Legal
Privacy Statement
Contents
- 01Who we are
- 02How does Alirion protect your personal data?
- 03Who does this policy apply to?
- 04What personal data do we collect?
- 05Purposes and legal basis
- 06Will we share your personal data?
- 07What about sensitive data?
- 08What about data security?
- 09Where will your data be processed?
- 10How long will data be retained?
- 11What are your rights?
- 12Personal data on our website
- 13Cookies and tracking technologies
- 14Marketing
- 15How do we use AI tools?
- 16Children's data
- 17Country-specific provisions
- 18Changes to this policy
- 19Contact us
01Who we are
Alirion is a collective of AI and data practitioners helping small and medium-sized enterprises (SMEs) build data pipelines, machine-learning systems, AI agents, and the governance around them. We operate as a collective, meaning individual practitioners collaborate under the Alirion name to deliver services to partners.
In this policy, "personal data" means any information relating to an identified or identifiable natural person.
For the purposes of applicable data protection laws, Alirion acts as the data controller for personal data we collect about website visitors, prospective partners (prospects), and collective members. Where we process personal data on behalf of a partner as part of a services engagement, we act as a data processor, and the partner remains the controller. That processing is governed by the relevant partner agreement and data processing addendum, not this policy.
02How does Alirion protect your personal data?
Alirion attaches great importance to your right to privacy and the protection of your personal data. We protect your personal data in accordance with applicable laws and our internal data privacy practices. We maintain appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing and against accidental loss, alteration, disclosure, access, or destruction.
The sections below describe in detail:
- Which categories of personal data we collect and how we process them
- For which purposes and on which legal basis we use your personal data
- Whether and how we share your personal data with third parties
- How we handle sensitive data
- Our data security measures
- Where your personal data is processed
- How long we retain your personal data
- Your rights
03Who does this policy apply to?
This policy covers three categories of individuals whose data we process as a controller:
a) Prospects — individuals who visit our website, fill in a contact form, download resources, subscribe to our newsletter, or otherwise express interest in Alirion's services without yet being a partner.
b) Collective members — practitioners who are part of the Alirion collective, whether as founding members, contributors, or associate practitioners.
c) Project end-users — individuals whose personal data is processed by Alirion during the delivery of a project for a partner, where Alirion acts as a data controller in its own right (e.g., when Alirion directly collects survey responses, conducts user research, or builds and operates a tool that processes end-user data). Note: where we act solely as a processor on behalf of a partner, the partner's own privacy policy governs.
This policy does not apply to third-party websites or services we link to, including open-source repositories. Those have their own privacy practices.
04What personal data do we collect, and from whom?
We collect only the personal data we need for the purposes described in this policy. The table below summarizes what we collect by category of person.
4.1 Prospects
| Category | Types of data |
|---|---|
| Identity and contact details | Name, job title, employer/company name, email address, phone number, country |
| Communication data | Messages sent via contact forms, email, or scheduled calls; our responses |
| Usage and device data | IP address, browser type, pages visited, referring URLs, session duration, and similar diagnostic data collected automatically |
| Marketing preferences | Opt-in/opt-out choices for communications |
| Professional context | Information you voluntarily share about your business challenge, sector, or technology stack when making an enquiry |
4.2 Collective members
| Category | Types of data |
|---|---|
| Identity and contact details | Name, email address, phone number, location, LinkedIn or other professional profile URL |
| Professional and skills data | Expertise areas, past projects (described in general terms), certifications, and professional biography |
| Contractual and financial data | Signed agreements, billing details (name, company, bank details for invoicing purposes), tax identification numbers where legally required |
| Collaboration and activity data | Contributions to collective projects, internal communications, participation in collective governance |
| Profile and directory data | Information included in the collective's public or internal member directory, where you have chosen to make it available |
4.3 Project end-users (where Alirion acts as controller)
| Category | Types of data |
|---|---|
| Identity and contact details | Name, email address, job title, employer, as relevant to the project scope |
| Survey and research data | Responses to questionnaires, user research sessions, assessments, or feedback forms conducted as part of a project |
| Usage and behavioral data | Interaction logs, clickstream data, and behavioral signals from tools or platforms built or operated by Alirion under a project |
| Derived and analytical data | Inferences and aggregated insights generated as part of data analysis services |
If data we collect is not listed above, we will give individuals appropriate notice of what other data will be collected and how it will be used.
