Who We Are
AI Lane Limited (“Ailane”, “we”, “us”, “our”) is the data controller for personal data processed through the Ailane platform. We are incorporated in England and Wales (Company No. 17035654) and registered with the Information Commissioner’s Office (ICO Registration No. 00013389720).
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Ailane platform at ailane.ai, and your rights in relation to that data.
This Policy should be read alongside our Terms of Service and Complaint Handling Policy.
What We Collect
2.1 Account Data
- Identity: name, email address, job title, organisation name.
- Authentication: hashed password, OAuth tokens (where applicable).
- Account preferences: subscription tier, notification settings, language preference.
2.2 Contract and Document Data
Where you upload contracts or documents for compliance analysis, we process the content of those documents. Documents uploaded for one-time scans are not retained after your session findings are generated. Documents stored in the Document Vault (Governance and Institutional tiers) are retained for the duration of your subscription.
We do not use your uploaded documents to train AI models.
2.3 Usage and Analytics Data
- Pages visited, features used, session duration.
- Search queries within the Knowledge Library.
- Index scores and compliance findings generated during your sessions.
- Device type, browser, IP address (anonymised for analytics after 24 hours).
2.4 Communications Data
- Emails and messages you send to us.
- Support and complaint correspondence.
- Feedback submitted through the platform.
2.5 Payment Data
Payment card data is processed by Stripe and is not stored by Ailane. We retain Stripe customer IDs, transaction references, and subscription status records.
2.6 Compliance and Quality Data
We collect aggregate, anonymised performance metrics about our analysis engine — including severity distribution, finding grounding rates, and canonical test suite results. This data does not contain personal information. Where you provide accuracy feedback on specific findings through the platform’s feedback mechanism, this feedback is stored linked to the session record.
2.7 Voice Interaction Data
If you use Eileen’s voice conversation feature (available at Governance tier and above), your speech is streamed in real time to our voice processing provider for recognition and response generation. Your speech audio is processed transiently and is not recorded or stored by Ailane. Our voice provider processes audio in real time and does not retain it after the session ends (subject to their data processing terms on paid API tiers).
2.8 Vision Interaction Data
If you grant screen sharing permission during a voice conversation with Eileen, visual information from your screen is streamed in real time to our voice processing provider to enable context-aware dialogue. Screen visual data is processed transiently, is not stored, and no screenshots or screen captures are retained by Ailane or our providers. Your camera is never accessed — only screen content is shared if you grant permission.
Lawful Basis for Processing
We process your personal data under UK GDPR on one of the following lawful bases:
| Processing Activity | Lawful Basis | UK GDPR Article | Notes |
|---|---|---|---|
| Account creation & authentication | Contract performance | Art. 6(1)(b) | Necessary to create and deliver the account. |
| Delivering platform services (scans, KL, index scores) | Contract performance | Art. 6(1)(b) | Necessary to deliver the purchased service. |
| Stored contract weekly re-analysis (Governance/Institutional) | Contract performance | Art. 6(1)(b) | Part of the Stored Contract Monitoring service commitment. |
| Voice conversation with Eileen | Contract performance | Art. 6(1)(b) | Real-time voice interaction is part of Governance tier service delivery. Audio streamed transiently, not stored. |
| Vision-aware dialogue with Eileen | Contract performance | Art. 6(1)(b) | Opt-in screen sharing for context-aware Eileen dialogue. Visual data processed transiently, not stored. |
| Finding feedback (accuracy ratings) | Contract performance | Art. 6(1)(b) | Feedback mechanism is part of platform service delivery. |
| Complaint & dispute resolution (ADRA) | Legitimate interests | Art. 6(1)(f) | Fair complaint resolution and consumer protection compliance. LIA conducted. |
| Complaint audit trail (immutable records) | Legitimate interests | Art. 6(1)(f) | Regulatory compliance, chargeback defence, ICO audit. |
| Quality assurance & model performance data | Legitimate interests | Art. 6(1)(f) | Platform quality improvement. Aggregate/anonymised only — no personal data. |
| AI practice layer accumulation (KL) | Legitimate interests | Art. 6(1)(f) | LIA conducted. User creates account expecting AI learns preferences. Overridden by erasure right. |
| Marketing communications | Consent | Art. 6(1)(a) | Separate opt-in checkbox at registration. Recorded in consent log. Withdrawable at any time. |
| Consent log retention (post-deletion) | Legitimate interests | Art. 6(1)(f) | ICO audit compliance only. Minimal data. |
| UTM session parameters (analytics) | Legitimate interests | Art. 6(1)(f) | Tab-scoped, cleared after single use. No personal data persisted to database. |
| Organisational subscription data (Governance) | Contract performance (employer) | Art. 6(1)(b) | Governed by the organisation’s Ailane subscription contract. |
| Individual KL content under org subscription | Contract performance (individual) | Art. 6(1)(b) | Individual’s personal KL data remains governed by individual contract. See §10. |
| Fraud, abuse, and security threat detection | Legitimate interests | Art. 6(1)(f) | Platform security and integrity. LIA conducted. |
| Legal obligations (ICO, tax, audit) | Legal obligation | Art. 6(1)(c) | Compliance with UK law including Companies Act, tax obligations, ICO registration. |
Where we rely on legitimate interests, we have conducted a Legitimate Interest Assessment to confirm that our interests do not override your rights and freedoms. You can request a copy of any such assessment by contacting privacy@ailane.ai.
