Privacy Policy

Introduction

This Privacy Policy describes how Airnest (the “Company”, “we” or “us”) collects, uses, discloses, and protects personal data in the course of its real estate management and related services. Airnest REIM is the trading name of a European real estate management group comprising MY AIRNEST LTD (United Kingdom), MY AIRNEST SASU (France), and ECLIPSE VENTOSO U. LDA (Portugal). These entities jointly determine the purposes and means of processing personal data and therefore act as joint controllers under the EU General Data Protection Regulation (GDPR) . We have transparently allocated our respective responsibilities for GDPR compliance through an internal arrangement in accordance with Article 26 GDPR, including duties such as handling data subject requests and providing privacy notices . (The essence of this arrangement is available upon request.) Importantly, no matter which Airnest entity you engage with, you can exercise your data protection rights in respect of and against any of us as joint controllers . We have also designated a central contact point for all privacy-related inquiries at contact@airnest-reim.com, which you can use to reach us regarding any questions or requests (see the Contact Us section below) .

Airnest is committed to protecting your personal data and processing it lawfully, fairly, and transparently, in full compliance with the GDPR and applicable data protection laws. This Policy applies to all personal data we process about clients, prospective clients, website users, and other individuals who interact with us (collectively, “data subjects”). Please read it carefully to understand our practices regarding your personal data. By engaging with our services or using our website, you acknowledge the terms of this Privacy Policy. If you do not agree with any aspect of this Policy, please discontinue use of our services or website. We may provide additional privacy notices on specific occasions (for example, particular web forms or contracts), which should be read together with this Policy.

Personal Data We Collect

Personal data means any information relating to an identified or identifiable natural person . We collect various categories of personal data about you, either directly from you (for instance, when you fill out a form or communicate with us) or automatically through your interactions with our website. In particular, the types of personal data we may collect include:

• Identification and Contact Data: Information that helps us identify or contact you, such as your name, postal address, email address, telephone number, and other similar identifiers . This category also encompasses professional identification details if you represent a company (for example, your job title or company name) and any login credentials or account IDs if our services require account creation.

• Project-Related Data: Details you provide or that we obtain in connection with the real estate projects, transactions, or services you are interested in or engage us for. This may include information about properties (e.g., property addresses, descriptions, valuations), investment or project requirements and criteria, tenancy or ownership information, transaction details (such as rental agreements, purchase offers, or contract terms), and any other personal information you share with us about your real estate needs or plans. For example, if you inquire about a property or a management service, we may collect information about that property and your objectives to better serve you.

• Marketing and Communications Data: Your preferences regarding receiving marketing from us and your communication preferences. This includes records of your subscriptions to newsletters or updates, your responses to marketing campaigns, event attendance or participation in any promotions, and information you provide to us for marketing purposes (such as your areas of interest in real estate). We also keep track of whether and how you interact with our marketing communications (for instance, whether you opened an email or clicked a link) to gauge engagement and improve our outreach (only if permitted by applicable law and, where required, based on your consent). Any time you choose to opt out of marketing, we will record and respect that preference.

In addition to the data you actively provide, we collect certain information automatically when you visit our websites or use our online services:

• Technical and Usage Data: Information about your device and how you use our website. This can include your Internet Protocol (IP) address, browser type and version, device type, operating system, language settings, time zone, and other technical information transmitted by your browser. We also gather data about your usage of our site, such as the pages or content you view, the dates and times of your visits, the page response times, download errors, the length of visits on certain pages, page interaction information (like scrolling, clicks, and mouse-overs), and referring/exit URLs . This information helps us understand how users navigate our site and enables us to improve its functionality and performance. Some of this usage data may be collected via cookies and similar tracking technologies (described in more detail in the Cookies and Tracking Technologies section).

• Cookie Data: Data stored in or collected by cookies and similar technologies. Cookies are small text files placed on your device when you visit a website, which allow that website (or a third party) to recognize your device and store some information about your preferences or past actions . The cookie data we collect may include unique identification tokens or codes, browsing preferences (such as your language or region), and information about your interaction with our website or ads. For example, cookies can track which pages you visited and for how long, or remember your login information so you don’t have to re-enter it each time. We use both first-party cookies (set by our own website) and third-party cookies (set by service providers) for various purposes including ensuring the site works properly, analytics, and advertising (see Cookies and Tracking Technologies section below for details). Cookie data, when linked with other information about you (like an IP address or a user account), can be considered personal data, and we treat it as such.

Please note that we do not typically collect any special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health information, or biometric data) in the ordinary course of our business. Nor do we intend to collect information from children, as our services are directed at adults in a professional context. If you provide us with personal data of another person (for example, you give us someone’s contact details for a project or refer a client), you must ensure you have that individual’s permission or another valid legal basis to share their data with us. We will handle that data in accordance with this Policy.

Purposes of Data Processing

We use the personal data we collect for a variety of legitimate business purposes, all in accordance with GDPR principles. The specific purposes for which Airnest processes your personal data include:

1. Providing Services and Responding to Inquiries: We process personal data to respond to your requests, inquiries, and applications, and to provide our real estate management and advisory services. For example, if you fill out a contact form on our website or reach out by email/phone, we will use your Identification and Contact Data to communicate with you and address your questions. If you express interest in a property or investment opportunity (a form of lead generation for our services), we will use the information you provided (including Project-Related Data) to assess your needs and provide appropriate proposals or advice. Should you decide to engage our services, we will process necessary personal data to carry out that contract – including handling any bookings, appointments, or property viewings you schedule with us, and managing transactions such as property management agreements or investment deals. In doing so, we keep records of our communications and interactions with you (emails, call logs, meeting notes) to ensure continuity of service and to maintain a professional business relationship.

2. Marketing and Promotional Communications: With your consent or as otherwise permitted by law, we use personal data for marketing purposes. This means we may use your name and contact details to send you newsletters, industry updates, information about real estate projects, or special offers and events related to our services. These communications are intended to inform you about products or services that might interest you, new developments at Airnest, or invitations to seminars and client events. We strive to send communications that are relevant to you; therefore, we may tailor our marketing messages based on your preferences, past interactions, or project history. For instance, if you have indicated an interest in French rental properties, we might send you targeted information about new opportunities in France. We will always honor your choice regarding marketing: if you opt in, you can expect to hear from us periodically, and if you opt out or unsubscribe, we will stop using your data for this purpose. (Each marketing email we send will include an easy way for you to unsubscribe or manage your preferences.) We do not engage in indiscriminate mass-mailing; our marketing efforts are measured and in line with applicable spam and privacy regulations. Note that if you are an existing customer, in some cases we may rely on our legitimate interests to send you marketing about similar services, but you will always have the right to object or unsubscribe, as detailed in the Your Rights section.

