This is the plain-English version of how we handle data. It is also the legal-record version — there is no separate fine print. If anything here is unclear, email support@aiautomation.ng and we'll explain in writing.
Business intake — business name, industry, team size, country, monthly revenue band, selected pain points, and your free-text "biggest leak" description.
Contact details — your name, role, work email, and phone number.
Booking metadata — preferred kickoff slot and urgency.
From the Skills + Guides waitlist forms
Your email address, the product slug you signed up for, and (optionally) your business name.
UTM source if you arrived from a paid ad (Instagram / Facebook / Google) — for attribution only, never sold or shared.
Captured by /api/waitlist, written to our Vercel function logs, and used solely to email you when the product you joined ships. One email per product, ever. No newsletter.
From server logs (automatic)
IP address, user-agent string, request path, timestamp, and response status — standard web-server telemetry.
Logs are retained for 30 days on Vercel's edge platform, then rotated out automatically.
From your browser (no server transmission)
sessionStorage.aiautoSeenBoot — a single flag so the boot animation only shows once per visit. Cleared when you close the tab.
localStorage.aiautoTheme — your dark/light preference. Persists until you clear browser storage.
Neither value is transmitted to our servers or any third party. See the Cookies Policy for details.
What we don't collect
We do not run Google Analytics, Facebook Pixel, Hotjar, Mixpanel, or any third-party tracking script.
We do not use advertising cookies, retargeting pixels, or fingerprinting libraries.
We will never ask you for: bank account numbers, debit/credit card details, NIN, BVN, or government IDs through this website. Any service that requires those will be transacted under a separate signed agreement, not via web form.
We do not sell, rent, or trade personal data to anyone — ever.
How we use what we collect
Business intake is used solely to generate your personalized audit blueprint and to staff your kickoff call.
Contact details are used to email you the blueprint, the calendar invite, and follow-up scoping questions.
Server logs are used for security, abuse detection, and basic uptime monitoring. We do not build behavioral profiles from them.
Lawful basis (NDPR Art. 2.2)
Legitimate interest — for receiving and responding to your service inquiry.
Consent — for sending your intake to our AI sub-processor (DeepSeek) to draft the blueprint. You consent by submitting the audit modal after seeing the explicit disclosure.
Contract — once you sign an engagement letter, processing your business data to deliver the service.
Legal obligation — retaining tax-relevant records under FIRS rules (7 years).
Sub-processors (cross-border transfer disclosure · NDPR Art. 41)
To deliver the service, we transmit data to the following processors. Each is named so you can independently verify them:
DeepSeek (Hangzhou DeepSeek AI Co., Ltd · China) — receives your intake fields (business, industry, team size, country, revenue band, pain points, hours wasted, urgency) one time to generate your blueprint. We do not send your name, email, or phone. DeepSeek's terms: deepseek.com.
Vercel (Vercel Inc. · United States) — hosts this website and runs the edge functions. Standard request logs only.
GitHub (GitHub Inc. · United States) — hosts our source code. No customer data flows through this.
If you object to cross-border transfer to either country, email us before submitting the audit form and we'll process your inquiry by email only (no AI blueprint generated).
Retention
Intake data — retained 90 days, then permanently deleted. We re-prompt you if you re-engage after that window.
Contact details — retained for the duration of our commercial relationship plus 12 months.
Request portability — export in a machine-readable format
Object to specific processing
Withdraw consent at any time
Lodge a complaint with the Nigerian Data Protection Commission (NDPC)
How to make a request
Email support@aiautomation.ng with subject line "DSAR Request". We respond inside 30 days, free of charge. We may ask one verification question to confirm you are the data subject.
Data Protection Officer (DPO)
We are engaging a NITDA-licensed DPO partner firm this quarter. Until that engagement closes, the Data Controller (Ranked Technologies Limited) is the direct point of contact for all data-protection matters. We will name the DPO firm publicly on this page within 14 days of signing.
This is honest forward-looking language, not a commitment to compliance we have not yet earned. If DPO-mediated escalation is a procurement requirement for you, email us and we will introduce you to our outside counsel directly.
Security
All traffic is TLS-encrypted (HTTPS) with HSTS preloaded.
No customer data is stored in browser-accessible storage.
API endpoints rate-limit by request size and time out aggressively.
We have not yet completed a SOC 2 audit — that is on our roadmap for 2027. We do not claim certifications we do not hold.
Children
This service is for businesses and is not directed at anyone under 18. We do not knowingly collect data from minors. If you believe we have inadvertently collected such data, email us and we will delete it.
Changes to this policy
If we make material changes, we will post the updated policy here and update the "Last updated" date at the top. For substantive changes (new sub-processor, new data category, changed retention) we will email all active engagement contacts before the change takes effect.
Governing law
This policy is governed by the laws of the Federal Republic of Nigeria. Disputes are subject to the exclusive jurisdiction of the Lagos State High Court, except where mandatory NDPR-derived rights provide a different forum.