How We Use Your Data
4.1 Providing the Platform
We use your data to: create and manage your account; process payments and manage subscriptions; deliver compliance analysis, index scores, and Knowledge Library services; send service notifications and alerts; and respond to your support requests.
4.2 Quality and Safety
We use aggregate, anonymised data to monitor platform quality, run our weekly audit protocol, and maintain the quality assurance standards set out in our Terms of Service. This processing does not involve personal data in any identifiable form.
4.3 Marketing
Where you have provided consent, we may send you newsletters, product updates, and information about new features. You can withdraw consent at any time by clicking the unsubscribe link in any marketing email, or by contacting privacy@ailane.ai.
4.4 Compliance and Legal
We may process your data to comply with our legal obligations, respond to regulatory requests, defend legal claims, and maintain audit trails for regulatory compliance purposes.
AI-Powered Processing
Ailane uses artificial intelligence to analyse employment documents and provide regulatory intelligence. This section explains how AI is used and what safeguards are in place.
5.1 What AI Does on the Ailane Platform
AI is used for the following purposes: analysing employment contracts and related documents against UK statutory requirements; generating compliance findings and exposure scores (ACEI, RRI, CCI); powering Eileen, our AI intelligence assistant, who provides factual regulatory information in text and voice; and generating structured reports summarising compliance findings.
5.2 What AI Does Not Do
Ailane provides regulatory intelligence. It does not provide legal advice, and its outputs do not constitute a solicitor-client relationship. AI-generated scores and findings are informational tools — they do not constitute automated decisions with legal or similarly significant effects on you under Article 22 of UK GDPR. No automated decision is made about your legal rights, employment, creditworthiness, or similar matters.
5.3 Safeguards
- Personal identifiers are stripped from documents before they are sent to AI providers for analysis.
- Our AI providers operate under contractual data processing terms that prohibit use of your data for model training (on paid API tiers).
- AI-generated findings are traceable to specific statutory provisions and can be reviewed by a qualified professional.
- You have the right to request human review of any AI-generated finding by contacting support@ailane.ai.
5.4 Anonymised Tribunal Data
Ailane maintains a data estate of over 130,000 anonymised UK employment tribunal decisions. This data is publicly available, published by the Employment Tribunal, and contains no personal data after our anonymisation processing (a six-step irreversible protocol). Aggregated statistics derived from this data inform the regulatory intelligence we provide. No individual can be identified from our aggregated outputs.
5.5 AI Error Explanations
Where the analysis pipeline encounters a technical error on a one-off Contract Compliance Check, a plain-language explanation may be generated using the Anthropic Claude API. The technical context passed to this API contains only an anonymised error description — no personal data, no document content, and no information identifying you or your organisation is included. The generated explanation is included solely in the error notification email sent to you and is not stored beyond that transmission.
Voice and Vision Interaction
6.1 Voice Conversations
Eileen’s voice conversation feature allows you to speak with our AI intelligence assistant in real time. When you activate this feature, your device’s microphone captures your speech and streams it to our voice processing provider (Google DeepMind, via the Gemini Live API) for real-time processing.
Your speech audio is processed transiently — it is streamed, not recorded. Neither Ailane nor our voice provider stores your speech audio after the session ends. You control when the microphone is active via an on-screen toggle, and you can end the voice session at any time.
6.2 Vision-Aware Interaction
If you choose to share your screen during a voice conversation, visual information from your screen is streamed to our voice processing provider to enable Eileen to reference visible dashboard content during your conversation. Screen sharing requires a separate, explicit permission grant from you. Visual data is processed transiently and is not stored, captured, or retained. Your camera is never accessed — only screen content is shared if you grant permission.
6.3 Your Controls
Voice interaction is entirely optional. You can use all Ailane platform features via text without ever activating the microphone. Voice is off by default — you must actively enable it. You can stop the voice session at any time. Screen sharing is a separate opt-in that you can revoke at any time during the session.
6.4 Multilingual Voice
The voice feature supports over 90 languages. If you interact with Eileen in a language other than English, your speech in that language is processed under the same terms described above — streamed transiently, not stored.
