PRIVACY POLICY
ArthOny Media Privacy Policy
1. Introduction
1.1 Who we are
ArthOny™ Media (“we,” “us,” “our”) is a digital content publisher and educator operating in the United Kingdom. We publish ebooks, online courses, Learning Path content, blog articles, and other digital resources through our website at https://arthony.org/ (the “Site”).
Legal Entity: ArthOny™ Media & Publications
Registered Address: Scotland, United Kingdom
Contact Email: privacy@arthony.org
1.2 Our commitment to your privacy
We are committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you visit our Site, purchase our Products, use our Services, or otherwise interact with us.
This Privacy Policy is written in accordance with the UK General Data Protection Regulation (UK GDPR) as amended by the Data (Use and Access) Act 2025 (DUAA), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
1.3 Your rights
You have important rights over your personal data. These include the right to access, correct, delete, restrict, or object to our use of your data, as well as the right to data portability. We explain these rights in detail in Section 9 below.
If you have any questions about this Privacy Policy or how we handle your data, please contact us using the details in Section 12.
2. Information We Collect
We collect and process several categories of personal data about you, depending on how you interact with us.
2.1 Information you provide directly
Account and registration information:
- Name, email address, username, password (stored in hashed form)
- Postal address, billing address, phone number (if you provide them)
- Date of birth or age confirmation (to verify you are 18+)
- Communication preferences and account settings
Purchase and transaction information:
- Order history, product selections, and purchase dates
- Billing and payment information (processed securely by third‑party payment processors—we do not store full credit card details on our servers)
- VAT number or business details (if purchasing as a business)
Communications and support:
- Messages you send us via email, contact forms, support tickets, or live chat
- Survey responses, feedback, reviews, testimonials
- Information you provide when entering competitions, promotions, or events
User‑Generated Content (UGC):
- Comments, reviews, forum posts, course submissions, and discussion board contributions
- Profile pictures, bios, or other content you upload to your public profile
2.2 Information we collect automatically
Technical and usage data:
When you visit our Site, we automatically collect certain information through cookies, log files, and similar technologies:
- Device information: IP address, browser type and version, operating system, device type (desktop, mobile, tablet), screen resolution
- Usage information: Pages visited, time and date of visits, time spent on pages, referring website or URL, search terms used, download history
- Location data: Approximate geographic location inferred from IP address (city/country level, not precise location)
- Cookies and tracking technologies: Information collected via cookies, web beacons, pixels, and similar technologies (see our separate Cookie Policy for full details)
Email and marketing analytics:
- Email open rates, click‑through rates, bounce rates, unsubscribe actions
- Interaction with marketing campaigns and newsletters
2.3 Information from third parties
Payment processors:
- Transaction confirmation, payment status, and refund information from Stripe, PayPal, or other payment providers
Social media and authentication services:
- If you register or log in using a third‑party service (e.g., Google, Facebook, Apple), we may receive your name, email address, and profile picture from that service, subject to your privacy settings with that provider
Affiliate and advertising partners:
- Anonymised or aggregated analytics and attribution data from affiliate networks, advertising platforms, and analytics providers (e.g., Google Analytics, Meta Pixel)
Public sources:
- Publicly available information (e.g., from business directories, social media profiles), where relevant to our business relationship with you
2.4 Special category data
We do not intentionally collect or process special category (sensitive) personal data such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.
If you voluntarily provide such information (e.g., in a support message or course submission), we will handle it with appropriate safeguards and only use it to respond to your specific request.
2.5 Children’s data
Our Site, Products, and Services are not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age.
If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately, and we will delete the information.
3. How and Why We Use Your Information
We use your personal data for the purposes described below, based on one or more lawful bases under UK GDPR.