3. Analytics and Service Improvement: We constantly seek to understand and improve how our services are used. To that end, we process Technical and Usage Data (much of which is collected via cookies or analytic scripts) to perform analytics on our website and business operations. We use analytic tools (for example, Google Analytics or similar platforms) to collect information about website traffic and user behavior. This helps us learn which pages or content are most popular, how users move through our site, and whether our site content is effective. By analyzing this data, we can troubleshoot performance issues (like identifying and fixing pages that load slowly or frequently cause errors) and enhance the user experience. Analytics also guide our decisions on improving features, design, and content to better serve our visitors’ needs. All analysis is done in aggregate or pseudonymized form wherever possible. In addition, we might analyze data about client engagements (for example, the types of projects clients inquire about most) to refine our service offerings and business strategy. Importantly, when using analytics, we do not attempt to identify you individually beyond the scope necessary for our relationship; the insights we derive are generally statistical in nature. If our analytics tools involve the use of non-essential cookies or similar trackers, we will obtain your consent through our cookie banner before deploying them.

4. Advertising and Retargeting: We may use personal data to conduct limited advertising activities for our services. This can include using cookies and third-party advertising networks to show you relevant ads. For example, we might participate in remarketing campaigns so that, after visiting our website, you may see advertisements for Airnest on other websites or social media platforms. These campaigns often involve platforms like Google Ads or social media services (e.g., Facebook/Meta) and rely on cookie identifiers or pixels that track your browser in order to serve ads based on your past interactions with us. Such advertising data is typically pseudonymous (we do not disclose your name to the advertising platforms; instead, a unique code is used). Advertising cookies placed on your device through our site (with your consent) allow our partners to build a profile of your interests and display ads that are more relevant to you . For instance, if you browsed a page about property investments, we might later target you with an advertisement highlighting a new investment opportunity. We ensure that any third-party advertising partners we use are compliant with privacy laws, and we provide you with appropriate controls: you can manage your cookie preferences via our consent banner (to opt in/out of advertising cookies), and you can exercise your right to object to direct marketing at any time (see Your Rights below). Please note that even if you opt out of targeted ads, you may still see non-personalized generic ads from us on other platforms (but they will not be tailored to you).

5. Business Operations and Legal Compliance: Beyond the core service and marketing purposes, we also process personal data as necessary to run and protect our business, and to comply with our legal obligations. This includes using data for internal administration (such as accounting, invoicing, and record-keeping). For example, when you become a client, we will retain transaction records and correspondence as part of our business files, and to comply with financial reporting and audit requirements. We may also need to process certain personal data to fulfill our duties under laws and regulations – for instance, to conduct anti-money laundering (AML) and know-your-customer (KYC) checks as required in real estate transactions, or to report certain information to tax authorities or regulators if the law compels us. Additionally, we process data to ensure the security of our websites, systems, and premises. This can involve activities like monitoring for and preventing fraud, cyber-attacks, or other malicious activities; deploying security measures such as firewalls and access controls that may log user access information; and, if you visit our offices, possibly collecting basic identification details for security or visitor management. If necessary, we will also use personal data to establish, exercise, or defend legal claims. For example, should any dispute arise between you and us, or if we need to enforce our terms and conditions, we may retain and use relevant data (like communications records or contract details) to support our position in legal proceedings. We will only process the necessary data for these compliance and protection purposes and will do so in line with applicable laws.

We will not use your personal data for any purposes that are incompatible with the ones described above. If we ever need to process your data for a new purpose that is not covered by this Privacy Policy, we will, if required by law, inform you and obtain your consent before doing so.

Legal Bases for Processing

Under the GDPR, every processing activity of personal data must have a valid lawful basis. We ensure that we have at least one of the following legal bases in place for each use of your personal data, as appropriate :

• Consent: In certain cases, we rely on your consent. For instance, if you subscribe to our newsletter, fill out optional forms, or accept non-essential cookies, we process the relevant personal data based on your freely given, specific, informed, and unambiguous consent. You have the right to withdraw your consent at any time (see Your Rights below), and we will cease processing your data for the purpose you originally consented to once you have withdrawn consent. Examples of processing based on consent include sending marketing emails to a new prospect (when consent is required by law) or placing analytics/advertising cookies on your device (where you have chosen to “Accept” via our cookie banner). We will make it clear when we are requesting your consent and for what purpose, and we will not assume consent from silence or pre-ticked boxes.

• Contractual Necessity: Much of our data processing is done on the basis that it is necessary to perform a contract with you, or to take steps at your request before entering into a contract. When you become our client (or take concrete steps towards becoming one), a contract is or will be in place – for example, a property management agreement, investment advisory contract, or rental brokerage agreement – and we must process your personal data to fulfill our obligations under that contract. This includes uses of data to provide the services you requested, to communicate with you about those services, and to carry out transactions. Likewise, if you ask us to do something before formally signing a contract (such as providing a consultation or customizing a service proposal), we will process personal data as needed to fulfill your request. Without this data, we would not be able to provide our services or enter into contracts with you. In summary, any processing that is integral to delivering our services and products, or to managing our client relationships and accounts, is grounded in contractual necessity.

• Legal Obligation: Some processing is necessary for us to comply with our legal obligations. As a business operating in multiple jurisdictions, Airnest is subject to various laws (e.g., corporate laws, tax laws, anti-money laundering regulations, employment laws, and others) that may require the processing or retention of personal data. For example, when we process payments or engage in financial transactions, we must comply with laws relating to fraud prevention and financial record-keeping, which might involve verifying identities and keeping transaction records for a certain number of years. If authorities or regulators (such as tax offices or data protection regulators) require us to report or disclose personal data (perhaps in the context of an audit or an investigation), we will do so to the extent the law mandates. Another example is that real estate and property management activities can trigger specific legal requirements (like verifying the identity of buyers or tenants under AML/KYC laws); we process personal data to the extent necessary to meet these requirements. In all such cases, the law is the basis for processing – we will not delete or refuse to collect certain data if doing so would mean we are violating a legal obligation. We only process what is necessary for compliance and ensure we have robust measures to handle the data securely as required by these laws.

• Legitimate Interests: We process some personal data under the legitimate interests legal basis. This means that we have assessed that there is a genuine and legitimate reason for the processing, and that our processing is necessary to achieve it, while also ensuring that your fundamental rights and interests are not overridden. We rely on legitimate interests, for example, to conduct analytics and improvements of our services (as described above), to secure our IT systems and prevent fraud, to send marketing communications to our existing clients about similar services (subject to your right to opt-out), and to share data within the Airnest corporate group for internal administrative purposes. We may also cite legitimate interests when engaging service providers to process data on our behalf, or when communicating with you in the context of a negotiation or potential business relationship (where you would reasonably expect such processing). We carefully consider any potential impact on you (both positive and negative) before relying on legitimate interests, and we will refrain from or limit processing if we determine your interests or rights would outweigh ours. Direct marketing in particular is an interest we may pursue on this basis, and the GDPR (Recital 47) explicitly recognizes that processing personal data for direct marketing may be regarded as carried out for a legitimate interest . If we use legitimate interest for sending you marketing, it would typically apply if you are an existing customer or in a context where you would reasonably expect marketing, and always with a clear opt-out option available. Remember, you have the right to object to any processing we carry out on the grounds of legitimate interests (see Your Rights), and if you do so, we will review your objection seriously and stop or adjust processing unless we have compelling legitimate grounds to continue.