Complaint, Dispute, and Quality Data
7.1 Complaint Records
When you submit a complaint or refund request, we create a complaint record containing: your identity, the nature of the complaint, the disputed finding or product, timestamps, evidence reviewed, ADRA determination, and resolution outcome.
Lawful basis: Legitimate interests — our interest in resolving disputes fairly, maintaining service quality records, and complying with consumer protection obligations.
Retention: 7 years from case closure, in accordance with statutory limitation periods and audit trail requirements.
7.2 AI-Assisted Dispute Processing
Complaint records are processed by our AI Dispute Resolution Agent (ADRA). ADRA processing is automated but subject to human oversight for complaints classified as Category 3 (data), Category 4 (chargeback), or Category 5 (legal). You have the right to request human review of any ADRA determination.
Lawful basis: Legitimate interests — fair complaint resolution, consumer protection compliance.
7.3 Quality Assurance Data
Our model performance log records aggregate, anonymised platform metrics — severity distribution, finding grounding rates, canonical test suite results. This data contains no personal information. It is retained indefinitely for quality assurance purposes.
Where you provide accuracy feedback on findings through the platform’s feedback mechanism (thumbs up/down), this feedback is stored linked to the session and finding record. It does not contain personal information about third parties mentioned in uploaded contracts.
Retention: 3 years from submission.
International Transfers
Some of our sub-processors are based outside the United Kingdom. Where we transfer personal data to countries outside the UK, we ensure appropriate safeguards are in place as required by UK GDPR Chapter V.
The safeguards we use include: Standard Contractual Clauses (SCCs) approved by the ICO, where our sub-processors are based in the United States or other countries without an adequacy decision; and data processing within the European Economic Area, which benefits from the UK adequacy decision.
We minimise the personal data included in any cross-border transfer. In particular, personal identifiers are stripped from documents before they are sent to AI providers, and voice audio is streamed transiently without storage.
You can request information about the specific safeguards applied to any transfer by contacting privacy@ailane.ai.
Employer Access to Personal Knowledge Library Content
An employer who takes out a Governance or Institutional subscription for their employees does not acquire any right to access those employees’ personal Knowledge Library content — including projects, session history, vault documents, and reports — created under a personal Knowledge Library subscription.
Such content is processed under a separate contract between AI Lane Limited and the individual user. The employer’s subscription contract governs only content created under the organisational subscription, as designated by the organisation’s visibility settings.
AI Lane Limited will not disclose personal-flagged content to any employer, organisation administrator, or third party without the individual user’s explicit written consent, except as required by law.
10.1 Lawful Basis for Individual vs Organisational Data
Personal Knowledge Library data created under an individual subscription is processed under a contract between Ailane and that individual (Art. 6(1)(b) UK GDPR). The employer’s subscription does not override this lawful basis. The employer has no independent lawful basis to access this data.
10.2 For Legal Professionals
For legal professionals, Ailane’s visibility architecture is designed to protect potentially privileged material from inadvertent employer access. Ailane does not waive, assess, or adjudicate privilege claims. Legal professionals are advised to maintain personal Knowledge Library accounts for privileged research and to exercise explicit control over any sharing decisions.
Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account profile and authentication data | Duration of account + 30-day grace period | Contract performance. Deleted on verified erasure request after grace period. |
| Knowledge Library session data | Duration of account + 30-day grace period | Contract performance. Personal data. Deleted on erasure request. |
| Document Vault (Governance/Institutional) | Duration of active subscription + 90-day grace on cancellation | Contract performance. You can delete documents at any time. Deleted on subscription termination after grace. |
| Compliance scan findings (one-time scans) | 30 days for findings_json; session metadata retained longer for audit | Contract performance. 30-day purge of detailed findings data. |
| Eileen interaction metadata | 90 days | Service improvement. Category metadata only, no query text. Auto-deleted by scheduled maintenance. |
| Voice session data | Not retained — processed transiently | Real-time processing only. No recording or storage by Ailane or provider. |
| Vision (screen share) data | Not retained — processed transiently | Real-time processing only. No screenshots stored by Ailane or provider. |
| Consent log (marketing) | 7 years from consent event | Legitimate interests — ICO audit compliance. Retained after account deletion. |
| Complaint and refund records | 7 years from case closure | Legitimate interests — statutory limitation periods, regulatory compliance. |
| ADRA determination logs (immutable audit trail) | 7 years — immutable record | Legitimate interests — chargeback defence, ICO audit, regulatory compliance. Cannot be deleted on erasure request. |
| Finding feedback data | 3 years from submission | Contract performance — quality improvement. |
| Model performance log (aggregate, anonymised) | Indefinite | Legitimate interests — quality assurance. No personal data. |
| Payment transaction records | 7 years | Legal obligation — accounting and tax records (Companies Act 2006). |
| DocuSign envelope metadata | 7 years | UK document retention obligations. |
| Authentication and security logs | 7 years | Security audit trail; regulatory compliance. |
| Analytics data (GA4) | 14 months (Google default) | Service improvement. No personal identification. |
When data reaches the end of its retention period, it is securely deleted. Where data is held by a sub-processor, deletion is governed by the applicable data processing agreement.
