AI Voice Agent Privacy & Data Protection | AIRAYFLOW

AIRAYFLOW AI LTD Privacy Policy

Last Updated: February 2026

At Airayflow AI Ltd, we respect your privacy and are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Privacy Policy explains how we collect, use, store, and safeguard your information when you visit our website or interact with our services.

1. Who We Are 

Airayflow AI Ltd acts as a Data Controller in respect of personal data collected through this website and in the course of our business activities, including enquiry forms, analytics, and direct communications.

We build and configure AI voice systems for clients. In our standard setup we do not access or store our clients' live customer data; our clients remain responsible for any personal data processed through those systems under their own privacy notices.

Airayflow AI Ltd 

Company Number: 16926357 

ICO Registration Number: ZC071653 

167–169 Great Portland Street, 

5th Floor, 

London, 

W1W 5PF, 

United Kingdom

Email: info@airayflow.com

For data protection enquiries, contact: info@airayflow.com

2. Information We Collect

Information you provide directly:

• Name, business name, and contact details (email, phone number)
• Messages and enquiries submitted via contact forms
• Marketing consent preferences
• Any other information you choose to provide

Information collected automatically:

• IP address and device information
• Browser type and version
• Pages visited and time spent on our website
• Referring website addresses
• Usage data through cookies and analytics tools (see Section 10)

3. How We Use Your Information

We process your personal data for the following purposes:

• Responding to enquiries and providing customer support — Legitimate interest
• Sending marketing communications (where consent is given) — Consent
• Improving our website and services — Legitimate interest
• Complying with legal obligations — Legal obligation
• Preventing fraud and ensuring security — Legitimate interest

We will only send marketing communications if you have given explicit consent. You may withdraw consent at any time by clicking "unsubscribe" in any marketing email, emailing info@airayflow.com with "OPT OUT" in the subject line, or contacting us directly. Once withdrawn, we will stop marketing communications but retain a minimal record of your opt-out to ensure compliance.

4. What Information We Collect, Use, and Why

We collect or use the following information to provide and improve products and services for clients:

• Names and contact details
• Addresses
• Occupation
• Payment details (including card or bank information for transfers and direct debits)
• Transaction data (including details about payments to and from you and details of products and services you have purchased)
• Usage data (including information about how you interact with and use our website, products and services)
• Information relating to compliments or complaints
• Audio recordings of demo, sales, or onboarding calls with prospective or existing business clients
• Website user information

Where demo calls are recorded, we inform participants at the start of the call that recording is taking place and why.

We collect or use the following personal information to comply with legal requirements:

• Name
• Contact information
• Client account information
• Any other personal information required to comply with legal obligations

We collect or use the following personal information for dealing with queries, complaints or claims:

• Names and contact details
• Demo call recordings where relevant
• Customer or client accounts and records
• Correspondence

5. Lawful Bases and Data Protection Rights

Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO's website.

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO's website:

• Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for.
• Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
• Your right to erasure – You have the right to ask us to delete your personal information.
• Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information.
• Your right to object to processing – You have the right to object to the processing of your personal data.
• Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.
• Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information to provide and improve products and services for clients are:

• Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
• Legitimate interests – we're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are: We process personal information to deliver AI-powered call handling and booking services to small business clients. This processing benefits callers by ensuring their enquiries are handled promptly, accurately, and professionally, and benefits our clients by reducing missed calls and booking opportunities. We may also record demo calls with prospective or existing business clients so we can demonstrate our services, improve and document our offerings, and follow up accurately on discussions. Our legitimate interests include operating our business efficiently, maintaining and improving service quality, and developing and enhancing our technology to better serve users. We have balanced these interests against the rights and freedoms of individuals by limiting processing to what is strictly necessary for service delivery, implementing appropriate technical and organisational security measures, restricting data retention periods, and maintaining transparency about how personal data is used. We consider that the benefits of efficient call handling and booking services are proportionate to the limited and controlled processing of personal data involved, and that this processing does not override the rights or reasonable expectations of individuals. For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information to comply with legal requirements:

• Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

• Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
• Legitimate interests – we're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are: We process personal information to investigate and resolve queries, complaints, and claims in an effective, consistent, and fair manner. This processing serves the legitimate interests of both individuals and our organisation by ensuring that concerns are properly assessed and appropriately resolved. Our legitimate interests include responding to issues raised by individuals, investigating the circumstances surrounding complaints or claims, resolving disputes fairly, protecting our business reputation, meeting our service quality standards, and identifying opportunities to improve our services. This processing benefits individuals by providing a clear and effective mechanism to raise concerns and seek resolution. It also benefits our organisation by enabling us to address issues promptly, maintain trust and service quality, and protect against unfounded or fraudulent claims. We have balanced these interests against the rights and freedoms of individuals by limiting processing to information that is necessary to understand and resolve the specific matter, applying appropriate technical and organisational security measures, retaining records only for as long as reasonably necessary to resolve the issue and for a proportionate period thereafter, and ensuring that investigations are conducted fairly and transparently. We consider that the processing of personal information for complaint handling is necessary, proportionate, and aligned with individuals' reasonable expectations when they contact us to raise a concern or make a complaint. For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

6. Where We Get Personal Information From

• Directly from you
• Publicly available sources
• Suppliers and service providers

7. How Long We Keep Your Data

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, or reporting requirements. Our standard retention periods are:

• Demo call recordings: 12 months from date of call (used for internal review, training, and evidencing our services), then securely deleted or anonymised
• Client contracts and account records: Duration of service + 6 years
• Payment and transaction data: 6 years (HMRC requirements)
• Marketing consent records: 3 years from withdrawal
• Enquiry and correspondence data: 12 months from last contact
• Complaint and query records: 3 years from resolution
• Website analytics data: 12 months
• Opt-out records: Indefinitely (suppression only)

Data is securely deleted or anonymised once no longer required. For more information on how long we store your personal information please contact us using the details provided above.

