Legal

Privacy & Terms

Last updated 9 April 2026 · Applies to aerlou.com and all Aerlou products

Privacy Policy

Effective date: 9 April 2026 · Last updated: 9 April 2026
Applies to: aerlou.com and all Aerlou products and services

This Privacy Policy explains how Aerlou ("Aerlou", "we", "our", or "us") collects, uses, stores, and protects personal data when you use our platform. By using Aerlou, you agree to the practices described in this policy. If you do not agree, please discontinue use of the platform.

1. Who We Are

Aerlou is a personal AI assistant that works inside WhatsApp, operated through aerlou.com. Our registered place of business is in the United Arab Emirates. For all privacy-related enquiries, contact us at:

2. Legal Framework

Aerlou processes personal data in compliance with the following applicable laws and regulations:

  • UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), the primary data protection law of the United Arab Emirates.
  • UAE Cybercrime Law (Federal Decree-Law No. 34 of 2021), governing unlawful access and misuse of data and electronic systems.
  • Meta WhatsApp Business Platform Policies, governing our use of the WhatsApp Business API as an authorised integration partner.
  • Where users are located in or interact with individuals from the European Economic Area, we additionally observe the principles of the General Data Protection Regulation (GDPR) as a matter of best practice.

3. What Data We Collect

3.1 Data You Provide Directly

  • Full name, email address, and phone number provided during account registration
  • Optional profile details such as your display name, time zone, and preferences
  • Payment information (processed via our payment provider; we do not store raw card data)
  • Communications you send to Aerlou through WhatsApp, email, or our web dashboard
  • Voice notes submitted to the platform (transcribed and processed; original audio may be retained for quality assurance for up to 30 days)
  • Documents you upload or forward to the platform (PDFs, images, receipts, forms, and bills)

3.2 Contact and Personal Data You Input

  • Names, phone numbers, email addresses, and notes about the people you choose to keep track of, which you provide to Aerlou for reminders and follow-ups
  • Conversation history and context that you share with Aerlou about those contacts
  • Personal details, preferences, dates, lists, and small commitments you ask Aerlou to remember
You are responsible for ensuring you have an appropriate basis to record information about other people in Aerlou. We process that data solely on your instruction and do not use it for any other purpose.

3.3 Data Generated Through Use

  • Usage logs, interaction timestamps, feature access patterns, and session data
  • Device type, operating system, browser type, and IP address
  • WhatsApp message metadata (message timestamps, delivery status) processed via the WhatsApp Business API
  • AI interaction transcripts and task execution logs for the purpose of quality, safety, and service improvement

3.4 Data From Integrations

If you connect third-party services (such as Google Calendar or an email account), we access only the data necessary to fulfil the integration function you have requested. We do not access or store data beyond the scope of the connected integration.

4. How We Use Your Data

PurposeLegal Basis
Providing and operating the Aerlou platform and its featuresPerformance of contract
Processing voice notes, documents, and messages to generate AI outputsPerformance of contract
Maintaining your reminders, notes, lists, and contact memoryPerformance of contract
Sending service notifications, reminders, and follow-up messages on your behalfPerformance of contract / Legitimate interest
Improving model accuracy, safety, and platform performanceLegitimate interest
Billing, subscription management, and fraud preventionLegal obligation / Performance of contract
Responding to support requests and customer communicationsPerformance of contract
Complying with legal obligations and regulatory requirements in the UAELegal obligation
Sending product updates and communications (you may opt out at any time)Consent / Legitimate interest

We do not use your personal data or your contacts' data to train third-party AI models. We do not sell, rent, or share personal data with advertisers or data brokers.

5. AI Processing and Data Use

Aerlou uses large language models (LLMs) from third-party AI providers to generate responses and execute tasks. The following applies to all AI processing:

  • Your messages, voice notes, and documents are transmitted to LLM providers under data processing agreements that prohibit those providers from using your data to train their models.
  • We use a hybrid routing model in which different tasks may be processed by different AI providers based on task complexity. All providers are bound by equivalent data protection commitments.
  • We apply prompt caching, which stores non-sensitive system context (such as general assistant instructions) to reduce latency and cost. Cached content does not include your personal data or contact data.
  • AI-generated outputs are provided as informational assistance. You retain full responsibility for reviewing and approving any action taken on the basis of AI outputs, particularly actions that affect you or other people.

6. WhatsApp and Meta Data Handling

Aerlou integrates with the WhatsApp Business API operated by Meta Platforms Ireland Limited. The following applies:

  • We are an independent controller of personal data processed through our WhatsApp integration. We are not an agent of Meta in respect of that data.
  • WhatsApp message content processed through the Business API is subject to Meta's Business Messaging Terms in addition to this Privacy Policy.
  • WhatsApp messages sent on your behalf by Aerlou use pre-approved message templates for outbound communications outside the 24-hour service window, in compliance with Meta's policies.
  • We do not store WhatsApp message content beyond the period necessary to provide the service, subject to the retention periods set out in Section 10 below.
  • End-to-end encryption applies to messages between users on the standard WhatsApp personal platform but does not apply to WhatsApp Business API communications, which are processed in decrypted form by our systems to enable AI functionality. You should make the people you message aware of this where relevant.

