Legal & compliance at Airwork
Legal & compliance at Airwork
Legal & compliance at Airwork
Your privacy matters to us at Airwork AI. To make our policies easy to understand and access, we’ve organized our documentation into the sections below.
Terms of services
Privacy policy
Refund policy
GDPR compliance
Data deletion policy
Airwork Privacy Policy
Last updated: May 1, 2026
Who we are
Airwork is a hiring platform operated by Remotely Technologies Inc., a Delaware corporation registered at 600 North Broad Street, Suite 5, Middletown, DE 19709, USA. We refer to ourselves in this policy as Airwork, we, us, or our.
This policy explains how we collect, use, share, and protect personal data when you use airwork.ai and our hiring services. It applies to candidates who create profiles, clients who post jobs and review applicants, visitors browsing the site, and anyone who contacts us.
How candidate data and client data are organised
Two layers of data live in Airwork. They are governed differently. This is the most important section of this policy.
Candidate data is part of the Airwork talent network
When a candidate signs up and creates a profile, that profile becomes part of the Airwork talent network. We control candidate profiles. When a candidate applies to a client's job:
The profile does not transfer to the client account.
The profile does not become a record owned by the client.
The profile remains searchable and reusable across all clients on the Airwork platform.
Candidates manage their own profile data directly with Airwork. Candidates can update, export, or delete their profile at any time through their account settings or by contacting support@airwork.ai. Candidates exercise their privacy rights (access, rectification, erasure, portability, objection) directly with us, not through any client.
We do not sell candidate data to third parties.
Client data belongs to the client
Client data includes company information, job posts, pipeline notes, billing records, team member accounts, custom screening questions, and custom assessments. Clients control this data and can request its deletion at any time by contacting support@airwork.ai.
What clients can do with candidate data
Clients can view profiles of candidates who apply to their jobs. Clients can interact with applicants through messaging, scheduling, and pipeline movement. Clients can export profiles and application details for candidates who applied to their jobs, including submissions, assessment results, and pipeline notes. Exports create working copies. The underlying records remain in the Airwork talent network.
What clients cannot do with candidate data
Clients cannot delete candidate records. Only the candidate or Airwork can. Clients cannot claim ownership of candidate profiles. Clients cannot remove the underlying profile records from the talent network.
What we collect
Information you give us
When you sign up, complete a profile, post a job, apply to a job, contact support, or otherwise use the services, we collect the information you provide. Depending on whether you are a candidate or a client, this can include:
Name, email address, password
Phone number, country, time zone
Profile information (skills, experience, portfolio, certifications, education, languages)
Resume or CV
Profile photo
Identity verification documents where requested
Company name, business address, billing details, team member accounts
Job posts, screening questions, assessment configurations, pipeline notes
Messages and files exchanged with other users
Payment method information processed by our payment provider
If you sign in with a third-party service like Google or LinkedIn, we receive the registration and profile information that service shares with us based on your privacy settings there.
Information we collect automatically
When you use the site, we collect technical information about your device and how you interact with us:
IP address, browser type, device type, operating system
Pages viewed, searches run, actions taken
Approximate location based on IP
Cookies, pixels, and similar tracking identifiers
Logs of API calls and platform events
Information from third parties
We receive information from third parties in limited cases. We get identity and fraud signals from verification providers. We receive authentication details from Google or LinkedIn when you choose to sign in with them. We receive referral information when another user invites you. We may receive enrichment data from public professional sources to keep candidate profiles current.
Why we process your data and on what legal basis
For users in the European Economic Area, the United Kingdom, and other jurisdictions where it applies, we rely on the following GDPR legal bases.
Purpose: Operating your account, providing the services, processing applications
Legal Basis: Performance of a contract
Purpose: Sending product updates and transactional notifications
Legal Basis: Performance of a contract
Purpose: Sending marketing communications you can opt out of
Legal Basis: Legitimate interest, or consent where required
Purpose: Personalising candidate matching and search results
Legal Basis: Legitimate interest
Purpose: Detecting fraud, abuse, and security threats
Legal Basis: Legitimate interest, legal obligation
Purpose: Complying with tax, accounting, and other laws
Legal Basis: Legal obligation
Purpose: Using AI to assist hiring (Aria and related features)
Legal Basis: Legitimate interest, or consent where required
Purpose: Using your name, logo, photo, or testimonial for promotion and job circulation
Legal Basis: Consent, which you can withdraw at any time
Where we rely on consent, you can withdraw it at any time. Withdrawing consent does not affect processing carried out before withdrawal.
