Airefs

Data Controller Policy

This policy sets out Airefs' responsibilities and governance framework as a data controller under GDPR and related laws.

1. Purpose

This policy sets out Airefs' responsibilities and governance framework as a data controller under the General Data Protection Regulation (GDPR) and related laws. It ensures all processing of personal data is lawful, fair, and transparent, and that we uphold the rights of individuals.

2. Scope

This policy applies to:

  • Personal data we collect and control directly (account, billing, employee, and communications data).
  • Personal data provided by customers when using our services (where Airefs may also act as a processor).
  • All Airefs staff, contractors, and subprocessors who handle personal data on our behalf.

3. Roles & Responsibilities

  • Management: Ensures data protection is embedded in all business processes.
  • Employees/Contractors: Must comply with this policy and complete privacy/security training.
  • Data Protection Officer (DPO): paul@getairefs.com is responsible for oversight, audits, and regulatory liaison.

4. Lawful Basis for Processing

We only process personal data where a GDPR-compliant lawful basis exists:

  • Contractual necessity – providing Airefs services.
  • Legitimate interests – improving security and analytics (balanced against data subject rights).
  • Legal obligations – compliance with tax, accounting, and regulatory duties.
  • Consent – when required, e.g., marketing communications.

5. Data Categories & Minimization

We process only the data needed:

  • Customer data: Account, contact, and billing information.
  • Employee/contractor data: HR, payroll, and operational details.
  • Request/analytics data: Metadata, user-agent strings, referrer data, anonymized IPs.

We do not collect special categories of data (Art. 9 GDPR), nor do we store authentication headers or credential data.

6. Retention & Deletion

Data is retained only as long as necessary:

  • Account data: Duration of account + 30 days after closure.
  • Analytics/request data: 24 months, then anonymized or deleted.
  • Server logs: 90 days.
  • Billing/legal data: 7 years (Dutch law).
  • HR data: Per statutory employment law requirements.

Secure deletion/anonymization procedures are applied when data is no longer required.

7. Subprocessors

We carefully select subprocessors and maintain Data Processing Agreements (DPAs) with each:

  • Cloudflare – application hosting, data storage, network delivery and security infrastructure.
  • Convex – primary application data storage and processing (all app data except analytics).
  • Tinybird (AWS EU servers) – analytics processing and storage.
  • Polar – payment processing, subscription management, and related financial operations.

Each subprocessor provides GDPR-compliant safeguards, including SCCs where required.

8. Data Transfers

Most processing occurs within the EEA. If transfers outside the EEA are required, safeguards include:

  • Standard Contractual Clauses (SCCs).
  • Adequacy decisions from the European Commission.
  • Binding Corporate Rules (BCRs) for subprocessors.

Airefs documents transfer impact assessments where appropriate.

9. Security Measures

We employ a layered security strategy:

  • TLS encryption in transit & encryption at rest.
  • IP and user-agent anonymization.
  • Access controls (role-based, logged).
  • Firewalls, monitoring, and DDoS protection via Cloudflare.
  • Staff confidentiality agreements and security training.
  • Vendor risk assessments and least-privilege access.

Security controls are reviewed at least annually and after material changes.

10. Data Breach Procedure

In line with GDPR Articles 33–34:

  • Breaches are logged internally and investigated.
  • Supervisory authority (Autoriteit Persoonsgegevens, NL) notified within 72 hours, if required.
  • Affected individuals notified without undue delay if risk is high.
  • Post-incident reviews ensure corrective actions and lessons learned.
  • Contact: support@getairefs.com

11. Accountability & Compliance

Airefs maintains:

  • Records of Processing Activities (RoPA) in compliance with GDPR Art. 30.
  • Data Protection Impact Assessments (DPIAs) when processing could present high risk.
  • Annual policy reviews and staff training on data protection.
  • Vendor audits and contract reviews.
  • Privacy by design and default in product development.

12. Payment Terms

Airefs uses Polar.sh ("Polar") as its payment and subscription management provider. By subscribing to Airefs services, you agree to the following payment terms:

12.1 Subscription Billing

  • All paid plans are billed through Polar, using the payment method you provide at checkout.
  • Charges recur automatically at the start of each billing cycle (monthly or annually, depending on your chosen plan).
  • You are responsible for ensuring that your payment details remain accurate and up to date.

12.2 Upgrades & Downgrades

  • Upgrades take effect immediately. Polar will prorate charges where applicable, and any incremental cost will be billed immediately.
  • Downgrades take effect at the end of the current billing period unless otherwise specified. No partial refunds are issued for downgrades mid-cycle.

12.3 Cancellations

  • You may cancel your subscription at any time through your Airefs account dashboard.
  • After cancellation, you retain access to your Airefs account.
  • No further charges will be applied unless you re-subscribe or purchase additional services.

12.4 Refund Policy

  • Airefs does not guarantee refunds for partial billing periods, unused services, or failure to use the platform.
  • Any approved refund will be processed through Polar.

12.5 Taxes

  • Prices may exclude applicable taxes (e.g., VAT).
  • Polar automatically calculates and applies required taxes based on your billing location.

12.6 Failed Payments

  • If a payment fails, Polar may attempt to re-collect automatically.
  • Airefs may suspend or restrict service access until payment is resolved.
  • Continued non-payment may result in account termination.

12.7 Currency & Invoicing

  • All payments are processed in the currency displayed at checkout.
  • Invoices and billing history are available via your Airefs account and are issued through Polar.

13. Supervisory Authority

Airefs is subject to the Dutch supervisory authority:

Autoriteit Persoonsgegevens

Website: https://autoriteitpersoonsgegevens.nl

Data subjects may also lodge complaints with their local EU authority.

14. Review & Updates

This policy is reviewed annually or upon legal/operational changes. Updated versions are published on our website with an effective date.

For questions regarding this policy, contact support@getairefs.com