8. Who We Share Information With

We may share personal data with trusted third-party service providers who assist us in operating our website and delivering our AI call handling services. These may include:

• AI and voice processing providers (to power demo environments and trial use of our AI call handling technology)
• Telecommunications infrastructure providers (to route and manage calls during demos)
• Cloud hosting and storage providers
• Payment processing providers
• Customer relationship management (CRM) and workflow automation providers
• Analytics providers
• Professional advisers, including accountants, insurers, and legal advisers
• Regulators or authorities where required by law

All third-party service providers process data only on our instructions, are subject to contractual data protection obligations, implement appropriate technical and organisational security measures, and comply with UK GDPR requirements.

We do not sell personal data.

We use AI and telecommunications providers to power demo environments and trial use of our AI call handling technology for business clients. We do not operate a live call handling service for end customers ourselves; any production use by clients is governed by their own systems and privacy notices.

Data processors

• Retell AI – Voice AI platform that processes telephone calls, converts speech to text, handles conversations, and manages call recordings on our behalf.
• Anthropic – AI service provider that processes conversation data to generate intelligent responses through their Claude AI technology.
• Twilio – Telecommunications and cloud communications provider that routes and manages phone calls on our behalf.
• Stripe – Payment processing provider that handles payment transactions on our behalf.
• n8n GmbH – Workflow automation platform that manages data flows and service integrations on our behalf.
• Airtable – Cloud-based database and CRM platform used to store and manage client and contact records on our behalf.
• Google – Used for website analytics (Google Analytics) to understand website usage, and for business communications and documentation (Google Workspace).

Others we share personal information with

• Insurance companies, brokers or other intermediaries
• Professional or legal advisors
• Organisations we're legally obliged to share personal information with

9. International Data Transfers

Some of our service providers are located outside the United Kingdom, including in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR. These safeguards may include the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or transfers to countries recognised by the UK as providing adequate protection.

Organisation name: Anthropic Category of recipient: AI technology provider Country the personal information is sent to: United States How the transfer complies with UK data protection law: UK Addendum to the EU Standard Contractual Clauses (SCCs)

Organisation name: Retell AI Category of recipient: Voice AI and telecommunications platform provider Country the personal information is sent to: United States How the transfer complies with UK data protection law: UK Addendum to the EU Standard Contractual Clauses (SCCs)

Organisation name: Twilio Category of recipient: Telecommunications and cloud communications provider Country the personal information is sent to: United States How the transfer complies with UK data protection law: UK Addendum to the EU Standard Contractual Clauses (SCCs)

Organisation name: Stripe Category of recipient: Payment processing provider Country the personal information is sent to: United States How the transfer complies with UK data protection law: UK Addendum to the EU Standard Contractual Clauses (SCCs)

Organisation name: n8n GmbH Category of recipient: Workflow automation platform provider Country the personal information is sent to: Germany How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)

Organisation name: Airtable Category of recipient: Cloud database and CRM provider Country the personal information is sent to: United States How the transfer complies with UK data protection law: UK Addendum to the EU Standard Contractual Clauses (SCCs)

Organisation name: Google Category of recipient: Analytics and workspace services provider Country the personal information is sent to: United States How the transfer complies with UK data protection law: UK Addendum to the EU Standard Contractual Clauses (SCCs)

For further information or to obtain a copy of the appropriate safeguard please contact us using the contact information provided above.

10. Cookies and Tracking Technologies

We use cookies to ensure website functionality, analyse traffic and performance, and improve user experience. Cookie types include essential cookies, analytics cookies, and marketing cookies (consent-based only). You can manage cookies via your browser settings. Disabling cookies may affect functionality.

11. Data Security

We use appropriate security measures including encrypted connections (HTTPS), access-controlled systems, regular security reviews, and staff data protection training. While no system is completely secure, we take all reasonable steps to protect your data.

12. Third-Party Links

We are not responsible for the privacy practices of third-party websites linked from our site. Please review their policies separately.

13. Children's Privacy

Our services are not intended for children under the age of 16. We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this Privacy Policy periodically. Updates will be posted with a revised "Last Updated" date.

15. How to Complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we've used your data after raising a complaint with us, you can also complain to the ICO.

The ICO's address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Helpline number: 0303 123 1113 Website: https://www.ico.org.uk/make-a-complaint

16. Contact Us

Airayflow AI Ltd 167–169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom Email: info@airayflow.comCompany Number: 16926357 ICO Registration Number: ZC071653

We aim to respond within 5 working days.

Last Updated: February 2026