Privacy policy.

This Privacy Policy describes how iaai.work (“we”, “us”, “our”, “the Company”) collects, uses, discloses, and protects personal information when you visit our website, use our services, or interact with us in any way.

We are committed to maintaining the highest levels of transparency, privacy, and security, and are trusted by global organizations including corporations, universities, law firms, energy companies, retail organizations, and public-sector institutions.

1. Who We Are

iaai.work provides software and services for:

  • AI-powered discovery and governance of web estates

  • PDF and digital content remediation

  • Accessibility, security, privacy, and compliance scoring

  • Data governance workflows

  • Metadata automation and quality assurance

  • Enterprise reporting and versioning

  • Web inventory and site ownership mapping

  • Decommissioning and lifecycle management

We operate globally and serve customers across multiple sectors including energy, financial services, gaming, higher education, and law firms.

If you are in the EU or UK, we operate as the Data Controller for the personal information we process.

2. Scope of This Policy

This Privacy Policy applies to:

  • our website (iaai.work and subdomains)

  • our products, platforms, and SaaS applications

  • support interactions

  • sales and marketing communications

  • professional services and consultancy

  • events, webinars, and training sessions

  • API usage

  • AI features and data processing

This Policy applies whether you access the platform directly, via an API, through a partner, or through embedded integrations.

3. Personal Data We Collect

We collect personal data in the following categories:

3.1 Information You Provide to Us

  • Account details: name, email, job title, department, organization

  • Authentication data: login credentials, 2FA preferences

  • Support queries: chat logs, email correspondence, tickets

  • Uploaded files or data: PDFs, documents, web pages, reports

  • Form submissions: demo bookings, newsletter signups, feedback

  • Payment & billing details: payment method (tokenised), billing address

  • Survey responses and feedback

3.2 Information Collected Automatically

When you visit or use our products, we automatically collect:

  • IP address & geolocation (coarse, anonymised where possible)

  • Browser type, device information, OS, screen size

  • Cookies & tracking technologies (see Cookie Policy)

  • Usage logs: pages viewed, actions taken

  • Performance and diagnostic data

  • API request logs

  • Error logs and crash analytics

  • Accessibility scanning telemetry (non-PII)

3.3 Information We Process on Behalf of Customers (Data Processor Role)

When customers use iaai.work to audit or remediate content, we may process:

  • Website URLs

  • HTML, CSS, JS, and metadata

  • PDF files and associated tags

  • Accessibility error reports

  • Security and privacy scoring data

  • Text and images extracted for automated analysis

  • User IDs and site ownership metadata provided by customers

In these scenarios, the customer remains the Data Controller, and we act strictly as a Data Processor.

3.4 Information from Third Parties

We may receive data from:

  • CRM systems (e.g., HubSpot)

  • Customer identity providers (e.g., Azure AD, Okta, Google Workspace)

  • Partners and resellers

  • Public sources (WHOIS, DNS, SSL certificate metadata, web registries)

  • Marketing platforms (anonymised analytics)

4. How We Use Personal Data

We use data for the following purposes:

4.1 Service Delivery

  • Create and manage user accounts

  • Provide platform functionality

  • Run website accessibility/security/privacy scoring

  • Provide automated PDF remediation

  • Provide AI insights and content summaries

  • Maintain system interoperability (APIs, integrations, authentication)

4.2 Customer Support & Communication

  • Respond to support tickets

  • Provide onboarding and training

  • Send system notifications and operational updates

  • Manage incidents and service outages

4.3 Product Development and AI Improvements

  • Improve our AI models using strictly anonymised data

  • Enhance features, accuracy, and performance

  • Debugging and troubleshooting

  • Usage analytics to optimize UX

We never use customer-provided content (e.g., PDFs, proprietary documents, data extracts) to train public AI models. We may train isolated, private models with explicit customer agreement.

