What airtee.ai sets, stores, and sends.
This page documents the security posture of the marketing site itself — headers, cookies, analytics, and how form submissions are handled. For platform-level posture (the SaaS itself), see the Trust Center.
Encrypted, only.
- TLS 1.3 enforced for every request — HTTP is 301-redirected to HTTPS at the edge.
- HSTS: max-age=63072000; includeSubDomains; preload (2 years, all subdomains, browser preload list eligible).
- Edge served by Cloudflare; origin handled by Lovable Cloud (UK/EU residency).
Defence-in-depth at the response layer.
Every response from airtee.ai carries the following headers. They are applied uniformly via server middleware — there is no per-page exception.
Content-Security-Policy: Locks scripts, styles, fonts, images and connections to airtee.ai plus the hosts the site genuinely uses (Google Fonts, Calendly, Lovable Cloud, the OG image host). object-src 'none', base-uri 'self', form-action 'self'.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload — forces HTTPS for two years, including subdomains, eligible for the browser preload list.
X-Frame-Options: DENY plus frame-ancestors 'none' in the CSP. The site cannot be embedded in any iframe — clickjacking is structurally impossible.
X-Content-Type-Options: nosniff — browsers must respect declared MIME types and cannot guess executable content.
Referrer-Policy: strict-origin-when-cross-origin — outbound links leak only the origin, never the path or query, when crossing sites.
Permissions-Policy: Disables camera, microphone, geolocation, payment, USB, accelerometer, gyroscope, magnetometer and FLoC (interest-cohort=()).
Cross-Origin-Opener-Policy: same-origin — isolates the browsing context group, blocking cross-origin window references and Spectre-class side-channel attacks.
X-DNS-Prefetch-Control: on — opts in to DNS prefetching for faster outbound navigation; there is no privacy regression because no third-party trackers are present.
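A reviewer can check a captured response against the values stated above. The following is an added example, not AirTee's own tooling; the SAMPLE header set is constructed from the values on this page, with the CSP shortened to the directives the page names.

```python
import re

# Constructed sample: the header values this page states (the CSP host
# allow-lists are omitted; default-src 'self' is an assumption).
SAMPLE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; "
                               "base-uri 'self'; form-action 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
}

def parse_csp(value):
    """Split a CSP string into {directive: [sources]}; first duplicate wins."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def audit(headers):
    """Return a list of findings; an empty list means every stated value holds."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    directives = [d.strip().lower() for d in hsts.split(";")]
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m or int(m.group(1)) < 63072000:
        findings.append("HSTS max-age below 63072000")
    for flag in ("includesubdomains", "preload"):
        if flag not in directives:
            findings.append(f"HSTS missing {flag}")
    csp = parse_csp(h.get("content-security-policy", ""))
    expected = {"object-src": "'none'", "base-uri": "'self'",
                "form-action": "'self'", "frame-ancestors": "'none'"}
    for name, src in expected.items():
        if csp.get(name) != [src]:
            findings.append(f"CSP {name} is not {src}")
    exact = {"x-frame-options": "deny", "x-content-type-options": "nosniff",
             "referrer-policy": "strict-origin-when-cross-origin",
             "cross-origin-opener-policy": "same-origin"}
    for name, want in exact.items():
        if h.get(name, "").lower() != want:
            findings.append(f"{name} is not {want}")
    return findings
```

Feed `audit()` the headers from any page of the site; because the page states the headers are applied uniformly, a finding on a single path is itself worth reporting.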
The full list. It is short.
AirTee sets no first-party tracking cookies, no advertising cookies, and no persistent identifiers. The only cookies you may see in browser devtools are operational cookies set by our hosting layer.
__cf_bm: Strictly necessary. Bot management. Set by Cloudflare's edge — not by AirTee. Expires in 30 minutes. No personal data, no cross-site tracking.
cf_clearance: Strictly necessary. Issued only when a visitor passes a Cloudflare challenge. Confirms the visitor is not a bot for the duration of the session.
No Google Analytics. No Meta Pixel. No LinkedIn Insight Tag. No Hotjar. No A/B-testing cookies. No marketing-automation pixels. No advertising IDs. No localStorage tracking.
What we measure, and how.
- We rely on Cloudflare's server-side request logs (anonymised aggregates) and our hosting platform's request metrics. No JavaScript beacon is loaded in your browser for analytics.
- We do not link visit data to any individual. We do not enrich visit data with third-party identity graphs.
- We do not run cross-device tracking, retargeting pixels, or audience syncing.
- If we ever add a privacy-respecting analytics tool (e.g. Plausible, Fathom), it will be cookieless and disclosed on this page before deployment.
How form data is handled.
What we collect: On the demo-request form: full name, work email, company, role (optional), company size (optional), free-text scenario description (optional), and the page you submitted from.
How it is validated: Validated server-side with a strict schema (length and type checks) before being written. Inputs are inserted via parameterised queries — no SQL is built from string concatenation.
Where it is stored: In our Lovable Cloud (Supabase) database, single-tenant for AirTee, with row-level security and access restricted to AirTee personnel with a need to know.
How it is used: Solely to respond to your enquiry, qualify the conversation, and schedule a demo. We do not enrich it through third-party data brokers and we do not share it with advertisers.
Retention: 24 months from last contact, then deleted. You can request earlier deletion at any time by emailing privacy@airtee.ai.
Your rights: Access, rectification, portability, restriction, objection, and erasure under UK & EU GDPR. Email privacy@airtee.ai and we'll respond within 30 days.
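The validate-then-bind pattern described for the demo-request form looks like this in practice. This is an added example, not AirTee's code: the field names, length limits and table name are assumptions, and an in-memory SQLite database stands in for the real one.

```python
import re
import sqlite3

# Assumed limits: the page says "length and type checks" but gives no numbers.
SCHEMA = {  # field: (required, max_length)
    "full_name": (True, 100), "work_email": (True, 254), "company": (True, 100),
    "role": (False, 100), "company_size": (False, 20),
    "scenario": (False, 2000), "source_page": (True, 200),
}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Static statement: column names are fixed here, values are bound as parameters.
INSERT_SQL = ("INSERT INTO demo_requests (full_name, work_email, company, role, "
              "company_size, scenario, source_page) VALUES (?, ?, ?, ?, ?, ?, ?)")

def validate(payload):
    """Return a cleaned dict, or raise ValueError on any schema violation."""
    extra = set(payload) - set(SCHEMA)
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    clean = {}
    for field, (required, max_len) in SCHEMA.items():
        value = payload.get(field)
        if value is not None and not isinstance(value, str):
            raise ValueError(f"{field} must be a string")
        value = (value or "").strip()
        if len(value) > max_len:
            raise ValueError(f"{field} exceeds {max_len} characters")
        if not value and required:
            raise ValueError(f"{field} is required")
        clean[field] = value or None
    if not EMAIL_RE.fullmatch(clean["work_email"]):
        raise ValueError("work_email is not a valid address")
    return clean

def store(conn, payload):
    """Validate, then insert with bound parameters; returns the new row id."""
    clean = validate(payload)
    return conn.execute(INSERT_SQL, [clean[f] for f in SCHEMA]).lastrowid

def make_db():
    """In-memory SQLite stand-in for the real database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE demo_requests (id INTEGER PRIMARY KEY, full_name TEXT, "
                 "work_email TEXT, company TEXT, role TEXT, company_size TEXT, "
                 "scenario TEXT, source_page TEXT)")
    return conn
```

A value containing SQL syntax is stored as inert text because it only ever reaches the database as a bound parameter.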
What we allow.
- robots.txt explicitly allows reputable AI search and answer engines (GPTBot, OAI-SearchBot, ChatGPT-User, PerplexityBot, ClaudeBot, Google-Extended, Applebot-Extended, CCBot, MistralAI-User and others) so we can be cited correctly.
- We publish /llms.txt and /llms-full.txt — canonical, machine-readable descriptions of the product for grounded LLM answers.
- Legal pages (/legal/privacy, /legal/terms) are disallowed in robots.txt to avoid them ranking ahead of product pages.
Responsible disclosure.
If you believe you have found a vulnerability in airtee.ai or the AirTee platform, please email security@airtee.ai. We acknowledge within one business day, triage within five, and credit reporters who request it. Please give us a reasonable window to remediate before public disclosure.
Quick answers
- Does airtee.ai use tracking cookies or third-party analytics?
- No. We do not run Google Analytics, Meta Pixel, LinkedIn Insight, Hotjar, or any other third-party tracking script on airtee.ai. There is no advertising or cross-site tracking. No cookie banner is required because no consent-bearing cookies are set.
- Are any cookies set at all?
- Only strictly-necessary cookies set by our hosting platform (Cloudflare) for bot mitigation and load balancing — for example __cf_bm, which expires in 30 minutes. No analytics, advertising or persistent identifiers are stored on your device by AirTee.
- What happens to data I submit via the demo request form?
- It is stored in our backend database (single-tenant in our region) and is used only to respond to your request. It is retained for 24 months and deleted on request. It is never sold, shared with advertisers, or used for any third-party marketing.
- Is my form submission encrypted?
- Yes. All requests to airtee.ai are served exclusively over HTTPS (TLS 1.3) and HSTS is enabled with a 2-year max-age and preload. Form payloads are validated server-side and inserted via a parameterised query — no string concatenation, no client-trusted SQL.
- Can airtee.ai be embedded in an iframe?
- No. We set X-Frame-Options: DENY and frame-ancestors 'none' in our Content-Security-Policy. This prevents clickjacking and unauthorised embedding of any AirTee page.
Procurement, security or DPA questions?
Email security@airtee.ai. Most security-questionnaire turnarounds complete within 24 hours.