There may be situations where more than one of the above bases could apply at the same time – for example, we might initially process your data under legitimate interest (to respond to an inquiry), and later that same data is processed under a contract (when you become a client), and some of it might also need to be retained under a legal obligation (for compliance). We ensure that for each purpose, an appropriate legal basis is identified and documented. If we ever need to process your personal data for a purpose that requires your consent and we haven’t already obtained it, we will ask you for consent before proceeding. Conversely, if we rely on legitimate interests and you object, we will either cease the processing or explain why we believe our grounds override your rights (in line with legal requirements). Our aim is to be fully accountable under GDPR for all data processing activities and to give you confidence that your data is handled lawfully at all times.

Third-Party Service Providers and Data Sharing

Airnest may share your personal data with third parties in certain circumstances, but always under controlled conditions and with appropriate safeguards. We do not sell or rent your personal data to unrelated parties for their own use. Any sharing of data is limited to achieving the purposes outlined above or to fulfilling legal obligations. The types of third parties we work with include:

• Service Providers (Processors): We employ trusted third-party companies to perform services on our behalf that involve processing personal data – these include IT and hosting companies, customer relationship management platforms, marketing and analytics providers, and professional advisors. These third parties act as our data processors, meaning they process data only under our instructions and for our specified purposes. For example, we use HubSpot, a customer relationship management (CRM) and marketing automation platform, to manage our client contacts and email communications. When you submit a form on our site or sign up for a newsletter, your information may be stored in HubSpot’s systems. HubSpot processes that data strictly on our behalf and has committed to GDPR compliance in its role as a processor (including by incorporating the latest EU Standard Contractual Clauses for data transfers) . We also utilize analytics services such as Google Analytics (provided by Google) to collect and analyze website usage data; in doing so, Google acts as a processor for us, and we have configured the service in compliance with GDPR (including IP anonymization where applicable and data processing terms with Google). Our website hosting is provided through our web platform (Framer) and underlying cloud infrastructure – when you visit our site or submit information, the data is stored on servers operated by our hosting providers. These providers may process technical data like server logs (which include IP addresses and timestamps) to ensure the site’s stability and security, acting on our behalf. We have entered into Data Processing Agreements (DPAs) or equivalent contractual terms with all our processors, obligating them to safeguard your data, use it only for the agreed purpose, and to maintain confidentiality and appropriate security measures. In the event any processor is located outside the EU (see International Data Transfers below), we ensure lawful transfer mechanisms are in place.

• Airnest Group Companies: As noted, Airnest comprises multiple legal entities in the UK, France, and Portugal. Your personal data may be shared between these affiliated companies as needed to provide services or for internal administration. For instance, if you inquire about a project in France but are initially in contact with our UK office, we might share your details with MY AIRNEST SASU in France to have local experts respond or handle the project. All Airnest entities have agreed to adhere to a uniform level of data protection. We treat intra-group data sharing as processing under joint controller arrangements – each entity is committed to GDPR compliance, and our internal agreements ensure your data will receive the same level of protection regardless of which group member handles it. You can exercise your rights against any branch of Airnest (as detailed in Your Rights), and we will cooperate internally to fulfill your request . Transfers of data between our entities will follow the requirements of GDPR and any national laws (and are covered by appropriate safeguards, especially for UK-EU transfers as described later).

• Professional Advisors and Partners: On occasion, we may need to share certain data with our professional advisors (such as lawyers, accountants, or auditors) or with business partners and consultants. For example, if we are undergoing a financial audit, the auditors might need to review some records that include personal data (e.g. transaction records). Similarly, if you are involved in a real estate transaction that includes third parties (like notaries, insurance brokers, or co-investors), we might share your information with them to facilitate the transaction (with your knowledge or as part of the service). We ensure any such third parties receiving data are bound by confidentiality obligations. In many cases, these recipients will be independent controllers of the data we provide to them (for instance, a law firm advising on a contract will independently be responsible for how it protects your data in its possession). We only share the minimum information necessary in each case and expect these parties to handle the data lawfully.

• Authorities and Legal Disclosure: We may disclose personal data to government bodies, regulatory authorities, courts, or law enforcement agencies if required to do so by law or pursuant to a valid legal process (legal obligation basis). For example, we might receive a court order or subpoena requiring disclosure of certain client records, or we may need to cooperate with data protection authorities or respond to an investigation. We will carefully review each request to ensure it has an appropriate legal basis and only then comply to the extent necessary. Where possible and lawful, we may inform you of such requests. Additionally, if it is necessary to disclose data to protect our rights or the rights of others (for instance, to prevent harm or in the context of a significant corporate transaction like a merger or acquisition), we will do so in accordance with data protection law.

In all cases of data sharing, we adhere to the principle of data minimization – we only share the information that is relevant and necessary for the purpose at hand. We also choose our service providers and partners very carefully. Each of our vendors is evaluated for their data protection posture, and we strive to work only with those who meet high standards of security and privacy. We enter into contracts that impose GDPR-equivalent obligations on them, including keeping data confidential and secure, and assisting us with fulfilling data subject rights requests. We remain responsible for the protection of your data even when it is processed by our service providers, and we monitor and audit their compliance as needed. Our careful selection and oversight of processors ensures that recipients of your personal data are bound to use it only for legitimate purposes in line with this Policy and applicable law .

We also want to be transparent that some of the third parties we use (like certain analytics or advertising providers) might, with your permission, set their own cookies or tracking technologies on our website to assist with their services. These third parties may collect information directly from your browser as you interact with our site (for example, Google Analytics collects usage data, or Facebook might collect data via a “Like” button). Such parties may act as independent controllers for some processing they do (for instance, Google and Facebook have their own responsibilities under GDPR when using the data for their purposes). We encourage you to review the privacy notices of any third-party services we integrate (e.g., HubSpot, Google, Facebook) to familiarize yourself with their practices. However, note that we will never allow third parties to use your data for their own marketing or other purposes without your consent; any third-party collection on our site is only for the purposes we’ve engaged them for (like analytics or social media functionality). If you have questions about our specific service providers or partners, you can contact us for more information.

