Cookie policy

Effective date: 10 June 2026 · Last reviewed: 10 June 2026 · Version 1.0

Operator: Growwwth Lab Limited, a private limited company incorporated in England and Wales under company number 11873185, having its registered office at 42 Bloom Heights, River Rise Close, London SE8 5FT (the "Controller," "we," "our," or "us").

Website: arborlink.uk
Contact: partners@arborlink.uk

1. Purpose of the present notice

The present Cookie Policy has been issued to discharge the transparency obligations imposed by Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"), read in conjunction with Articles 12 and 13 of the United Kingdom General Data Protection Regulation ("UK GDPR"). Its purpose is to inform visitors to arborlink.uk of the very limited use of cookies and equivalent technologies on the Website, of the legal grounds upon which any such use is sustained, and of the controls available to manage or to refuse them.

Reading the present notice together with the Terms of Use and the Privacy Policy of the Controller is recommended, as the three documents form a single coherent framework governing the relationship between Growwwth Lab Limited and visitors to the Site.

2. Definitions and technical background

For ease of comprehension, the following terms are employed throughout the present document:

• Cookie: a small text file placed by a website upon the User's terminal equipment for the purpose of storing information that may be read back during the same browsing session or upon subsequent visits.
• Session Cookie: a cookie which exists only for the duration of the browser session and is deleted automatically upon closure of the browser.
• Persistent Cookie: a cookie which is retained upon the User's device for a defined period of time, or until manually deleted, irrespective of session activity.
• First-Party Cookie: a cookie set by the domain of the Website being visited, in the present context arborlink.uk.
• Third-Party Cookie: a cookie set by a domain other than the one being visited, ordinarily associated with embedded resources or services provided by external entities.
• Similar Technologies: mechanisms which, although not technically constituting cookies, perform analogous functions of storage of, or access to, information on the User's terminal equipment, including local-storage objects, session-storage objects, IndexedDB entries, web beacons, pixel tags, and device-fingerprinting techniques.

The legal framework regulating the use of such technologies in the United Kingdom treats them broadly equivalently, with the consequence that the analysis set out below applies to cookies and to similar technologies alike.

3. Identity of the Operator and applicable law

Growwwth Lab Limited acts as the data controller in respect of any processing of personal data carried out by means of cookies or similar technologies on arborlink.uk. The Controller's identity, registered office, and contact particulars are set out at the head of the present document and within the Privacy Policy.

Applicable law includes, in particular, Regulation 6 of PECR, which governs the storage of information on, or the gaining of access to information stored within, terminal equipment of a subscriber or user, together with the consent standard set out at Article 4(11) and Article 7 of the UK GDPR, and the guidance issued from time to time by the Information Commissioner's Office concerning the use of cookies and similar technologies.

4. Position adopted by Growwwth Lab Limited

The Website has been designed with a minimal-cookie posture, consistent with its static, information-only marketing character. No advertising cookies, marketing tags, retargeting pixels, behavioural-profiling identifiers, or social-media trackers are deployed. No technology is used to compile a profile of the User across browsing sessions for the purpose of delivering targeted communications. The cookies and equivalent technologies in use, if any, are confined to what is strictly necessary for the secure delivery of the Site to the User and for the performance of any function expressly requested.

By reason of the foregoing, the Operator relies upon the exemption articulated at Regulation 6(4) of PECR, pursuant to which the requirement of prior informed consent does not apply where storage of, or access to, information on the User's terminal equipment is strictly necessary for the provision of an information-society service explicitly requested by the User. Consistent with such configuration, a consent banner is not displayed on the Site. Should the operational posture change at any future juncture, an appropriately calibrated Consent Management Platform shall be deployed, in line with the consent standard articulated at Article 7 of the UK GDPR and with the published guidance of the Information Commissioner's Office.

5. Strictly necessary cookies and equivalent technologies

The categories described below correspond to technologies which may operate on the Website in performance of the technical functions referred to in Section 4. Their use does not require the User's consent under PECR, although transparency information is, nonetheless, supplied as a matter of good practice:

• Security and Bot-Mitigation Tokens: cookies and equivalent identifiers set by the hosting and content-delivery provider, Cloudflare, Inc., for the purposes of distinguishing legitimate traffic from automated abuse, mitigating denial-of-service activity, and safeguarding the integrity of the Site. Illustrative identifiers include __cf_bm, employed for bot management, and, where relevant, cf_clearance, employed in connection with challenge-response verification. Such identifiers operate as session-bound or short-lived tokens of a strictly technical character.
• Load-Balancing Tokens: identifiers used to direct successive requests from the same User to the same back-end resource during a single session, ensuring continuity of delivery.
• Session-State Tokens: ephemeral identifiers required, where applicable, to maintain a coherent browsing session within the Website, deleted upon closure of the browser.

The categories described above are confined to what is required for the proper functioning and security of the Site. Persistent identifiers, where set, are limited in duration to that necessary for the relevant technical purpose, generally not exceeding thirty days from the date of last interaction with the Website.

6. Analytics and measurement technologies

Visitor analytics are implemented through Cloudflare Web Analytics, a privacy-first measurement tool which operates on a cookieless basis. The tool sets and reads no analytics cookie, local-storage object, or equivalent identifier on the User's terminal equipment, and employs neither cross-site tracking nor device-fingerprinting. It produces only aggregated, non-identifying measurement signals concerning audience size and content performance. By reason of this configuration, in which no information is stored on, or accessed from, the User's terminal equipment, no consent requirement arises under Regulation 6(1) of PECR. Should the Operator at any future juncture introduce an analytics technology which sets or reads cookies or comparable identifiers, prior consent shall be obtained through a compliant Consent Management Platform before such technology is activated.

