider contracts explicitly prohibit use of customer data for model training or improvement.
  • Personal data is redacted from messages before dispatch to AI inference endpoints using Presidio PII detection.
  • AI outputs are returned to your account only and are not shared with other customers.
  • Uncertain AI drafts are routed to a human approval queue (HOTL) before sending — no message is sent without either AI confidence or explicit human approval.

5. Data sharing and sub-processors

We share personal data with the following categories of recipients:

Sub-processors — third-party services that process data on our behalf to deliver the Service. Our current sub-processors are:

  • Supabase — Database and authentication — EU (Ireland)
  • Cloudflare — Edge network, DDoS protection, SSL — Global (EU edge priority)
  • Stripe — Billing and payment processing — US/EU (PCI DSS Level 1)
  • Twilio — SMS and WhatsApp messaging — EU
  • OpenRouter — AI inference routing — US
  • Hetzner — Cloud compute (workflow orchestration) — EU (Germany)
  • Vercel — Application hosting — Global (EU edge)
  • PostHog — Product analytics — US (UK-US Data Bridge; client IP discarded before transmission)

OpenRouter routes to AI model providers (including Anthropic, OpenAI, and Google). These are sub-processors of OpenRouter, not Autara. See trust.openrouter.ai for OpenRouter's current sub-processor list.

Legal and regulatory authorities — we may disclose personal data to law enforcement or regulatory bodies where required by law or where necessary to protect our legal rights.

We do not sell personal data to third parties.

6. International data transfers

Some of our sub-processors operate outside the UK and European Economic Area, including in the United States (Stripe, OpenRouter, PostHog). Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR Article 46, including standard contractual clauses and the UK-US Data Bridge (PostHog is a certified participant). PostHog analytics data is transmitted with client IP addresses discarded prior to processing. On autara.co, PostHog is only initialised after explicit cookie consent. On aios.autara.co, analytics events are associated with a pseudonymous UUID only — no email, name, or contact details are sent.

7. Data retention

We retain personal data for as long as necessary to provide the Service and to comply with our legal obligations. Specific retention periods:

  • Account data: retained for the duration of your subscription and for 7 years following account closure to comply with financial record-keeping requirements.
  • Usage logs: retained for 12 months.
  • Communications processed through the Service: retained in accordance with your account configuration; deleted within 30 days of account closure.
  • Billing records: retained for 7 years in accordance with HMRC requirements.

8. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — you may request a copy of the personal data we hold about you.
  • Right to rectification — you may ask us to correct inaccurate or incomplete data.
  • Right to erasure — you may ask us to delete your personal data where there is no longer a lawful basis for us to retain it.
  • Right to restriction — you may ask us to restrict processing of your data in certain circumstances.
  • Right to data portability — you may request a machine-readable copy of your personal data in certain circumstances.
  • Right to object — you may object to processing based on legitimate interests.

To exercise any of these rights, use the data subject request form or contact privacy@autara.co. We will respond within 30 days. You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been infringed.

9. Security

We use a range of technical and organisational measures to protect personal data, including:

  • Encryption of data in transit (TLS/SSL via Cloudflare) and at rest
  • Row-Level Security at the database layer, preventing cross-tenant data access
  • Three-tier secrets management — no production credentials accessible to team members
  • CI secret scanning on all repositories
  • PII redaction before AI processing (Presidio)

In the event of a personal data breach, we will notify the ICO within 72 hours of becoming aware (UK GDPR Article 33) and notify affected individuals without undue delay where required.

10. Cookies

We use cookies and similar technologies to operate the Service, including strictly necessary session cookies, preference cookies, and analytics cookies (PostHog). For full details, see our Cookie Policy.

11. Changes to this policy

We may update this Privacy Policy from time to time. Where we make a material change, we will notify you by email or via an in-product notice before the change takes effect.

12. Contact

Autara Ltd, 124 City Road, London, EC1V 2NX

Email: privacy@autara.co

ICO Registration: ZC108838

Submit a data subject request: form at aios.autara.co (moves to autara.co on EP-027 completion)

Questions about this policy? Contact privacy@autara.co