The data above may be collected directly from you (e.g., when you fill in a form) or indirectly through technology (e.g., cookies, analytics tools) or from third parties (e.g., your employer, public business directories, or LinkedIn).
Your decision to provide personal data is generally voluntary. However, if you do not provide certain information, we may not be able to respond to your enquiry, admit you to the collective, or deliver certain project services.
05For which purposes and on which legal basis do we use your personal data?
5.1 Prospects
| Purpose | Legal basis |
|---|---|
| Responding to enquiries and providing requested information | Performance of a contract or pre-contractual steps at your request; or legitimate interests in developing our business |
| Sending newsletters, thought leadership, and marketing communications (where you opted in) | Consent |
| Understanding how prospects engage with our website and content | Legitimate interests in improving our services and communications |
| Managing our CRM and pipeline to follow up on commercial opportunities | Legitimate interests in conducting and growing our business |
| Complying with legal obligations | Legal obligation |
5.2 Collective members
| Purpose | Legal basis |
|---|---|
| Managing the membership relationship, including onboarding, agreements, and offboarding | Performance of a contract |
| Facilitating collaboration between members on projects | Performance of a contract; legitimate interests in operating the collective |
| Invoicing, payments, and tax compliance | Performance of a contract; legal obligation |
| Including your profile in the collective's directory (internal or public) | Consent, or legitimate interests where the directory is internal only |
| Communicating about collective news, projects, and governance | Legitimate interests in running an active and informed collective |
| Improving our operations, tools, and onboarding processes | Legitimate interests |
5.3 Project end-users
| Purpose | Legal basis |
|---|---|
| Conducting user research, surveys, or assessments as part of a partner engagement | Legitimate interests of Alirion and the partner; or consent where required by law or the sensitivity of the data |
| Operating and maintaining tools or platforms that process end-user data | Performance of a contract with the partner; legitimate interests |
| Generating analytical insights and reports for the partner | Legitimate interests; or as directed by the partner |
| Complying with legal obligations | Legal obligation |
We will not use your personal data for purposes incompatible with those described above unless required or authorized by law, or in your own vital interest.
06Will we share your personal data with third parties?
We do not sell personal data.
We may share personal data with:
- Service providers and processors — such as hosting providers, analytics platforms, CRM tools, email delivery services, project management software, and video conferencing tools, who process data on our instructions and under appropriate contractual safeguards (including data processing agreements).
- Fellow collective members — when your data needs to be shared to coordinate delivery of a project or collective activity. We take care to share only what is necessary.
- Professional advisers — such as lawyers, accountants, and insurers, where necessary for their services.
- Partners — where we have collected data on behalf of, or in coordination with, a partner and sharing is part of the agreed project scope.
- Public authorities — where required by law, regulation, legal process, or a lawful request by a public body.
- Business successors — in connection with a merger, acquisition, or sale of the collective's assets, subject to this policy.
Before sharing, we take steps to ensure your personal data receives adequate protection as required by applicable data protection laws.
07What about sensitive data?
We do not generally seek to collect sensitive personal data (also called "special categories of data") through our website or marketing activities.
Sensitive data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or medical information, biometric or genetic data, sexual life or orientation, and criminal convictions or offences.
In limited project contexts, sensitive data may be collected where it is relevant to the project scope (for example, workforce diversity analytics for a partner). In those cases, we will:
- Collect only what is strictly necessary
- Apply a specific lawful basis (typically explicit consent or a legal obligation)
- Implement enhanced security measures
- Document the processing in the relevant data processing addendum
08What about data security?
