Privacy Policy.

Last updated: June 24, 2026

    1. Who we are

    This Privacy Policy is issued by Airlock BV, a Belgian limited company having its seat at Colmarstraat 38, 9100 Sint-Niklaas, Belgium, registered with the Crossroad Bank of Enterprises under number 1037836652 ("airlock"). The Service is operated from the European Union and hosted on AWS in Frankfurt (eu-central-1).

    This policy explains what personal data we collect from visitors to our website and from customers of the airlock Service (including the Control Room and the MCP proxy), how we use it, and the choices you have.

    For the purposes of the GDPR, airlock acts as a data controller for account, marketing, billing, and website-analytics data, and as a data processor for the Customer Data your organization sends through the Service (including audit logs, approval records, and connected-API credentials). Processing on your behalf is governed by our Data Processing Agreement.

    2. Information we collect

    Account and organization data

    • Account information: name, work email, and organization details when you create an account in the Control Room.
    • Authentication data: OAuth tokens and session identifiers used to authenticate you with the Service and with third-party APIs you connect. Passwords are not stored by airlock. Authentication is handled by AWS Cognito (OAuth 2.0 with PKCE), with optional federation to Google Workspace and Microsoft Entra ID.
    • Billing data: for paid subscriptions, we collect the billing details needed to issue invoices and process payments (organization name, billing address, VAT number where applicable, contact details, subscription tier and status). Payment instrument details are handled by our payment provider and are not stored by airlock.

    API and proxy data

    • API credentials: credentials you supply to connect third-party services (API keys, OAuth tokens). Encrypted at rest using AES-256-GCM and only decrypted at the moment of API execution.
    • Request metadata: when AI agents call third-party APIs through airlock we log metadata such as the tool invoked, timestamp, organization, and approval status, along with redacted and truncated copies of the request and response bodies so you can audit and replay execution. Sensitive fields are stripped before storage.
    • Approval records: when a request requires approval, the request payload and tool arguments are stored to drive the workflow.

    Audit log data

    airlock writes an audit log for each customer organization. These logs are for your auditing. airlock personnel do not read the contents of your audit logs, approval payloads, or proxied request/response data unless you have given us explicit, written approval: for example, when you open a support ticket that asks us to investigate. Limited exceptions apply where strictly required to maintain the security or integrity of the Service, or where compelled by law.

    Website and usage data

    • Anonymous behavioural analytics: we monitor how visitors interact with the website and the Control Room (pages viewed, features used, session length) in anonymized form, to improve the product. See "Cookies and Analytics" below.
    • Technical data: browser type, operating system, approximate region derived from IP, and device identifiers, used for security, debugging, and abuse prevention.

    3. How we use your information

    • Provide, maintain, and improve the Service, including proxying API requests on your behalf and enforcing your configured policies and approval workflows.
    • Authenticate you and authorize access to the third-party APIs you have connected.
    • Communicate with you about updates, security alerts, and support.
    • Monitor for abuse, enforce rate limits, and maintain system security.
    • Generate aggregated, anonymized usage analytics to improve the Service.
    • Comply with legal obligations.

    We do not use your data to train AI models. Your API credentials, request data, and response data are never used for machine-learning training by airlock or shared with third parties for that purpose. We do not sell your personal information.

    Derived data. Aggregated and anonymized usage analytics, model and policy performance metrics, and similar derived data generated by the Service belong to airlock. To the extent such derived data, after de-identification, no longer constitutes personal data, it falls outside the scope of our Data Processing Agreement and may be retained and used to operate and improve the Service.

    4. Legal bases (GDPR)

    We process personal data under the following legal bases:

    • Contract: to provide the Service to you (account, authentication, proxy, audit log).
    • Legitimate interest: for security, abuse prevention, anonymized product analytics, defence of legal claims, and limited service-related communications.
    • Consent: for optional marketing emails and any cookies that are not strictly necessary or are not in anonymized form.
    • Legal obligation: for tax, accounting, and compliance with lawful requests.