3.1 To provide our Products and Services (Contract Performance)
Lawful basis: Processing is necessary to perform our contract with you (Article 6(1)(b) UK GDPR)
- Process your orders and deliver digital content (ebooks, courses, downloads)
- Create and manage your account
- Process payments and issue invoices/receipts
- Provide customer support and respond to your enquiries
- Deliver subscription content and manage renewals
- Authenticate your identity and manage account security
3.2 To comply with legal obligations (Legal Obligation)
Lawful basis: Processing is necessary to comply with a legal obligation (Article 6(1)(c) UK GDPR)
- Maintain accounting, tax, and business records as required by UK law (Companies Act 2006, HMRC regulations)
- Comply with court orders, legal processes, or regulatory requests
- Prevent fraud, money laundering, and other illegal activity
- Respond to data subject access requests and other statutory rights
Retention: Financial and tax records are retained for 6 years plus the current year in accordance with HMRC and Companies Act requirements.
3.3 For our legitimate interests (Legitimate Interests)
Lawful basis: Processing is necessary for our legitimate interests or those of a third party, provided your rights and freedoms do not override those interests (Article 6(1)(f) UK GDPR)
Our legitimate interests include:
Improving and personalising the Site and Services:
- Analyse usage patterns and user behaviour to improve content, layout, and functionality
- Personalise your experience, recommend relevant products and content
- Conduct A/B testing and user experience research
Marketing and business development:
- Send service‑related communications (transactional emails, account updates, security alerts)
- Promote our Products, Services, blog content, and special offers to existing customers (where permitted under PECR)
- Analyse the effectiveness of our marketing campaigns
- Develop new products, features, and services
Security, fraud prevention, and legal defence:
- Protect the Site from security threats, hacking, and abuse
- Detect and prevent fraudulent transactions and payment disputes
- Enforce our Terms and Conditions and other policies
- Defend or pursue legal claims
Business operations and administration:
- Manage internal record‑keeping, reporting, and business analysis
- Facilitate mergers, acquisitions, or sales of business assets
- Communicate with suppliers, partners, and professional advisers
We have carefully balanced our legitimate interests against your rights and freedoms. You have the right to object to processing based on legitimate interests—see Section 9.5 below.
3.4 With your consent (Consent)
Lawful basis: You have given clear, affirmative consent (Article 6(1)(a) UK GDPR)
- Marketing emails and newsletters: We will send you promotional emails, newsletters, and special offers only if you have opted in (or, for existing customers, under the “soft opt‑in” rule where relevant under PECR)
- Optional cookies and tracking technologies: Non‑essential cookies (analytics, advertising, personalisation) are placed only with your explicit consent via our cookie policy
- User‑Generated Content publication: Displaying your name, profile, or content publicly (e.g., publishing testimonials or reviews with your name)
You may withdraw your consent at any time by unsubscribing from emails, adjusting your cookie preferences, or contacting us. Withdrawal does not affect the lawfulness of processing before
3.5 Summary table: Purposes and lawful bases
| Purpose | Lawful Basis |
|---|---|
| Order fulfilment, account management, customer support | Contract performance (Art. 6(1)(b)) |
| Payment processing, invoicing | Contract performance (Art. 6(1)(b)) |
| Tax, accounting, and legal compliance | Legal obligation (Art. 6(1)(c)) |
| Fraud prevention, security, and legal defence | Legitimate interests (Art. 6(1)(f)) |
| Site analytics, improvement, and personalisation | Legitimate interests (Art. 6(1)(f)) or Consent (Art. 6(1)(a)) |
| Marketing to existing customers (soft opt‑in) | Legitimate interests (Art. 6(1)(f)) under PECR |
| Marketing to new prospects, promotional emails | Consent (Art. 6(1)(a)) |
| Optional cookies (analytics, advertising) | Consent (Art. 6(1)(a)) |
4. How We Share Your Information
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
We share your personal data only in the limited circumstances described below, and only with appropriate safeguards in place.
4.1 Service providers and processors
We engage trusted third‑party service providers to help us operate the Site and deliver our Services. These providers act as data processors on our behalf and are contractually obliged to process your data only as instructed by us and in compliance with UK GDPR.
