Privacy Policy
1. About this Policy
This Privacy Policy explains how Aromathy collects, uses, stores, and shares personal data when you use our service. It applies to anyone who creates an account, starts a trial, or otherwise uses Aromathy.
It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR). UK and EU users have substantively the same rights under these regulations.
2. Who we are
aromathy Ltd (company number NI738147) is the data controller for personal data processed through the service.
- Registered office: Ground Floor, Gallery Building, 65-69 Dublin Road, Belfast, BT2 7HG
- Contact for data protection matters: [email protected]
Our processing does not currently meet the thresholds in UK GDPR Article 37 or EU GDPR Article 37 that would require appointment of a designated Data Protection Officer. We will reassess if our processing volumes or activities change. The contact above is monitored and responsive to data protection enquiries.
3. What data we collect
We collect the following categories of personal data:
3.1 Account data, provided by you at signup or through your account settings:
- Name
- Email address
- Business name
- Business address
- Phone number (where you choose to provide it)
3.2 Service data, generated through your use of the service:
- Safety Data Sheet (SDS) PDFs you upload
- Supplier and material records you create
- Formulas you build, including ingredients and percentages
- CLP labels you generate
- Burn and safety testing records, including any photos you upload
- Test cycles, observations, and notes
3.3 Payment data:
- Subscription status and tier
- Stripe customer ID and subscription ID
- Billing history (amounts and dates)
We never see or store your card number, CVV, or full card details. These are handled directly by Stripe under their own security and privacy controls.
3.4 Usage data:
- Which features you use and when
- Counts of SDS parses, label generations, and other rate-limited operations
- Login timestamps and session activity
- Error logs that may include the actions you took before an error
3.5 Technical data:
- IP address (anonymised in analytics where used)
- Browser type and version
- Device type and screen resolution
- Operating system
4. Legal basis for processing
We rely on the following legal bases under UK GDPR / EU GDPR Article 6:
4.1 Performance of a contract (Article 6(1)(b)) for: account data, service data, and payment data. This is the data we need to provide the service to you under the contract created by your acceptance of our Terms.
4.2 Legitimate interests (Article 6(1)(f)) for: usage data and technical data. Our legitimate interests are improving the service, monitoring for security incidents and abuse, and operating the platform reliably. We have considered the impact on you and believe these uses do not override your rights.
4.3 Consent (Article 6(1)(a)) for: any analytics or marketing cookies. As of this Policy's effective date, no analytics cookies are set, and no marketing cookies will ever be set. When analytics cookies are introduced, they will require explicit opt-in via a cookie banner.
4.4 Legal obligation (Article 6(1)(c)) for: any data we are required to retain for tax, accounting, or product safety regulation purposes.
5. Where data is stored
Your data is stored across the following infrastructure providers:
- Application data, files, and databases: Cloudflare (D1 databases, R2 object storage, Workers compute), with primary regions in the UK and EU
- Payment data: Stripe, with processing in the UK and EU
- Email delivery: Resend, for transactional emails (account verification, billing notifications, GDPR confirmation emails)
- AI processing of SDS uploads: Anthropic, the provider of the AI model used to extract hazard data from your uploaded SDSs (see section 8)
6. Subprocessors
We use the following third-party services to provide the platform. Each is contractually bound to handle personal data in accordance with applicable data protection law.
- Cloudflare, Inc.: hosting, storage, database, edge compute (UK, EU, global edge)
- Stripe: payment processing and subscription billing (UK, EU)
- Anthropic, PBC: AI-assisted SDS parsing (US, see section 7)
- Resend, Inc.: transactional email delivery (EU, US)
- Google Analytics (planned): anonymised usage analytics, opt-in only (EU, US)
We will update this list when subprocessors change. Material changes will be communicated by email or in-app notification.
7. International data transfers
Most of your data is processed within the UK and EU. Two transfers outside this region currently occur:
7.1 Anthropic (United States). When you upload an SDS, the document is sent to Anthropic's API to extract hazard data. Anthropic processes this transfer under Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. This transfer is necessary because the AI parsing capability that the platform depends on is currently available only via Anthropic's US-hosted API.
7.2 Resend (US edge regions). Transactional email delivery may route through US infrastructure for global delivery efficiency. This transfer is covered by SCCs.
We periodically review these transfers and will update this Policy when arrangements change (including if we move SDS parsing to a UK or EU AI provider).