Your Rights Under UK GDPR
You have the following rights in relation to your personal data. To exercise any right, contact privacy@ailane.ai. We will respond within 30 days.
Right of Access (Article 15)
You may request a copy of all personal data we hold about you. We will provide a machine-readable JSON export of all personal data associated with your account, including Knowledge Library sessions, vault documents, account preferences, and consent records.
Right to Erasure (Article 17)
You may request deletion of your account and associated personal data. We operate a 30-day grace period following an erasure request, during which your account is suspended but not deleted. After 30 days, all personal data is hard-deleted including Knowledge Library sessions, vault documents, practice profiles, and reports.
Exceptions to erasure apply to: (i) consent log records retained for ICO audit compliance; (ii) complaint and refund records where retention is required by law or legitimate interests override (7-year retention); (iii) immutable audit trail records; (iv) anonymised aggregate quality data containing no personal information.
Right to Data Portability (Article 20)
You may request your data in a machine-readable format. The export mechanism is the same as for subject access requests — a JSON export of all personal data associated with your account. Workspace content is additionally exportable in DOCX, PDF, and JSON formats.
Right to Object (Article 21)
You may object to processing based on legitimate interests. The AI practice layer (which accumulates preferences from your session history in the Knowledge Library) may be disabled in account settings without affecting core platform functionality. You may also object to direct marketing at any time — we will action objections to direct marketing immediately.
Right to Restrict Processing (Article 18)
You may request that we restrict active processing of your data in certain circumstances (where accuracy is contested, or where processing is unlawful but you prefer restriction to erasure). We operate a 90-day account freeze option that retains your data but suspends active processing.
Right to Rectification (Article 16)
You may ask us to correct inaccurate or incomplete personal data by contacting privacy@ailane.ai or updating your account settings directly.
Automated Decision-Making (Article 22)
Index scores (ACEI, RRI, CCI) are deterministic computed outputs based on mathematical formulae applied to publicly available data. They are analytical outputs, not automated decisions about you as an individual. Article 22 rights do not apply to index computation.
ADRA complaint determinations involve automated initial evaluation but are subject to human oversight for escalated complaint categories (C3 data, C4 chargeback, C5 legal). You have the right to request human review of any ADRA determination by contacting support@ailane.ai.
Right to Withdraw Consent
Where processing is based on consent (marketing communications), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Use the unsubscribe link in any marketing email, or contact privacy@ailane.ai.
Right to Lodge a Complaint with the ICO
If you are not satisfied with how we handle your personal data or your rights request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
ICO Registration No. 00013389720
ICO website: ico.org.uk/concerns
ICO helpline: 0303 123 1113
Security
We implement technical and organisational security measures appropriate to the nature of the data we process, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256) for all stored data.
- Row-level security (RLS) policies enforced on all database tables, ensuring users can only access their own data.
- JWT-based authentication with short-lived tokens on all authenticated platform functions.
- HMAC signature verification on all webhook endpoints.
- Content Security Policy (CSP) headers on all platform pages.
- Separation of data schemas preventing cross-client data access.
- Supabase EU infrastructure (Frankfurt, Germany) for data residency.
- Regular secret rotation for all API credentials.
- Regular security review as part of our platform development process.
In the event of a personal data breach, we will notify the ICO within 72 hours where required by Article 33 of UK GDPR, and we will notify affected individuals without undue delay where required by Article 34.
To report a security concern, contact security@ailane.ai. We operate a responsible disclosure policy and will acknowledge security reports within 48 hours.
Children
The Ailane platform is designed for use by employers, HR professionals, and workers in a professional capacity. It is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that data promptly.
Changes to This Policy
We may update this Privacy Policy to reflect changes in our data practices, legal requirements, or platform services. We will notify you of material changes by email to your registered address at least 14 days before the changes take effect.
The current version of this Policy, together with its version date, is always available at ailane.ai/privacy/.
Contact and ICO
Data Controller
AI Lane Limited
Company No. 17035654
ICO Registration No. 00013389720
ailane.ai
Privacy Enquiries
For all data protection and privacy enquiries, subject access requests, and rights requests: privacy@ailane.ai
For general support: support@ailane.ai
For security concerns: security@ailane.ai
We aim to respond to all privacy enquiries within 5 business days and will provide a full response within 30 days.
ICO — Right to Complain
If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner’s Office at ico.org.uk/concerns or by calling 0303 123 1113.
ICO address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
ICO Reg. No. 00013389720.