Who we share data with
We do not sell personal data. We share it with the following categories of recipients.
Other users in the normal flow of the platform
When candidates apply to a client's job, the client sees the candidate's profile, application, assessment results, and pipeline notes. When clients post jobs, candidates see the public parts of the listing and the company name. Messages between candidates and clients are visible to both parties.
Service providers and sub-processors
We use the following sub-processors. Each processes specific categories of data on our behalf under written agreements that require them to protect that data and use it only to provide services to us.
Sub-processor: Amazon Web Services (AWS)
Purpose: Cloud hosting and storage
Region: Singapore
Sub-processor: Amazon CloudFront
Purpose: Content delivery network
Region: Global
Sub-processor: OpenAI
Purpose: AI features including Aria search and matching
Region: USA
Sub-processor: Anthropic
Purpose: AI features including Aria search and matching
Region: USA
Sub-processor: PostHog
Purpose: Product analytics
Region: USA / EU
Sub-processor: Google Analytics (GA4)
Purpose: Website analytics
Region: USA
Sub-processor: Google Tag Manager
Purpose: Tag deployment
Region: USA
Sub-processor: LinkedIn Insight Tag
Purpose: Marketing analytics
Region: USA
Sub-processor: Meta Pixel
Purpose: Marketing analytics
Region: USA
Sub-processor: Stripe
Purpose: Payment processing
Region: USA
Sub-processor: AppSumo
Purpose: Lifetime Deal purchase fulfilment
Region: USA
We update this list when sub-processors change. Material changes are reflected here before the new sub-processor goes live.
Neither OpenAI nor Anthropic trains models on data sent through our use of their APIs. Airwork does not opt in to any program that would use your data to train general-purpose AI models.
Legal and safety reasons
We share data when we believe in good faith that it is necessary to comply with a law, regulation, court order, or valid legal request. We share data to investigate or prevent fraud, security threats, or abuse of the platform. We share data to protect the rights, property, or safety of Airwork, our users, or the public.
Business transactions
If Remotely Technologies Inc. is involved in a merger, acquisition, financing, or sale of assets, your data may be shared with the parties to that transaction under confidentiality protections. We will notify you of any change of ownership that materially affects how your data is processed.
International data transfers
Airwork is a US company. Our production infrastructure runs on AWS in Singapore. Our core team is based in Bangladesh. Personal data, including data of users in the EEA and UK, is transferred outside the country where it was collected.
When we transfer EEA or UK personal data outside those regions, we rely on Standard Contractual Clauses approved by the European Commission as the transfer mechanism. We supplement these with technical and organisational measures including encryption in transit and at rest, role-based access controls, and confidentiality obligations on every employee and contractor who can access personal data.
How long we keep your data
We keep personal data only for as long as we need it.
Data category: Active candidate profile
Retention: While the account is active
Data category: Inactive candidate profile (no login for 24 months)
Retention: We email a reminder. If there is no response within 30 days, we anonymise or delete the profile.
Data category: Active client account
Retention: While the account is active
Data category: Closed client account
Retention: 30 days for removal from active systems, then anonymisation or deletion
Data category: Backups
Retention: Up to 90 days, after which deleted data is overwritten
Data category: Communications between users
Retention: 12 months after the account closes
Data category: Job posts
Retention: Until the client deletes them, or 24 months after the job closes
Data category: Billing and tax records
Retention: 7 years (US tax requirement)
Data category: Fraud, abuse, and security records
Retention: Up to 5 years
Data category: Cookies
Retention: See cookie durations in our cookie banner
Data category: Anonymised or aggregated data
Retention: No fixed retention. This data cannot identify individuals.
Some data may be retained longer if required by law, to enforce our agreements, or to defend legal claims.