International Data Transfers

Given the international scope of our operations and the location of some third-party service providers, your personal data may be transferred to, and stored or processed in, countries outside the European Economic Area (EEA). In particular, two scenarios warrant attention: (1) transfers within our own corporate group between the EU and the UK, and (2) transfers to our external service providers in non-EEA countries (notably the United States).

UK-EU Data Transfers: One of our group companies, MY AIRNEST LTD, is based in the United Kingdom. Although the UK is no longer part of the EU, the European Commission has formally decided that the UK’s data protection regime is adequate to allow the free flow of personal data from the EU/EEA to the UK . In other words, data transfers from our EU entities (like the French or Portuguese subsidiaries) to our UK entity (or vice versa) are permitted under GDPR on the basis of this adequacy decision, as the UK is recognized as providing an essentially equivalent level of data protection to that of the EU. This adequacy finding took effect on 28 June 2021 and, under the current terms, is expected to last until at least 27 June 2025 (subject to renewal or revocation by the European Commission). We continuously monitor the legal status of UK-EU data flows and, should the adequacy status change, we will implement alternative safeguards (such as Standard Contractual Clauses) to ensure continuity of compliant transfers. For completeness, we note that data transferred within our group is protected by internal agreements binding all Airnest entities to respect EU data protection standards, so whether your data is handled in Lisbon, Paris, or London, it will receive the same level of protection.

Transfers to Other Third Countries (e.g., U.S.): Some of our external partners and service providers are located outside the EEA (or may process data outside the EEA). For example, as mentioned, we use HubSpot and Google Analytics – services provided by companies headquartered in the United States – which means personal data (such as contact details or website usage data) might be transferred to servers in the U.S. or otherwise accessed from the U.S. The GDPR requires that when personal data is exported from the EU/EEA to a country that has not been deemed adequate by the European Commission (the U.S., for instance, did not have a blanket adequacy until recently), the data must still be afforded an EU-standard of protection through appropriate safeguards. Airnest employs the following safeguards for international transfers in absence of an adequacy decision:

• Standard Contractual Clauses (SCCs): We incorporate the European Commission’s approved Standard Contractual Clauses into our contracts with non-EEA data recipients wherever required . These SCCs are legal instruments that obligate the foreign recipient to protect personal data in line with EU data protection principles and grant enforceable rights to data subjects. Following the Schrems II decision and subsequent updates, we use the modern EU SCCs (as updated in 2021) for our new contracts and have updated existing contracts accordingly. For example, our Data Processing Agreement with HubSpot includes the latest SCCs, which means HubSpot is contractually bound to uphold EU privacy standards when it processes European personal data . Similarly, for any other U.S.-based vendor (such as cloud storage or IT support services), we ensure SCCs are in place unless the vendor can rely on an alternative approved mechanism.

• Data Privacy Framework and Other Certification Mechanisms: We acknowledge the introduction of the EU-U.S. Data Privacy Framework (DPF) in 2023, which provides a new mechanism for EU-U.S. data transfers for certified companies. Where our U.S. partners have certified to the DPF principles, we consider this an additional layer of protection. For instance, HubSpot has self-certified under the EU-U.S. DPF, affirming that it adheres to the principles for data received from the EU and UK . In practice, this means there are governmentally recognized safeguards and oversight in how HubSpot handles EU personal data, and an avenue for you to seek recourse if needed. We will similarly favor vendors who are part of such frameworks or who offer robust commitments to data protection. (Should the Privacy Framework or any certification be invalidated or withdrawn, we will fall back on SCCs or other solutions to maintain compliance.)

• Binding Corporate Rules and Others: In some cases, large multinational service providers may have Binding Corporate Rules (BCRs) approved by EU authorities, which allow intra-company transfers globally. If any of our processors or partners rely on BCRs, we treat that as a valid safeguard as well. For example, a global cloud provider might operate under BCRs for its group entities worldwide – in such cases, transferring data to their infrastructure is covered by those rules that ensure GDPR-level protections. We also remain attentive to any other mechanisms provided under Article 46 GDPR, such as codes of conduct or certification schemes (though these are less common so far).

Before transferring any personal data internationally, we evaluate the legal context and practical circumstances of the transfer. This often involves conducting a transfer impact assessment to determine whether additional supplementary measures are needed to protect the data (for instance, encryption in transit and at rest, minimizing the data leaving the EEA, etc.). Our goal is to ensure that, wherever your data travels, it remains secure and your privacy rights are preserved.

If in the future we wish to transfer personal data to a country that does not offer an adequate level of protection and none of the above safeguards are feasible, we would only do so under the narrow derogations allowed by GDPR Article 49 (such as with your explicit consent or if the transfer is necessary for the performance of a contract at your request, etc.). Such cases are rare and would be clearly communicated to you.

You have the right to request more information about our international data transfers and the safeguards we have put in place. For instance, we can provide copies of the relevant contractual clauses or point you to relevant certification references (subject to redacting commercial sensitive information). To make such an inquiry, please contact us at our provided contact points. Rest assured, regardless of where your data is processed, Airnest will ensure it benefits from a high standard of protection consistent with EU law.

Data Retention

We will retain your personal data only for as long as necessary to fulfill the purposes for which we collected it, as outlined in this Privacy Policy, and to satisfy any legal, accounting, or reporting requirements . In practice, this means that different types of data may be kept for different periods, depending on the purpose and context of their processing. We have established internal data retention guidelines that classify personal data into categories and assign retention periods for each, taking into account the principle of storage limitation under GDPR.

For example, personal data related to a contract and service delivery (such as your identity, contact details, and records of the services provided) will typically be kept for the duration of the contractual relationship and thereafter for a certain period required or allowed by law. This post-contract retention period might be dictated by statutes of limitation (to defend against any legal claims) or by regulatory retention obligations. For instance, financial and transaction records are often required by tax laws to be retained for X number of years (exact duration varies by country; commonly 6-10 years) – we will retain relevant data at least for such minimum periods . Correspondence and project files may likewise be archived for a period after our engagement ends, in case follow-up queries or issues arise.

Personal data collected for marketing purposes (such as your email address for newsletters) will be kept until you unsubscribe or otherwise object to marketing, or until it’s clear that our communications are inactive. If you opt out of marketing, we may keep your contact details on a suppression list indefinitely to ensure we respect your no-contact request. If you have given consent for marketing and then withdraw it, we will document the withdrawal and cease marketing processing for you, but we may retain a record of your consent withdrawal (email, date, etc.) as proof of compliance. In the absence of an opt-out, we periodically cleanse our marketing lists to remove contacts who have not engaged with our communications for a long time (we define an appropriate inactivity period for this and will remove or anonymize data accordingly).

