Privacy Policy
1. Introduction
Aromathy Ltd ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Aromathy platform ("Service").
Aromathy Ltd is registered in Northern Ireland (company number NI738147) with its registered office at Ground Floor, Gallery Building, 65-69 Dublin Road, Belfast, BT2 7HG. We are the data controller for the purposes of UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Data We Collect
2.1 Account Information
When you create an account, we collect:
- Your name
- Email address
- Password (stored in hashed form only - we never store your actual password)
2.2 Business Information
To provide the Service, we collect:
- Business name
- Business address (used as the responsible person on CLP labels)
- Phone number
- Website URL (if provided)
2.3 Product and Formula Data
When you use the Service, we store:
- Product names, descriptions, types, and weights
- Formula compositions (ingredient names, percentages, and CAS numbers)
- Safety Data Sheet documents (PDFs uploaded by you)
- Parsed SDS data (hazard classifications, H-statements, P-statements, allergens)
- Generated CLP labels
- UFI codes
- Supplier names, product catalogues, and pricing
2.4 Payment Information
Payment is processed by Stripe. We do not store your full credit or debit card details. Stripe provides us with a token, the last four digits of your card, the card brand, and the expiry date for display purposes. For full details of how Stripe handles your payment data, see Stripe's privacy policy at https://stripe.com/privacy.
2.5 Usage Data
We collect information about how you use the Service, including:
- Pages visited and features used
- Number of labels generated
- Login dates and times
- Browser type and device information
- IP address
2.6 Communications
If you contact us by email, we retain the content of those communications.
3. How We Use Your Data
We use your data for the following purposes:
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Providing the Service (label generation, SDS parsing, formula management) | Performance of contract (Article 6(1)(b)) |
| Processing payments | Performance of contract (Article 6(1)(b)) |
| Sending service-related communications (billing, account changes, important updates) | Performance of contract (Article 6(1)(b)) |
| Improving the Service and fixing bugs | Legitimate interests (Article 6(1)(f)) |
| Preventing fraud and abuse | Legitimate interests (Article 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)) |
| Sending marketing communications (only with your consent) | Consent (Article 6(1)(a)) |
We do not sell your personal data to third parties. We do not use your formula or product data for any purpose other than providing the Service to you.
4. Safety Data Sheets
SDS documents you upload contain chemical safety information provided by your suppliers. We process these documents solely to extract hazard classification data for your CLP labels. We do not share your SDS documents with other users or third parties. SDS documents are stored securely in encrypted cloud storage.
5. Who We Share Your Data With
We share your data only with the following categories of third parties, and only as necessary to provide the Service:
- Stripe - payment processing
- Cloudflare - hosting, content delivery, and security
- Anthropic (Claude AI) - SDS document parsing (SDS content is sent to the AI for data extraction; no personal data is included in these requests)
We do not share your data with advertisers, data brokers, or any other third parties for marketing purposes.
If we are required by law to disclose your data (for example, in response to a court order or regulatory request), we will do so, and we will notify you where legally permitted.
6. Where Your Data Is Stored
Your data is stored on servers operated by Cloudflare. Data may be processed in the United Kingdom, the European Economic Area, and the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Cloudflare's standard contractual clauses and their compliance with relevant data protection frameworks.
7. How Long We Keep Your Data
| Data type | Retention period |
|---|---|
| Account and business information | Duration of account plus 90 days after cancellation |
| Product and formula data | Duration of account plus 90 days after cancellation |
| Safety Data Sheets | Duration of account plus 90 days after cancellation |
| Generated CLP labels | Duration of account plus 90 days after cancellation |
| Payment records | 7 years (legal requirement for financial records) |
| Usage data | 26 months |
| Communications | 3 years |
If your account is terminated for breach of our Terms of Service, data is retained for 30 days before deletion.
8. How We Protect Your Data
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest for stored data
- Password hashing (we never store plaintext passwords)
- Access controls limiting who can access your data
- Regular security reviews
While we take reasonable steps to protect your data, no method of transmission or storage is completely secure. We cannot guarantee absolute security.
9. Your Rights
Under UK GDPR, you have the following rights:
- Right of access - request a copy of the personal data we hold about you
- Right to rectification - request correction of inaccurate data
- Right to erasure - request deletion of your data (subject to legal retention requirements)
- Right to restrict processing - request that we limit how we use your data
- Right to data portability - request your data in a structured, commonly used format
- Right to object - object to processing based on legitimate interests
- Right to withdraw consent - where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at [email protected]. We will respond within one month.
10. Cookies
The Service uses cookies to maintain your login session and remember your preferences. We use:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Session cookie | Keeps you logged in | Essential | Browser session |
| Authentication token | Authenticates your requests | Essential | 30 days |
We do not use advertising cookies, tracking cookies, or third-party analytics cookies. We do not use Google Analytics or similar tracking services.
If we introduce any non-essential cookies in the future, we will obtain your consent before setting them.
11. Marketing Communications
We will only send you marketing emails if you have given your explicit consent. You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting us.
Service-related communications (such as billing confirmations, important account notices, and security alerts) are not marketing and will be sent regardless of your marketing preferences, as they are necessary for the performance of our contract with you.
12. Children
The Service is not directed at individuals under 18 years of age. We do not knowingly collect data from children. If we become aware that we have collected data from a child, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified to you via email or a prominent notice within the Service. The "last updated" date at the top of this policy indicates when it was last revised.
14. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's OfficeWycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
https://ico.org.uk
Telephone: 0303 123 1113
15. Contact
For any questions about this Privacy Policy or your personal data, contact:
Aromathy LtdGround Floor, Gallery Building
65-69 Dublin Road
Belfast, BT2 7HG
Email: [email protected]