Security
We protect personal data with administrative, technical, and physical measures appropriate to the sensitivity of the data. Data is encrypted in transit using TLS 1.2 or higher. Data is encrypted at rest using AES-256. Production infrastructure runs on AWS, which holds independent security certifications including SOC 2 and ISO 27001. Access to production data is restricted to authorised personnel and logged. Employees and contractors sign confidentiality and invention assignment agreements. We follow the principle of least privilege for internal access.
No system is perfectly secure. If you suspect your account has been compromised, contact support@airwork.ai.
Breach notification
If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, in line with GDPR Article 33. We will notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Your rights
You can access, correct, export, or delete your personal data through your account settings. If you cannot complete a request through the account, contact support@airwork.ai. We will respond within 30 days. If we need more time or if we cannot fulfil the request, we will tell you why.
Rights under GDPR (EEA, UK, Switzerland)
If you are in the EEA, UK, or Switzerland, you have the following rights under GDPR and equivalent laws:
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object to processing based on legitimate interest, including direct marketing
Right to withdraw consent at any time where processing is based on consent
Right to lodge a complaint with your local data protection authority
Rights under US state privacy laws
If you are a resident of California, Colorado, Connecticut, Texas, Virginia, or another US state with a privacy statute, you have the right to know what personal information we collect, use, and share. You have the right to access, correct, and request deletion of your personal information. You have the right to opt out of the sale or sharing of personal information for cross-context behavioural advertising. You have the right to limit the use of sensitive personal information. You have the right to be free from retaliation for exercising your rights.
We do not sell personal data in the conventional sense. Our use of advertising pixels (Meta, LinkedIn, Google) may qualify as sharing under California's CPRA. You can opt out through the cookie banner or by emailing support@airwork.ai.
To exercise any of these rights, contact support@airwork.ai. We will verify your identity before acting on your request.
Cookies and tracking
We use cookies and similar technologies on airwork.ai. The categories include strictly necessary cookies for sign-in, security, and core platform function. Analytics cookies (PostHog, Google Analytics) help us understand how the site is used. Marketing cookies (Meta Pixel, LinkedIn Insight Tag, Google Tag Manager) measure advertising performance. Preference cookies remember settings like language and time zone.
You can manage cookies through our cookie banner and through your browser settings. Blocking strictly necessary cookies will break sign-in and other core features.
AI features and Aria
Airwork uses AI to help candidates and clients move faster. Today, this includes Aria, our natural-language search assistant for the talent network. Over time, AI features may help post jobs, run assessments, and contact candidates on a user's behalf.
When AI features process your data, we use OpenAI and Anthropic as sub-processors. Both have contractual commitments under their API terms not to train models on data sent through their APIs. We disclose new AI sub-processors in this policy before they go live.
Promotional use of names, logos, and photos
By using the services, you grant Airwork a limited, revocable, royalty-free licence to use your name, photo, company name, or logo to identify you as a customer or talent on the platform, distribute job posts to candidate audiences, and promote Airwork in marketing materials, case studies, social media, and partner channels.
You can withdraw this permission at any time by emailing support@airwork.ai. Withdrawal applies prospectively and does not require us to recall materials already in distribution.
Children
The services are intended for users aged 16 and older. We do not knowingly collect personal data from anyone under 16. If you believe we have collected data from someone under 16, contact support@airwork.ai and we will delete it.
GDPR posture
We follow GDPR principles and are working toward full certification. We are not currently certified under GDPR, SOC 2, HIPAA, PIPEDA, or ISO 27001. Our cloud infrastructure provider (AWS) holds SOC 2 and ISO 27001 certifications.
Data Protection Officer
Our Data Protection Officer is Sayem Faruk, CEO. You can reach the DPO at support@airwork.ai.
Data Processing Agreement
A Data Processing Agreement is available to enterprise clients on request. Contact support@airwork.ai to begin the process.
How to contact us
For privacy questions, requests, or complaints:
Email: support@airwork.ai
Postal address: Remotely Technologies Inc., 600 North Broad Street, Suite 5, Middletown, DE 19709, USA
If you are in the EEA or UK and are not satisfied with our response, you can file a complaint with your local data protection authority.
Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the Last updated date at the top of the policy. We will notify active users by email or in-product notification at least 14 days before the change takes effect, where the change materially affects user rights.
Your continued use of the services after the new policy takes effect means you accept the updated terms.
Terms of services
Privacy policy
Refund policy
GDPR compliance
Data deletion policy
Airwork Privacy Policy
Last updated: May 1, 2026
Who we are
Airwork is a hiring platform operated by Remotely Technologies Inc., a Delaware corporation registered at 600 North Broad Street, Suite 5, Middletown, DE 19709, USA. We refer to ourselves in this policy as Airwork, we, us, or our.
This policy explains how we collect, use, share, and protect personal data when you use airwork.ai and our hiring services. It applies to candidates who create profiles, clients who post jobs and review applicants, visitors browsing the site, and anyone who contacts us.
How candidate data and client data are organised
Two layers of data live in Airwork. They are governed differently. This is the most important section of this policy.
Candidate data is part of the Airwork talent network
When a candidate signs up and creates a profile, that profile becomes part of the Airwork talent network. We control candidate profiles. When a candidate applies to a client's job:
The profile does not transfer to the client account.
The profile does not become a record owned by the client.
The profile remains searchable and reusable across all clients on the Airwork platform.
Candidates manage their own profile data directly with Airwork. Candidates can update, export, or delete their profile at any time through their account settings or by contacting support@airwork.ai. Candidates exercise their privacy rights (access, rectification, erasure, portability, objection) directly with us, not through any client.
We do not sell candidate data to third parties.
Client data belongs to the client
Client data includes company information, job posts, pipeline notes, billing records, team member accounts, custom screening questions, and custom assessments. Clients control this data and can request its deletion at any time by contacting support@airwork.ai.
What clients can do with candidate data
Clients can view profiles of candidates who apply to their jobs. Clients can interact with applicants through messaging, scheduling, and pipeline movement. Clients can export profiles and application details for candidates who applied to their jobs, including submissions, assessment results, and pipeline notes. Exports create working copies. The underlying records remain in the Airwork talent network.
What clients cannot do with candidate data
Clients cannot delete candidate records. Only the candidate or Airwork can. Clients cannot claim ownership of candidate profiles. Clients cannot remove the underlying profile records from the talent network.
What we collect
Information you give us
When you sign up, complete a profile, post a job, apply to a job, contact support, or otherwise use the services, we collect the information you provide. Depending on whether you are a candidate or a client, this can include:
Name, email address, password
Phone number, country, time zone
Profile information (skills, experience, portfolio, certifications, education, languages)
Resume or CV
Profile photo
Identity verification documents where requested
Company name, business address, billing details, team member accounts
Job posts, screening questions, assessment configurations, pipeline notes
Messages and files exchanged with other users
Payment method information processed by our payment provider
If you sign in with a third-party service like Google or LinkedIn, we receive the registration and profile information that service shares with us based on your privacy settings there.
Information we collect automatically
When you use the site, we collect technical information about your device and how you interact with us:
IP address, browser type, device type, operating system
Pages viewed, searches run, actions taken
Approximate location based on IP
Cookies, pixels, and similar tracking identifiers
Logs of API calls and platform events
Information from third parties
We receive information from third parties in limited cases. We get identity and fraud signals from verification providers. We receive authentication details from Google or LinkedIn when you choose to sign in with them. We receive referral information when another user invites you. We may receive enrichment data from public professional sources to keep candidate profiles current.
Why we process your data and on what legal basis
For users in the European Economic Area, the United Kingdom, and other jurisdictions where it applies, we rely on the following GDPR legal bases.
Purpose: Operating your account, providing the services, processing applications
Legal Basis: Performance of a contract
Purpose: Sending product updates and transactional notifications
Legal Basis: Performance of a contract
Purpose: Sending marketing communications you can opt out of
Legal Basis: Legitimate interest, or consent where required
Purpose: Personalising candidate matching and search results
Legal Basis: Legitimate interest
Purpose: Detecting fraud, abuse, and security threats
Legal Basis: Legitimate interest, legal obligation
Purpose: Complying with tax, accounting, and other laws
Legal Basis: Legal obligation
Purpose: Using AI to assist hiring (Aria and related features)
Legal Basis: Legitimate interest, or consent where required
Purpose: Using your name, logo, photo, or testimonial for promotion and job circulation
Legal Basis: Consent, which you can withdraw at any time
Where we rely on consent, you can withdraw it at any time. Withdrawing consent does not affect processing carried out before withdrawal.