Categories of processors include:
- Payment processors: Stripe, PayPal, or other payment gateways (to process transactions securely)
- Email and marketing platforms: Mailchimp, SendGrid, or similar (to send transactional and marketing emails)
- Hosting and cloud infrastructure: Amazon Web Services (AWS), Google Cloud, DigitalOcean, or similar (to host the Site and store data)
- Content delivery networks (CDNs): Cloudflare or similar (to deliver content quickly and securely)
- Analytics and tracking services: Google Analytics, Meta Pixel, Hotjar (to analyse usage and improve the Site)
- Customer support tools: Zendesk, Intercom, or similar (to manage support tickets and live chat)
- Affiliate and advertising platforms: Amazon Associates, Google AdSense, Facebook Ads, impact.com (to manage affiliate links and advertising campaigns)
4.2 Legal and regulatory authorities
We may disclose your personal data to law enforcement, regulatory bodies, courts, or government agencies when required or permitted by law, including:
- In response to a court order, subpoena, or legal process
- To comply with legal or regulatory obligations (e.g., tax authorities, Information Commissioner’s Office)
- To protect our rights, property, safety, or that of our users or the public
- To detect, prevent, or investigate fraud, security breaches, or illegal activity
4.3 Business transfers
If ArthOny Media is involved in a merger, acquisition, asset sale, reorganisation, or similar transaction, your personal data may be transferred to the acquiring entity or successor, subject to the same protections as set out in this Privacy Policy. We will notify you of any such change via email or prominent notice on the Site.
4.4 With your consent or at your direction
We may share your personal data with third parties when you have given explicit consent or when you direct us to do so (e.g., by authorising integration with a third‑party app or service).
4.5 Aggregated and anonymised data
We may share aggregated, anonymised, or de‑identified data that does not identify you personally with partners, advertisers, researchers, or the public (e.g., “50% of our users are from the UK”). Such data is not considered personal data under UK GDPR.
5. International Data Transfers
5.1 Where your data is processed
ArthOny Media is based in the United Kingdom. However, some of our service providers and processors may be located in, or process data in, countries outside the UK and European Economic Area (EEA), including the United States.
5.2 Safeguards for international transfers
Where we transfer your personal data outside the UK/EEA, we ensure appropriate safeguards are in place, including:
- Adequacy decisions: Transferring data to countries that the UK Government or European Commission has deemed to provide an adequate level of data protection (e.g., EEA countries, certain approved countries)
- Standard Contractual Clauses (SCCs): Using UK GDPR‑approved Standard Contractual Clauses with processors in third countries
- Binding Corporate Rules (BCRs): Where processors have approved BCRs in place
- Processor certifications: Ensuring processors comply with recognised frameworks such as the EU‑U.S. Data Privacy Framework (where applicable)
You have the right to request further information about the safeguards we use for international transfers—contact us at mail@arthony.org.
6. Data Retention: How Long We Keep Your Information
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, and to resolve disputes.
6.1 Retention periods by data type
| Data Type | Retention Period | Reason |
|---|---|---|
| Account and profile data | As long as your account is active, plus 6 months after account closure | To provide Services and allow reactivation |
| Purchase and transaction records | 6 years plus the current year after the transaction date | HMRC and Companies Act requirements |
| Payment information | Not stored (handled by payment processors); transaction logs retained for 6 years | Legal and accounting obligations |
| Marketing and communications data | Until you unsubscribe or withdraw consent, then 6 months for suppression lists | To honour opt‑out preferences and prevent re‑contact |
| Support and correspondence | 3 years after the last interaction | To maintain service quality and resolve disputes |
| Technical logs and analytics | 12–24 months | To improve Site performance and security |
| Cookie data | Varies by cookie type: strictly necessary (session/1 year), analytics/advertising (upon withdrawal of consent or 13 months max) | See Cookie Policy |
| Legal and compliance records | 6 years or longer if required by an ongoing legal matter | Legal defence and regulatory compliance |
6.2 Deletion and anonymisation
After the applicable retention period, we will:
- Securely delete your personal data from our active systems, or
- Anonymise it so that it can no longer identify you (anonymised data may be retained indefinitely for research and analytics)
6.3 Your right to request early deletion
You have the right to request deletion of your personal data before the end of the retention period, subject to our legal obligations and legitimate interests (see Section 9.3 below).
