Privacy Processing Record
A public RoPA-style record of AIRIN's processing activities, data categories, processors, legal bases, retention posture, and rights paths. This is operational transparency, not a legal opinion.
Scope
This record covers AIRIN's own processing at airinetwork.com: accounts, purchases, reports, subscriptions, inquiries, Ask AI, and first-party telemetry. It does not describe the AI platforms AIRIN analyzes.
The canonical privacy policy remains /privacy. This record gives procurement, privacy, and security reviewers a more structured view of the same operating facts.
Processing activities
| Activity | Data categories | Purpose | Basis | Processors | Retention / rights path |
|---|---|---|---|---|---|
| Newsletter and policy-change email subscriptions | Email address and optional professional role. | Send the alerts, weekly briefings, or launch updates the subscriber requested. | Consent. The unsubscribe link withdraws consent. | Kit | Until unsubscribe or deletion request. Unsubscribe link in every email; privacy@airinetwork.com for access, correction, deletion, or portability. Kit subscriber email/role corrections are handled manually in Kit, with a fresh confirmation link when consent needs to be reconfirmed. |
| Optional user accounts | Email address, OAuth name/avatar if provided by Google, saved stack, watched platforms, alert inbox rows, and API key metadata. API keys are stored only as one-way hashes. | Provide saved stacks, My Reports, watch alerts, API access, account export, and account deletion. | Performance of the service requested by the user. | Supabase | Until account deletion; account deletion removes profile, stack, watches, alerts, reports, and keys through scoped account controls. Self-serve export and deletion in Settings; privacy@airinetwork.com for correction or other DSAR requests. |
| Stack Audit and report purchases | Stripe checkout/payment identifiers, purchased order metadata, selected platform slugs, and report-delivery metadata. AIRIN never receives card numbers. | Process payment, fulfill the purchased Stack Audit, recover purchase access, and attach reports to the buyer's account. | Performance of the purchase contract. | Stripe and Supabase | Purchase/report records are retained for purchase history, redownload, and audit-custody unless deletion is requested where legally available. Purchase recovery flow, My Reports redownload, account export, and privacy@airinetwork.com. |
| Ask AI | The question typed by the user plus retrieved published AIRIN clauses/findings relevant to the answer. Account identity is not sent to the model provider. | Generate cited, evidence-bound answers and refuse unsupported questions. | Performance of the feature requested by the user. | Anthropic | AIRIN stores saved Ask sessions only when the user saves them to an account. Anthropic does not use API inputs to train its models. Delete saved account data through account deletion; privacy@airinetwork.com for DSAR requests. |
| First-party usage telemetry | Path, coarse client class, event type, anonymous per-tab session id, referrer host, UTM tags, and non-identifying detail fields. For consented page views, AIRIN also stores IP address, IP prefix, approximate IP-derived location, network/ASN, and coarse device/browser/OS fields. No cookie, fingerprint, account id, or email is stored with usage events. | Understand which public evidence surfaces, citations, and machine endpoints are useful; attribute campaigns; and detect automated or fraudulent traffic. | Legitimate interest in operating, securing, and improving the service, with consent where required for analytics storage. | Supabase and Vercel hosting logs | Raw IP addresses and raw event rows are retained for a maximum of 90 days before deletion or irreversible aggregation. privacy@airinetwork.com for access, deletion, objection, or other questions about IP-associated usage data. |
| Public inquiry and submission forms | Information the submitter provides, such as work email, organization, role, inquiry details, suggested platform, correction request, or audit request. | Respond to the inquiry, review the submitted platform/correction, or route the requested audit workflow. | Consent and/or pre-contractual steps requested by the submitter. | Supabase, Resend, Kit where the submitter opts into email, and Vercel. | Retained as an operational inquiry record until resolved or deletion is requested where legally available. privacy@airinetwork.com for access, correction, deletion, and objection requests. |
Processor inventory
| Processor | Role |
|---|---|
| Supabase | Authentication, account storage, report history, watch alerts, API key metadata, and first-party operational tables. |
| Stripe | Hosted checkout, payment processing, checkout session metadata, purchase fulfillment, and receipt/payment records. |
| Kit | Newsletter subscription form, consent confirmation, subscriber tags, and unsubscribe handling. |
| Resend | Transactional and operational email delivery, including inquiry notifications and guarded draft workflows. |
| Vercel | Hosting, edge delivery, build/deploy platform, and transient request logs. |
| Anthropic | Ask AI reasoning over the user's question and retrieved published AIRIN evidence. |
Safeguards
- No third-party analytics, advertising pixels, session replay, or cross-site tracking.
- Content-Security-Policy blocks third-party scripts from loading on the public site.
- Usage telemetry is not tied to accounts, emails, cookies, fingerprints, or cross-site identifiers; consented IP-derived fields are retention-bounded to a maximum of 90 days.
- API keys are stored as hashes, not recoverable plaintext.
- Account tables use row-level security and scoped account deletion/export routes.
- Ask answers retrieve from verified AIRIN evidence and include the informational-only, not-legal-advice boundary.
User rights path
Account holders can export or delete account data from Settings. Email subscribers can unsubscribe from any message. Privacy, correction, deletion, access, portability, or objection requests go to privacy@airinetwork.com.
For Kit newsletter records, AIRIN handles rectification manually: the operator updates the subscriber email or role in Kit, or sends a new confirmation flow if the requested change requires renewed consent. This covers subscriber profile fields that are not self-service beyond unsubscribe.
Generated from live pipeline data. Informational only, not legal advice.
AIRIN Brief
Built for compliance officers, legal counsel, and SaaS founders. Subscribe to the email digest — one short brief when a tracked vendor materially changes its terms, training policy, or risk rating. Prefer in-app? Watch platforms in your alerts inbox instead.