Who we share data with
We do not sell personal data. We share it with the following categories of recipients.
Other users in the normal flow of the platform
When candidates apply to a client's job, the client sees the candidate's profile, application, assessment results, and pipeline notes. When clients post jobs, candidates see the public parts of the listing and the company name. Messages between candidates and clients are visible to both parties.
Service providers and sub-processors
We use the following sub-processors. Each processes specific categories of data on our behalf under written agreements that require them to protect that data and use it only to provide services to us.
Sub-processor: Amazon Web Services (AWS)
Purpose: Cloud hosting and storage
Region: Singapore
Sub-processor: Amazon CloudFront
Purpose: Content delivery network
Region: Global
Sub-processor: OpenAI
Purpose: AI features including Aria search and matching
Region: USA
Sub-processor: Anthropic
Purpose: AI features including Aria search and matching
Region: USA
Sub-processor: PostHog
Purpose: Product analytics
Region: USA / EU
Sub-processor: Google Analytics (GA4)
Purpose: Website analytics
Region: USA
Sub-processor: Google Tag Manager
Purpose: Tag deployment
Region: USA
Sub-processor: LinkedIn Insight Tag
Purpose: Marketing analytics
Region: USA
Sub-processor: Meta Pixel
Purpose: Marketing analytics
Region: USA
Sub-processor: Stripe
Purpose: Payment processing
Region: USA
Sub-processor: AppSumo
Purpose: Lifetime Deal purchase fulfilment
Region: USA
We update this list when sub-processors change. Material changes are reflected here before the new sub-processor goes live.
Neither OpenAI nor Anthropic trains models on data sent through our use of their APIs. Airwork does not opt in to any program that would use your data to train general-purpose AI models.
Legal and safety reasons
We share data when we believe in good faith that it is necessary to comply with a law, regulation, court order, or valid legal request. We share data to investigate or prevent fraud, security threats, or abuse of the platform. We share data to protect the rights, property, or safety of Airwork, our users, or the public.
Business transactions
If Remotely Technologies Inc. is involved in a merger, acquisition, financing, or sale of assets, your data may be shared with the parties to that transaction under confidentiality protections. We will notify you of any change of ownership that materially affects how your data is processed.
International data transfers
Airwork is a US company. Our production infrastructure runs on AWS in Singapore. Our core team is based in Bangladesh. Personal data, including data of users in the EEA and UK, is transferred outside the country where it was collected.
When we transfer EEA or UK personal data outside those regions, we rely on Standard Contractual Clauses approved by the European Commission as the transfer mechanism. We supplement these with technical and organisational measures including encryption in transit and at rest, role-based access controls, and confidentiality obligations on every employee and contractor who can access personal data.
How long we keep your data
We keep personal data only for as long as we need it.
Data category: Active candidate profile
Retention: While the account is active
Data category: Inactive candidate profile (no login for 24 months)
Retention: We email a reminder. If there is no response within 30 days, we anonymise or delete the profile.
Data category: Active client account
Retention: While the account is active
Data category: Closed client account
Retention: 30 days for removal from active systems, then anonymisation or deletion
Data category: Backups
Retention: Up to 90 days, after which deleted data is overwritten
Data category: Communications between users
Retention: 12 months after the account closes
Data category: Job posts
Retention: Until the client deletes them, or 24 months after the job closes
Data category: Billing and tax records
Retention: 7 years (US tax requirement)
Data category: Fraud, abuse, and security records
Retention: Up to 5 years
Data category: Cookies
Retention: See cookie durations in our cookie banner
Data category: Anonymised or aggregated data
Retention: No fixed retention. This data cannot identify individuals.
Some data may be retained longer if required by law, to enforce our agreements, or to defend legal claims.