Personal data used for analytics is often aggregated or anonymized after collection, and in such form, it may be kept indefinitely since it no longer identifies you. Raw analytic logs or identifiable data (like full IP addresses in server logs) are retained for a shorter period – typically just a few months – unless we need to keep them longer to investigate security incidents or improve the service. For example, web server logs containing IP addresses might be kept for, say, 90 days for troubleshooting, then automatically deleted or anonymized, unless an issue under investigation requires extending retention temporarily.

When personal data reaches the end of its retention period, or if we determine that we no longer need it (whichever comes first), we will take steps to securely dispose of it. This means that we will either delete the data from our active systems and backups or irreversibly anonymize it so that it can no longer be associated with an individual. We use appropriate deletion techniques, and where third-party processors are involved, we require them to delete or return the data as well. In cases where data cannot be completely erased from backups or archives, we ensure it is isolated and protected from any further use until those systems eventually cycle out the information .

It’s important to note that in some circumstances, we may retain data for longer than the default periods: for instance, if a litigation hold or similar legal preservation order is in place (meaning we are aware of potential legal proceedings requiring evidence to be preserved), we will retain the data until that issue is resolved, even if it exceeds our normal schedule. Another example is if you exercise your right to erasure – we will delete the data requested unless an exemption applies (e.g., we need to keep it to comply with a legal obligation); we will inform you if such an exemption is the reason for not fully complying with an erasure request.

In summary, we implement a policy of not keeping personal data in identifiable form for longer than necessary. We balance our need to fulfill the purpose, our clients’ expectations, and our legal duties with the impact on your privacy. By doing so, we reduce the risk of outdated or irrelevant data being kept and ensure that we’re not holding large amounts of data without justification. If you have specific questions about how long we keep a particular type of data, you are welcome to contact us for more information.

Your Rights as a Data Subject

As an individual whose personal data is processed by Airnest, you are a “data subject” under the GDPR (and analogous laws) and enjoy specific rights aimed at giving you control over your personal data. We respect and uphold these rights. They include :

• Right of Access: You have the right to request confirmation as to whether we are processing personal data about you, and if so, to access that personal data . This is often called a “Data Subject Access Request.” You may ask for a copy of the personal data we hold on you, and we will provide it to you along with information about what we use it for, who we disclose it to, how long we intend to store it, and the safeguards we apply if we transfer it abroad, among other details mandated by Article 15 GDPR. We will provide the first copy free of charge, but as permitted by law, we may charge a reasonable fee for additional copies or repetitive requests. We may also ask for more information to verify your identity or to clarify the scope of your request (for example, if you only want info related to a specific interaction).

• Right to Rectification: If you believe that any personal data we hold about you is incorrect or incomplete, you have the right to request that we correct (rectify) it . This includes the ability to have incomplete data completed (you can provide a supplementary statement to do so). For example, if we have the wrong spelling of your name or an outdated phone number, please inform us and we will update it. We strive to keep data accurate and up-to-date, and appreciate your assistance in maintaining the correctness of your records.

• Right to Erasure: Commonly known as the “right to be forgotten,” this right entitles you to request the deletion of your personal data in certain circumstances . You can ask us to erase your personal data if: (a) it is no longer necessary for us to hold that data in relation to the purposes for which it was originally collected or processed; (b) you originally gave consent to processing and have now withdrawn consent, and we have no other lawful basis to continue processing; (c) you have objected to processing (see the “Right to Object” below) and we have no overriding legitimate grounds to continue; (d) we have processed your data unlawfully; or (e) the data must be erased to comply with a legal obligation. We will assess your request against the criteria in Article 17 GDPR, and if one of these grounds applies, we will erase the data. However, please be aware that the right to erasure is not absolute – there are exceptions. For example, we might retain certain data if needed to comply with a legal obligation (e.g., we cannot delete data that we are required to keep by law, such as certain finance records) or to establish, exercise, or defend legal claims. When responding, if we cannot fulfill part of your request due to an exception, we will inform you about it.

• Right to Restriction of Processing: You have the right to request that we restrict (i.e., suspend) the processing of your personal data in certain scenarios . This means that while we would store your data, we would temporarily stop doing anything else with it. You can ask for restriction if: (a) you contest the accuracy of your personal data – in this case, we’ll restrict processing while we verify the accuracy; (b) the processing is unlawful, but you prefer restriction over erasure; (c) we no longer need the data but you need us to keep it for the establishment, exercise, or defense of legal claims; or (d) you have objected to processing (see below), and verification of overriding grounds is pending. If processing is restricted, we will mark the data as such and only process it (aside from storing it) with your consent, or for legal claims, or for protecting the rights of another person, or for important public interest reasons. We will also inform you before lifting a restriction.

• Right to Data Portability: To the extent that we process your personal data by automated means based on your consent or on a contract with you, you have the right to receive that personal data from us in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller . In practice, this means you can ask us to provide you (or a third party you designate) with an electronic file of the personal data that you have provided to us and that we process electronically on the aforementioned bases. For example, if you provided us with a set of data as part of a contract and we process it in our systems, you may request a copy of that in a CSV or JSON format to transfer to a new service provider. Where technically feasible, you may also request that we transfer the data directly to another company, if our systems support such direct interoperability. Please note that the right to portability applies to the data you actively provided, and also to data generated by your activity (e.g., raw usage logs tied to your account), but it does not apply to data we derive or infer about you (like internal analyses or notes).

• Right to Object: You have the right to object to certain types of processing of your personal data, on grounds relating to your particular situation . The two main situations where this applies are: (a) Direct Marketing – You can object at any time to processing of your personal data for direct marketing purposes, including any profiling related to such direct marketing. If you object, we will cease using your data for marketing purposes immediately, as this is an absolute right. For example, if you object to receiving marketing emails or targeted ads, we will remove you from our marketing lists (note: for emails you can also directly unsubscribe). (b) Legitimate Interests Processing – When we process data on the basis of our legitimate interests (or those of a third party), you have the right to object if you feel our processing impacts your rights or freedoms. Upon your objection, we will stop processing the personal data in question unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms or if the processing is for the establishment, exercise, or defense of legal claims. In other words, if you object to something like data analytics that we justify by legitimate interest, we will evaluate whether our reasons (e.g., ensuring our website’s functionality and security, or improving our services) outweigh your privacy concerns. If they do not, we will accommodate your objection (for instance, by excluding your data from the analysis). In any event, we will respond to inform you of what action we have taken or the justification if we continue processing.

• Right not to be subject to Automated Decision-Making: The GDPR gives you the right not to be subject to a decision based solely on automated processing, including profiling, if it produces legal effects concerning you or similarly significantly affects you. In simple terms, this means that if we ever were to use algorithms or AI to make important decisions about you without human intervention, you would have the right to challenge those decisions or request human review. However, Airnest currently does not make any solely automated decisions that have legal or significant effects on individuals. Any important decision regarding our relationship (such as onboarding you as a client or customizing a service offering) involves human deliberation. We will notify you if this policy changes and ensure compliance with Article 22 GDPR.

