Privacy policy
Last updated · 10 June 2026
Controller: Growwwth Lab Limited, a company incorporated in England and Wales under number 11873185, having its registered office at 42 Bloom Heights, River Rise Close, London SE8 5FT, operating the ArborLink platform and the ArborLink marketing website (the "Controller," "we," "our," or "us").
Website: arborlink.uk
Privacy contact: partners@arborlink.uk
ICO registration number: ZC152000
1. Introduction and purpose of the present notice
The protection of personal data is treated by Growwwth Lab Limited as a matter of substantive importance, governed by the requirements of the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 ("DPA 2018"), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). The present notice has been prepared to discharge the transparency obligations imposed by Articles 12, 13, and 14 of the UK GDPR, and to inform visitors to arborlink.uk of the manner in which their personal data is collected, used, retained, and safeguarded.
The Controller is registered with the Information Commissioner's Office under registration number ZC152000.
Reading the present document carefully is recommended, as it forms an integral part of the contractual framework governing the relationship between the Controller and any individual interacting with the Website, alongside the Terms of Use.
2. Scope and limits of application
The present Privacy Policy applies exclusively to personal data processed by Growwwth Lab Limited in connection with the operation of the ArborLink marketing website arborlink.uk. The Site has been designed as a static, information-only property addressed principally to prospective independent service partners evaluating the ArborLink panel, and to other business counterparties. No customer lead-capture, e-commerce, account registration, online enquiry form, or matching functionality is hosted on arborlink.uk; the sole enquiry channel made available through the Site is electronic correspondence directed to the address indicated above.
For the avoidance of doubt, processing activities undertaken by Growwwth Lab Limited through the wider ArborLink platform — including the operator portal accessible to onboarded service partners and the separate customer-facing local brands through which proprietary lead-generation software is operated and matches are effected between UK-based customers and independent service partners — fall outside the scope of the present notice. Each such property maintains its own privacy documentation, calibrated to the specific processing footprint involved. Once an enquiry has been routed to an independent service partner, that partner acts as an autonomous data controller within the meaning of Article 4(7) of the UK GDPR, with sole responsibility for the lawfulness of any further processing.
3. Definitions
For the purpose of the present document, the expressions employed shall bear the meaning conferred upon them by Article 4 of the UK GDPR. By way of orientation, the following terms recur throughout the text:
- Personal Data: any information relating to an identified or identifiable natural person.
- Data Subject: the identified or identifiable individual to whom personal data refers, namely, in the present context, the visitor to arborlink.uk.
- Processing: any operation performed upon personal data, including collection, recording, organisation, structuring, storage, consultation, transmission, and erasure.
- Controller: the natural or legal person which determines the purposes and means of processing, here being Growwwth Lab Limited.
- Processor: the natural or legal person which processes personal data on behalf of the Controller.
- Special Category Data: personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic and biometric data, and data concerning health or sex life. No such data is collected through arborlink.uk.
4. Categories of personal data processed
The Controller deliberately limits the scope of personal data collected through the Website. In the ordinary course of operation, the categories described below may be processed:
- Server Log Data: internet protocol (IP) addresses, user-agent strings identifying browser and operating-system characteristics, date and time of access, pages requested, referring URLs, and HTTP response codes. Such data is generated automatically by the hosting infrastructure for purposes of operational security and aggregate traffic analysis.
- Cookieless Analytics Signals: anonymised or pseudonymised technical signals derived from cookieless analytics, processed without setting any identifier on the User's terminal equipment. The implementation does not employ persistent cookies, fingerprinting, or other tracking technologies of a comparable nature.
- Voluntary Correspondence Content: any information transmitted to the Controller by means of the electronic-mail link, including the sender's electronic mail address, name, business or trading name if disclosed, the postcode areas covered if disclosed, and the substantive content of the message. Submission of further information beyond what is strictly necessary to address an enquiry remains a matter of the sender's autonomous discretion.
No special-category data is requested, sought, or knowingly collected. Should an individual nonetheless transmit such information through correspondence, the Controller shall not actively request, further use, or retain such information unless a valid condition under Article 9 of the UK GDPR is applicable. Where the information is not necessary for addressing the communication, it may be deleted or disregarded. Where limited processing is strictly necessary, the Controller shall rely only upon an appropriate Article 9 condition, such as explicit consent where expressly and validly provided, or the establishment, exercise, or defence of legal claims where applicable.