7. Absence of advertising, marketing, and social-media cookies

For the avoidance of doubt, the Operator confirms that:

• No Advertising Cookies are Deployed: no third-party advertising network, demand-side platform, or supply-side platform has access to the Website for the purpose of placing identifiers upon User devices.
• No Marketing Tags are Deployed: no Meta Pixel, LinkedIn Insight Tag, X (formerly Twitter) Pixel, TikTok Pixel, or analogous behavioural-marketing technology is integrated within the Website.
• No Social-Media Plug-ins are Embedded: social-media share buttons or embedded widgets capable of setting third-party cookies upon load are not present on the Site, the Operator having opted, where social-media references are needed, for static iconography linking outward to the relevant profiles.
• No Cross-Site Tracking Identifiers are Generated: no first-party persistent identifier is employed for the purpose of recognising the User across distinct browsing sessions for marketing-attribution objectives.

Should the foregoing posture change in connection with a marketing initiative, the relevant technologies shall be deployed exclusively behind a Consent Management Platform, with the User retaining the ability to refuse, to withdraw, and to manage granular preferences in accordance with Article 7(3) of the UK GDPR.

8. Third-party providers and cookie-related disclosures

The hosting, content-delivery, and analytics infrastructure of the Website is provided by a single third-party processor, namely Cloudflare, Inc., which supplies hosting and content-delivery services together with the cookieless Cloudflare Web Analytics measurement described in Section 6. Where, in connection with the technical functions described in Sections 5 and 6 above, any limited information is communicated to such provider, the provider acts as a processor of the Controller within the meaning of Article 28 of the UK GDPR, under written data-processing terms, and processes such information solely upon instruction. The privacy notice of such provider, available at cloudflare.com/privacypolicy, provides further information concerning the manner in which it treats data received from the controllers using its services.

9. Local storage, session storage, and similar mechanisms

The Website does not, in its current configuration, employ persistent local-storage objects or IndexedDB entries to store identifying information on the User's terminal equipment. Where transient session-storage objects are employed, their function is confined to the immediate operational requirements of the current browsing session and to the same strictly necessary purposes described in Section 5 above. No device-fingerprinting technique is in use, the Controller having determined that any such technique would be subject to the same consent regime as cookies under PECR and would not be compatible with the minimal posture adopted in respect of the Site.

10. Controls available to the User

Notwithstanding that the present configuration relies exclusively upon strictly necessary technologies, the User retains full control over cookies through the settings of the browser employed. The principal browsers in current use provide built-in interfaces through which cookies may be inspected, restricted, or deleted. Reference information is provided below for the User's convenience:

• Google Chrome: support.google.com/chrome/answer/95647
• Mozilla Firefox: support.mozilla.org
• Apple Safari: support.apple.com/en-gb/guide/safari
• Microsoft Edge: support.microsoft.com
• Opera: help.opera.com/en/latest/web-preferences

In addition, generalised guidance concerning the management of cookies, including practical instructions for less-common browsers and mobile-device configurations, is available through neutral resources such as aboutcookies.org and ico.org.uk.

Refusal of strictly necessary cookies, although technically possible at the browser level, may produce degraded performance of certain functionalities, in particular the security mechanisms operated by the hosting infrastructure, and is accordingly not recommended. As no consent-based cookies are deployed, refusal of the strictly necessary category shall not result in any loss of advertising or analytical functionality, no such functionality being deployed by reference to consent.

11. Do-Not-Track signals and Global Privacy Control

The Controller acknowledges the existence of browser-level signals such as the "Do Not Track" header and the "Global Privacy Control" mechanism. Owing to the absence of behavioural-tracking technologies on arborlink.uk, no specific reaction to such signals is required, the Site already operating in a posture consistent with the underlying intent of those signals. Should consent-based technologies be introduced in the future, the response of the Controller to such signals shall be calibrated in line with regulatory guidance current at that moment.

12. International transfers

To the extent that the operation of strictly necessary technologies, or of the cookieless analytics implementation, involves the transmission of limited information to processors located outside the United Kingdom, such transfers are conducted in accordance with the safeguards described within Section 10 of the Privacy Policy of the Controller, including reliance upon adequacy regulations made by the Secretary of State, upon the International Data Transfer Agreement, and upon supplementary technical measures.

13. Retention of cookie-related information

Information collected by means of the strictly necessary technologies described herein is retained for the limited duration appropriate to the underlying technical purpose, typically the length of the browsing session in the case of session cookies and a period not exceeding thirty days in the case of short-lived persistent identifiers used for security or load-balancing functions. Aggregated and anonymised analytics datasets are retained in accordance with the retention parameters set out within Section 11 of the Privacy Policy.

14. Updates to the present notice

The Controller reserves the right to revise the present Cookie Policy in order to reflect operational changes, evolution in cookie deployment, regulatory developments, or updated guidance issued by the Information Commissioner's Office. The amended version shall enter into force upon publication on the Website, and material amendments affecting the rights of the User shall, where reasonably practicable, be communicated through a prominent notice. Continued use of the Website following such publication signifies awareness of the revised text. Where, by reason of any such revision, consent-based technologies are introduced, prior consent shall be sought before deployment, in compliance with the legal standard already described.

15. Contact

Questions or requests for clarification concerning the present Cookie Policy may be addressed to partners@arborlink.uk, or by post to the registered office indicated below.

A complaint may, additionally, be lodged with the Information Commissioner's Office, the supervisory authority for the United Kingdom in matters of data protection, whose contact particulars are set out within Section 14 of the Privacy Policy.

Growwwth Lab Limited — registered in England and Wales, company number 11873185. Registered office: 42 Bloom Heights, River Rise Close, London SE8 5FT. ICO registration ZC152000.