Stirling Access

Privacy Policy

Last updated: 30 March 2026

Your privacy is built into how we work. We build our own technology rather than relying on third-party tools, so your data stays with us — not with ad networks, analytics companies, or data brokers. No tracking cookies, no third-party analytics, no data sharing. Just a private, personal service.

1. Who We Are

Stirling Access (stirlingaccess.com) is operated by Ant vs Bear Ltd, a private limited company registered in England and Wales.

Company number: 15391307
Registered address: 128 City Road, London, EC1V 2NX
Privacy contact: privacy@stirlingaccess.com
Phone: +44 20 XXXX XXXX

For the purposes of UK GDPR and the Data Protection Act 2018, Ant vs Bear Ltd is the data controller. We have not appointed a Data Protection Officer as we are not required to do so under Article 37. For all data protection queries, contact us at privacy@stirlingaccess.com.

This policy explains what personal data we collect, why, how we use it, who we share it with, and your rights.

Stirling Access is a luxury concierge platform that helps clients source, compare, and book premium travel and lifestyle services. Our services include private aviation, commercial flights, accommodation, ground transport, and experiences. We may expand to additional categories in the future — when we do, this policy will be updated.

2. How You Interact With Us

You may interact with Stirling Access through the following channels:

  • Website — stirlingaccess.com (quote requests, calculator tools, contact forms, account registration)
  • WhatsApp — via our AI concierge assistant, accessible from the website or by messaging our WhatsApp Business number directly
  • Email — direct correspondence and transactional notifications

Each channel collects different data, described below.

3. Data We Collect

3.1 Website — data you provide

  • Quote requests: name, email address, travel route, dates, passenger count, budget range, and any additional information you choose to provide.
  • Account registration: name, email address, password (hashed — never stored in plain text), and account preferences.
  • Contact form: name, email address, and the content of your message.
  • Newsletter subscription: email address only.
  • Booking data: when you book a service through Stirling Access, we collect the information necessary to fulfil that booking. This may include: full name, email, phone number, passport or ID details (for flights and some accommodation), payment card details (processed by Stripe — see Section 8.2), dietary or medical requirements, and any special requests.

Is providing your data required? Providing your name and contact details is necessary to use our concierge service — without them, we cannot process your enquiry or make a booking. Passport details are required by airlines and some hotels — if you choose not to provide them, we cannot complete those bookings. Preference profiles, dietary information, and newsletter subscriptions are entirely voluntary.

3.2 WhatsApp AI Concierge — data collected during conversations

When you engage with our WhatsApp AI concierge, we collect and store the following, with your knowledge and agreement to these terms:

  • WhatsApp profile data: your phone number and display name as provided by WhatsApp/Meta.
  • Message content: the full text of messages you send to our concierge, and the replies sent to you. These are stored to maintain conversation continuity.
  • Travel requirements: origin, destination, travel dates, passenger count, budget, and timing flexibility — as disclosed during conversation.
  • Service routing: which service provider category best suits your needs, as determined through conversation.
  • Preference profile (with your explicit consent): your usual travel patterns, preferred aircraft types, preferred travel days, regular companions, catering or dietary requirements, special requirements, and price sensitivity — built up over time as you engage with the assistant. This constitutes profiling under UK GDPR — it is used solely to improve our recommendations to you and does not produce legal or similarly significant effects.
  • Third-party details you provide: you may share the names, phone numbers, email addresses, or other personal details of other people during your conversations with our concierge — for example, travel companions, personal assistants, family members, or guests. This may happen when you ask us to send someone flight details, make a restaurant booking under another person's name, add passengers to a booking, or contact someone on your behalf.
  • Sensitive personal information you choose to share: if, in the course of making a booking or completing travel arrangements, you send us identification documents (such as passport details), home address, or other sensitive personal information via WhatsApp, we will store this data securely to fulfil your request. We will never ask for this information unprompted — only to complete a specific service you have requested.
  • Stored travel documents (at your request): if you ask us to keep your passport details, frequent flyer numbers, or other travel documents on file for future bookings, we will do so with your explicit consent. This data is stored securely and used only to expedite future bookings. You may request deletion of stored documents at any time.

3.3 Data collected automatically

We use a lightweight, first-party analytics system that does not use cookies and does not collect personal data. It uses browser session storage (cleared when you close the tab) to group pageviews into a single visit. Data gathered is fully anonymous and aggregated (pages visited, referral source, device type, browser). This data cannot identify you and is stored in our own database — it is never shared with third parties. See our Cookie Policy for full details.

Standard server logs (IP address, request time, browser type) are retained for up to 30 days for security and operational purposes.

