Privacy Policy

AuxilAI Limited

Last Updated: February 2026

1. Introduction

AuxilAI Limited ("AuxilAI", "we", "us", or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our global mobility compliance platform and related services (the "Service").

We are registered in England and Wales and comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.

2. Data Controller and Data Processor

AuxilAI Limited acts as a data processor when processing employee data on behalf of subscribing organisations (your employer), who are the data controller. For account data and usage data collected directly from platform users, AuxilAI Limited is the data controller.

We enter into Data Processing Agreements (DPAs) with subscribing organisations to govern the processing of employee personal data in accordance with UK and EU GDPR requirements.

If you have questions about this Privacy Policy or our data practices, please contact us at:

Email: info@auxilai.com
Address: AuxilAI Limited, United Kingdom

3. Personal Data We Collect

We collect personal data in the following categories:

3.1 Employee Data (provided by your employer)

  • Full name and work email address
  • Nationality and country of residence
  • Passport expiry date and issuing country (not passport number)
  • Visa and work permit information (type, status, expiry)
  • Employment details (job title, department, work location)
  • Travel history and planned travel itineraries
  • Tax residency country
  • Family member details (where relevant to immigration compliance)

3.2 Account Data

  • Name and business email address
  • Company name and role
  • Account credentials (passwords are hashed and never stored in plain text)

3.3 Usage Data

  • Pages visited and features used
  • Time spent on pages and interaction data
  • Device type and browser type
  • IP address (recorded in security audit logs)
  • Chat queries and compliance questions submitted to the AI assistant

All usage data is collected and stored on our own servers. We do not use third-party analytics services. For full details on browser storage mechanisms, see our Cookie Policy.

4. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract Performance: To provide the Service as agreed with your employer under the terms of our subscription agreement.
  • Legitimate Interests: To improve our Service, ensure platform security, maintain audit logs, and prevent unauthorised access.
  • Legal Obligation: To comply with applicable laws and regulations, including tax, immigration, and employment law requirements.

5. How We Use Your Data

We use personal data to:

  • Provide travel readiness and compliance assessments
  • Generate immigration, tax, and social security compliance reports
  • Track document validity and expiration dates
  • Facilitate A1 certificate and posted worker notification workflows
  • Respond to AI-assisted chat queries about compliance matters (see Section 6)
  • Pre-fill compliance forms using employee data
  • Send service notifications and alerts
  • Improve and develop our Service through internal analytics
  • Maintain security audit logs for data access and modifications

6. AI and Automated Processing

Our Service uses artificial intelligence to provide compliance assessments, answer compliance questions, extract information from documents, and assist with form completion. This involves sending data to third-party AI providers for processing. Before any data is sent, personally identifiable information (PII) is masked or removed to protect employee privacy.

6.1 AI Providers

We use the following AI providers:

Provider | Purpose | Data Sent
Anthropic (Claude) | Compliance assessments, chat queries, document extraction, form pre-filling, rule validation, risk analysis | Anonymised employee data including nationality, visa type, tax residency country, job role, travel assignments, and compliance questions. Personally identifiable information such as names, dates of birth, passport numbers, addresses, and national ID numbers is masked before transmission.

6.2 PII Masking for AI Processing

Before employee data is sent to any AI provider, we apply PII masking to strip or anonymise identifying information. The following categories of data are masked:

  • Employee names (replaced with anonymised identifiers)
  • Email addresses
  • Family member names (replaced with anonymised identifiers)

The AI provider receives only the non-identifying information necessary for accurate compliance analysis, such as nationality, visa type and status, passport expiry date, tax residency country, job role, travel dates, and family member nationality where relevant.

6.3 Additional AI Safeguards

  • Data sent to AI providers is used solely to generate responses for your queries and is not used by the providers to train their models.
  • We do not store AI-generated responses beyond the conversation session unless required for compliance record-keeping.
  • All AI API calls are logged with usage tracking, including which feature initiated the call, token counts, and associated company identifier, to maintain accountability and cost control.
  • AI processing is subject to the same multi-tenant data isolation as the rest of the platform — data from one organisation is never included in queries for another.

7. Data Sharing and Disclosure

We may share personal data with:

  • Your Employer: As the subscribing organisation and data controller, they have access to their employees' compliance data within the platform.
  • AI Provider: Anthropic, as described in Section 6, under a data processing agreement that prohibits the use of your data for model training.
  • Cloud Infrastructure Provider: Amazon Web Services (AWS), which hosts our application servers and database within EU data centres, under a data processing agreement.
  • Legal Authorities: When required by law or to protect our legal rights.

We do not sell personal data to third parties. We do not share personal data with advertising networks or third-party analytics providers.

7.1 Sub-Processors

The following sub-processors may process personal data on our behalf:

Sub-Processor | Purpose | Location
Amazon Web Services (AWS) | Application hosting and database | EU
Anthropic PBC | AI-powered compliance analysis | United States

8. International Data Transfers

Our database and application servers are hosted within the European Union. However, when personal data is processed by our AI provider (Anthropic), it may be transferred to the United States for the duration of the API request.

These transfers are protected by appropriate safeguards in accordance with UK and EU GDPR, including Standard Contractual Clauses (SCCs) and the providers' data processing agreements, which ensure that your data receives an adequate level of protection regardless of where it is processed.

9. Data Retention

We retain personal data for as long as necessary to provide the Service and comply with legal obligations:

  • Employee data: Retained for the duration of your employer's subscription plus 12 months, unless longer retention is required by law.
  • Account data: Retained for the duration of the account plus 12 months after deletion.
  • Usage and analytics data: Retained for up to 24 months for service improvement purposes.
  • Security audit logs: Retained for 24 months to support security investigations and compliance requirements.
  • AI API usage logs: Retained for 12 months for cost tracking and accountability purposes.

You may request earlier deletion subject to legal requirements. Contact us at info@auxilai.com to make a request.

10. Your Data Protection Rights

Under UK and EU GDPR, you have the following rights:

  • Right of Access: Request a copy of your personal data.
  • Right to Rectification: Request correction of inaccurate data.
  • Right to Erasure: Request deletion of your data (subject to legal obligations).
  • Right to Restrict Processing: Request limitation of processing.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.

For employees: If your employer uses our Service and you wish to exercise your data rights, please contact your employer in the first instance as they are the data controller. You may also contact us directly and we will work with your employer to fulfil your request.

For platform users: To exercise these rights, contact us at info@auxilai.com. We will respond within 30 days.

11. Data Security

We implement technical and organisational measures to protect personal data, including:

  • Encryption at rest: Sensitive personal data (passport numbers, visa numbers, social security numbers, tax IDs, bank details) is encrypted using AES-256-GCM with PBKDF2 key derivation.
  • Encryption in transit: All data transmitted between your device and our servers is protected using TLS encryption.
  • Data masking: Sensitive fields are masked in the application interface using role-based masking policies (e.g., passport numbers displayed as ****1234).
  • Multi-tenant data isolation: All database queries are filtered by company identifier, ensuring that one organisation cannot access another's data.
  • Role-based access controls: Platform access is restricted based on user roles and permissions.
  • Security audit logging: All access to and modifications of sensitive personal data are recorded in audit logs, including the user, action, timestamp, and IP address.
  • Automatic session cleanup: Authentication tokens and session data are cleared on logout.

12. Children's Privacy

Our Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a new "Last Updated" date and, where appropriate, by notifying subscribing organisations directly.

14. Complaints

If you have concerns about how we handle your personal data, please contact us first at info@auxilai.com. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local data protection authority.

15. Contact Us

For privacy-related enquiries:

Email: info@auxilai.com
Website: www.auxilai.com