• Right to Withdraw Consent: Where we process your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of any processing done before you withdrew, but it means we will stop the specific processing going forward. For example, if you gave consent for receiving our newsletter, you can withdraw it by unsubscribing, after which we will cease sending you the newsletter. There is no formal requirement for how to withdraw consent – you can contact us through any channel to let us know (though we recommend writing so we have a record). Some services also provide easy technical means, e.g., toggling off certain settings or using the unsubscribe link. We will honor the withdrawal promptly and update our systems accordingly.

To exercise any of your rights, please contact us using the information provided in the Contact Us section below (email is preferred for a clear record). We may ask you to verify your identity (to ensure we don’t disclose data to the wrong person) and to clarify your request if it’s not specific. We will respond without undue delay and in any event within one month, as required by GDPR, although we may extend this period by two further months for complex or numerous requests (we will inform you if an extension is needed and explain why).

Please note that some rights are subject to qualifications and exceptions under the law. If we decline to act on your request, either in full or in part, we will explain the reason to you (e.g., if you request deletion of data which we are required by law to keep, we will inform you of that obligation). Typically, however, we try to accommodate rights requests to the fullest extent possible.

Right to Complain: If you are dissatisfied with how we have handled your personal data or any request or inquiry related to your personal data, you have the right to lodge a complaint with a Data Protection Supervisory Authority. You may do so in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement (you have a choice). For instance, a French resident can complain to the CNIL (Commission Nationale de l’Informatique et des Libertés), a Portuguese resident to the CNPD (Comissão Nacional de Proteção de Dados), a UK resident to the ICO (Information Commissioner’s Office), etc. If you reside elsewhere, you can contact the relevant authority in that jurisdiction. We would, however, appreciate the chance to address your concerns before you approach a regulator – so please consider reaching out to us first, and we will do our best to resolve any issue. Nonetheless, you always have the right to complain directly to a supervisory authority, and if you believe we are not complying with our obligations, we encourage you to exercise that right .

We take your rights seriously and have internal processes to ensure we can respond to rights requests efficiently. Our team is trained to recognize and handle requests in line with legal requirements. There is no fee for making a request to exercise your rights (except in the rare case of manifestly unfounded or excessive/repetitive requests, where we might charge a reasonable fee or refuse, as permitted by law). We are committed to facilitating your control over your personal data. If you have any questions about your rights or how to exercise them, please do not hesitate to contact us.

Cookies and Tracking Technologies

As mentioned in earlier sections, our website uses cookies and similar tracking technologies to distinguish you from other users and to provide certain functionalities. This section explains in detail how we use these technologies, what choices you have, and how we obtain your consent.

What Cookies Are: Cookies are small text files that websites place on your device’s browser. Cookies have various uses – they can enable core site functionality, remember your preferences, and collect information about your interaction with the site. When you return to a site, your browser sends back the cookies that belong to that site, allowing the site to recognize you and load your preferences. Other tracking technologies related to cookies include things like pixels, web beacons, or tags (small invisible images or code snippets that do a similar job, often used in emails or on websites to track when something has been viewed) and device identifiers for mobile apps. In this Policy, when we refer to “cookies,” we include these analogous technologies for simplicity, unless context requires differentiation.

Types of Cookies We Use: Our website may use several categories of cookies to achieve different purposes, including:

• Strictly Necessary Cookies: These are essential cookies without which the website cannot function properly. They include, for example, cookies that ensure your preferences (like privacy settings or language selection) are remembered as you navigate the site, or cookies that keep you logged in to a secure account area. Without these cookies, services you have asked for (such as remembering that you are logged in) cannot be provided. Importantly, strictly necessary cookies do not require your consent under applicable law – we rely on our legitimate interest to use them since they are needed for the operation of the site. We only use these in a limited manner, and they are usually first-party cookies (set by Airnest’s domain).

• Functionality Cookies: These cookies allow the website to provide enhanced features and personalization. They may be set by us or by third-party providers whose services we have added to our pages. For instance, if we embed a video player or have a chat support widget, that service might set a cookie to remember your interactions or preferences. Functionality cookies might remember choices you make (like your region or other custom settings) to provide a more tailored experience. While not strictly necessary, these cookies generally exist to improve your experience. Where required, we will treat them as non-essential and obtain consent, though some may argue legitimate interest if they are truly minimal and service-requested.

• Analytics/Performance Cookies: These cookies collect information about how visitors use our website, in order to help us understand website traffic and usage patterns. For example, they allow us to recognize and count the number of visitors and to see how visitors move around the site. The data obtained is typically aggregated and anonymized (for instance, we might see that X% of our users visit the “Services” page or that a certain campaign brought Y number of new visitors). Analytics cookies help us improve the way our website works, for example by ensuring that users are finding what they need easily and by identifying any parts of the site that are underperforming. We currently use third-party analytics services such as Google Analytics; these services may set their own cookies (third-party cookies) through our site. Any analytics on our site is set up not to collect directly identifiable information like names or emails – they focus on technical and usage data. Additionally, we have configured Google Analytics to respect “Do Not Track” settings where feasible and IP anonymization features so that the last octet of your IP is masked (reducing accuracy of geo-location to city level and enhancing privacy). Analytics cookies are not deployed unless you have given consent via our cookie banner.

• Advertising/Targeting Cookies: Our site, from time to time, may use advertising cookies, especially if we run marketing campaigns. These cookies record your visit to our site, the pages you have visited, and the links you have followed, as well as information about your browser, device and IP address. They are usually placed by advertising networks (third parties) with our permission. The information collected is used to serve you with interest-based ads on other websites, and to measure the effectiveness of our ad campaigns. For example, if we advertise on Google or social media platforms, those platforms might drop a cookie when you visit our site so that they recognize your browser later and can include you in an “audience” to receive our ads, or to avoid showing our ad to you if you’ve already converted. These cookies effectively build a profile of your browsing behavior and interests . While they do not store directly identifying information like your name, they can identify your browser and internet device, and if you have a profile on those advertising platforms, it could be linked. We only use advertising cookies if you opt-in via the cookie consent mechanism. If you do not consent, our site either will not load these trackers or will actively disable them.

In addition to cookies, we may use technologies like Facebook Pixel or LinkedIn Insight Tag on our site for advertising analytics – these tools function similarly to cookies, but are snippets of code that, when loaded, allow the respective platform to drop a cookie or record a visit. We will include these only if you have consented to marketing cookies, as they are part of advertising tracking.

