Who we are
AIR (“AIR”, “we”, “us”) is a product of Glowar Ltd, a company registered in England & Wales (company number 14099798) with its registered office at Henge Barn, Pury Hill Business Park, Alderton Road, Towcester, Northamptonshire NN12 7LS. Glowar Ltd is the data controller responsible for personal data processed in connection with AIR and the website at breatheair.ai.
You can reach us at [email protected].
Scope of this policy
This policy covers three contexts in which we may process your personal data:
- Marketing website. The pages at breatheair.ai, including the early-access registration form.
- Early-access programme. The communications and onboarding activities for prospective customers who register interest before general availability.
- The AIR platform. The product itself — once you sign a customer agreement and begin using AIR, we process data on your organisation’s behalf. In that context, Glowar Ltd typically acts as a data processor rather than controller, and the terms of our customer agreement (and Data Processing Agreement) take precedence.
What we collect
From the website
When you browse breatheair.ai we automatically collect:
- IP address (truncated for analytics)
- Browser type and version, operating system, device class
- Pages visited, time on page, referrer
- Cookie identifiers (see section 11)
From the early-access form
When you register interest we collect what you provide: full name, work email, company name, company website (optional), team size band, and the first role you’d hire. We may also collect any additional information you choose to send us by email.
From the AIR platform
Once your organisation is using AIR, we process data your administrators choose to bring into the platform — typically: work email addresses of users, Microsoft 365 directory information, Teams messages and meeting context to the extent your bots participate in them, and operational data generated by AI workers during their engagements. The specific scope is set by your administrator and governed by your customer agreement.
How we use it
We use personal data only for specific, declared purposes:
- To run the website — serve pages, log errors, keep it secure.
- To respond to you — answer enquiries, send early-access updates you’ve signed up for.
- To improve the product — aggregate, de-identified usage analytics. We do not train AI models on identifiable customer data.
- To deliver the AIR platform — under your administrator’s direction and the terms of our customer agreement.
- To meet legal obligations — tax records, compliance with lawful requests.
We do not sell personal data. We do not share it with advertisers. We do not use it for automated decisions that produce legal or similarly significant effects.
Legal bases (UK GDPR / EU GDPR)
| Activity | Lawful basis |
|---|---|
| Running the website & keeping it secure | Legitimate interests |
| Responding to your enquiry / early-access registration | Performance of pre-contractual steps at your request |
| Sending you product updates you signed up for | Consent (you can withdraw at any time) |
| Operating the AIR platform for your organisation | Contract (with your organisation) |
| Complying with legal obligations | Legal obligation |
Who we share it with
We rely on a small number of carefully selected sub-processors. They each have a contract requiring them to keep your data confidential and process it only on our instructions.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure (EKS, RDS, Redis, S3) | EU (eu-west-2 / eu-west-1) |
| Anthropic, OpenAI, Google, AWS Bedrock | Large language model providers | Various — see DPA for region selection |
| Microsoft | M365 identity & Teams integration | Customer-selected region |
| HubSpot | CRM for marketing-site form submissions & opt-in website analytics | US (Standard Contractual Clauses in place) |
| Email delivery provider | Transactional email | EU |
A current, signed list of sub-processors is available on request from [email protected].
Before any data is sent to an LLM provider, AIR’s proxy service runs PII detection and redaction. Identifiable personal data does not leave your infrastructure boundary in plain form.
International transfers
Where we transfer personal data outside the UK / EEA we rely on appropriate safeguards — typically the Standard Contractual Clauses together with supplementary technical measures (encryption in transit and at rest, PII redaction at the proxy, regional pinning where supported).
How long we keep it
- Website analytics: 13 months, then deleted or anonymised.
- Early-access registrations: until you ask us to delete them, or 24 months after our last contact — whichever is sooner.
- Customer data in the platform: as set in your customer agreement; default is for the duration of the contract plus 90 days, after which it is purged.
- Operational logs: 30–90 days depending on category.
- Records we have to keep by law (e.g. financial records): for the legally required period.
Security
AIR is built for enterprise security:
- Tenant isolation — each customer’s data lives in a dedicated database schema and Kubernetes namespace. Cross-tenant access is structurally impossible, not just policy-controlled.
- Encryption — TLS 1.2+ in transit, AES-256 at rest, AWS KMS for key management.
- Access controls — least-privilege IAM, MFA enforced on all internal access, audited.
- PII redaction — outbound LLM requests pass through a proxy that detects and redacts PII before the message leaves your environment.
- Audit trails — every action against your data is logged and exportable.
Your rights
Under UK and EU data protection law you have the right to:
- Ask what personal data we hold about you.
- Have inaccurate data corrected.
- Have your data deleted (subject to legal retention requirements).
- Restrict or object to certain processing.
- Receive a portable copy of data you provided to us.
- Withdraw consent at any time, where consent is the legal basis.
- Lodge a complaint with your supervisory authority — for UK residents, the ICO.
To exercise any of these, email [email protected]. We respond within one month.
Cookies
We use one item of strictly-necessary local storage to remember whether you accepted or declined the cookie banner — without that, the banner would re-appear on every page. It is not a cookie and it is not shared with anyone.
Beyond that, we only set cookies if you click “accept” on the banner. Today that loads the HubSpot tracking script, which sets the cookies below. We do not use advertising or cross-site tracking cookies. You can change your choice at any time via “manage cookies” in the footer.
| Set by | Cookie | Purpose | Lifetime |
|---|---|---|---|
| AIR (first-party, local storage) | air_cookie_consent_v1 | Remembers your accept/decline choice | Until cleared |
| HubSpot (only if you accept) | __hstc | Visitor analytics — first/last visit, session count | 13 months |
| HubSpot (only if you accept) | __hssc | Current session identifier | 30 minutes |
| HubSpot (only if you accept) | __hssrc | Detects whether the visitor restarted their browser session | Session |
| HubSpot (only if you accept) | hubspotutk | Identifies a unique visitor and ties prior page-views to a Contact when a form is submitted | 13 months |
The site works the same whether you accept or decline. Declining means we won’t be able to associate any pre-form browsing with you in our CRM.
Children
AIR is a business product. We do not knowingly collect personal data from anyone under 16. If you believe we have, contact us and we will delete it.
Changes to this policy
If we make material changes we will update the “last updated” date at the top of this page and, where appropriate, notify you directly. Continued use of the website after a change means you accept the updated policy.
Contact
Questions, requests, or complaints about this policy:
- Email: [email protected]
- Post: Glowar Ltd, Henge Barn, Pury Hill Business Park, Alderton Road, Towcester, Northamptonshire NN12 7LS, United Kingdom