7. Data Security
7.1 How we protect your data
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, alteration, or disclosure.
Our security measures include:
- Encryption: Sensitive data (including passwords) is encrypted in transit (using SSL/TLS) and at rest
- Access controls: Role‑based access controls ensure that only authorised personnel can access personal data on a need‑to‑know basis
- Secure infrastructure: Hosting with reputable, security‑certified cloud providers (e.g., AWS, Google Cloud)
- Regular security testing: Vulnerability scanning, penetration testing, and security audits
- Employee training: Staff are trained on data protection principles and security best practices
- Incident response: We have procedures in place to detect, respond to, and report data breaches
7.2 Your responsibilities
You are responsible for:
- Keeping your account password secure and confidential
- Using strong, unique passwords
- Logging out of your account when using shared or public devices
- Notifying us immediately if you suspect unauthorised access to your account
7.3 No absolute security
While we take all reasonable steps to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, and you acknowledge that you provide information at your own risk.
7.4 Data breach notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, and within 72 hours of becoming aware of the breach (where required by UK GDPR), and will report the breach to the Information Commissioner’s Office (ICO) as required by law.
8. Your Rights Under UK GDPR
You have the following rights over your personal data under UK GDPR. These rights are subject to certain conditions and exemptions.
8.1 Right of access (Subject Access Request)
You have the right to request a copy of the personal data we hold about you, along with information about how we use it.
How to exercise: Email us at [insert email] with “Subject Access Request” in the subject line. Include sufficient information to identify you (e.g., account email, order number).
Response time: We will respond within one month of receipt (or up to three months for complex requests, with notification of the extension).
Fee: Access requests are normally free of charge, unless your request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse the request.
Identity verification: We may request additional information to verify your identity before responding, in accordance with the Data (Use and Access) Act 2025.
8.2 Right to rectification
You have the right to request correction of inaccurate or incomplete personal data we hold about you.
How to exercise: Update your profile information in your account dashboard, or contact us at [insert email] with details of the corrections needed.
Response time: One month from request.
8.3 Right to erasure (“right to be forgotten”)
You have the right to request deletion of your personal data in certain circumstances:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent (where processing was based on consent)
- You object to processing based on legitimate interests, and we have no overriding legitimate grounds
- The data was unlawfully processed
- Deletion is required to comply with a legal obligation
Exceptions: We may refuse erasure if we need to retain the data to:
- Comply with legal obligations (e.g., tax and accounting records for 6–7 years)
- Establish, exercise, or defend legal claims
- Fulfil an ongoing contract with you
How to exercise: Contact us at [insert email] or use the account closure feature (if available).
8.4 Right to restriction of processing
You have the right to request that we restrict (pause) processing of your personal data in certain circumstances:
- You contest the accuracy of the data (restriction applies while we verify accuracy)
- Processing is unlawful, but you do not want erasure
- We no longer need the data, but you need it to establish, exercise, or defend a legal claim
- You have objected to processing based on legitimate interests (restriction applies while we verify whether our legitimate grounds override yours)
How to exercise: Contact us at mail@arthony.org.
8.5 Right to object
Object to processing based on legitimate interests:
You have the right to object to the processing of your personal data based on our legitimate interests (Article 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.
Object to direct marketing:
You have an absolute right to object to processing for direct marketing purposes at any time. We will stop processing your data for marketing immediately upon receipt of your objection.
