Privacy Policy

This policy explains how Big Ears AI collects, uses, stores, and shares personal data. It covers the people who use our platform, the journalists and influencers whose contact information is in our system, and the visitors to our website.

We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from someone under 18, we will delete it.

We do not sell personal data to anyone. We never have and we never will.

Big Ears AI is the data controller for the personal data described in this policy. When we process data on behalf of our clients (for example, press releases or brand documents they upload), we act as a data processor and our use of that data is governed by our data processing agreement with the client. We are not required to appoint a Data Protection Officer under UK GDPR. The Founder is the point of contact for all data protection matters and can be reached at james@bigears.ai.

Account data

When a client signs up we collect their name, email address, company name, and role. We use this to create their account, manage their subscription, and communicate with them. Providing this information is necessary to use the service. If you do not provide it we cannot create your account. Legal basis: contract performance.

Content uploaded by clients

Clients upload press releases, brand documents, and other materials to the platform. We process this content to power the AI matching engine. We only process the content necessary to deliver the service. We do not use client content for any purpose other than providing and improving the service for that specific client. Legal basis: contract performance.

Monitoring data

Our platform monitors publicly available news articles, social media posts, podcasts, and competitor activity. This content is published publicly by third parties and is accessible to anyone on the internet. We collect article headlines, links to original sources, short excerpts where shown in our product, AI-generated summaries we produce ourselves, social post content from public profiles, podcast metadata, and engagement metrics. We do not store the full text of articles in our product or display full article bodies to clients. We always link to the original source so readers consume the article on the publisher's website. We do not access any content that is behind a login wall, paywall, or otherwise restricted. Legal basis: legitimate interest in providing our clients with relevant intelligence. We have assessed this interest against the rights of the individuals involved and concluded that the processing is proportionate because the content is already publicly available and our use of it does not affect the individuals who created it.

Journalist and influencer data

We hold names, email addresses, publication affiliations, social media handles, and engagement history for journalists and influencers. All of this comes from publicly available sources: published bylines, public author pages, publication contact pages, and publicly posted social media bios. We do not purchase contact data from third party databases, we do not use enrichment services, and we do not access any information that is behind a login wall. Our system uses search tools to find the same information a human PR professional would find by searching the web. Legal basis: legitimate interest. We have conducted a balancing test and concluded that this processing is proportionate and consistent with the reasonable expectations of journalists who publish their contact details for the specific purpose of being contacted by PR and communications professionals. The data is not sensitive, we provide an opt-out mechanism, and the benefit to our clients outweighs any minimal impact on the journalist.

Usage data

We collect information about how people use the platform through Mixpanel, including pages visited, features used, and session recordings. Legal basis: consent (analytics only activated after the user opts in through our cookie banner).

Website visitor data

We use Google Analytics to understand traffic to our website, including pages visited, traffic sources, and anonymised IP addresses. Legal basis: consent.

Legal and compliance processing

We may process and retain personal data where required to comply with a legal obligation, respond to a lawful request from a regulatory body or law enforcement, or exercise or defend legal claims. Legal basis: legal obligation or legitimate interest as applicable.

Our platform monitors publicly available content from news websites, social media platforms, podcasts, and similar public sources. We apply the following principles to how we handle this content:

We only access content that is publicly available on the open web. We do not access any content behind a paywall, login wall, or other restriction.

We do not store the full text of articles in our product. We generate our own short summaries describing what an article is about, and we always link back to the original source so users read the article on the publisher's website.

We do not redistribute, republish, or display the full body of third-party content to our clients. We do not produce press cuttings, PDFs, or clippings.

We honour publisher and platform opt-out mechanisms including robots.txt and AI bot signals (such as GPTBot, Google-Extended, CCBot, ClaudeBot, Perplexity-User, and other recognised signals) where they have been set on a source we would otherwise process.

We retain article summaries and links for as long as they remain relevant to the client's intelligence needs, and we review retention on a rolling basis.

