Live · docs.airwai.com Last update 2026-05-17

Data Privacy

The call center will handle customer prospect data and customer payment data. Both have specific legal obligations.

This document sets the operating rules. For legal advice, escalate to Amir + counsel.


The two data classes

| Class | What it is | Regulatory framework |
|---|---|---|
| Prospect data | Names, emails, phones, titles, employers of people not yet customers | GDPR (EU), CCPA / CPRA (California), CAN-SPAM (US), CASL (Canada), and similar national laws |
| Customer data | Same as above plus payment details, subscription history, app usage | Above + PCI-DSS via Stripe |

GDPR — for EU prospects + customers

GDPR applies if the prospect / customer is in the EU, regardless of where the call center is.

For B2B outreach to EU prospects, two acceptable legal bases:

  1. Legitimate interest — when you're targeting prospects whose job role makes LAIRA directly relevant (e.g., a city PW Pavement Inspector). Must pass the LIA (Legitimate Interest Assessment) — is the outreach reasonable, proportionate, and not surprising to the recipient?
  2. Consent — when the prospect has opted in (e.g., downloaded a whitepaper, attended a webinar).

For most LAIRA cold outbound to working AEC professionals, legitimate interest applies. Document the legitimate-interest assessment for the campaign before launch.

Right to opt out

Every email must include:

  • A clear "unsubscribe" link OR clear opt-out instructions
  • Identification of the sender (Airwai)
  • A physical mailing address

Honor opt-outs within 24 hours. Add to suppression list in HubSpot. No further contact for 12 months minimum.

Data subject rights

EU prospects / customers have the right to:

  • Access — see what we have on them
  • Rectification — correct errors
  • Erasure — delete (the "right to be forgotten")
  • Portability — get their data in a portable format
  • Objection — opt out of processing

Route any data-subject request to Amir within 24 hours of receipt. Airwai responds within 30 days (legal requirement).

Data minimization

Collect the minimum prospect data needed for outreach. Do not collect:

  • Personal phone numbers (residential)
  • Personal email addresses (Gmail / Yahoo / Hotmail)
  • Sensitive personal data (health, religion, political view, etc.)
  • Spouse / family information

Use work emails and work phones only.

EU storage requirements

  • Customer data may be stored outside the EU only with appropriate safeguards (SCCs, Standard Contractual Clauses, which Stripe and HubSpot have in place).
  • Document where each system stores EU customer data.

CCPA / CPRA — for California prospects + customers

CCPA applies to California residents. CPRA expanded the rules.

Notice at collection

Tell California residents what data you're collecting, why, and how to opt out. Standard: include a Privacy Policy link in every outbound email and a "Do Not Sell My Information" link if applicable (LAIRA does NOT sell prospect data, but the link is best-practice).

Right to opt out of "sale" of personal information

LAIRA does not sell personal information. State this in the Privacy Policy.

Data subject rights

California residents have rights similar to GDPR. Route requests to Amir.


CAN-SPAM (US) and CASL (Canada)

CAN-SPAM requirements (US)

  1. Don't use false / misleading header info
  2. Don't use deceptive subject lines
  3. Identify the email as an ad (implicit through commercial purpose)
  4. Tell recipients where you're located (physical mailing address)
  5. Tell recipients how to opt out of future emails
  6. Honor opt-out requests within 10 business days
  7. Monitor what others do on your behalf (if you use a third-party email service, you're still responsible)

CASL requirements (Canada)

  1. Express or implied consent required for commercial electronic messages
  2. Identification of the sender
  3. Clear unsubscribe mechanism that works
  4. Unsubscribe processed within 10 business days

CASL is stricter than US CAN-SPAM. If targeting Canadian prospects, default to the higher standard.


Payment data — PCI-DSS via Stripe

The call center does NOT touch raw payment card data. Stripe handles all payment processing under Stripe's PCI-DSS Level 1 certification. The call center generates payment links (Stripe hosts the actual checkout); customers pay through Stripe-hosted pages.

The call center may NEVER:

  • Ask a customer to read their credit card number over the phone
  • Enter a credit card number into HubSpot
  • Save card details in a spreadsheet, email, or text file
  • Send card details to Airwai or anyone else

If a customer offers to share card details verbally, redirect:

"I'm not allowed to take card details. I'm going to send you a Stripe payment link in 30 seconds — you'll enter your card details on Stripe's secure page. Same outcome, much safer for both of us."


App-level customer data — Airwai's responsibility, not the call center's

Once a customer is paying and using the app, their inspection data is governed by:

  • Airwai's Privacy Policy (public)
  • Airwai's standard Data Processing Addendum (available on request)
  • Customer's own ArcGIS tenant security (since inspection data lives there)

The call center does not need to memorize or quote the privacy policy. If a prospect asks about data handling, summarize:

"Inspection scan data lives in the customer's own ArcGIS tenant — we don't host it. Detection inference runs on our servers; we don't retain the raw scans after processing. We have a standard SOC-2-track DPA available, and our Privacy Policy is published at airwai.com/privacy."

For deeper questions, route to Amir.


Practical do's and don'ts

DO

  • Use HubSpot to track all prospect / customer data — it's GDPR-aware
  • Honor opt-out requests within 24 hours
  • Validate email lists before sending to avoid bouncing (deliverability + reputation)
  • Document legitimate-interest assessments for EU campaigns
  • Train every agent on these rules before live calls

DON'T

  • Buy or use unverified email lists
  • Store prospect data outside HubSpot (no spreadsheets, no personal Google Sheets)
  • Share prospect data with third parties without explicit permission
  • Continue contacting a prospect after they've opted out
  • Take credit card details outside Stripe
  • Send unencrypted customer data via email

Breach response

If you suspect a data breach (lost laptop, suspicious email access, prospect data exposed):

  1. Immediate: notify Amir via phone + Slack + email
  2. Within 4 hours: isolate affected accounts; revoke access if needed
  3. Within 24 hours: Airwai assesses the breach scope
  4. Within 72 hours (GDPR requirement if EU data affected): notify supervisory authority
  5. Within reasonable time: notify affected customers

Don't try to handle a breach yourself. Escalate immediately.


Training requirement

Every call-center agent must complete privacy training before live calls:

  • Read this document
  • Pass a 10-question quiz (in training/quiz-and-certification.md)
  • Re-train annually

Recurring privacy training is part of the engagement. The audit trail of completion lives in HubSpot.