5. Sources from which data is obtained
Personal data processed in connection with the Website originates exclusively from the following sources:
- Direct Interaction: information voluntarily transmitted by the Data Subject through electronic correspondence directed to partners@arborlink.uk.
- Automated Technical Collection: information generated by the Data Subject's device and browser during ordinary navigation, and recorded within server logs as a technical incident of internet communication.
No personal data is acquired from public registers, data-broker services, social media platforms, or other third-party sources in the context of the operation of arborlink.uk.
6. Purposes and legal bases of processing
Each operation performed upon personal data is grounded in a lawful basis identified pursuant to Article 6 of the UK GDPR. Particulars are set out below:
- Operational Security and Integrity of the Website: processing of server log data is undertaken for the purpose of detecting, investigating, and mitigating attempts at unauthorised access, denial-of-service activity, abuse, or other conduct prejudicial to the Site, in reliance upon the legitimate-interest basis enshrined in Article 6(1)(f) of the UK GDPR. The Controller has conducted, and shall periodically review, a legitimate-interests assessment confirming that such processing is necessary, proportionate, and not overridden by the rights and freedoms of Data Subjects.
- Aggregated Traffic Analysis: information derived from cookieless analytics is processed in aggregate form to gain an understanding of audience composition and content performance, again on the basis of legitimate interest under Article 6(1)(f) of the UK GDPR, with measures adopted to minimise any impact upon individual privacy.
- Handling of Inbound Correspondence: correspondence transmitted through the electronic-mail channel is processed in order to respond to the enquiry concerned, in performance of pre-contractual measures requested by the Data Subject under Article 6(1)(b) of the UK GDPR where the message relates to a prospective engagement as a service partner, and otherwise on the basis of legitimate interest in the orderly management of business communications.
- Compliance with Legal Obligations: where the Controller is required, by virtue of statutory duty or by lawful order of a competent authority, to disclose, retain, or otherwise process personal data, such operations are carried out in reliance upon Article 6(1)(c) of the UK GDPR.
- Establishment, Exercise, or Defence of Legal Claims: processing necessary to assert or to resist legal claims is conducted on the basis of legitimate interest under Article 6(1)(f) of the UK GDPR, in conjunction, where applicable, with paragraphs of Schedule 1 to the DPA 2018.
7. Cookies and equivalent technologies under PECR
The Website has been configured to operate without the deposit of advertising cookies, marketing tags, behavioural-targeting pixels, or other tracking technologies on the User's terminal equipment. Such technical cookies as may be set are strictly limited to what is required for the delivery of the Website to the User and for the operation of any function expressly requested. The Controller relies, in this respect, upon the exemption articulated at Regulation 6(4) of PECR, which permits the storage of, or access to, information on terminal equipment where strictly necessary for the provision of a service explicitly requested by the User.
A cookie banner is not displayed because no consent-based cookies are deployed. Should the Controller at any future juncture introduce advertising, marketing, or analytical cookies relying upon consent, an appropriately calibrated consent-management platform shall be implemented in advance, in accordance with the guidance issued by the Information Commissioner's Office and with the consent standard set out at Article 7 of the UK GDPR. Further detail is set out within the Cookie Policy.
8. Analytics implementation
Visitor analytics are implemented through Cloudflare Web Analytics, a privacy-first measurement tool configured to operate without setting any cookie or other identifier on the User's terminal equipment. The tool does not employ cross-site tracking, persistent identifiers, or fingerprinting, and produces only aggregated, non-identifying measurement signals concerning audience size and content performance. By reason of this cookieless configuration, no individual is identifiable from the analytics dataset, and no consent requirement arises under Regulation 6(1) of PECR. Should the Controller at any future juncture introduce an analytics technology relying upon cookies or comparable identifiers, prior consent shall be obtained through a compliant consent-management platform before such technology is activated.
9. Recipients and disclosure of personal data
Personal data processed in connection with the Website is treated as confidential and is communicated to third parties only where strictly necessary and on the basis of appropriate contractual safeguards. The categories of recipient currently engaged are:
- Hosting, Content-Delivery, and Analytics Provider: Cloudflare, Inc., which provides the Controller with hosting infrastructure, content distribution, network security services, and the cookieless Cloudflare Web Analytics measurement described in Section 8. Cloudflare acts as a processor within the meaning of Article 28 of the UK GDPR and is bound by a written instrument satisfying the requirements of Article 28(3).
