Legal
Privacy Policy
Last updated: 26 May 2026
This Privacy Policy explains how Tholendal Advisors Ltd, trading as Wolfox AI (“Wolfox”, “we”, “us”, “our”), collects, uses, and protects your personal data when you use the Wolfox AI platform and related services (the “Service”).
We are committed to processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Irish Data Protection Act 2018.
This Privacy Policy should be read alongside our Terms of Service.
1. Who We Are
For the purposes of GDPR, the data controller of your personal data is:
Tholendal Advisors Ltd, trading as Wolfox AI
Email: contact@wolfox.ai
We are an Irish-registered company providing AI-generated audio intelligence content focused on financial and regulatory news.
2. What Personal Data We Collect
We collect the following categories of personal data:
2.1 Information You Provide Directly
- Account information: name, email address, organisation/company name, professional role
- Authentication credentials: encrypted passwords, or third-party authentication tokens if you sign in via Google or another identity provider
- Billing information: where you subscribe to a paid tier, your billing name, billing address, country, and (where applicable) VAT identification number
- Communications: any messages, feedback, or support requests you send us
- Account preferences: focus areas, notification settings, content preferences
2.2 Payment Information
We do not store your full payment card details on our systems. Payment card information is collected and processed directly by Stripe Payments Europe Ltd (“Stripe”), our payment processing partner. We receive only a limited set of payment metadata from Stripe (e.g. last four digits of card, card brand, billing country, transaction status) for our records.
2.3 Information Collected Automatically
- Usage data: information about how you interact with the Service, including which briefings you access, focus areas you select, features you use, and time spent
- Device and technical data: IP address, browser type, operating system, device identifiers, time zone, language preferences
- Log data: server logs containing access times, request paths, error events, and similar operational information
- Cookies and similar technologies: see Section 10
2.4 Information from Third Parties
If you sign in via a third-party identity provider (e.g. Google), we receive your basic profile information (name, email, profile picture) from that provider in accordance with the permissions you grant.
3. How We Collect Your Personal Data
We collect personal data:
- When you create an Account or subscribe to the Service
- When you use, navigate, or interact with the Service
- When you contact us by email or other means
- Through automated technologies (cookies, server logs, analytics)
- From third-party services you choose to connect (e.g. payment processor, identity providers)
4. Legal Bases for Processing
We process your personal data on one or more of the following legal bases under GDPR Article 6:
| Processing | Legal Basis |
|---|---|
| Providing the Service to you (account, content, subscription) | Performance of a contract (Article 6(1)(b)) |
| Billing, invoicing, fraud prevention | Performance of a contract + Legal obligation (Article 6(1)(b), 6(1)(c)) |
| Tax and accounting records | Legal obligation under Irish and EU law (Article 6(1)(c)) |
| Service improvement, security monitoring, analytics | Legitimate interests (Article 6(1)(f)) |
| Customer support and communications | Performance of a contract + Legitimate interests |
| Marketing communications (where applicable) | Consent (Article 6(1)(a)) — you can withdraw at any time |
| Compliance with legal requests or court orders | Legal obligation (Article 6(1)(c)) |
Where we rely on legitimate interests, our interests are: providing a reliable and secure Service, preventing fraud and abuse, improving the Service based on usage patterns, and operating our business. We balance these against your rights and freedoms.
5. How We Use Your Personal Data
We use your personal data to:
- Provide and operate the Service, including authenticating your Account, delivering subscribed content, processing payments, and providing customer support
- Personalise your experience, including remembering your focus areas, preferences, and subscription tier
- Improve and develop the Service, including analysing usage patterns, debugging issues, and developing new features
- Communicate with you, including service announcements, billing notifications, support responses, and (with your consent) marketing communications
- Ensure security, including detecting fraud, preventing unauthorised access, and protecting against malicious activity
- Comply with legal obligations, including tax records, regulatory enquiries, and lawful requests from authorities
We do not sell your personal data to third parties.
6. Who We Share Your Personal Data With
We share personal data with the following categories of recipients, all of whom act as our processors (or independent controllers where indicated) and are contractually bound to protect your data:
| Category | Examples | Purpose |
|---|---|---|
| Cloud infrastructure providers | Amazon Web Services (AWS) | Hosting, storage, compute, authentication, email delivery |
| Payment processing | Stripe Payments Europe Ltd | Processing subscription payments, billing, fraud detection |
| AI and content generation providers | Including but not limited to Google (Gemini), OpenAI, ElevenLabs, Amazon (Polly), Perplexity | Generating audio briefings, summarising content, analytical features |
| Source intelligence providers | Including but not limited to Firecrawler and similar web-content services | Sourcing and aggregating publicly available content |
| Identity providers | Where you choose to use them, e.g. Google Sign-In | Authentication |
| Communications providers | Email delivery services | Sending transactional emails (e.g. billing receipts, password resets) |
| Professional advisors | Our accountants, auditors, legal advisors | Where strictly necessary for compliance and business operations |
| Authorities and law enforcement | Courts, tax authorities, regulators | Where required by law or to respond to lawful requests |
We do not share more personal data than necessary for each processor to perform its function. You may request an up-to-date list of our subprocessors by contacting contact@wolfox.ai.