4. How Our AI Concierge Works

Our WhatsApp concierge is powered by an AI language model (see Section 8.2 for sub-processor details). This means:

  • Your messages are processed by an automated AI system, not a human, on initial contact.
  • The AI analyses what you write and generates replies based on your stated needs.
  • Information from your conversations (such as travel requirements and preferences) may be saved to your profile to improve future interactions.
  • A human at Stirling Access may review conversation transcripts for quality assurance, complaint handling, or to fulfil a specific service request.

Under UK GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing if that decision produces significant legal or similarly significant effects. The routing decisions made by our AI are preparatory actions (selecting which category of provider to approach) — they do not constitute legally significant decisions. You may always request human review by emailing privacy@stirlingaccess.com.

5. Legal Basis for Processing

We process your data on the following legal bases:

  • Contract (Article 6(1)(b)): processing necessary to fulfil a service you have requested — quote submissions, booking assistance, account management.
  • Legitimate interests (Article 6(1)(f)): operating and improving the concierge service, routing enquiries to the most suitable providers, maintaining conversation continuity, security monitoring. We have balanced these interests against your rights and determined the processing is proportionate.
  • Consent (Article 6(1)(a)): building and retaining a preference profile; sending WhatsApp messages to travel companions you name; email newsletter subscriptions. You may withdraw consent at any time (see Section 12).
  • Legal obligation (Article 6(1)(c)): where we are required by law to retain or disclose data.

Where you choose to share sensitive personal data (such as identification documents or health/dietary information relevant to a booking), we process this on the basis of your explicit consent and, where applicable, because processing is necessary for the performance of a contract (Article 9(2)(a) and (b)). You are never required to share such data — it is offered only where you wish to use an advanced booking or fulfilment service.

6. How We Use Your Data

  • To provide the concierge service: understanding your needs and routing your enquiry to the appropriate service provider category.
  • To connect you with providers: sharing your relevant travel details with the broker, operator, or programme provider best matched to your needs (see Section 8).
  • To maintain continuity: storing conversation history and preference profiles so that returning clients do not need to repeat themselves.
  • To notify companions: sending opt-in WhatsApp messages to travel companions you name, so they receive flight details directly.
  • To manage your account: if you register an account, to provide access to your quote history, active enquiries, and saved preferences.
  • To communicate with you: transactional emails (quote status, booking updates), and newsletter content where you have subscribed.
  • To improve our service: reviewing anonymised conversation patterns to improve the concierge's accuracy and response quality.
  • For security and fraud prevention: detecting and preventing misuse of our platform.

7. When You Share Other People's Data With Us

During conversations with our concierge, you may share the personal data of other people — for example, a travel companion's name and phone number, a guest's dietary requirements, a PA's email address, or passport details for other passengers on a booking.

Your responsibility: By sharing another person's data with us, you confirm that you have their permission to do so, or that you are otherwise entitled to share it (for example, as a parent providing a child's details, or an employer providing an employee's travel details with their knowledge). You should make the other person aware that their data has been shared with Stirling Access and direct them to this privacy policy.

What we do with it: We use third-party data only for the specific purpose you have instructed — for example, adding them to a booking, sending them flight details, or making a reservation in their name. We do not add them to marketing lists, build profiles on them, or use their data for any purpose other than fulfilling your request.

How we handle it: When we first contact a third party on your behalf (for example, sending them a WhatsApp message with flight details), we will identify ourselves as Stirling Access acting on your instruction. If they ask us to stop contacting them or to delete their data, we will do so promptly.

Retention: Third-party data shared for a specific booking is retained only as long as necessary to fulfil that booking, then deleted within 30 days of the service date. We do not retain third-party data beyond this unless the third party becomes a client in their own right.

8. Data Sharing

We share personal data only in the following circumstances. We never sell personal data, and we never share it with third parties for advertising or marketing purposes.

7.1 Service providers and booking suppliers

When you use our concierge or booking service, we share the personal data necessary to fulfil your booking with the relevant provider. We only share the minimum data necessary for each booking. Here is what is shared with each type of provider:

  • Hotels and accommodation: your name, email, phone number, check-in and check-out dates, number of guests, and any special requests (accessibility needs, dietary requirements, room preferences). For some properties, passport or ID details may be required at check-in.
  • Airlines and flight booking platforms: your full name (as on passport), date of birth, passport number and expiry, nationality, email, phone number, and any special assistance requirements. This data is required by airlines and is mandatory for ticketing.
  • Private aviation brokers and operators: your name, contact details, route, dates, passenger count, and any specific requirements.
  • Ground transport (chauffeur and transfers): your name, phone number, pickup and drop-off locations, flight details (for airport transfers), and number of passengers.
  • Restaurants and dining venues: your name, phone number, number of guests, date and time, and any dietary requirements or allergies.
  • Experience and activity providers: your name, email, phone number, number of participants, and any relevant health, dietary, or accessibility information.
  • Property managers (villa and estate rentals): your name, contact details, dates, number of guests, and any special requirements.