- Electronic Mail Service Provider: Zoho Corporation, which supplies the workspace platform through which correspondence directed to partners@arborlink.uk is received, stored, and managed. Zoho is similarly engaged as a processor under data-processing terms compliant with Article 28 of the UK GDPR.
- Professional Advisers: legal, accounting, and audit professionals retained by the Controller from time to time, where access to personal data is incidentally required for the performance of their engagement, all such persons being bound by duties of professional secrecy.
- Competent Authorities: law-enforcement, regulatory, or judicial bodies which lawfully require disclosure pursuant to a binding instrument, including, by way of illustration, requests made under the Investigatory Powers Act 2016 or pursuant to court order.
Personal data is not sold, rented, or otherwise made available to third parties for direct-marketing purposes. No category of third-party advertising network has access to the Website's processing footprint.
10. International transfers of personal data
Certain processors engaged by the Controller, including Cloudflare and Zoho, operate infrastructure situated outside the United Kingdom. Where personal data is transferred to a destination not covered by an adequacy regulation made pursuant to Section 17A of the DPA 2018, the transfer is supported by appropriate safeguards within the meaning of Article 46 of the UK GDPR, namely:
- International Data Transfer Agreement or Addendum: the standard contractual framework approved by the Secretary of State and laid before Parliament under Section 119A of the DPA 2018, or the Addendum issued by the Information Commissioner's Office for use with the European Commission's Standard Contractual Clauses, as appropriate to the recipient.
- Supplementary Measures: technical and organisational safeguards, including encryption in transit and at rest, pseudonymisation where appropriate, and contractual restrictions upon government access, adopted in light of the transfer-impact assessment conducted for each relevant flow.
The United States, where significant elements of the processors' infrastructure are located, benefits from the United Kingdom Extension to the EU-US Data Privacy Framework, under which the Secretary of State has determined, by way of the Data Protection (Adequacy) (United States of America) Regulations 2023, an adequate level of protection in respect of certified recipients. Where applicable processors are certified under that framework, transfers proceed in reliance upon the relevant adequacy regulation.
11. Retention periods
Personal data shall be retained for no longer than is necessary for the purposes for which it was collected, in compliance with the storage-limitation principle articulated at Article 5(1)(e) of the UK GDPR. Indicative retention periods are set out below:
- Server Log Data: retained for a period not exceeding ninety days, following which records are deleted or fully anonymised, save where retention for a longer period is necessary for the investigation of a specific security incident or for the establishment, exercise, or defence of legal claims.
- Analytics Datasets: retained only in aggregated, non-identifying form, in line with the retention parameters of the cookieless analytics implementation, no individual-level identifier being stored at any stage.
- Inbound Correspondence: retained for the duration necessary to address the enquiry concerned and, thereafter, for a residual administrative period reasonable in light of the subject matter of the communication, generally not exceeding twenty-four months in the absence of an ongoing commercial discussion, regulatory requirement, or potential dispute.
- Records Required by Statutory Obligation: retained for the period required by the relevant legal instrument, including, by way of illustration, accounting records preserved for at least three years under Section 388(4)(a) of the Companies Act 2006 in the case of a private company, and tax, accounting, and supporting financial records retained for six years where required for HMRC and Company Tax Return compliance purposes.
Upon expiry of the applicable retention period, personal data is either erased or rendered irreversibly anonymous.
12. Security measures
The Controller has implemented technical and organisational measures designed to ensure a level of security appropriate to the risk presented by the processing, in accordance with Article 32 of the UK GDPR. Such measures include, without limitation:
- Transport-Layer Encryption: end-to-end encryption of all communications between the User's browser and the Website through current versions of Transport Layer Security.
- Access Controls: strict authentication, role-based authorisation, and the principle of least privilege within internal information systems, supplemented by multi-factor authentication for administrative interfaces.
- Network and Application Hardening: deployment of network-edge protections supplied by the hosting provider, including denial-of-service mitigation, web-application firewalling, and bot-management measures.
- Personnel Confidentiality: binding contractual obligations of confidentiality and instruction-based processing imposed upon any individual authorised to access personal data on behalf of the Controller.
- Incident Response: documented procedures for the identification, assessment, containment, and notification of personal-data breaches, designed to satisfy the seventy-two-hour notification deadline articulated at Article 33 of the UK GDPR where the threshold of risk is met.
Notwithstanding the adoption of measures conforming to the state of the art, the transmission of information through the internet cannot be guaranteed as wholly secure, and the User is invited to refrain from transmitting particularly sensitive material through the electronic-mail channel without first considering more protected communication channels.