4.4 Security, Compliance & Fraud Prevention

  • Monitoring for anomalies

  • Protecting systems from misuse

  • Maintaining audit trails

  • Enforcing regulatory requirements

  • Data retention and deletion governance

4.5 Marketing (Opt-In Only in Applicable Regions)

  • Email newsletters

  • Product updates

  • Event invitations

  • Case studies and testimonials (only with consent)

5. Legal Bases for Processing (GDPR & UK GDPR)

We rely on the following legal bases:

  • Contract performance – delivering our services

  • Legitimate interests – security, fraud detection, service improvements

  • Consent – marketing, cookies, optional analytics

  • Legal obligations – tax, financial, and regulatory requirements

6. Sharing Your Information

We never sell or rent personal data.

We may share data with:

6.1 Service Providers (Subprocessors)

Such as:

  • Hosting (DigitalOcean, AWS, Azure)

  • Email (SendGrid, Gmail Workspace)

  • Analytics (with anonymisation)

  • Support tools (Jira, Zendesk)

  • AI providers (OpenAI, Anthropic, Cohere – with strict data controls)

All subprocessors must comply with strict contractual, technical, and security requirements.

6.2 Legal & Regulatory Bodies

Only when required by:

  • Law

  • Court orders

  • National security

  • GDPR/ICO investigations

  • Compliance with DPA, GDPR, UK GDPR, or other regulations

6.3 Partner Organizations

Only with your permission (e.g., joint delivery projects).

7. International Data Transfers

We process data globally. When transferring personal data outside the UK/EU, we use:

  • UK International Data Transfer Agreements (IDTA)

  • EU Standard Contractual Clauses (SCCs)

  • Adequacy decisions

  • Additional encryption standards

Customers can request a list of data transfer safeguards anytime.

8. Data Retention

We retain data based on:

  • legal requirements

  • contractual commitments

  • operational needs

  • customer instructions

Default retention periods:

  • Account data: retained while active

  • Audit logs: 12–24 months

  • Uploaded files (PDFs, HTML snapshots): only for the processing period

  • Backups: 30–90 days depending on environment

  • Marketing data: until opt-out

You can request deletion at any time.

9. Your Rights

Depending on your region, you may have the right to:

  • Access your data

  • Rectify inaccurate information

  • Delete your data (“right to be forgotten”)

  • Restrict processing

  • Object to processing

  • Port personal data

  • Withdraw consent

  • Opt out of marketing

  • Opt out of data sale/share (CCPA/CPRA)

  • Request human review of AI decisions

Requests are responded to within 30 days.

Submit a request to: privacy@iaai.work

10. Cookies & Tracking Technologies

We use:

  • Essential cookies (authentication, session management)

  • Functional cookies (preferences)

  • Analytics cookies (optional, anonymised)

  • Third-party cookies for login integrations

See our Cookie Policy for full details.

Users can reject optional cookies at any time.

11. Security

We maintain enterprise-grade security, including:

  • Zero-trust access principles

  • Encryption in transit (TLS 1.2+)

  • Encryption at rest (AES-256)

  • Role-based access control (RBAC)

  • Multi-factor authentication

  • Network firewalls and WAF

  • Regular penetration testing

  • Code reviews and secure SDLC

  • Disaster recovery and high availability

  • Continuous monitoring and logging

  • Least-privilege permissioning

  • Private VPCs and environment isolation

For sensitive clients (law, finance, energy), dedicated environments and custom encryption models are available.

12. AI Processing Transparency

Our AI features may include:

  • Content summarisation

  • Accessibility scoring

  • Metadata extraction

  • Decomposition analysis

  • Remediation suggestions

  • Risk classification

  • Ownership prediction

  • PDF structure modelling

We do not use customer materials to train public AI models.

We may train private, isolated models under:

  • DPA addenda

  • Confidentiality agreements

  • Customer-specific instructions

13. Children’s Privacy

Our services are not intended for children under 16. We do not knowingly collect personal information from minors.

14. Third-Party Links

Our websites may link to third-party sites (partners, universities, vendors, etc.). We are not responsible for their privacy practices.

15. Changes to This Privacy Policy

We may update this Policy from time to time to reflect:

  • legal changes

  • product updates

  • operational improvements

  • industry standards

We will notify you if material changes occur.

16. Contact Us

For questions, DSR requests, security concerns, or complaints:

Email: privacy@iaai.work

If you are in the EU/UK, you may contact your supervisory authority (ICO, CNIL, etc.) if you believe your rights are not being respected.