Privacy Policy
Last updated: 30 April 2026
Effective date: 30 April 2026
1. Who We Are
ai.verest is a software-as-a-service CRM and AI workforce platform available at https://aiverest.io, operated by Tamir Spiegel Ltd (trading as ai.verest) ("we", "us", "our").
We are the data controller in respect of personal data you provide to us directly, and a data processor in respect of personal data your business uploads or generates within the platform (such as leads and contact records).
Data Controller contact:
Company: Tamir Spiegel Ltd (trading as ai.verest)
Email: info@aiverest.io
Website: https://aiverest.io
Jurisdiction: United Kingdom
We are registered with the Information Commissioner's Office (ICO) as a data controller. ICO Registration Number: ZB785465.
2. Personal Data We Collect
2.1 Account and Identity Data
- Full name and email address (provided at registration)
- Profile preferences and dashboard configuration
- Authentication credentials managed via Kinde Auth (we do not store passwords directly)
- Biometric/passkey authentication data (processed locally on your device via WebAuthn; we store only public key references)
2.2 Subscription and Billing Data
- Subscription plan (Free, Pro, Max)
- Billing name and address
- Payment method details (handled entirely by Stripe; we do not store card numbers)
- Transaction history and invoice records
- Credit balance and usage history
2.3 Platform Usage Data
- Leads, contacts, and pipeline records you create within the platform
- Tasks, calendar events, notes, and whiteboard content you create
- Chat messages sent within the platform
- AI Agent prompts, instructions, and generated outputs (email campaigns, content)
- Pages and workspace content you create
2.4 Technical and Log Data
- IP address and device type at login
- Browser type and version
- Session timestamps and duration
- Error logs and performance data
2.5 Communications Data
- Support requests and correspondence
- Feedback you submit to us
3. How and Why We Use Your Personal Data
We process personal data only where we have a valid lawful basis under applicable data protection laws, including Article 6 of the UK GDPR and any equivalent or corresponding laws in other jurisdictions (such as the General Data Protection Regulation), depending on where you are located.
Where required, we rely on one or more of the following lawful bases (or their equivalent under applicable law):
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Providing the platform and your account | Account data, usage data | Contract (Art. 6(1)(b)) or equivalent |
| Processing subscription payments | Billing data | Contract (Art. 6(1)(b)) or equivalent |
| Sending transactional emails (receipts, alerts) | Email address | Contract (Art. 6(1)(b)) or equivalent |
| Security, fraud prevention, abuse detection | Technical/log data (1–90 days*) | Legitimate interests (Art. 6(1)(f)) or equivalent |
| Improving platform performance and features | Aggregated usage data | Legitimate interests (Art. 6(1)(f)) or equivalent |
| Sending product updates and marketing | Email address | Legitimate interests (Art. 6(1)(f)) (where permitted, e.g. soft opt-in) or consent |
| Complying with legal obligations (e.g. tax records) | Billing data | Legal obligation (Art. 6(1)(c)) or equivalent |
| Responding to support requests | Communications data | Contract or legitimate interests, as applicable |
Legitimate Interests Assessments
Where we rely on legitimate interests, we have carried out a three-part Legitimate Interests Assessment (LIA) confirming that our interests are not overridden by your rights. Copies are available on request at info@aiverest.io.
AI Processing of Leads Data
Our AI Agents (Sales Agent, Marketing Agent) process lead and contact data you upload in order to generate email campaigns and content on your instruction. This processing is carried out as a data processor acting on your instructions as data controller. We do not use your customers' personal data to train AI models. See the Data Processing Agreement for full details.
4. Data Retention
We retain personal data only for as long as necessary.
| Data Type | Retention Period |
|---|---|
| Account and profile data | Duration of account |
| Billing records and invoices | 7 years (UK tax and accounting obligations) |
| Leads and CRM data | Duration of account |
| Chat messages | Duration of account |
| Technical/log data | 1–90 days* |
| Support correspondence | On request |
| Backup copies | Up to 90 days after deletion from live systems |
Upon account deletion, we will purge your personal data from live systems instantly and from backups within 90 days, except where retention is required by law.
*Retention varies by data type: Operational system logs (e.g., Supabase, Kinde, OpenAI) are typically retained for 1–30 days for security and debugging. Full database snapshots and encrypted backups are maintained for 90 days solely for disaster recovery and data integrity purposes.
