Privacy Policy

Aromathy Ltd
Last updated: 22 February 2026

1. Introduction

Aromathy Ltd ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Aromathy platform ("Service").

Aromathy Ltd is registered in Northern Ireland (company number NI738147) with its registered office at Ground Floor, Gallery Building, 65-69 Dublin Road, Belfast, BT2 7HG. We are the data controller for the purposes of UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What Data We Collect

2.1 Account Information

When you create an account, we collect:

Your name
Email address
Password (stored in hashed form only - we never store your actual password)

2.2 Business Information

To provide the Service, we collect:

Business name
Business address (used as the responsible person on CLP labels)
Phone number
Website URL (if provided)

2.3 Product and Formula Data

When you use the Service, we store:

Product names, descriptions, types, and weights
Formula compositions (ingredient names, percentages, and CAS numbers)
Safety Data Sheet documents (PDFs uploaded by you)
Parsed SDS data (hazard classifications, H-statements, P-statements, allergens)
Generated CLP labels
UFI codes
Supplier names, product catalogues, and pricing

2.4 Payment Information

Payment is processed by Stripe. We do not store your full credit or debit card details. Stripe provides us with a token, the last four digits of your card, the card brand, and the expiry date for display purposes. For full details of how Stripe handles your payment data, see Stripe's privacy policy at https://stripe.com/privacy.

2.5 Usage Data

We collect information about how you use the Service, including:

Pages visited and features used
Number of labels generated
Login dates and times
Browser type and device information
IP address

2.6 Communications

If you contact us by email, we retain the content of those communications.

3. How We Use Your Data

We use your data for the following purposes:

Purpose	Legal basis (UK GDPR)
Providing the Service (label generation, SDS parsing, formula management)	Performance of contract (Article 6(1)(b))
Processing payments	Performance of contract (Article 6(1)(b))
Sending service-related communications (billing, account changes, important updates)	Performance of contract (Article 6(1)(b))
Improving the Service and fixing bugs	Legitimate interests (Article 6(1)(f))
Preventing fraud and abuse	Legitimate interests (Article 6(1)(f))
Complying with legal obligations	Legal obligation (Article 6(1)(c))
Sending marketing communications (only with your consent)	Consent (Article 6(1)(a))

We do not sell your personal data to third parties. We do not use your formula or product data for any purpose other than providing the Service to you.

4. Safety Data Sheets

SDS documents you upload contain chemical safety information provided by your suppliers. We process these documents solely to extract hazard classification data for your CLP labels. We do not share your SDS documents with other users or third parties. SDS documents are stored securely in encrypted cloud storage.

5. Who We Share Your Data With

We share your data only with the following categories of third parties, and only as necessary to provide the Service:

Stripe - payment processing
Cloudflare - hosting, content delivery, and security
Anthropic (Claude AI) - SDS document parsing (SDS content is sent to the AI for data extraction; no personal data is included in these requests)

We do not share your data with advertisers, data brokers, or any other third parties for marketing purposes.

If we are required by law to disclose your data (for example, in response to a court order or regulatory request), we will do so, and we will notify you where legally permitted.

6. Where Your Data Is Stored

Your data is stored on servers operated by Cloudflare. Data may be processed in the United Kingdom, the European Economic Area, and the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Cloudflare's standard contractual clauses and their compliance with relevant data protection frameworks.

7. How Long We Keep Your Data

Data type	Retention period
Account and business information	Duration of account plus 90 days after cancellation
Product and formula data	Duration of account plus 90 days after cancellation
Safety Data Sheets	Duration of account plus 90 days after cancellation
Generated CLP labels	Duration of account plus 90 days after cancellation
Payment records	7 years (legal requirement for financial records)
Usage data	26 months
Communications	3 years

If your account is terminated for breach of our Terms of Service, data is retained for 30 days before deletion.

8. How We Protect Your Data

We implement appropriate technical and organisational measures to protect your data, including:

Encryption in transit (TLS/HTTPS)
Encryption at rest for stored data
Password hashing (we never store plaintext passwords)
Access controls limiting who can access your data
Regular security reviews

While we take reasonable steps to protect your data, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

9. Your Rights

Under UK GDPR, you have the following rights:

Right of access - request a copy of the personal data we hold about you
Right to rectification - request correction of inaccurate data
Right to erasure - request deletion of your data (subject to legal retention requirements)
Right to restrict processing - request that we limit how we use your data
Right to data portability - request your data in a structured, commonly used format
Right to object - object to processing based on legitimate interests
Right to withdraw consent - where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at [email protected]. We will respond within one month.

10. Cookies

The Service uses cookies to maintain your login session and remember your preferences. We use:

Cookie	Purpose	Type	Duration
Session cookie	Keeps you logged in	Essential	Browser session
Authentication token	Authenticates your requests	Essential	30 days

We do not use advertising cookies, tracking cookies, or third-party analytics cookies. We do not use Google Analytics or similar tracking services.

If we introduce any non-essential cookies in the future, we will obtain your consent before setting them.

11. Marketing Communications

We will only send you marketing emails if you have given your explicit consent. You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting us.

Service-related communications (such as billing confirmations, important account notices, and security alerts) are not marketing and will be sent regardless of your marketing preferences, as they are necessary for the performance of our contract with you.

12. Children

The Service is not directed at individuals under 18 years of age. We do not knowingly collect data from children. If we become aware that we have collected data from a child, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified to you via email or a prominent notice within the Service. The "last updated" date at the top of this policy indicates when it was last revised.

14. Complaints

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
https://ico.org.uk
Telephone: 0303 123 1113

15. Contact

For any questions about this Privacy Policy or your personal data, contact:

Aromathy Ltd
Ground Floor, Gallery Building
65-69 Dublin Road
Belfast, BT2 7HG
Email: [email protected]