How to exercise:
- Marketing emails: Click the “Unsubscribe” link in any marketing email, or adjust your preferences in your account dashboard
- Other objections: Contact us at [insert email]
8.6 Right to data portability
Where we process your personal data based on your consent or for contract performance, and processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine‑readable format (e.g., CSV, JSON), and to transmit it to another controller.
How to exercise: Contact us at [insert email] specifying the data you wish to receive.
8.7 Rights related to automated decision‑making and profiling
The Data (Use and Access) Act 2025 has updated the rules on automated decision‑making.
We do not currently use solely automated decision‑making (including profiling) that produces legal effects or similarly significantly affects you.
If we were to implement such processing in the future, you would have the right to:
- Be informed of the logic involved
- Request human intervention
- Express your point of view
- Challenge the decision
8.8 How to exercise your rights
To exercise any of the rights described above:
- Email us at mail@arthony.org with your request
- Include sufficient information to identify you (name, account email, order number)
- Specify which right you wish to exercise and provide relevant details
- Verify your identity: We may request additional information or documentation to confirm your identity before processing your request (this is to protect your data from unauthorised access)
Response time: We will respond to your request within 1 month (or up to 3 months for complex requests, with advance notice of any extension).
No fee: Exercising your rights is normally free of charge, unless your request is manifestly unfounded, excessive, or repetitive.
8.9 Right to complain to the ICO
If you are unhappy with how we have handled your personal data or your rights request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection.
Contact the ICO:
- Website: https://ico.org.uk/make-a-complaint/
- Phone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We encourage you to contact us first so we can try to resolve your concern directly.
9. Marketing Communications
9.1 Promotional emails and newsletters
We will send you marketing emails, newsletters, special offers, and promotional content only if:
- You have opted in (given explicit consent), or
- Soft opt‑in applies: You are an existing customer, we obtained your email during a sale or negotiation, the marketing relates to similar products/services, and you were given an easy opportunity to opt out at the time and in every subsequent message (in accordance with PECR)
9.2 How to unsubscribe
You can unsubscribe from marketing communications at any time by:
- Clicking the “Unsubscribe” link in any marketing email
- Logging into your account and updating your communication preferences
- Emailing us at [insert email] with “Unsubscribe” in the subject line
Note: Even if you unsubscribe from marketing emails, we will still send you essential service‑related communications (order confirmations, account notifications, security alerts, legal notices) as these are necessary to fulfil our contract with you.
9.3 Third‑party marketing
We do not share your personal data with third parties for their own marketing purposes without your explicit consent.
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our Site to enhance your experience, analyse usage, and deliver personalised content and advertising.
Full details about the cookies we use, their purposes, and how to manage your preferences are provided in our separate Cookie Policy.
Key points:
- Strictly necessary cookies are used to provide essential Site functions and do not require consent
- Analytics, advertising, and personalisation cookies require your explicit consent before being placed
- You can manage your cookie preferences at any time via our cookie banner or browser settings
- For more information, see our Cookie Policy.
11. Third‑Party Websites and Services
Our Site may contain links to third‑party websites, platforms, products, or services (including affiliate links, social media, and partner sites).
We are not responsible for the privacy practices, content, or terms of use of third‑party sites. When you click a link and leave our Site, you are subject to the privacy policy and terms of the destination site.
We encourage you to read the privacy policies of every website you visit.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations.
When we make material changes, we will:
- Update the “Last Updated” date at the top of this document
- Notify you by email (if you have an account) or by prominent notice on the Site
- Where required by law, obtain your fresh consent for any new processing activities
We recommend that you review this Privacy Policy periodically to stay informed about how we protect your data.
Your continued use of the Site after changes have been notified constitutes acceptance of the updated Privacy Policy.
13. Contact Us and Data Protection Officer
If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your rights, please contact us:
ArthOny Media
Email: privacy@arthony.org or mail@arthony.org
For complaints or escalation: You may also contact the Information Commissioner’s Office (ICO):
- Website: https://ico.org.uk/
- Helpline: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
END OF PRIVACY POLICY