8. AI processing of SDS uploads
8.1 Aromathy uses an AI model (currently Anthropic's Claude) to extract structured hazard data from the SDS PDFs you upload. This is the "AI-assisted SDS parsing" feature.
8.2 We use Anthropic's commercial API. Under Anthropic's commercial terms, Anthropic does not train its models on customer API content. Anthropic retains API request content for the period necessary to operate the service and detect misuse, in accordance with their published privacy policy at privacy.claude.com.
8.3 Reference: Anthropic's commercial terms and trust portal at anthropic.com/legal describe their data handling for API requests in detail.
8.4 The AI extracts hazard classifications, H/P statements, components, concentrations, flash points, and similar regulatory data from your SDS, and may include physical-chemical properties, ecological information, and disposal recommendations where present in the SDS. We then store the extracted structured data in our database alongside the original SDS PDF.
8.5 You retain ownership of the SDS you upload and the data extracted from it. We use it only to provide the CLP calculation and label generation services to you.
9. Retention periods
9.1 Active accounts. We retain your data for the duration of your active subscription.
9.2 Cancelled accounts (no deletion request). Data is retained for up to 90 days after cancellation, after which it is deleted unless you have re-subscribed.
9.3 Deleted accounts. After the 14-day deletion grace period (during which you can cancel the deletion), your account and personal data are deleted, subject to the CLP traceability exception in section 10.
9.4 Encrypted backups. Data may persist in encrypted, access-controlled backups for up to 30 days after deletion before being purged from the backup rotation.
9.5 Legal holds. Data subject to a legitimate legal hold, regulatory requirement, or accounting obligation may be retained for the period required by the relevant law.
10. CLP traceability exception
Where you have generated CLP-compliant labels for products you have placed on the market, we may retain anonymised label data, formula references, and traceability records for the period required by applicable UK and EU product safety regulations. This retention applies even after you have deleted your account or requested erasure of your personal data. We will minimise this retained data to what is strictly necessary for regulatory traceability and remove all directly identifying information where possible.
11. Your rights
Under UK GDPR and EU GDPR you have the following rights. You can exercise any of these rights, regardless of your subscription state, by emailing [email protected] or, where indicated, using the self-service tools in your account.
11.1 Right of access (Article 15). Request a copy of the personal data we hold about you. Use the data export endpoint in your account settings, or email us. The export is delivered as a ZIP archive containing structured JSON, your uploaded SDSs, generated label PDFs, and any photos you have uploaded.
11.2 Right to rectification (Article 16). Correct inaccurate or incomplete personal data. Most data is editable directly in your account settings; for anything you cannot edit, email us.
11.3 Right to erasure (Article 17). Request deletion of your personal data. Use the account deletion endpoint in your settings, or email us. This right is subject to the CLP traceability exception in section 10.
11.4 Right to data portability (Article 20). Receive your data in a structured, commonly used, machine-readable format. Our self-service export delivers a ZIP including JSON files for this purpose.
11.5 Right to restriction of processing (Article 18). Ask us to limit how we use your data while a question about it is resolved. Email us.
11.6 Right to object (Article 21). Object to processing based on legitimate interests, or to direct marketing (we do not currently send any). Email us.
11.7 Right to withdraw consent (Article 7(3)). Where we rely on your consent, you can withdraw it at any time. For analytics cookies (when introduced), use the cookie banner. For other consent-based processing, email us. Withdrawing consent does not affect the lawfulness of processing carried out before you withdrew it.
11.8 Response time. We aim to respond to all requests within one month, in line with UK GDPR Article 12. Where a request is complex or we receive several from you, we may extend this by a further two months and will tell you in the first month.
12. Cookies
12.1 Essential cookies. We set cookies necessary for the service to function, including:
- Session authentication cookies (keep you logged in)
- CSRF protection tokens (prevent cross-site request forgery)
- Security cookies (rate limiting, abuse detection)
These do not require consent under UK GDPR / EU GDPR because they are strictly necessary for the service you have requested.
12.2 Analytics cookies (planned). We intend to introduce Google Analytics for anonymised usage analytics. Analytics cookies will require your explicit opt-in via a cookie banner. Until that banner is implemented and the consent flow is live, no analytics cookies are set on your device. When the banner ships, you will be able to opt in or opt out at any time, and changing your choice will take effect immediately.
12.3 Marketing cookies. We do not set marketing or advertising cookies and have no current plans to do so.
13. Data breach notification
In the unlikely event of a personal data breach likely to result in a high risk to your rights and freedoms, we will:
13.1 Notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33.
13.2 Notify affected users without undue delay, in accordance with UK GDPR Article 34, with information about the nature of the breach, the likely consequences, and the steps we are taking in response.