    5. Data storage and security

    All data is stored on AWS in the EU (Frankfurt, eu-central-1). We implement, among other measures:

    • Encryption at rest: API credentials and sensitive fields encrypted with AES-256-GCM under AWS KMS envelope encryption (per-record data keys wrapped by a customer master key); all database tables use AWS-managed encryption at rest.
    • Encryption in transit: TLS 1.2+ everywhere; calls to third-party services use HTTPS.
    • Authentication: AWS Cognito with OAuth 2.0 and PKCE. Passwords are not stored by airlock.
    • Tenant isolation: each organization's data is logically separated and access is enforced at the application and database layer.
    • Audit trail of staff access: any airlock-personnel access to a tenant's environment is itself logged.
    • Personal Data Breach notification: where airlock acts as processor, we will notify your designated administrators without undue delay and in any event within 48 hours of becoming aware of a personal data breach affecting your Customer Data, and assist you in meeting your notification obligations under the GDPR.

    No transmission over the Internet or electronic storage is 100% secure; we cannot guarantee absolute security.

    6. Cookies and analytics

    Strictly necessary cookies. The website and Control Room set a small number of cookies and similar storage items required to keep you signed in, remember your theme/preferences, and maintain session security. These are essential to the Service and cannot be disabled.

    Usage analytics (with your consent). We use PostHog (EU-hosted) to understand how visitors and customers use the site and product. Page views, click events, and session data are captured to PostHog's EU project. We display a cookie consent banner on first visit; analytics only load after you click Accept.

    Form submissions. When you submit the beta application form, the fields you enter (name, work email, company, company size, AI tools, governance pain) are sent directly to PostHog as a beta_application_submitted event with your email as the identifier. When you submit the Teams subscription form, the fields you enter (name, work email, phone, company, number of users, location, and any additional info) are sent the same way as a team_subscription_requested event. Both happen regardless of cookie consent, because you are explicitly providing this information to us. We use it to contact you about your beta application or subscription and to maintain our prospect pipeline.

    No advertising cookies. airlock does not run advertising, retargeting pixels, or third-party marketing trackers on this site.

    7. Sub-processors and connected integrations

    Sub-processors. We rely on the following categories of sub-processors engaged by airlock to deliver the Service:

    • Cloud infrastructure: Amazon Web Services (AWS) for hosting, database, authentication (Cognito), serverless compute, transactional email (Amazon SES), and the AWS Bedrock embedding models used to index code you connect for search. All AWS services are in the EU.
    • Runtime application security: Aikido Zen Firewall, which receives runtime telemetry from our Lambda functions (route, request shape, suspicious-traffic signals) to detect and block attacks against the Service.
    • Product analytics: PostHog, anonymized product analytics.
    • Customer Relationship Management (Attio): used to manage prospect and customer contact details and our sales pipeline. Stores name, work email, organization, and notes about our interactions with you.
    • Transactional and marketing email (Brevo): used to send signup confirmations, security alerts, support replies, and (with your consent) product updates and newsletters.
    • Embedded video: some blog posts embed YouTube videos via Google's privacy-enhanced domain (youtube-nocookie.com). The video player only loads, and Google may only then set cookies, after you click play. Nothing is requested from Google before that. Playback is governed by Google's privacy policy.

    Where airlock acts as processor, we will give you at least 15 days' prior written notice of any intended addition or replacement of a sub-processor. You may object on reasonable data-protection grounds within that period. A current sub-processor list is available on request from privacy@air-lock.ai.

    Connected integrations are not airlock sub-processors. When you connect third-party services (for example: GitHub, Google Workspace, Datadog, Zoom, Slack, OpenAPI endpoints, or MCP servers you supply), airlock acts as an authorized proxy and forwards requests using credentials you supplied. Those connected services are your tools, operated under your exclusive responsibility. Their use does not constitute the engagement of those providers as airlock sub-processors. airlock is not responsible for the availability, accuracy, security, or behavior of any third-party service, MCP server, or AI provider you choose to connect through the Service, and we share data with them only on your instruction through tool execution.