7. International Data Transfers
Some of the recipients in Section 6 are located outside the European Economic Area (EEA), including in the United States, the United Kingdom, and other jurisdictions.
Where personal data is transferred outside the EEA, we rely on appropriate safeguards under GDPR Chapter V, including:
- EU-US Data Privacy Framework certification, where the recipient is a certified US organisation
- Standard Contractual Clauses (SCCs) adopted by the European Commission, where the recipient is not covered by an adequacy decision
- UK Addendum to SCCs or UK IDTA for transfers involving the United Kingdom
You may request a copy of the safeguards in place for a particular transfer by contacting contact@wolfox.ai.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including any legal, accounting, or regulatory requirements.
Indicative retention periods:
| Data Type | Retention Period |
|---|---|
| Active Account data | While your Account is active |
| Account data after closure | Up to 12 months following Account closure, except where longer retention is required by law |
| Billing and tax records | At least 7 years from the end of the relevant tax year, as required by Irish tax law |
| Subscription metadata (Stripe customer ID, subscription ID, payment status) | While your Account is active and for as long as required for accounting purposes |
| Server logs and security data | Up to 12 months from generation |
| Marketing consents and records of consent | Until consent is withdrawn or for evidence of consent for as long as legally required |
| Backups | Up to 90 days after deletion from active systems |
After the relevant retention period, personal data is securely deleted or anonymised.
9. Your Rights Under GDPR
You have the following rights in respect of your personal data:
9.1 Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you and information about how we process it.
9.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate or incomplete personal data we hold about you. You can update much of your information directly through your Account settings.
9.3 Right to Erasure (Article 17)
You have the right to request deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other legal basis for processing.
Note that we may retain certain data where required by law (e.g. for tax records) or for the establishment, exercise, or defence of legal claims.
9.4 Right to Restriction of Processing (Article 18)
You have the right to request that we restrict processing of your personal data in certain circumstances.
9.5 Right to Data Portability (Article 20)
For data we process based on your consent or contract performance and by automated means, you have the right to request that we provide it to you (or transmit it directly to another controller where technically feasible) in a structured, commonly used, machine-readable format.
9.6 Right to Object (Article 21)
You have the right to object to processing of your personal data based on legitimate interests, including profiling. Where you object to direct marketing, we will stop processing your data for that purpose.
9.7 Right to Withdraw Consent
Where we process your personal data based on consent, you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
9.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of an alleged infringement.
For Ireland, the relevant supervisory authority is:
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: www.dataprotection.ie
9.9 How to Exercise Your Rights
To exercise any of these rights, contact us at contact@wolfox.ai. We will respond to your request within one month, as required by GDPR. In complex cases, we may extend this period by up to two further months and will notify you accordingly.
We may need to verify your identity before responding to your request. We will not charge a fee for handling rights requests, except where requests are manifestly unfounded or excessive.
10. Cookies and Tracking Technologies
We use cookies and similar technologies to provide and improve the Service. Categories of cookies we use:
- Strictly necessary cookies: required for the Service to function (e.g. authentication, session management). These do not require consent.
- Functional cookies: remember preferences such as language or focus areas. Used to personalise your experience.
- Analytics cookies (where used): help us understand how visitors interact with the Service. We use these only with your consent where required.
You can control cookies through your browser settings. Disabling certain cookies may affect Service functionality.
Where required by law (e.g. EU ePrivacy Directive), we will obtain your consent before placing non-essential cookies.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or disclosure. These measures include:
- Encryption of data in transit using industry-standard protocols (TLS)
- Encryption of data at rest in our database and storage systems
- Strict access controls, with personal data accessible only to authorised personnel on a need-to-know basis
- Use of trusted, GDPR-compliant infrastructure providers (Amazon Web Services)
- Regular security reviews of our systems and processes
While we take reasonable steps to protect personal data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours of becoming aware of the breach, and we will notify you directly without undue delay where the breach is likely to result in a high risk to your rights.
12. Children’s Data
The Service is intended for use by professionals aged 18 or older. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child, we will delete it as soon as practicable.
If you believe we may have collected data about a child, please contact us at contact@wolfox.ai.
13. Automated Decision-Making and Profiling
We do not use your personal data for automated decision-making that produces legal effects concerning you or similarly significantly affects you, as defined in GDPR Article 22.
The Service uses AI to generate content (audio briefings, summaries, analyses) based on aggregated and public sources, not on individual profiling of you for legal or significant decisions about you.
We may use limited automated processing to personalise your experience (e.g. presenting briefings relevant to your selected focus areas), but you remain free to choose and configure your preferences manually at any time.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email or through the Service and update the “Last updated” date at the top of this Policy.
We encourage you to review this Privacy Policy periodically.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please contact us:
Tholendal Advisors Ltd, trading as Wolfox AI
Email: contact@wolfox.ai
We will respond to your enquiry within a reasonable timeframe, and in any case within the timeframes required by GDPR for data subject rights requests.