Privacy
policy.
How we collect, use, and protect the information you share when you contact us or work with Alyon.
Updated 1 June 2026 · Effective 1 June 2026
This Privacy Policy describes how Alyon (“Alyon”, “we”, “us”, or “our”) collects, uses, and shares personal information when you visit alyon.studio (the “Site”), contact us, or engage us for design and development services (collectively, the “Services”).
We are committed to protecting your privacy and processing your personal data lawfully, fairly, and transparently. This policy is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA) where applicable.
1. Who We Are
Alyon is a design and engineering studio that builds websites, online stores, and platforms.
- Data Controller: Alyon
- Website: https://www.alyon.studio
- Contact email: hello@alyon.studio
- Partnerships: partners@alyon.studio
If you are in the European Economic Area (EEA) or the United Kingdom and have any questions about how we handle your personal data, you can contact us at the address above.
2. Information We Collect
We only collect information that is necessary to operate the Site, respond to inquiries, and deliver our Services. Specifically:
2.1 Information you provide to us
- Contact form data: When you fill in our contact form or email us, we collect your name, email address, company name, project description, budget, timeline, and any other information you choose to share.
- Client onboarding data: If you engage us for a project, we collect billing details, business information, content assets, brand materials, login credentials to third-party services you ask us to integrate with, and any other information necessary to deliver the work.
- Communications: Records of correspondence, meeting notes, and any feedback you give us during a project.
2.2 Information we collect automatically
When you visit the Site, we automatically collect certain information through cookies and similar technologies:
- Usage data: Pages viewed, time on page, scroll depth, links clicked, referring URL, exit pages.
- Device data: Browser type and version, operating system, device type, screen resolution.
- Network data: IP address (anonymised where possible), approximate geographic location (country/city level), language preferences.
- Performance data: Page load times, errors, and similar diagnostics.
We use Google Consent Mode v2 to manage tracking. The following categories of cookies and tracking technologies may be loaded on the Site, only after you give specific consent through our cookie banner:
- Analytics (analytics_storage) — Google Analytics 4, to understand how visitors use the Site.
- Advertising (ad_storage) — Google Ads conversion tracking, to measure which paid search clicks lead to inquiries. (Active when we are running paid search campaigns.)
- Preferences (personalization_storage) — to remember your language choice and other preferences on return visits.
We do not use ad_user_data or ad_personalization. This means we do not send hashed user data to Google for advertising purposes, and we do not run remarketing or personalized advertising campaigns.
If you reject cookies, none of these scripts are loaded and no data is collected. See Section 6 for details on each category.
2.3 Information from third parties
We do not buy personal data from third parties. We may receive information about you from referrers (e.g. an existing client who recommends you to us) only if they have your permission to share it.
3. How We Use Your Information
We use your personal information for the following purposes, each tied to a lawful basis under GDPR:
| Purpose | Lawful basis |
|---|---|
| Respond to your contact form or email inquiry | Legitimate interests / pre-contractual steps at your request |
| Send proposals, contracts, and invoices | Performance of a contract |
| Deliver design and development services | Performance of a contract |
| Provide ongoing care and maintenance | Performance of a contract |
| Analyse Site usage to improve our content and offer | Consent (analytics cookies) |
| Measure the effectiveness of our Google Ads paid search campaigns | Consent (advertising cookies) |
| Remember your language preference and similar settings | Consent (preferences cookies) |
| Send occasional updates about our work (only if you opt in) | Consent |
| Comply with tax, accounting, and legal obligations | Legal obligation |
| Protect the Site against fraud and abuse | Legitimate interests |
We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects.
4. How We Share Your Information
We do not sell your personal information. We share it only with the following categories of recipients, and only as necessary:
- Service providers (processors) acting on our instructions:
- Google LLC — Google Analytics 4, Google Ads (paid search conversion tracking only — no remarketing or personalized advertising), and Google Workspace (email). Analytics and advertising data are shared only if you have given the corresponding cookie consent.
- Hosting providers — for the Site and for your project deliverables (e.g. Vercel, Netlify, Cloudflare, AWS, depending on the project).