7. Your Account and Account Security

Aerlou is a personal assistant tied to a single subscriber. The following applies to your account:

  • Your account, your conversations with Aerlou, and the information you ask it to remember are private to you.
  • You are responsible for keeping your account credentials and the device where you use WhatsApp secure.
  • If you share a device, anyone with access to your WhatsApp may be able to see your conversations with Aerlou.
  • You may request a copy of your data, or its deletion, in accordance with Section 11 at any time.

8. Data Sharing and Third Parties

We share personal data only in the following circumstances:

8.1 Service Providers (Processors)

We share data with third-party service providers who assist us in operating the platform. All providers are bound by data processing agreements and are permitted to use data only for the specific purpose for which it was shared. These include:

  • Cloud infrastructure and hosting providers
  • AI model providers (for language model inference)
  • WhatsApp Business Solution Provider (BSP)
  • Payment processing providers
  • Customer support and communications tools
  • Analytics and error monitoring services

8.2 Integration Partners

Where you have authorised a third-party integration (such as Google Calendar or an email account), we transmit the data required to fulfil that integration on your instruction. You should review the privacy policies of any third-party platforms you connect.

8.3 Legal Obligations

We may disclose personal data to government authorities, regulators, or law enforcement where we are legally required to do so under UAE law or applicable international obligations. We will notify you of any such disclosure where legally permitted to do so.

8.4 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity. We will notify users prior to such a transfer taking effect and ensure that the receiving entity is bound by equivalent data protection obligations.

9. International Data Transfers

Aerlou's primary infrastructure is hosted within cloud data centres. Data may be processed outside the UAE where our AI providers or infrastructure partners operate data centres in other jurisdictions, including the European Union and the United States. Where such transfers occur, we ensure they are conducted under appropriate safeguards, including standard contractual clauses or equivalent mechanisms recognised under the UAE PDPL.

10. Data Retention

Data TypeRetention Period
Account and profile dataDuration of subscription plus 90 days following account closure
Reminders, notes, and contact memoryDuration of subscription; exportable on request before closure
AI interaction transcripts12 months from date of interaction
Voice note originals30 days from submission (transcripts retained per above)
Uploaded documentsDuration of subscription; deleted within 30 days of account closure
Payment and billing records7 years from transaction date (UAE regulatory requirement)
Support communications3 years from last interaction
Usage and access logs12 months

Following the applicable retention period, data is securely deleted or anonymised. Anonymised or aggregated data that cannot be used to identify any individual may be retained indefinitely for product analytics purposes.

11. Your Rights

Under the UAE PDPL and applicable data protection law, you have the following rights in respect of your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to correction: Request that inaccurate or incomplete data be corrected.
  • Right to deletion: Request deletion of your personal data, subject to legal retention obligations.
  • Right to portability: Request your data in a structured, machine-readable format where technically feasible.
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to restrict processing: Request that we limit how we use your data in certain circumstances.
  • Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@aerlou.com. We will respond within 30 days. We may require verification of your identity before fulfilling a request. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.

12. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, and destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256 or equivalent
  • Role-based access controls limiting internal access to personal data
  • Regular security assessments and vulnerability testing
  • Multi-factor authentication for all administrative system access
  • Incident response procedures and breach notification protocols

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and, where required, the relevant supervisory authority, within the timeframes prescribed by applicable law.

13. Cookies and Tracking

Our website at aerlou.com uses cookies and similar technologies for the following purposes:

  • Strictly necessary cookies: Required for the website and platform to function. Cannot be disabled.
  • Performance cookies: Help us understand how users interact with our website (anonymous analytics). You may opt out.
  • Functional cookies: Remember your preferences and settings. You may opt out.

We do not use advertising or cross-site tracking cookies. You can manage cookie preferences through your browser settings or our cookie preference centre on the website.

14. Children

Aerlou is intended for use by individuals aged 18 and over. We do not knowingly collect personal data from persons under the age of 18. If we become aware that a minor has provided personal data, we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify registered users of material changes by email or through the platform at least 14 days before the changes take effect. The updated policy will be published at aerlou.com/privacy with the revised effective date. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

16. Contact and Complaints

For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices, contact us at privacy@aerlou.com.

If you are not satisfied with our response, you have the right to lodge a complaint with the UAE Data Office (dataoffice.ae) or the relevant supervisory authority in your jurisdiction.

© 2026 aerlou. All rights reserved.