Privacy Policy
The Foundation for Artificial Intelligence Rights (“FAIR”, “we”, “our”, “us”) is committed to protecting your privacy and handling your personal data with transparency and care. This Privacy Policy explains what personal data we collect when you visit airights.org.uk, why we collect it, how we use and share it, and the rights you have under the United Kingdom General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
1. Who we are (Data Controller)
FAIR is a UK organisation (registration pending). Scott McCulloch, Founder, is the data controller for personal data collected through this website.
Contact for data-protection enquiries: info@airights.org.uk
2. What personal data we collect, and why
We only collect personal data that you provide voluntarily, plus a small amount of technical information needed to operate the site securely.
| Data | Source | Purpose | Lawful basis (UK GDPR) |
|---|---|---|---|
| Name, email address, organisation, message content | You, when you submit a contact form or write to one of our published email addresses | To respond to your enquiry, register your interest in a programme, or process a Trustee application | Article 6(1)(b) - performance of pre-contractual steps at your request, and Article 6(1)(f) - legitimate interests in operating the charity |
| Trustee declarations (e.g. confirmation you are not disqualified under the Charities Act 2011) | You, on the Trustee application form | To meet our statutory obligations to the Charity Commission | Article 6(1)(c) - legal obligation |
| Aggregate, anonymous traffic statistics (page views, country, device type, referrer) | Plausible Analytics and Cloudflare Web Analytics, automatically | To understand which content is useful and to improve the site | Article 6(1)(f) - legitimate interests |
| Anti-spam signals (e.g. risk score, basic browser characteristics) | Google reCAPTCHA v3, automatically when the contact form is used | To detect and prevent abusive submissions | Article 6(1)(f) - legitimate interests in network and information security |
| Buttondown (Buttondown Inc. - Newsletter) | Stores subscriber email addresses and delivers the FAIR Briefings newsletter | Email address you provide on the subscribe form, the time you subscribed, your subscription status, and aggregate (non-identifying) sending statistics. We do not use tracking pixels or click-tracking | United States, with appropriate UK GDPR transfer safeguards. Lawful basis: your consent |
3. We do not use cookies for tracking
This website does not use any cookies for advertising, profiling, or cross-site tracking. The cookie banner you see on first visit is recording a single preference in your browser’s local storage - not a cookie - so we do not ask you again on every visit. You can clear it at any time from your browser settings.
Strictly necessary technical storage
The accessibility widget (UserWay) and the Google reCAPTCHA service may set their own cookies or use local storage when their respective features are active. These are required for those features to function and are described in Section 5.
4. How we use your data
- To reply to enquiries you send to ask@airights.org.uk, info@airights.org.uk, press@airights.org.uk, or partners@airights.org.uk.
- To process and assess applications to join the Board of Trustees, Working Groups, or as Project Leads.
- To register interest from prospective supporters, partners, volunteers, and donors (donations open after Charity Commission registration).
- To analyse aggregate, non-identifying traffic patterns and improve the website.
- To prevent and investigate spam, abuse, and unauthorised use of our forms.
- To meet our statutory and regulatory obligations as a charitable organisation in formation.
We will never sell, rent, or share your personal data with third parties for their own marketing purposes.
Newsletter (FAIR Briefings). If you subscribe to FAIR Briefings, we use your email address only to send you the newsletter. The lawful basis is your consent. You may withdraw consent at any time by clicking the unsubscribe link in any issue, or by emailing info@airights.org.uk.
4a. Report Your Experience data (special category)
FAIR operates a Report Your Experience channel (/report) through which members of the public can tell us about an experience they have had with AI in a UK public service, school, workplace, or app. Reports submitted through this channel may include special-category data within the meaning of Article 9 UK GDPR (for example, health information, ethnic origin, immigration status, or information about a child).
For Report Your Experience submissions specifically:
- Lawful basis (Article 6): consent (you choose to submit) and legitimate interests (FAIR’s public-interest research mission).
- Special-category condition (Article 9): Article 9(2)(a) explicit consent, supplemented by Article 9(2)(j) and Schedule 1 paragraph 4 of the Data Protection Act 2018 (research in the public interest, with appropriate safeguards).
- Anonymisation: we anonymise and aggregate reports before using them in research, briefings, or campaigns. We do not publish individual reports without your explicit consent.
- Retention: raw submissions are retained for up to 24 months, then deleted. You can request deletion at any time by emailing delete@airights.org.uk.
- Sharing: we do not share your information with the body you are reporting on without your explicit consent. Where a submission discloses a child or vulnerable adult at risk, we will follow our safeguarding policy and may contact the police, NSPCC, or IWF as appropriate (see Safeguarding).
4b. Automated decision-making (DUAA Articles 22A-22D)
FAIR does not make automated decisions about you within the meaning of UK GDPR Article 22A (in force 5 February 2026 under the Data (Use and Access) Act 2025). reCAPTCHA produces a behaviour-based risk score that is reviewed by a human before any decision affecting you is made; the spam filter on our forms is the only automated step, and a human reviews any submission flagged for follow-up. If FAIR ever introduces a system that does carry out solely automated decision-making with significant effects, we will update this notice and provide you with the rights set out in Articles 22B-22D, including the right to be told meaningful information about the logic involved, to make representations, to obtain human intervention, and to contest the decision.