International transfers: Where you book accommodation, flights, or experiences in countries outside the UK, your personal data will be transferred to providers in those countries to fulfil the booking. This transfer is necessary to perform the contract you have requested (UK GDPR Article 49(1)(b)). Once your data is with an overseas provider, it is subject to the data protection laws of that country. We will inform you before confirming any booking if your data will be transferred to a country without a UK adequacy decision.

Each provider operates under their own privacy policy and is independently responsible for their handling of your data once received. We do not control how providers use your data after it has been shared for the purpose of fulfilling your booking.

7.2 Technology and infrastructure sub-processors

We use the following sub-processors to operate Stirling Access:

  • Stripe, Inc. (USA) — Payment processing. When you make a payment, your card details are processed directly by Stripe. We do not store your full card number — Stripe handles this under PCI DSS compliance. Stripe is certified under the UK Extension to the EU-US Data Privacy Framework.
  • Twilio, Inc. (USA) — WhatsApp Business API and messaging infrastructure. Message delivery, phone number verification, and messaging metadata are processed by Twilio. Twilio is certified under the UK Extension to the EU-US Data Privacy Framework.
  • AI language model provider (USA) — Our concierge is powered by a large language model. Message content is processed via the provider's API to generate responses. The provider operates under a data processing agreement and does not use API inputs to train models.
  • Meta Platforms, Inc. (USA) — WhatsApp platform provider. Message metadata is processed by Meta in accordance with their WhatsApp Privacy Policy and Meta's Business Terms. Meta is certified under the EU-US Data Privacy Framework.
  • Cloud database provider (EU-hosted) — All client data, conversation histories, and preference profiles are stored in a cloud database hosted in EU infrastructure. The provider is a US-incorporated company operating under a data processing agreement.
  • Vercel, Inc. (USA) — Website hosting and serverless infrastructure. Data transits Vercel's edge network; no personal data is persistently stored at Vercel beyond standard request logs (30 days).
  • Resend, Inc. (USA) — Transactional email delivery. Email addresses and the content of transactional emails are processed by Resend to deliver notifications.
  • First-party analytics — Anonymous, cookieless website analytics built and operated by Ant vs Bear Ltd. All data stored in our own database. No personal data processed. No third-party analytics providers.

All sub-processors are bound by data processing agreements. Where data is transferred outside the UK, appropriate safeguards are in place including: the UK Extension to the EU-US Data Privacy Framework (for certified US companies), UK International Data Transfer Agreements, or Standard Contractual Clauses (UK Addendum). Supabase data is hosted in EU infrastructure (eu-west-2).

7.3 Legal disclosure

We will disclose personal data if required to do so by applicable law, court order, or regulatory authority, or where necessary to protect the safety of any person or the integrity of our systems.

9. WhatsApp — Specific Notice

Our WhatsApp concierge operates via the Meta WhatsApp Business API. By messaging our WhatsApp number, you acknowledge:

  • Your phone number, WhatsApp display name, and message content are transmitted to and processed by Meta Platforms under Meta's terms of service and privacy policy.
  • Message content is also received and processed by Stirling Access (via Ant vs Bear Ltd) and our AI sub-processor (Anthropic) as described in this policy.
  • End-to-end encryption applies between your device and Meta's servers. Message content is decrypted by Meta for delivery to the Business API and is then transmitted to our servers over TLS.
  • You may opt out of WhatsApp communications from Stirling Access at any time by sending the word STOP to our WhatsApp number, or by contacting us at privacy@stirlingaccess.com. Opting out will stop further proactive messages but will not delete your existing data (see Section 12 for erasure requests).

