UK, GDPR & Data Privacy FAQ
How is my data used? Do you train AI models with it?
No. We maintain a strict separation between customer data and our model development. Our AI is trained exclusively on public datasets and synthetic data. Your inputs, feedback, and transcriptions are used solely for your specific analysis and platform features.
Note: We may use data samples solely to evaluate models and ensure quality and fit, but only with prior client approval.
Can we keep our data within our own region or network?
While our primary cloud storage is located in the US, we support On-Premise or Localized Anonymization to help you comply with data residency requirements. You can run the Birdie anonymizer within your local infrastructure (EU or UK). This ensures that PII is scrubbed before it ever leaves your controlled environment for the US-based analytical platform.
What is the data retention policy?
We retain customer data only for the period necessary to fulfill the services outlined in your contract and to comply with legal obligations. Upon termination of our agreement, all customer data is securely deleted or anonymized within a defined period, in line with your instructions and our internal data deletion protocol.
How do you handle data breaches?
In the unlikely event of a security incident affecting personal data, Birdie AI will take immediate steps to contain the incident and assess the risk. We are committed to notifying the relevant supervisory authority and affected customers without undue delay (within 72 hours), when the breach is likely to result in a risk to your rights and freedoms.
Who oversees security compliance?
Our security posture is validated by a SOC 2 Type II attestation and managed by our Data Protection Officer (DPO), Rafael Libardi, and Security team. You can contact the team at [email protected].
International Data Transfers (EU & UK)
Birdie AI ensures lawful data transfers from Europe to the US through the Data Privacy Framework (DPF) program, enforced by the US Federal Trade Commission (FTC).
EU-U.S. Data Privacy Framework: Active
Status: Birdie AI is certified to transfer HR and Non-HR data from the EU to the US without needing Standard Contractual Clauses (SCCs).
Certification Date: 11/20/2025
UK Extension to the DPF: Active
Status: Birdie AI is certified to transfer data from the UK under the UK Extension.
Certification Date: 11/20/2025
You can verify our active status for both frameworks by searching for "Birdie AI" on the Data Privacy Framework List.
UK Section
How does Birdie AI handle my data under the UK GDPR?
Birdie AI is an active participant in the UK Extension to the EU-U.S. Data Privacy Framework. This means we are legally recognized as providing a level of data protection essentially equivalent to that of the United Kingdom.
Since 2023, the UK has recognized the EU-U.S. Data Privacy Framework (DPF) as a valid transfer mechanism when the UK Extension is applied. Birdie AI maintains an active certification under this extension. This acts as an "Adequacy Decision" for the organization, permitting the transfer of personal data from the UK to US-based cloud infrastructure without the friction of individualized Standard Contractual Clauses (SCCs).
Adequacy via UK Extension: Since 11/20/2025, Birdie AI has maintained an active certification under the UK Extension to the EU-U.S. Data Privacy Framework. This allows for the seamless transfer of personal data from the UK to the US without requiring additional Standard Contractual Clauses (SCCs) in many instances, as the UK government recognizes this framework as providing "essentially equivalent" protection.
Who is the independent recourse mechanism for UK residents?
If a privacy complaint is not resolved by us within 45 days, UK residents have access to free, independent dispute resolution:
For HR Data: The UK Information Commissioner’s Office (ICO).
For Non-HR Data: JAMS (International Arbitration and Mediation Provider).
Additional Sources
Last updated