1. Who we are
This Privacy Policy explains how Aristral Ltd (“Aristral”, “we”, “us”, or “our”) collects, uses, and safeguards personal data when you use aristral.com or engage our services. We are the data controller for the personal data described below — full controller details are in the card at the top of this page.
2. What we collect
- Contact details you provide via the contact form or booking flow (name, email, phone, company, message content).
- Booking metadata when you schedule a call via Calendly (chosen time, timezone, answers to intake questions).
- Usage data collected by analytics and session-replay tools (pages viewed, referrer, approximate location, device and browser).
- Cookie identifiers placed only after you accept non-essential cookies via the consent banner.
- Engagement records from any project you commission (project briefs, deliverables, invoices, correspondence).
3. Lawful basis
We rely on the following lawful bases under UK GDPR Article 6:
- Consent — analytics and marketing cookies, marketing emails. You can withdraw at any time.
- Legitimate interest — responding to enquiries, securing the site, basic server logs, fraud prevention.
- Contract — delivering services you have commissioned and the related billing.
- Legal obligation — accounting records, tax filings, and statutory retention.
4. Third-party processors
We share personal data with the following processors strictly to deliver the services they support. International transfers are protected by Standard Contractual Clauses (SCCs) where applicable.
| Processor | Purpose | Transfer |
|---|---|---|
| Google Analytics 4 | Aggregated traffic analytics | USA (SCCs) |
| Google Tag Manager | Tag orchestration for analytics and marketing | USA (SCCs) |
| Meta Pixel (Facebook) | Conversion measurement and remarketing | USA (SCCs) |
| Microsoft Clarity | Session replay and heatmap analytics | USA (SCCs) |
| Calendly | Booking and scheduling for strategy calls | USA (SCCs) |
| Formspree | Contact form submission handling | USA (SCCs) |
| Cloudflare | Edge delivery, DDoS protection, and bot management | Global edge network |
See our Cookie Policy for the specific cookies each tool sets.
5. Retention
- Enquiry and booking data: 24 months from last contact, unless we begin a paid engagement.
- Client project and billing records: 6 years from end of engagement (HMRC requirement).
- Analytics data: retention defaults of each platform (typically 14–26 months for GA4).
- Session-replay recordings (Microsoft Clarity): 30 days.
- Marketing email lists: until consent is withdrawn.
6. Your rights
Under UK GDPR you have the following rights. To exercise any of them, email admin@aristral.com. We will respond within one calendar month.
Right of access
Request a copy of the personal data we hold about you.
Right to rectification
Ask us to correct inaccurate or incomplete data.
Right to erasure
Request deletion of your data where there is no overriding lawful basis to retain it.
Right to restrict processing
Limit how we use your data in certain circumstances.
Right to data portability
Receive your data in a structured, machine-readable format.
Right to object
Object to processing based on legitimate interest, including direct marketing.
Right to withdraw consent
Where we rely on consent, you can withdraw it at any time without affecting prior lawful processing.
7. Complaints
If you are unhappy with how we handle your data, please contact us first at admin@aristral.com. You also have the right to lodge a complaint with the UK's data-protection regulator, the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint.
8. Security
We use industry-standard technical and organisational measures including TLS 1.3 in transit, encrypted storage, role-based access controls, and least-privilege principles. We are hosted on Cloudflare's edge network with managed DDoS and WAF protection. Where engagements involve sensitive data we agree bespoke security controls in the engagement contract.
9. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email where we hold one, or via a prominent notice on the site. The “last updated” date at the top of this page always reflects the current version.