We maintain technical, physical, and organizational security arrangements for all personal data we hold. These include:
- Access controls limiting who within the collective can access different categories of data
- Encryption in transit and at rest for sensitive data
- Use of reputable, security-certified cloud infrastructure providers
- Regular review of our third-party processors' security practices
- Clear incident response procedures to detect, contain, and notify in the event of a data breach
No method of transmission or storage is completely secure. We cannot guarantee absolute security, but we work continuously to protect your data and will respond promptly to any incident.
09Where will your personal data be processed?
Alirion operates as a distributed collective and may process or store personal data in multiple countries, depending on the location of collective members and the infrastructure we use.
Where personal data is transferred outside the country in which you are located, we take reasonable steps to ensure the recipient is bound to protect it to a standard comparable to that required under applicable law — for example through standard contractual clauses, adequacy decisions, or contractual commitments in our service provider agreements.
10How long will your personal data be retained?
We retain personal data only for as long as necessary for the purposes set out in this policy, or as required to meet legal, contractual, or reporting obligations.
| Category | Indicative retention period |
|---|---|
| Prospect data (no contract formed) | Up to 3 years from last interaction, or until you unsubscribe or request erasure |
| Prospect data (contract formed) | Duration of the relationship + up to 7 years for legal/tax purposes |
| Collective member data | Duration of membership + up to 7 years for contractual/legal purposes |
| Project end-user data | As defined in the partner agreement and data processing addendum; generally not longer than the project plus any statutory retention obligations |
| Marketing opt-out records | Indefinitely (to honor your preference) |
When personal data is no longer required, we will securely delete it or anonymize it so it can no longer be associated with you.
11What are your rights?
Subject to the law that applies to you, you have the following rights in relation to your personal data:
- Access — to know whether we hold personal data about you and, if so, to obtain a copy and information about how we use it.
- Rectification — to have inaccurate or incomplete data corrected.
- Erasure — to request deletion of your personal data in certain circumstances (e.g., it is no longer necessary for the purpose it was collected, or you withdraw consent).
- Restriction — to request that we limit processing in certain circumstances (e.g., while we verify the accuracy of data you have challenged).
- Objection — to object to processing based on legitimate interests, or to object to direct marketing at any time.
- Portability — to receive a copy of personal data you have provided to us in a structured, commonly used, machine-readable format, or to have it transmitted to another controller.
- Withdraw consent — at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Lodge a complaint — with the relevant supervisory authority in your jurisdiction (see Section 17 for country-specific contacts).
To exercise any of these rights, contact us using the details in Section 19. We may need to verify your identity before responding, and we will reply within the timeframe required by applicable law.
12How do we use personal data when you visit our website?
What personal data do we gather?
We collect personal data on our website in two ways: (1) directly, when you fill in a form or contact us; and (2) indirectly, through our website's technology.
Directly collected data may include your name, email address, company name, role, and the content of your message when you use a contact form, subscribe to a newsletter, or request information.
Indirectly collected data includes your IP address, browser type, operating system, pages visited, session duration, referring URLs, and similar diagnostic data. This data is used for system administration, traffic analysis, and improving the website experience.
Third-party links
Our website may include links to third-party websites, tools, or repositories (including open-source projects). We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies before providing any information.
How we use website data
We use the above data to respond to your enquiries, improve our website, and (where you have opted in) send you relevant communications. See Section 5 and Section 13 for more detail.
13Cookies and tracking technologies
Our website uses cookies and similar technologies to make the site function correctly, remember your preferences, and understand how it is used.
We use:
- Strictly necessary cookies — required for the website to operate; no consent needed.
- Analytics cookies — to understand traffic and usage patterns (e.g., page views, session length). We request your consent before setting these.
- Marketing cookies — to track engagement with our communications and, where relevant, deliver tailored content. We request your consent before setting these.
You can control cookies through your browser settings at any time. Where required by law, we will request your consent before setting non-essential cookies via a cookie consent banner.
14How do we use personal data for marketing purposes?