EU users will be notified through the same process. The ICO acts as the lead supervisory authority for UK-established controllers; EU-based users retain the right to complain to their local supervisory authority.
14. Complaints
14.1 If you have a complaint about how we handle your personal data, please contact us first at [email protected] so we can attempt to resolve it.
14.2 You have the right to complain to a supervisory authority. The relevant authority depends on where you live:
- UK users: Information Commissioner's Office (ICO), ico.org.uk
- EU users: your local data protection authority. The European Data Protection Board (EDPB) maintains a directory of national authorities at edpb.europa.eu.
15. Changes to this Policy
15.1 We may update this Policy from time to time.
15.2 For material changes (changes that affect your rights, the categories of data we collect, or the legal bases on which we process), we will notify you by email at least 30 days before the new Policy takes effect.
15.3 The version date and effective date at the top of this document indicate when it was last updated. Continued use of the service after the effective date constitutes acknowledgement of the updated Policy.
16. Contact
For all data protection matters:
aromathy Ltd
[email protected]
Ground Floor, Gallery Building
65-69 Dublin Road
Belfast, BT2 7HG
17. Founding Test Phase data
This section covers the additional data we collect when you apply to the Founding Test Phase via aromathy.com/founding, which runs alongside our Cricut Joy Xtra giveaway. The general terms in Sections 1-16 still apply; this section adds the specifics.
17.1 What we collect via the founding form.
- Your name and email address (required)
- Your business or brand name (optional)
- What you create (candles, wax melts, diffusers, room sprays, soap, or other)
- Your business stage (just starting through to established)
- Your top operational pain points (up to three from a fixed list)
- Your self-attestation that you follow the Aromathy Facebook page and have joined the Aromathy Makers group
- An auto-generated referral code, and, if you arrived via someone else's referral link, the code that brought you in
- The IP address used to submit the form, for abuse protection only (see 17.5)
17.2 Why we process this data.
- To review and approve your founding tester application (contract / legitimate interests, Art. 6(1)(b) and (f) UK GDPR)
- To send you operational emails about your application, account activation, and (if applicable) the prize draw outcome (contract, Art. 6(1)(b))
- To run the Cricut Joy Xtra giveaway including referral attribution and the weighted random draw (contract; the giveaway terms at /competition-terms are the agreement)
- To inform the early product roadmap: your "what slows you down most" answers are aggregated to prioritise inventory, production, and compliance features (legitimate interests, Art. 6(1)(f))
17.3 Facebook follow / group membership verification. We ask you to confirm you follow the Aromathy page and have joined the Aromathy Makers group as part of the application. Facebook removed the relevant Graph API permissions in 2019, so we cannot programmatically check this. Verification is by self-attestation at the form, and by manual review against the group's member list before approval. If a founding tester or prize winner is found not to be a member, we may rescind the approval or the prize per the competition terms.
17.4 Marketing. Applying to the Founding Test Phase enrols you in operational and product-update emails about Aromathy. We send these sparingly. You can unsubscribe at any time using the link at the bottom of any such email. Unsubscribing does not affect operational emails about your tester account or the prize draw.
17.5 Abuse protection. We record the IP address you submit from and apply a per-IP rate limit to the application form to deter scripted abuse. IP addresses used purely for this purpose are not used for marketing and are discarded after 30 days.
17.6 Referral attribution. If you applied via someone else's referral link, your application is linked to their referral code so they can be credited (one entry per approved referral, capped at ten). The referrer does not see any of your personal data: they only see their own referral count and total weighted entries in their own account, after they are approved.
17.7 Winner publication. If you win the prize draw we may, with your separate consent given when we contact you, publish your first name and city or country in the Aromathy Makers group and on the Aromathy Facebook page. No publication happens without your reply confirming that you are happy for us to do so.
17.8 Retention. If you are approved as a founding tester your application data is retained alongside your account for as long as the account is active. If your application is rejected, the application row is retained for 6 months (to prevent re-applying with a known-ineligible address and to maintain a clear audit trail for the prize draw) and then deleted. Withdrawn or unsuccessful applications can be deleted on request at any time by emailing [email protected].
17.9 Your rights. Section 11 of this Policy lists your full rights under UK and EU GDPR. They all apply to data collected via the founding flow, including the right of access, erasure, and to object to processing.