    We do not sell your personal information. We share data with third parties only as described above or when required by law.

    8. International data transfers

    Customer Data and personal data are stored and processed in the EU. Where a sub-processor processes personal data outside the EEA (for example, support tooling hosted in the United States), the transfer is governed by Standard Contractual Clauses and, where applicable, additional safeguards such as pseudonymization or encryption.

    9. Customer responsibilities for high-risk processing

    airlock provides an infrastructure-level service. Whether your deployment involves higher-risk categories of processing depends entirely on the agents, business applications, and APIs you connect to it. As controller, you are responsible for determining, before deployment, and where applicable documenting:

    • whether special category data (Art. 9 GDPR) or criminal-offence data (Art. 10 GDPR) will flow through the Service, and whether an applicable exception applies;
    • whether a Data Protection Impact Assessment (Art. 35 GDPR) is required (note that use of AI agents acting on your behalf may meet several EDPB criteria for likely high-risk processing: innovative technology, systematic monitoring, automated decision-making, large-scale processing);
    • whether routed requests result in automated decisions with legal or similarly significant effects on individuals, in which case you implement the safeguards required by Art. 22 GDPR;
    • whether any AI system you operate through the Service qualifies as a high-risk AI system under the EU AI Act (Regulation (EU) 2024/1689), in which case the Fundamental Rights Impact Assessment (FRIA) and the transparency obligations applicable to deployers are your sole responsibility.

    airlock will provide reasonable assistance under Art. 28(3)(f) GDPR on request.

    10. Data retention

    • Account data: retained while your account is active. Personal data is deleted within 30 days of account closure (longer retention may apply where required by law).
    • API credentials: retained while the connected service is active; deleted immediately when you disconnect that service.
    • Audit logs and approval records: retained for 90 days from creation, then automatically deleted. Contact us if you need a longer retention window for compliance.
    • OAuth client registrations: dynamically registered OAuth clients expire 90 days after registration.
    • Session data: Cognito access and ID tokens expire after 8 hours; refresh tokens expire after 30 days.
    • Anonymized analytics and derived data: may be retained indefinitely in aggregated form (it contains no personal identifiers).
    • End of service: on termination of your subscription, Customer Data is made available for export for at least 60 days, after which it is deleted, except for data we are legally required to retain (such as billing records) and aggregated/anonymized derived data.
    • Defence of claims: we may retain personal data relating to Authorized Representatives for up to 10 years after the end of your subscription to the extent necessary to defend against legal claims or to comply with legal obligations.

    11. Your rights

    Depending on where you live, you may have the right to access, correct, delete, or port your personal information; to object to or restrict processing; and to withdraw consent at any time where processing is based on consent. EU/EEA residents may lodge a complaint with their local data protection authority. In Belgium, this is the Gegevensbeschermingsautoriteit (Drukpersstraat 35, 1000 Brussels, contact@apd-gba.be).

    Where airlock acts as processor, any rights request relating to Customer Data should be directed to the customer organization that controls the data. If a data subject contacts us directly about Customer Data, we will forward the request to the relevant customer without undue delay and acknowledge receipt to the data subject, without otherwise responding substantively.

    To exercise any rights where airlock is controller, or for any other privacy question, contact privacy@air-lock.ai.

    12. Children's privacy

    The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn we have collected such data, we will delete it.

    13. Changes to this policy

    We may update this Privacy Policy from time to time. Material changes will be announced by updating the "Last updated" date and, where appropriate, by direct notice. Continued use of the Service after the effective date constitutes acceptance.

    14. Contact

    For privacy questions or to exercise your rights, contact privacy@air-lock.ai.


    © 2026 Airlock BV