Cookie Consent and Control: Your consent is obtained before we set any non-essential cookies or tracking technologies on your device. When you first visit our site (and periodically thereafter, as required or if you clear your cookies), you will see a cookie consent banner. This banner is implemented via our website-building platform (Framer) and possibly integrated with tools like Google Tag Manager to manage the deployment of tags. The banner will inform you that we use cookies, briefly explain categories (or link to this Privacy Policy or a dedicated Cookie Policy for details), and give you options to Accept or Decline certain cookies. We aim to offer a granular choice, meaning you can choose to enable or disable different types of cookies (e.g., “Analytics”, “Marketing”) rather than a simple all-or-nothing. If you choose “Accept All”, you are giving us permission to use all cookie categories we have listed (beyond strictly necessary). If you choose to decline or to only accept some types, we will honor that. Our cookie management system is configured such that if you Decline, those scripts for analytics/advertising will not load, ensuring no data is sent to those third parties . We do not sneak non-essential cookies in without consent – any initial non-essential cookies will be in a dormant state pending your choice.

Our cookie banner (the “Framer banner”) is designed to appear in a clear manner (usually at the bottom or top of the page) and will continue to be shown until you interact with it. It uses a cookie itself to remember your preferences (so that, for example, once you’ve made a choice, you won’t be asked again on every page or on every visit, unless your cookie/cache is cleared or until a significant change in cookie usage prompts us to ask again). If at any time you want to change or withdraw your consent, you can do so. We provide a mechanism (often a small icon or link on the site labeled “Cookie Settings” or “Privacy Settings”) for you to reopen the consent banner and adjust your preferences. Alternatively, if you have deleted the consent cookie, the banner will reappear on your next visit allowing you to make a new choice.

It’s worth noting that under some interpretations of law (like certain EU member states’ implementations), strictly necessary cookies can be set without consent, but analytic cookies, even if “anonymous”, generally require consent unless they meet strict criteria. We err on the side of caution by seeking consent for analytics and advertising cookies. By giving consent, you enable us to use tools that greatly help our business improve and reach interested audiences, but the choice is entirely yours – our site is designed to function sufficiently even if you opt out of these.

Managing Cookies via Browser: In addition to our site’s controls, you have the ability to control cookies through your browser settings. Most web browsers allow you to view the cookies stored on your device and delete them individually or all at once. They also typically offer options to block cookies from specific sites or from all sites. For example, you can usually configure your browser to refuse all third-party cookies (which will affect advertising and social media cookies in particular) or to prompt you each time a site tries to set a cookie. You can find these settings in your browser’s Options or Preferences menu (each browser is different; use the Help function if needed to locate “cookie settings” or “privacy settings”). Additionally, there are third-party tools and extensions that can help you manage or block trackers.

Be aware that if you disable cookies entirely, our website (like many others) may not function optimally. Some functionality (like maintaining a login session or remembering items in a form as you navigate) may rely on cookies. Strictly necessary cookies are crucial to core features, and if you block them via browser settings, parts of the site might not work at all. Therefore, we recommend a balanced approach: use our consent banner to control optional cookies and use browser controls mainly if you want to override choices or clear out cookies periodically.

Do Not Track and Global Privacy Controls: “Do Not Track” (DNT) is a setting available in most browsers that signals to websites that you do not want to be tracked. However, there is currently no standardized way that websites must respond to DNT, and many sites (and third-party services) do not honor it. We respect privacy signals to the extent feasible – for instance, if our analytics software detects a DNT signal, we configure it not to track that session in detail. There are also emerging signals like the Global Privacy Control (GPC) which is a browser-based or extension-based header indicating a user’s opt-out of sale/sharing under laws like CCPA (California) – while this is U.S.-centric, it aligns with giving users more automated control. We are monitoring these developments and will honor such signals where legally required and technically possible.

Cookies in Emails: Apart from website cookies, note that if we send you marketing emails, those emails might contain a tiny tracking pixel (or similar technology) that tells us whether you have opened the email or clicked on links. This is a common practice to gauge engagement. The data obtained in this manner is used in an aggregated way (e.g., to measure open rates) and sometimes at an individual level to understand your interaction (so we can, for example, resend or follow up differently if an email was ignored). You can disable this kind of tracking by not downloading images in the email (many email clients let you choose to block external images) or by unsubscribing from the emails altogether. We mention this here for completeness about “tracking technologies.” We treat such information with the same care as other personal data and use it only to improve our communication with you.

Further Information: For more detailed information about the cookies and trackers we use, you can refer to our Cookie Policy (if we maintain a separate one, it will be available on our website – currently this Privacy Policy covers it comprehensively). If you have any questions or concerns about our use of cookies, feel free to contact us. We can provide you with a list of all the cookies in use and their purposes upon request.

In summary, cookies and tracking technologies help us provide a better online experience and relevant content to our users, but we recognize the importance of transparency and choice in their usage. We are committed to implementing cookies in a privacy-conscious manner – through obtaining consent when required , limiting third-party access without approval, and giving you controls to opt out. By following the guidelines above, you can navigate our website with confidence and manage your personal data footprint according to your comfort level.

Data Security

We take the security of your personal data very seriously at Airnest. We have implemented a wide range of technical and organizational measures to ensure that your data is protected from unauthorized access, alteration, disclosure, or destruction . Our goal is to safeguard the confidentiality, integrity, and availability of the personal data we handle. Here are some key aspects of our security framework:

• Technical Security Measures: We utilize industry-standard security technologies to protect data. All personal data that you provide through our website is transmitted over secure connections using TLS/SSL encryption (you’ll notice the padlock in your browser indicating an HTTPS connection). This encryption helps prevent eavesdropping on data as it travels over the internet. The data is stored on secure servers, which are in controlled facilities with measures like firewalls, intrusion detection systems, and regular virus/malware scanning. We employ access control mechanisms to ensure that only authorized personnel and services can access our systems – for example, unique user IDs, strong passwords (with required updates and complexity), two-factor authentication where appropriate, and role-based access privileges that limit each user to only the data and systems necessary for their role . We also use encryption at rest for particularly sensitive datasets and regularly backup data securely to prevent accidental loss. Our IT infrastructure is kept updated with security patches to protect against known vulnerabilities, and we actively monitor the infrastructure for suspicious activities.

• Organizational Measures and Policies: Airnest has put in place internal policies and procedures governing how personal data should be handled and protected by our team. All employees and contractors receive training on data protection and information security, both at onboarding and periodically (so they stay aware of their responsibilities and the latest best practices). We have a designated team or officer overseeing information security and compliance, ensuring that policies are followed. Our staff is instructed to follow clean desk and screen-lock practices, use company-approved secure tools for communication, and to report any security incidents or potential weaknesses immediately. We limit access to personal data strictly to personnel who need that access for their job (“need-to-know” principle). For example, a property manager might have access to client contact details and project info, but not to HR data, etc. When employees leave or change roles, we promptly adjust or revoke access to ensure no unauthorized data access occurs.