If you are a publisher, rights holder, or platform and you have a concern about how we handle your content, please contact us at james@bigears.ai. We aim to respond within seven days and will work in good faith to resolve any concerns.

Our platform uses artificial intelligence to score and rank content by relevance, suggest journalist contacts, generate summaries and recommendations, and produce draft content. This involves profiling in the sense that we analyse data to evaluate which content is most relevant to a particular client. However, these automated processes only support our clients in making their own decisions. They do not make decisions on behalf of individuals, they do not produce legal effects on anyone, and they do not significantly affect anyone. Clients review and approve all outreach before it is sent. No individual is subject to a decision based solely on automated processing that produces legal effects or similarly significant effects on them.

We use cookies in three categories. Essential cookies are required for the platform to function (login sessions, security tokens) and are always active. Analytics cookies (Mixpanel and Google Analytics) are only activated after you give consent through our cookie banner. Marketing cookies are not currently used. You can change your cookie preferences at any time through the cookie settings on our platform.

We share personal data with the following third party service providers who process data on our behalf. We have or will have data processing agreements in place with each provider before any personal data is processed. We do not share personal data with any third parties for their own marketing or commercial purposes.

We only share personal data with the providers listed above and as otherwise described in this policy. We review this list regularly and will update this policy if we add or remove providers.

Most of our third party providers are based in the US. Supabase is based in the UK (eu-west-2, London) so all client data at rest stays in the UK. Personal data is transferred outside the UK during processing. For providers certified under the UK Extension to the EU-US Data Privacy Framework (including OpenAI, Google, and Perplexity), these transfers are covered by the UK adequacy decision for that framework. For other providers, transfers are protected by the UK International Data Transfer Agreement and standard contractual clauses. We only transfer data to providers who maintain appropriate security standards and who have contractually committed to protecting the data they receive.

Account and platform data

Kept while the client's account is active. After cancellation or pilot end, we keep data for 90 days then delete across all systems. Retention may be extended up to 12 months where required for legal, regulatory, or compliance purposes, in which case the legal basis for continued processing is legal obligation. We will inform the client if we need to extend retention.

Journalist and influencer data

Kept for as long as the information remains relevant and accurate. We review our journalist database at least every 12 months and remove records that are no longer relevant or accurate. Individuals can request deletion at any time.

Analytics data

Mixpanel retains event data for up to 2 years. Google Analytics retains user-level data for up to 14 months.

Under UK data protection law you have the right to: access the personal data we hold about you, request correction of inaccurate data, request deletion, object to processing (including the right to object to processing based on legitimate interest), request restriction of processing, receive a copy of your data in a portable format, and withdraw consent where processing is based on consent.

Where we process your data based on legitimate interest, you have the right to object and we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

To exercise any of these rights, contact us at james@bigears.ai. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk if you believe we have not handled your data properly.

Your contact information is in our system because it was found in publicly available sources. You were not required to provide this data and we did not collect it directly from you. If you do not want us to hold your data, contact us at james@bigears.ai and we will remove it within 30 days. We will add you to a suppression list so your information is not collected again. We will not re-add your data after you opt out.

All data is encrypted at rest using AES-256 encryption and in transit using TLS. Access to client data is controlled at the database level through workspace isolation, ensuring one client cannot access another client's data. We use access controls, monitoring, and logging to protect our systems. We regularly review our security measures and update them as needed.

If Big Ears AI ceases to operate, we will notify all users and data subjects whose information we hold, provide at least 30 days for data export, and then securely delete all personal data from our active systems and instruct our third party providers to do the same. Data in encrypted backup systems may take up to 90 days to be fully purged.

We may update this policy from time to time. If we make significant changes we will notify platform users by email at least 30 days before the changes take effect. The latest version is always available on our website.

Samir James Shamsi, trading as Big Ears AI.
Email: james@bigears.ai