5. Who We Share Your Data With
We do not sell your personal data. We share it only with trusted sub-processors necessary to deliver the service.
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase Inc. | Database and backend storage | UK (London) | No transfer — UK region |
| Stripe Payments UK Ltd / Stripe Inc. | Payment processing | UK / US | UK entity: no transfer; US entity: UK IDTA |
| Kinde Pty Ltd | Authentication and user management | US / AU | UK IDTA |
| OpenAI Inc. | AI content generation (Agent features) | US | UK IDTA |
| Hostinger International Ltd | Application hosting and infrastructure | EU / US | UK IDTA (US) / UK adequacy (EU) |
| Cybot A/S (Cookiebot) | Cookie consent management | EU (Denmark) | UK adequacy (EEA) |
| Simple Analytics B.V. | Privacy-friendly website analytics (no cookies, no IP stored) | EU (Netherlands) | UK adequacy (EEA) |
| Apollo.io Inc. | Lead intelligence and contact enrichment (OAuth integration) | US | UK IDTA |
We require all sub-processors to process data only on our documented instructions and to maintain appropriate security measures. A full, up-to-date sub-processor list is available at /legal/sub-processors.
6. International Transfers
Some of our sub-processors (OpenAI, Kinde, Stripe Inc., Hostinger, Apollo.io) are based in the United States. The UK does not have an adequacy decision covering the US.
We transfer personal data to the US only where we have put in place appropriate safeguards, specifically the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, in compliance with Chapter V of the UK GDPR.
You may request a copy of the relevant transfer mechanisms by contacting info@aiverest.io.
7. Your Rights Under Data Protection Laws
Depending on your location, you may have rights under the UK GDPR, EU GDPR, and other applicable data protection laws. You can exercise most of these rights directly and instantly through your account settings.
Right of Access (Article 15)
You can view and download a copy of your personal data directly from your account settings at any time.
Right to Rectification (Article 16)
You can update and correct your personal data instantly through your account settings.
Right to Erasure (Article 17)
You can delete your account and associated personal data instantly via your account settings. Some data may be retained where required by law, such as financial, tax, or regulatory records.
Right to Restriction of Processing (Article 18)
You can restrict certain processing of your data directly through your account settings where applicable.
Right to Data Portability (Article 20)
You can export your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV) directly from your account settings.
Right to Object (Article 21)
You may object to certain types of data processing (such as processing based on legitimate interests) through your account settings. Where applicable, processing will stop unless we have compelling legal grounds to continue.
Rights Related to Automated Decision-Making (Article 22)
Our AI systems generate outputs based on your instructions. They do not make automated decisions that produce legal or similarly significant effects on individuals without meaningful human oversight.
Right to Withdraw Consent
Where processing is based on consent (for example, marketing communications), you can withdraw consent instantly via your account settings or unsubscribe options in communications.
International Data Protection and Transfers
We operate globally and may process data in the United Kingdom, the European Economic Area (EEA), and other jurisdictions. Where personal data is transferred internationally, we apply appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent legal protections to ensure your data remains protected.
Exercising Your Rights
All available privacy controls are accessible directly within your account settings and take effect instantly.
8. Cookies
We use cookies and similar tracking technologies. Please see our Cookie Policy for full details. You can manage your cookie preferences at any time via the Cookiebot consent banner.
9. Children's Data
Our platform is intended for business use by persons aged 18 and over. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact info@aiverest.io and we will delete it promptly.
10. Marketing Communications
We may send product updates and feature announcements to existing customers under the soft opt-in provision of the Privacy and Electronic Communications Regulations (PECR). You may opt out at any time by clicking "Unsubscribe" in any email or contacting info@aiverest.io. We will process opt-out requests within 5 business days.
We do not send unsolicited marketing to non-customers.
11. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. See our Security Annex for full details.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.
12. Data Protection for Business Customers (Processor Role)
Where your business uses ai.verest to process the personal data of your own customers and contacts (e.g. leads you import), you are the data controller and we act as your data processor.
We process such data only on your documented instructions, as set out in our Data Processing Agreement (DPA). We do not use third-party personal data you upload for our own purposes or to train AI models.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email to registered account holders at least 14 days before taking effect. The current version is always available at https://aiverest.io/legal/privacy-policy.
14. How to Complain
If you have a concern about how we handle your personal data, please contact us first at info@aiverest.io.
If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
This Privacy Policy is governed by the laws of England and Wales.