Sources of marketing data
Most marketing data we hold relates to individuals at companies with which we have an existing or potential business relationship. We may also obtain contact information from public sources such as LinkedIn or company websites, to reach out to individuals who may be interested in our services.
Email communications
We send commercial email only where we have your consent or a legitimate interest basis under applicable law. Our emails may include tracking pixels or links that allow us to know whether you opened the message or clicked on a link, to help us improve our communications.
You can unsubscribe from marketing emails at any time using the unsubscribe link in each message, or by contacting us directly (see Section 19). We will retain a record of your opt-out to avoid contacting you again.
CRM
We use a CRM system to manage our relationships with prospects and clients. The data in our CRM includes contact details, notes from interactions, and records of communications, used solely to manage and develop our business relationships.
15How do we use AI tools in our communications and services?
As a collective of AI practitioners, we use AI tools both internally and in the services we deliver. When these tools involve processing personal data, we apply the same data protection principles as to any other processing.
In our internal communications
We may use AI-powered tools to assist with drafting communications, summarizing meetings, or organizing information. We use these tools in a way that minimizes personal data exposure — for example, avoiding inputting partner or end-user personal data into AI systems without appropriate safeguards.
Where we use AI tools that may process the content of meetings or correspondence (e.g., transcription, meeting summaries), we will inform participants at the outset and obtain consent where required.
In project delivery
When AI tools are used as part of a project and process personal data, this is governed by the partner's data processing addendum. We will document the AI tools used, their data handling practices, and any relevant risks in the project documentation.
Transparency commitment: We will always make it clear when you are interacting with an automated system (such as a chatbot or AI-generated response) rather than a human.
AI training: We do not use your personal data to train, fine-tune, or improve third-party AI models without your explicit consent and appropriate contractual and technical safeguards.
16Children's data
Our website and services are directed at businesses and professional individuals, not children. We do not knowingly collect personal data from individuals under the age of 16 (or the applicable age of digital consent in their jurisdiction). If you believe a child has provided us with personal data, please contact us (Section 19) and we will delete it promptly.
17Country-specific provisions
The following provisions supplement this policy for individuals in specific jurisdictions. In case of conflict, the jurisdiction-specific provisions prevail for residents of that jurisdiction.
European Union / European Economic Area — GDPR
We comply with Regulation (EU) 2016/679 (the General Data Protection Regulation). The legal bases described in Section 5 (consent, contract, legitimate interests, legal obligation) correspond to Article 6 GDPR (and Article 9 GDPR for sensitive data).
You may lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or where you believe an infringement occurred.
United Kingdom — UK GDPR
We comply with the UK GDPR and the Data Protection Act 2018. Your rights and our obligations mirror those described above. You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
France — RGPD / Loi Informatique et Libertés
In addition to the GDPR provisions above, if you are located in France, you have the right to give instructions about what happens to your personal data after your death. You may lodge a complaint with the CNIL at cnil.fr.
Singapore — PDPA
We comply with the Personal Data Protection Act 2012 (PDPA). We have appointed a Data Protection Officer (see Section 19). You may request access to or correction of your personal data and may withdraw consent on reasonable notice. Complaints may be submitted to the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
Other jurisdictions
If you are located in another jurisdiction with specific data protection requirements and believe those are not addressed above, please contact our Data Protection Officer (Section 19) and we will endeavor to address your specific rights under applicable local law.
18Changes to this policy
We may update this policy from time to time to reflect changes in our practices, the services we offer, or the law. We will post the updated version at alirion.io/privacy and revise the "Last updated" date. Where a change is significant, we will provide a more prominent notice or, where required by law, seek your consent before the change takes effect.
19Contact us
For any question about this policy, to exercise your rights, or to reach our Data Protection Officer, please contact:
Alirion — Data Protection Officer
Website: alirion.io. Use the provided form to contact us.
Postal: Smitchlabs Pte Ltd, 24 Sin Ming Lane, #03-99 Midview City, Singapore 573970
We will respond within the timeframe required by the applicable data protection law (generally within 30 days, or within any shorter period required by your local law).