10. Data Retention

  • WhatsApp conversation history: retained for 36 months from your last active conversation, then deleted.
  • Preference profiles: retained while your profile is active. If you have not engaged with Stirling Access for 36 months, your profile is automatically deleted.
  • Companion passenger data: retained for 12 months from the date of the trip or from the date of consent request, whichever is later, then deleted.
  • Sensitive personal data (e.g. identification documents): retained only as long as necessary to fulfil the specific request for which it was provided, and deleted within 90 days of completion unless legal obligations require otherwise.
  • Booking records and transaction history: retained for 6 years after completion of the booking, as required for tax records (HMRC) and contractual claims (Limitation Act 1980), then deleted.
  • Payment records: retained for 6 years after the transaction for tax and legal compliance purposes.
  • Quote records (non-booked): retained for 36 months for operational purposes, then deleted.
  • Account data: retained while your account is active, plus 12 months after account closure.
  • Passport and ID documents (per-booking): deleted within 30 days of the travel date or booking completion, unless required by law.
  • Stored travel documents (at your request): retained while you have an active account and have consented to storage. Deleted on request, on account closure, or after 36 months of inactivity.
  • Contact form enquiries: retained for 12 months, then deleted.
  • Email subscriptions: retained until you unsubscribe.
  • Server logs: retained for 30 days, then automatically purged.
  • Anonymous analytics: aggregated, non-personal — retained indefinitely.

11. Security

We take the security of your personal data seriously. Our technical and organisational measures include:

  • All data in transit encrypted via TLS 1.2 or higher.
  • Database encryption at rest (Supabase AES-256).
  • Access controls: only authorised Ant vs Bear Ltd personnel may access personal data, and only for the purposes described in this policy.
  • Webhook signature verification for all inbound WhatsApp messages (HMAC-SHA256).
  • No plain-text storage of passwords or sensitive credentials.

No method of transmission or storage is completely secure. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR Article 33.

12. Your Rights Under UK GDPR

You have the following rights regarding your personal data, exercisable by contacting privacy@stirlingaccess.com:

  • Right of access (Article 15): to receive a copy of the personal data we hold about you.
  • Right to rectification (Article 16): to have inaccurate or incomplete data corrected.
  • Right to erasure (Article 17): to request deletion of your data, subject to legal obligations. To delete your WhatsApp profile and conversation history, email us or send DELETE MY DATA to our WhatsApp number.
  • Right to restrict processing (Article 18): to limit how we process your data while a dispute is resolved.
  • Right to data portability (Article 20): to receive your data in a structured, machine-readable format.
  • Right to object (Article 21): to processing based on legitimate interests. Where you object to processing for direct marketing purposes, we will stop immediately — this right is absolute.
  • Right to withdraw consent (Article 7(3)): at any time, for any processing based on consent (preference profiling, newsletter, WhatsApp outreach). Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Rights related to automated decision-making (Article 22): to request human review of any automated routing or profiling decision.

All rights requests are free of charge. We will respond within 30 days. In complex cases we may extend this by a further 60 days with notice. We may ask for identification to verify your request.

If you are dissatisfied with our handling of your data or your rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

13. Children

Stirling Access is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. Where we process a child's data as part of a family booking (for example, a minor's name and passport details for a flight booking), we do so on the basis of the parent or guardian's contract with us and with their consent. If you believe we have inadvertently collected data from a minor without parental consent, please contact us immediately at privacy@stirlingaccess.com.

14. Cookies

Stirling Access does not use advertising or tracking cookies. We use session cookies for account login functionality only. Our analytics are first-party and cookieless. For full details of all cookies and similar technologies used on this site, see our Cookie Policy.

15. Data From Third Parties

In some cases, we may receive personal data about you from sources other than you directly. This may include:

  • Referral partners: if another person or business refers you to Stirling Access, we may receive your name and contact details.
  • Booking platforms: when we book a service on your behalf, the supplier may share booking confirmation details back with us.
  • Travel companions: if another client names you as a travel companion, we may receive your name and contact details from them.

Where we receive your data from a third party, we will inform you of the source and the purposes of processing within one month or at the time of first contact, whichever is sooner, as required by UK GDPR Article 14.

16. Marketing Communications

We may send you marketing communications about Stirling Access services where:

  • You have given your consent (for example, subscribing to our newsletter); or
  • You are an existing client and the marketing relates to similar services to those you have previously used or enquired about (soft opt-in under the Privacy and Electronic Communications Regulations 2003).

Every marketing message includes an unsubscribe option. You can opt out at any time by clicking unsubscribe, emailing hello@stirlingaccess.com, or sending STOP to our WhatsApp number. Service messages relating to active bookings (confirmations, updates, changes) are not marketing and will continue regardless of your marketing preferences.

17. Changes to This Policy

We may update this policy as our services evolve or as legal requirements change. When we make material changes, we will:

  • Update the "last updated" date at the top of this page.
  • Notify active WhatsApp users via a message to their WhatsApp number.
  • Notify registered account holders via email.

Continued use of Stirling Access after a policy update constitutes acceptance of the revised terms.

18. Contact

For all privacy-related enquiries, rights requests, or concerns:

Ant vs Bear Ltd
128 City Road
London, EC1V 2NX
United Kingdom
privacy@stirlingaccess.com