13. Rights of the data subject
In accordance with Articles 15 to 22 of the UK GDPR, the Data Subject enjoys the following rights in relation to personal data concerning them:
- Right of Access: to obtain confirmation as to whether personal data is being processed, together with a copy of such data and the supplementary information set out at Article 15(1) of the UK GDPR.
- Right to Rectification: to obtain, without undue delay, the correction of inaccurate personal data and the completion of incomplete personal data, including by means of a supplementary statement.
- Right to Erasure: also known as the right to be forgotten, to obtain the deletion of personal data in the circumstances enumerated at Article 17 of the UK GDPR, subject to the exceptions set out therein.
- Right to Restriction of Processing: to obtain the marking of stored personal data with the aim of limiting its further processing where the conditions of Article 18 of the UK GDPR are satisfied.
- Right to Data Portability: to receive personal data which has been provided to the Controller, in a structured, commonly used, and machine-readable format, and to transmit such data to another controller, where the processing is based upon consent or upon contract and is carried out by automated means.
- Right to Object: to object, on grounds relating to the particular situation of the Data Subject, to processing carried out on the basis of legitimate interest, in which event the Controller shall cease processing unless overriding legitimate grounds are demonstrated.
- Rights Concerning Automated Decision-Making: to be free from decisions producing legal or similarly significant effects which are based solely upon automated processing, including profiling. No such decisions are taken in connection with arborlink.uk.
- Right to Withdraw Consent: where processing is based upon consent, to withdraw such consent at any moment, without prejudice to the lawfulness of processing carried out prior to withdrawal.
Requests for the exercise of any of the foregoing rights may be addressed to partners@arborlink.uk. The Controller shall respond without undue delay and, in any event, within one calendar month of receipt, save where the complexity or number of requests justifies an extension of up to two further months, in which case the Data Subject shall be informed accordingly.
14. Right to lodge a complaint with the supervisory authority
Without prejudice to any other administrative or judicial remedy, the Data Subject has the right to lodge a complaint with the Information Commissioner's Office, the supervisory authority for the United Kingdom in matters of data protection, whose contact particulars are: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; telephone 0303 123 1113; ico.org.uk.
Data Subjects are encouraged to contact the Controller in the first instance before lodging a complaint with the Information Commissioner's Office, so that an opportunity is afforded to address the matter directly, although such prior contact is not a precondition for the exercise of the statutory right.
15. Children's data
The Website is addressed to a professional and trade audience and is not directed to children. No personal data of individuals under the age of thirteen is knowingly collected. Should it come to the attention of the Controller that personal data concerning a child has been received, the data shall be deleted without undue delay, and the appropriate verification procedures shall be activated.
16. Status of independent service partners under the intermediary model
Visitors who, through channels distinct from the present Website, engage with one of the customer-facing brands operated through the ArborLink platform and are subsequently matched with an independent service partner should note that, from the moment of hand-off, the matched partner acts as an autonomous data controller in respect of personal data thereafter processed by it. The Controller's role under that separate processing arrangement is limited to that of facilitator within the matching software and does not extend to the subsequent supply, performance, or administration of the service contracted with the partner. Information concerning the privacy practices of any such partner must be sought directly from the partner concerned.
17. Changes to the present privacy policy
The Controller reserves the right to update, amend, or otherwise revise the present Privacy Policy from time to time, in order to reflect operational changes, evolution in data-processing practice, or developments in Applicable Law and regulatory guidance. The revised version shall come into effect upon publication on the Website. Material amendments affecting the rights of Data Subjects shall, where reasonably practicable, be notified through a prominent banner or notice. Continued use of the Website following such publication signifies awareness of, and acquiescence to, the amended version.
18. Contact and privacy queries
Any question, concern, or request relating to the processing of personal data by Growwwth Lab Limited in connection with arborlink.uk may be addressed to partners@arborlink.uk, or by post to the registered office indicated below.
A formally designated Data Protection Officer is not currently appointed, the conditions of Article 37 of the UK GDPR not having been met in respect of the Controller's processing activities. Privacy enquiries are nonetheless monitored at the address indicated below and addressed within the statutory timeframes.
Growwwth Lab Limited — registered in England and Wales, company number 11873185. Registered office: 42 Bloom Heights, River Rise Close, London SE8 5FT. ICO registration ZC152000.