Security
We protect personal data with administrative, technical, and physical measures appropriate to the sensitivity of the data. Data is encrypted in transit using TLS 1.2 or higher. Data is encrypted at rest using AES-256. Production infrastructure runs on AWS, which holds independent security certifications including SOC 2 and ISO 27001. Access to production data is restricted to authorised personnel and logged. Employees and contractors sign confidentiality and invention assignment agreements. We follow the principle of least privilege for internal access.
No system is perfectly secure. If you suspect your account has been compromised, contact support@airwork.ai.
Breach notification
If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, in line with GDPR Article 33. We will notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Your rights
You can access, correct, export, or delete your personal data through your account settings. If you cannot complete a request through the account, contact support@airwork.ai. We will respond within 30 days. If we need more time or if we cannot fulfil the request, we will tell you why.
Rights under GDPR (EEA, UK, Switzerland)
If you are in the EEA, UK, or Switzerland, you have the following rights under GDPR and equivalent laws:
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object to processing based on legitimate interest, including direct marketing
Right to withdraw consent at any time where processing is based on consent
Right to lodge a complaint with your local data protection authority
Rights under US state privacy laws
If you are a resident of California, Colorado, Connecticut, Texas, Virginia, or another US state with a privacy statute, you have the right to know what personal information we collect, use, and share. You have the right to access, correct, and request deletion of your personal information. You have the right to opt out of the sale or sharing of personal information for cross-context behavioural advertising. You have the right to limit the use of sensitive personal information. You have the right to be free from retaliation for exercising your rights.
We do not sell personal data in the conventional sense. Our use of advertising pixels (Meta, LinkedIn, Google) may qualify as sharing under California's CPRA. You can opt out through the cookie banner or by emailing support@airwork.ai.
To exercise any of these rights, contact support@airwork.ai. We will verify your identity before acting on your request.
Cookies and tracking
We use cookies and similar technologies on airwork.ai. The categories include strictly necessary cookies for sign-in, security, and core platform function. Analytics cookies (PostHog, Google Analytics) help us understand how the site is used. Marketing cookies (Meta Pixel, LinkedIn Insight Tag, Google Tag Manager) measure advertising performance. Preference cookies remember settings like language and time zone.
You can manage cookies through our cookie banner and through your browser settings. Blocking strictly necessary cookies will break sign-in and other core features.
AI features and Aria
Airwork uses AI to help candidates and clients move faster. Today, this includes Aria, our natural-language search assistant for the talent network. Over time, AI features may help post jobs, run assessments, and contact candidates on a user's behalf.
When AI features process your data, we use OpenAI and Anthropic as sub-processors. Both have contractual commitments under their API terms not to train models on data sent through their APIs. We disclose new AI sub-processors in this policy before they go live.
Promotional use of names, logos, and photos
By using the services, you grant Airwork a limited, revocable, royalty-free licence to use your name, photo, company name, or logo to identify you as a customer or talent on the platform, distribute job posts to candidate audiences, and promote Airwork in marketing materials, case studies, social media, and partner channels.
You can withdraw this permission at any time by emailing support@airwork.ai. Withdrawal applies prospectively and does not require us to recall materials already in distribution.
Children
The services are intended for users aged 16 and older. We do not knowingly collect personal data from anyone under 16. If you believe we have collected data from someone under 16, contact support@airwork.ai and we will delete it.
GDPR posture
We follow GDPR principles and are working toward full certification. We are not currently certified under GDPR, SOC 2, HIPAA, PIPEDA, or ISO 27001. Our cloud infrastructure provider (AWS) holds SOC 2 and ISO 27001 certifications.
Data Protection Officer
Our Data Protection Officer is Sayem Faruk, CEO. You can reach the DPO at support@airwork.ai.
Data Processing Agreement
A Data Processing Agreement is available to enterprise clients on request. Contact support@airwork.ai to begin the process.
How to contact us
For privacy questions, requests, or complaints:
Email: support@airwork.ai
Postal address: Remotely Technologies Inc., 600 North Broad Street, Suite 5, Middletown, DE 19709, USA
If you are in the EEA or UK and are not satisfied with our response, you can file a complaint with your local data protection authority.
Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the Last updated date at the top of the policy. We will notify active users by email or in-product notification at least 14 days before the change takes effect, where the change materially affects user rights.