- Payment processors — for invoicing (e.g. Stripe, Wise).
- Communication tools — Slack, Notion, Linear, Figma, GitHub, where used during a project.
- Accounting and tax software — for invoicing and compliance.
- Professional advisors — lawyers, accountants, insurers, where required.
- Public authorities — if required by law, court order, or to protect our legal rights.
- Successors — in the event of a merger, acquisition, or sale of assets, your information may be transferred, subject to this Privacy Policy.
Each processor is bound by a Data Processing Agreement (DPA) or equivalent contract that requires them to safeguard your data.
5. International Data Transfers
Some of our service providers are located outside the EEA or UK (primarily in the United States). When we transfer personal data internationally, we rely on one of the following safeguards:
- EU-US Data Privacy Framework certifications (where applicable).
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- UK International Data Transfer Addendum, where applicable.
You can request a copy of the safeguards we use by emailing hello@alyon.studio.
6. Cookies and Tracking Technologies
A cookie is a small text file placed on your device when you visit a website. We use Google Consent Mode v2, which means no non-essential cookies or tracking scripts load until you give specific consent through our cookie banner. The categories below correspond to the consent signals defined by Consent Mode v2.
6.1 Strictly necessary cookies
Required for the Site to function (e.g. routing, security, load balancing). These do not require consent under EU and UK law.
6.2 Analytics cookies (analytics_storage)
Used by Google Analytics 4 to measure how visitors use the Site (pages viewed, time on page, device type, approximate location). We have configured GA4 with IP anonymisation enabled.
6.3 Advertising cookies (ad_storage)
Used by Google Ads solely to track which paid search ad click led to an inquiry on our Site. This allows us to measure whether our advertising spend is producing results and to optimise our campaigns. We do not use these cookies for remarketing or for showing personalised ads.
This category may not be active at all times — it depends on whether we are running paid search campaigns.
6.4 Preferences cookies (personalization_storage)
Used to remember your preferences (such as your language choice on our multi-language Site) so the Site works the way you set it on your next visit. These cookies are only set after consent.
6.5 What we do NOT collect
We have deliberately disabled the following Google Consent Mode v2 categories on our Site:
- ad_user_data — we do not send hashed user identifiers to Google for advertising measurement.
- ad_personalization — we do not personalise ads based on your interaction with our Site, and we do not run remarketing campaigns.
If we ever change this, we will update this policy and obtain renewed consent before activating those categories.
6.6 Consent Mode v2
We use Google Consent Mode v2 to honour your consent choices across Google services. If you accept only some categories (for example, analytics but not advertising), Google scripts will receive corresponding signals and will only collect the data you have consented to. If you reject all non-essential categories, no scripts are loaded and no data is collected.
6.7 Managing your consent
You can change or withdraw your cookie consent at any time by clicking the cookie settings link in our footer, or by clearing the cookies stored by alyon.studio in your browser (this will trigger our consent banner to appear again on your next visit). You can also opt out of Google Analytics across all sites by installing the Google Analytics Opt-out Browser Add-on.
7. Data Retention
We keep personal data only for as long as we need it:
- Contact form inquiries that do not become projects — 24 months, then deleted.
- Project records (contracts, deliverables, correspondence) — 7 years after the end of the engagement, to comply with tax and accounting laws and to defend against potential legal claims.
- Invoices and financial records — 10 years, or the period required by applicable tax law, whichever is longer.
- Analytics data — 14 months in Google Analytics 4 (default), aggregated thereafter.
- Marketing subscribers — until you unsubscribe, plus a short suppression period afterwards.
After these periods, we either securely delete the data or anonymise it.
8. Your Rights
Depending on where you live, you have some or all of the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”) — ask us to delete your data where there is no compelling reason for us to keep it.
- Restriction — ask us to stop processing your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — at any time, where processing is based on consent.
- Lodge a complaint — with your local data protection authority. For EU residents, find your authority at edpb.europa.eu. UK residents can complain to the ICO.
If you are a California resident, you also have the right to know what categories of personal information we have collected, to delete that information, and to non-discrimination for exercising your rights under the CCPA.