GDPR & Privacy
Last updated: 17 June 2026
This page summarises how Warm AI Ltd handles personal data under the UK GDPR, the EU GDPR, the ePrivacy Directive (and UK PECR), and the California Consumer Privacy Act (CCPA / CPRA). It's designed for customer data protection officers, security reviewers, and procurement teams doing due diligence on us as a sub-processor.
Quick contact: Privacy and data protection questions go to compliance@warmai.uk. Replies within 2 business days.
At a glance
| Topic | Status |
|---|---|
| ICO registration | ZC135250 — Warm AI Ltd, 107 Highfield Lane, Oving, Chichester, PO20 2NN |
| Data Processing Addendum | Pre-executed — getwarmai.com/dpa |
| Sub-processor list | Public + current — getwarmai.com/sub-processors |
| CCPA opt-out | Working endpoint — getwarmai.com/ccpa-opt-out |
| Primary data residency | EU (Supabase Frankfurt + Cloudflare EU edge nodes) |
| Sells data to third parties | No |
| Data brokers used | None beyond the listed sub-processors |
| Default tracker storage | sessionStorage only — no localStorage, no persistent device IDs |
| Person-level identification | US visitors only (server-side geofenced via Retention.com / RB2B) |
How we approach data protection
Warm AI is built around a B2B-only premise: we identify companies, and (where permitted) the individuals at those companies, visiting our customers' websites. We're explicitly not a consumer-marketing tool, and our product design reflects that.
Lawful basis
For customers in the UK / EEA:
- Company-level identification (IP → company match): we rely on the legitimate interest of the customer (the website operator) to understand which businesses visit their B2B website, balanced against the rights of the visitor. At this stage the visitor's IP address is used only to look up an organisation; no individual is identified and no profile of the visitor is built. We identify an organisation, not a human.
- Person-level identification (US visitors only): this requires consent. Our tracker integrates with major Consent Management Platforms (Cookiebot, OneTrust, Termly, Transcend) and Google Consent Mode v2, so person-level identification only fires when the visitor has granted consent. Non-US visitors are not processed at this layer (server-side geofence).
For customers in the US:
- We rely on the customer's posted privacy notice and the visitor's right to opt out via CCPA. Our tracker honours opt-out via getwarmai.com/ccpa-opt-out and via Retention.com / RB2B's global opt-out at app.retention.com/optout/.
What we do — practical commitments
- Default-safe tracker. Our tracker (`pulse.js` and equivalents) uses sessionStorage only, sets no persistent device identifiers, and does not perform canvas, WebGL, or font fingerprinting in its own code. Form input is never read or transmitted.
- Consent-aware loading. Our tracker integrates natively with Cookiebot, OneTrust, Termly, Transcend, and Google Consent Mode v2. Person-level identification (RB2B / Retention.com) is deferred until consent is granted on sites where a CMP is present.
- EU-first data residency. Application data lives in the EU (Supabase Frankfurt). Edge delivery prefers EU Cloudflare nodes.
- Sub-processor transparency. Our current sub-processor list is public at getwarmai.com/sub-processors, with 30 days' advance notice before any new sub-processor.
- Pre-executed DPA. Customers can rely on our Data Processing Addendum without negotiation.
- Honest about person-level limits. Person-level identification is US-only and geofenced server-side. We don't claim EU person-level identification.
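The two gates described above (a session-scoped id held only in sessionStorage, and person-level identification that waits for both the server-side US geofence and the visitor's consent) can be checked in code. The following is an added illustration written for this page; it is not Warm AI's `pulse.js`, and every name in it (`createConsentGate`, `identifyPerson`, `region`, the `wa_sid` key, and the assumed mapping of Consent Mode v2 signals to person-level consent) is an assumption. It runs outside a browser by standing in an in-memory object for `window.sessionStorage`.

```javascript
// Added illustration only: NOT Warm AI's pulse.js. Models a sessionStorage-only
// session id plus a consent gate that fires person-level identification at most
// once, and only when the geofence says "US" AND the CMP state grants consent.
// All names below are assumptions for the example.

const SESSION_KEY = "wa_sid"; // assumed storage key

// Session-scoped id. Kept in sessionStorage only, so it expires with the tab
// and never becomes a persistent device identifier.
function makeSessionId() {
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === "function") return c.randomUUID();
  // Fallback for runtimes without Web Crypto; weaker, but still per-session.
  return Math.random().toString(16).slice(2) + Date.now().toString(16);
}

// Assumed mapping of Google Consent Mode v2 signals to "person-level consent":
// both ad_user_data and ad_personalization must be granted.
function personLevelConsent(state) {
  return state.ad_user_data === "granted" && state.ad_personalization === "granted";
}

function createConsentGate({ storage, region, identifyPerson, makeId = makeSessionId }) {
  let sid = storage.getItem(SESSION_KEY);
  if (!sid) {
    sid = makeId();
    storage.setItem(SESSION_KEY, sid);
  }

  let consented = false;
  let identified = false;
  const events = [];

  // Fire at most once, and only when BOTH gates are open. The order of events
  // (consent granted before or after load, repeated CMP updates) must not matter.
  function maybeIdentify() {
    if (consented && region === "US" && !identified) {
      identified = true;
      identifyPerson(sid);
      events.push("identify");
    }
  }

  return {
    sessionId: () => sid,
    // Called on every CMP / Consent Mode update.
    onConsentUpdate(state) {
      consented = personLevelConsent(state);
      events.push(consented ? "consent:granted" : "consent:denied");
      maybeIdentify();
    },
    hasIdentified: () => identified,
    events: () => events.slice(),
  };
}

// Minimal stand-in for window.sessionStorage so the example runs in Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  keys() { return [...this.map.keys()]; }
}

// Constructed sample consent states in the shape of a Consent Mode v2 update.
const GRANTED = { ad_storage: "granted", analytics_storage: "granted", ad_user_data: "granted", ad_personalization: "granted" };
const DENIED  = { ad_storage: "denied",  analytics_storage: "denied",  ad_user_data: "denied",  ad_personalization: "denied" };

// Run one scenario: the geofenced region plus a sequence of CMP updates.
// Returns what a reviewer checks: identify calls that fired and what was stored.
function runScenario(region, updates) {
  const storage = new MemoryStorage();
  const calls = [];
  const gate = createConsentGate({ storage, region, identifyPerson: (id) => calls.push(id) });
  for (const u of updates) gate.onConsentUpdate(u);
  return { calls, identified: gate.hasIdentified(), sid: gate.sessionId(), storedKeys: storage.keys(), events: gate.events() };
}

console.log(runScenario("US", [DENIED, GRANTED])); // one identify call, only after the grant
console.log(runScenario("DE", [GRANTED]));         // no identify call: the geofence wins over consent
```

The point of the two scenarios at the bottom is the failure mode a reviewer cares about: consent alone must not trigger person-level identification for a non-US visitor, and a denied-then-granted sequence must identify exactly once, not once per CMP update.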
What we don't do
- We don't sell data to third parties.
- We don't use customer or visitor data to train external AI models.
- We don't enrich visitor profiles via data brokers beyond what's listed in our sub-processor disclosure.
- We don't store form-input data, sensitive personal data (health, financial, political), or contents of email fields.
For customers: your role as data controller
When you install our tracker on your website, you are the data controller; we're your processor.
You're responsible for:
- Telling visitors what's collected in your privacy notice. Sample language is available in our cookies & consent integration guide.
- Configuring your CMP to gate our tracker appropriately. We support Cookiebot, OneTrust, Termly, Transcend, and Google Consent Mode v2 natively — the integration guide walks through each.
- Handling visitor opt-out requests for company-level data (we don't have a direct visitor-to-Warm-AI relationship). For person-level (RB2B) opt-out, link visitors to our CCPA opt-out page.
- Honouring data subject rights for visitors who interact with your business. We'll assist you with access, rectification, and erasure requests within 30 days.
Data subject rights
If you're a visitor to a website using Warm AI and want to:
- Know what data we hold about you → email compliance@warmai.uk with your IP address and approximate date range; we'll respond within 30 days.
- Have your data deleted → same email address. We can issue a deletion request to all relevant sub-processors.
- Opt out of person-level identification (California) → use getwarmai.com/ccpa-opt-out.
- Lodge a complaint → you can complain to the UK ICO or your local Data Protection Authority.
Frequently asked questions
Are you GDPR-compliant?
GDPR compliance is a property of how the tracker is deployed, not just how it's built. Our tracker is designed to make compliance straightforward — sessionStorage only, native CMP integration, no fingerprinting — but the customer (controller) is ultimately responsible for the deployment configuration on their site. Our integration guide walks through what they need to do.
Where is data stored?
Primary application data: Supabase, Frankfurt (EU). Edge delivery: Cloudflare, preferring EU edge nodes. Person-level matches via Retention.com (RB2B) are processed in the US under their applicable DPA, but only for US-located visitors (server-side geofence).
Can I get a signed copy of your DPA?
Yes — email compliance@warmai.uk and we'll counter-sign your version or return our pre-executed copy within 2 business days.
Do you have ISO 27001 / SOC 2?
Not currently. Our underlying infrastructure providers (Supabase, Cloudflare, Stripe) hold their own certifications; note that these cover the infrastructure layer they operate, not Warm AI's application-level controls. We're evaluating an external Trust Center / SOC attestation as we scale.
Are you on the EU-US Data Privacy Framework?
Our US-located sub-processors (Retention.com, Mandrill, Stripe, Vercel, Rewardful) are either DPF-certified or working towards certification. Where DPF certification is not yet in place, we rely on Standard Contractual Clauses for transfers.
Related
- Data Processing Addendum (DPA) — signing-ready contractual template
- Sub-processor list — full current list with DPA links
- CCPA opt-out — for California visitors
- Cookies & Consent integration guide — per-CMP customer setup