5. Third parties that process data on our behalf
We rely on a small number of established providers (“data processors”) to operate this website. Each is bound by appropriate data-protection terms.
| Provider | Function | Data involved | Location |
|---|---|---|---|
| GitHub Pages (GitHub, Inc.) | Hosts the static website files | Standard server logs, including IP addresses, for security and abuse-prevention purposes | United States, with safeguards under the EU-US Data Privacy Framework / UK Extension |
| Plausible Analytics (Plausible Insights OÜ) | Privacy-friendly, cookieless aggregate site analytics | Anonymised page-view data; no cookies, no personal data, and IP addresses are processed only to derive country and then discarded. Visitors are not tracked across sessions or across other websites. | European Union (Tallinn, Estonia); EU GDPR / UK GDPR safeguards in place |
| Cloudflare (Cloudflare, Inc. - Web Analytics) | Privacy-friendly, cookieless aggregate site analytics (secondary; runs alongside Plausible) | Anonymised page-view data; IP addresses are not stored, and individual visitors are not tracked across sessions | Global edge network with EU/UK endpoints; UK GDPR safeguards in place |
| Formspree (Formspree Inc.) | Receives and forwards contact-form submissions to our email | The information you submit through the contact form (name, email, message) | United States, with appropriate safeguards |
| Google reCAPTCHA v3 (Google LLC) | Protects the contact form from automated spam | Browser characteristics, mouse/keyboard signals, and a behaviour-based risk score; subject to Google’s Privacy Policy and Terms of Service | Global, primarily United States |
| UserWay (UserWay Inc.) | Accessibility widget allowing visitors to adjust contrast, text size, and similar preferences | Anonymous configuration data and, where the visitor activates the widget, a small amount of preference storage | United States / Israel |
| Microsoft 365 (Microsoft Corporation) | Hosts the email accounts that receive your enquiries | Your email content and metadata, once it reaches our inbox | United Kingdom and European data centres |
| Google Search Console (Google LLC) | Reports search-engine indexing and crawl status of our pages | Aggregate, non-identifying search query and impression data; no individual visitor data | Global, primarily United States |
6. International transfers
Some of the providers above are based outside the United Kingdom. Where personal data is transferred internationally, we rely on transfer mechanisms recognised under the UK GDPR - including the UK’s International Data Transfer Agreement, the UK Extension to the EU-US Data Privacy Framework, or Standard Contractual Clauses with appropriate supplementary measures. You can request a copy of the relevant transfer documentation by writing to info@airights.org.uk.
7. How long we keep your data
- Enquiry correspondence - retained while your matter is open and for up to 3 years afterwards, then deleted.
- Trustee applications - successful applications are kept for the duration of the appointment plus 7 years (Charity Commission record-keeping). Unsuccessful applications are deleted within 12 months unless you ask us to keep them on file.
- Membership and partner registrations of interest - retained for 3 years from last contact, then reviewed.
- Aggregate traffic analytics - retained by Plausible and Cloudflare in anonymised, non-identifying form (Plausible typically holds aggregate page-view counts indefinitely as no personal data is collected; Cloudflare retains anonymised counts on a rolling basis, typically 6 months). FAIR does not hold an identifiable copy.
- Server and security logs - retained for the period set by the relevant provider for security and abuse-prevention purposes.
We may retain certain records for longer where required to comply with a legal obligation or to establish, exercise, or defend legal claims.
8. How we protect your data
We use HTTPS across the entire website, restrict access to enquiry inboxes to named individuals, enable multi-factor authentication on all administrative accounts, and choose providers that maintain industry-standard information-security practices. No system is ever completely secure, and we will notify you and the Information Commissioner’s Office (ICO) without undue delay if a personal-data breach is likely to result in a risk to your rights and freedoms, in accordance with Article 33 UK GDPR.
9. Your rights
Under the UK GDPR you have the right to:
- Be informed about how we use your data - this Policy is our way of doing that.
- Access a copy of the personal data we hold about you.
- Rectify any inaccurate or incomplete data.
- Erase your data (“the right to be forgotten”), where the lawful basis for our processing no longer applies.
- Restrict our processing of your data in certain circumstances.
- Object to processing carried out on the basis of legitimate interests.
- Data portability: receive your data in a structured, machine-readable format.
- Withdraw consent at any time, where consent is the lawful basis for processing.
- Lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ico.org.uk, 0303 123 1113).
To exercise any of these rights, contact info@airights.org.uk. We will respond within one calendar month.
10. Children
Our website is intended for adults working in or with an interest in AI policy, law, and governance. We do not knowingly collect personal data from anyone under the age of 16. If you believe we have done so, please contact us and we will delete it.
11. External links
The website contains links to external sites (including news outlets, partner organisations, and document resources). We are not responsible for the privacy practices of those sites, so please consult their own privacy notices.
12. Changes to this Policy
We may update this Privacy Policy from time to time, for example when we add new functionality or change a provider. The “Last updated” date at the top of this page will reflect the most recent revision. Material changes will be flagged on the homepage and, where appropriate, notified to you by email.
13. Contact
Questions, requests, or complaints about this Privacy Policy or our handling of your data can be sent to:
Scott McCulloch, Founder & Data Controller
The Foundation for Artificial Intelligence Rights (FAIR)
Email: info@airights.org.uk