Tracker Privacy & Compliance

Last updated: 28 April 2026

This page is the full public disclosure for the Warm AI visitor-tracking script, warm.js, served from assets.warmai.uk. It is intended for website visitors, customer security and privacy teams, regulators, and search-engine and ad-network reviewers performing diligence.

1) Identity of the controller / processor

Warm AI Ltd, a company registered in England and Wales. When the script collects personal data on behalf of a customer site, Warm AI Ltd acts as a processor for that customer (the controller).

  • Registered office: 107 Highfield Lane, Oving, Chichester, PO20 2NN, United Kingdom.
  • ICO registration: ZC135250 (registered 28 April 2026, valid to 27 April 2027).
  • Data Protection contact: support@getwarmai.com.

2) Purpose of the script

warm.js enables Warm AI's customers to identify the companies visiting their websites, so their B2B sales teams can prioritise outreach. The safe variant does not identify named individuals. The script is loaded by Warm AI's paying customers on their own websites under contract.

3) What warm.js collects

  • A session token (UUID v4) stored in sessionStorage, 30-minute idle TTL, cleared automatically when the browser tab closes.
  • Page view events: URL, path, page title, referrer.
  • Active time on page (only counted when the tab is visible and the visitor has interacted within the last 30 seconds).
  • UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) read from the URL only.
  • User agent string (client side).
  • IP address (server side only, used to perform company-level identification via the providers listed below).

4) What warm.js does NOT do

  • No persistent cookies. warm.js does not set document.cookie at all.
  • No reading of form-input values, no email capture, no field scraping.
  • No fingerprinting — no canvas, WebGL, font enumeration, or audio fingerprinting.
  • No third-party network calls — beacons go only to Warm AI's own infrastructure (track.getwarmai.com and a Supabase fallback).
  • No cross-site tracking — each customer's data is siloed by tracking ID.

The full source of warm.js is published at github.com/Nudge-AI-UK/warmai-tracker so any of these claims can be independently verified by reading the code.
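One way a reviewer could spot-check the section 4 claims against a copy of the script, as an added example that is not part of warm.js or the Warm AI repository. The pattern list, the function name auditSource and the sample source are constructed for illustration; the Supabase fallback host is not named on this page, so the reviewer supplies the allow-list.

```javascript
// Added illustration: heuristic source audit for the "does NOT do" claims.
// Patterns and sample input are constructed; they are not taken from warm.js.
const CLAIM_PATTERNS = {
  "no cookies": [/document\s*\.\s*cookie/],
  // input/change/submit only: keydown or scroll listeners are expected for
  // the "active time on page" measurement described in section 3.
  "no form-input reading": [/addEventListener\(\s*["'](input|change|submit)["']/],
  "no fingerprinting": [
    /toDataURL|getImageData/,                              // canvas readback
    /getContext\(\s*["'](webgl2?|experimental-webgl)["']/, // WebGL
    /AudioContext/,                                        // audio
    /document\s*\.\s*fonts/,                               // font enumeration
  ],
};

// Returns one finding per line and claim that the source appears to contradict.
function auditSource(source, allowedHosts) {
  const findings = [];
  source.split("\n").forEach((raw, i) => {
    // Drop // comments but keep the "//" inside "https://".
    const line = raw.replace(/(^|[^:])\/\/.*$/, "$1");
    for (const [claim, patterns] of Object.entries(CLAIM_PATTERNS)) {
      if (patterns.some((re) => re.test(line))) findings.push({ line: i + 1, claim });
    }
    // Any hard-coded URL whose host is outside the allow-list is a lead.
    for (const m of line.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
      const host = m[1].toLowerCase();
      if (!allowedHosts.includes(host)) {
        findings.push({ line: i + 1, claim: "no third-party network calls", host });
      }
    }
  });
  return findings;
}

// Constructed sample: lines 3-5 each contradict one claim; line 1 only
// mentions document.cookie inside a comment and must not be flagged.
const SAMPLE = [
  'var id = sessionStorage.getItem("sid"); // document.cookie is never used',
  'navigator.sendBeacon("https://track.getwarmai.com/e", id);',
  'document.cookie = "sid=" + id;',
  'fetch("https://cdn.example.net/px");',
  'var c = document.createElement("canvas").toDataURL();',
].join("\n");
```

A clean result is a starting point for reading the code, not proof: property names or URLs that are built dynamically will not match these patterns.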

5) Lawful basis (UK GDPR / EU GDPR Article 6)

Customer sites loading warm.js rely on Article 6(1)(f) — legitimate interest: B2B identification of company-level visitors for the customer's sales workflow. The balancing test we and our customers rely on is summarised below:

  • Data minimised — only what is necessary for company-level identification.
  • No profiling of individuals beyond their company affiliation.
  • B2B context — visitors interacting with a B2B website have a reasonable expectation of being contacted in connection with their employer.
  • Easy opt-out via DNT, GPC, browser-level controls, or contacting the customer site or Warm AI directly.

6) Cookies and storage notice (PECR / ePrivacy)

warm.js uses sessionStorage only. sessionStorage is cleared when the browser tab closes and is treated as "necessary / strictly necessary" by every cookie consent law we are aware of (UK PECR, EU ePrivacy Directive, CCPA).

No cookie banner is required for warm.js. No cookies are set; no fingerprinting is performed. A separate variant, warm-pro.js — which sets a cross-session cookie and captures form events — does require consent and is gated on the customer's CMP (Cookiebot, OneTrust, Transcend) or an explicit data-consent="granted" attribute. warm-pro.js is not in general release at this page's publication date.

7) Data retention

Per-session event data is retained on Warm AI's infrastructure for the duration of the customer's contract plus the period required to honour data-subject rights requests, after which it is deleted. Aggregate (non-identifying) analytics may be retained indefinitely. Specific retention periods can be obtained from the customer site or from Warm AI directly at support@getwarmai.com.

8) Sub-processors and infrastructure

When the script fires, the following sub-processors may receive data:

  • Cloudflare, Inc. — DNS, R2 storage (script delivery), Workers (edge proxy and beacon ingestion). Global edge network.
  • Supabase, Inc. — Postgres database and edge functions, used for event storage and processing.
  • RB2B — IP-to-company waterfall provider (US visitor identification).
  • Snitcher — IP-to-company waterfall provider.
  • Apollo — Decision-maker enrichment (only on warm-pro.js or when a customer explicitly enables it; not used by safe warm.js).

This list is maintained as new providers are added or removed. Last reviewed: 28 April 2026.

9) International transfers

Warm AI Ltd is established in the UK. Some sub-processors are established in the United States. Transfers from the UK and the EEA to the US are made under the applicable adequacy mechanism — UK International Data Transfer Agreement (IDTA), EU Standard Contractual Clauses, and where applicable the EU-US and UK-US Data Privacy Framework.

10) Data subject rights

Visitors and identified individuals have the right to:

  • Access the personal data held about them (Article 15).
  • Rectify inaccurate data (Article 16).
  • Erase their data (Article 17).
  • Restrict processing (Article 18).
  • Object to processing based on legitimate interest (Article 21).
  • Receive their data in portable form (Article 20).

Send a request to support@getwarmai.com — we acknowledge within 5 working days and respond in full within 30 days. Where Warm AI acts as processor for a customer, we will route the request to the relevant customer (controller) and support their response.

You also have the right to lodge a complaint with the UK Information Commissioner's Office: ico.org.uk/make-a-complaint.

11) Visitor-side opt-out

warm.js automatically honours Do Not Track (DNT) and Global Privacy Control (GPC). If your browser sends either signal, the script returns immediately and fires no beacons.

  • Enable DNT: most browser privacy settings include a "Send Do Not Track request" toggle.
  • Enable GPC: extensions such as the official GPC extension, or browsers that send GPC by default (Brave, DuckDuckGo).
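A sketch of the behaviour described in sections 3 and 11 (opt-out check first, then a sessionStorage token with a 30-minute idle TTL), as an added example that is not code from warm.js. The storage key, function names and the in-memory storage stand-in are hypothetical; in a browser, window.sessionStorage and navigator would be passed in.

```javascript
// Added illustration; not taken from warm.js. All names here are hypothetical.
const IDLE_TTL_MS = 30 * 60 * 1000;    // 30-minute idle TTL (section 3)
const STORAGE_KEY = "example_session"; // hypothetical sessionStorage key

// True when the browser sends Do Not Track or Global Privacy Control.
function optedOut(nav, win = {}) {
  const dnt = [nav.doNotTrack, win.doNotTrack, nav.msDoNotTrack]
    .some((v) => v === "1" || v === "yes");
  return dnt || nav.globalPrivacyControl === true;
}

// Return the session token, issuing a new one after 30 idle minutes.
function sessionToken(storage, now, newId = () => globalThis.crypto.randomUUID()) {
  let rec = null;
  try { rec = JSON.parse(storage.getItem(STORAGE_KEY)); } catch { rec = null; }
  const fresh = rec && typeof rec.id === "string" && now - rec.lastSeen < IDLE_TTL_MS;
  const id = fresh ? rec.id : newId();
  // Every event refreshes lastSeen, so the TTL measures idle time only.
  storage.setItem(STORAGE_KEY, JSON.stringify({ id, lastSeen: now }));
  return id;
}

// Entry point: on opt-out, return before touching storage or the network.
function track(nav, storage, now, send, newId) {
  if (optedOut(nav)) return null;
  const token = sessionToken(storage, now, newId);
  send({ token, ts: now });
  return token;
}

// In-memory stand-in for sessionStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

The ordering is the point to check in a review: the opt-out test runs before any storage write or beacon, so an opted-out visitor leaves no token behind.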

12) Customer-side opt-out

Customers can stop loading warm.js at any time by removing the script tag from their site. There is no friction, no contractual lock-in, and no residual tracking after removal. Existing event data can be deleted on request via support@getwarmai.com.

13) Children's data

Warm AI's product is for B2B websites and is not designed for or directed at children. We do not knowingly collect data about children.

14) Changes to the script

When warm.js changes in a way that affects what data it collects or how, we update this page. Changelog:

  • safe-2.0.0 (2026-04-28) — first release on assets.warmai.uk. Added DNT/GPC respect.
  • safe-1.0.1 (2026-04-27) — split safe variant from full-featured pro variant; removed all form-input reading from the safe variant. Hosted at the legacy cdn.warmai.uk.

15) Security

16) Contact

For all queries — privacy, security, data subject rights, regulatory: support@getwarmai.com. We respond within 48 hours on UK business days.