• Third-Party and Supplier Security: When we engage third-party service providers (processors) that handle personal data, we thoroughly vet them for strong security measures. We enter into contracts requiring them to implement appropriate technical and organizational measures to protect the data (essentially mirroring GDPR’s requirements). We often review their security certifications or audit reports (many credible vendors have ISO 27001 certification, SOC 2 reports, or similar attestations). If a provider has a sub-processor (like our hosting provider using a data center), similar requirements flow down to those sub-processors. We avoid using providers that cannot meet our security expectations. Additionally, if we ever transfer data to external parties (as discussed earlier), we’ll use secure transfer methods (such as encrypted channels or secure file exchange protocols) to prevent interception.

• Physical Security: While much of our data is digital, any physical records or devices are also secured. Our offices (and any filing systems) have appropriate physical security controls – this can include locked cabinets for paper files, alarm systems, and controlled entry to premises (keys, access cards, visitor logs). Workstations and devices issued by Airnest are encrypted and require authentication; they auto-lock when not in use. We have policies against removing personal data from the premises unless absolutely necessary and with equivalent safeguards (like not downloading data to personal devices or using unsecured USB drives).

• Testing and Auditing: We regularly test and evaluate our security measures to ensure they are effective. This may involve routine security audits, vulnerability assessments, and penetration testing by external experts. We fix any findings on priority. We also keep logs of access and changes to critical systems to have an audit trail of data access – this helps in detecting any unusual access patterns. If any system or software we use reaches end-of-life or no longer receives updates, we upgrade or replace it to maintain security.

• Incident Response: Despite best efforts, no system can be guaranteed 100% secure. Recognizing this, we have an incident response plan in place for dealing with potential data breaches or security incidents. Our staff is trained to escalate incidents to our security team immediately. If a personal data breach were to occur (meaning a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data), we will contain and investigate it promptly. We will assess the scope and impact, and take necessary remedial actions. In line with GDPR requirements, if the breach is likely to result in a risk to your rights and freedoms (for example, potential for identity theft or fraud, or harm to reputation), we will notify the relevant Supervisory Authority within 72 hours of becoming aware of it . If the risk to you is high, we will also inform you without undue delay, in clear terms about what happened and what steps you should take to protect yourself. We document all incidents, even small ones, to learn and improve from them.

To bolster our security stance, we stay informed about new threats and continuously improve our defenses. We adhere to the principle of privacy by design and by default, meaning that when we develop or adopt new systems or processes involving personal data, we incorporate data protection considerations from the start (for example, using pseudonymization techniques in analytics, or ensuring new databases have encryption enabled). We also follow relevant guidance from data protection authorities and standard frameworks for cybersecurity.

In summary, Airnest has implemented appropriate technical and organizational security measures as required by Article 32 of the GDPR, including measures such as encryption, access control, and regular security audits . While no organization can guarantee absolute security, we want to assure you that we deploy a level of security appropriate to the risk presented by the processing of your personal data. We also regularly review our security practices to adapt to new risks or technological advancements. We appreciate your understanding and cooperation – for instance, keeping your own login credentials confidential and alerting us if you suspect any unauthorized use of your information – as security is a shared responsibility to some degree. If you have further questions about our security measures, feel free to contact us. We may not divulge all specifics (since that could itself be a security risk), but we can answer general questions to give you confidence that your data is in safe hands with Airnest.

Changes to This Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, to keep up with legal or regulatory requirements, or to incorporate new services or features. If we make changes, we will notify you in a manner appropriate to the significance of the changes. Minor changes (e.g., clarifying language or updating contact information) will be posted by updating the Policy on our website with a new effective date. For substantial changes that affect your rights or the ways we use personal data, we will provide a more prominent notice – for example, by posting a notice on our website’s homepage or within the relevant service, and/or by contacting you directly via email to inform you . We will do this in advance when required by law, or otherwise at the time the revised Policy becomes effective.

Whenever we update this Policy, we will revise the “Last Updated” date at the top of the document. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal data. If you do not agree with the changes in a revised Privacy Policy, you should consider stopping using our services or interacting with us, and you may always exercise your rights (such as the right to deletion or to withdraw consent, where applicable). We will not reduce your rights under this Privacy Policy without your explicit consent.

For significant changes, especially those that might require your consent (if, for example, we were to introduce a new purpose for processing that originally you didn’t agree to), we will seek consent where needed. In any event, we will never materially weaken the level of privacy protection we provide without notifying affected individuals.

If you have any questions about the changes made in any update, please contact us using the information below. This will allow you to get clarity on any point that seems unclear.

Contact Us

Airnest has a dedicated point of contact for all privacy and data protection matters. If you wish to exercise any of your rights (as described in the Your Rights section), or if you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please reach out to us:

Email: contact@airnest-reim.com

Using email is usually the quickest way to reach us and receive a response . Please include in your email attention that it is a data protection query (for example, you can write “Data Protection Request” in the subject line) and clearly state your request or question. If you are making a rights request, you may need to provide information to verify your identity (for instance, we might ask you to write back from the email address associated with your data or provide a piece of info we have on file) – this is to ensure we don’t inadvertently disclose your data to someone else.

Postal Mail: If you prefer to contact us via traditional mail, you can send correspondence to any of our group’s business addresses. Please direct it to the attention of “Privacy Officer” or “Data Protection” at the appropriate address. (For example, you may send it to our headquarters at MY AIRNEST LTD in the UK, or to our offices in France or Portugal – the addresses can be found on our website or corporate materials. Marking it as privacy-related will help route it correctly internally.) Note that postal inquiries may take longer to receive and respond to, and we will reply via your preferred contact method.

Telephone: While you may call our offices via the phone numbers listed on our website for general inquiries, please understand that for privacy requests we will likely ask you to put your request in writing (email or mail). This is so we have a clear record of your request and can verify identity in writing. However, you can certainly call for general questions and we will do our best to assist or guide you on next steps.

We are committed to resolving any issues or concerns you may have. If you contact us, we will acknowledge receipt of your inquiry and aim to provide a substantive response within one month or sooner if possible (for simple queries, expect a faster turnaround). For complex issues or multiple requests, we may take up to two months and will inform you of the need for an extension.

In all communications, please avoid sending more personal information than necessary (for example, do not include sensitive personal details in a contact form or email beyond what is needed to address your issue). Once we finish addressing your inquiry or request, we will retain the correspondence and related data only as long as needed to close the matter and as required by law or our internal policies (for instance, we might keep a log of rights requests fulfilled, as we are obliged to under GDPR accountability).

Thank you for taking the time to read our Privacy Policy. We value your privacy and trust. We invite you to reach out anytime you have questions or need assistance regarding your personal data or this Policy – Airnest’s privacy team is here to help ensure that your experience with us is not only productive but also safe and respectful of your personal information.