Privacy Policy - Harion
Privacy Policy
Last Updated: 7 February 2026
Effective Date: 7 February 2026
1. Introduction
Harion ("we", "our", "us") is a marketing agency based in Oxfordshire, United Kingdom. We are committed to protecting your personal data and respecting your privacy rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This privacy policy explains how we collect, use, store, and protect your personal information when you use our website at https://harion.co.uk (the "Website"), purchase our digital products, or engage our services.
Data Controller:
Harion
Oxfordshire, United Kingdom
Contact: aaron@harion.co.uk
If you have any questions about this privacy policy or how we handle your data, please contact us using the details above.
2. Information We Collect
2.1 Information You Provide Directly
We collect personal data that you voluntarily provide to us when you:
- Submit a Contact Form: Name, email address, and any information included in your message.
- Schedule a Meeting: Name, email address, and scheduling preferences via our Google Calendar booking system.
- Purchase Digital Products: Name, email address, billing address, and payment information (processed securely via Stripe).
2.2 Information Collected Automatically
When you visit our Website, we automatically collect certain technical information through cookies and similar technologies:
- Usage Data: IP address, browser type, operating system, referring URLs, pages viewed, time spent on pages, and navigation paths.
- Device Information: Device type, unique device identifiers, and mobile network information.
- Analytics Data: Aggregated data about how visitors interact with our Website via Google Analytics 4 (GA4).
- Marketing Data: Interaction data via Facebook Pixel for retargeting purposes.
For detailed information about our cookie usage, please refer to our Cookie Policy.
2.3 Information We Do Not Collect
- Archetype Quiz Responses: We do not store, record, or retain your responses to our 9-question customer archetype diagnostic quiz. Results are generated in real-time and displayed on-screen only. No email address is required to view results.
- Children's Data: We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have inadvertently collected such data, we will delete it immediately.
3. How We Use Your Information
3.1 Legal Basis for Processing
We process your personal data under the following legal bases as defined by UK GDPR:
- Contract Performance: To fulfil our contractual obligations when you purchase digital products or engage our services.
- Legitimate Interests: To operate, maintain, and improve our Website, analyse usage patterns, and communicate with prospective clients.
- Consent: To send marketing communications or use retargeting cookies (where applicable and where you have provided explicit consent).
- Legal Obligations: To comply with applicable laws, regulations, and legal processes.
3.2 Purposes of Processing
We use your personal data for the following purposes:
3.2.1 Contact Form Enquiries
- To respond to your questions or requests for information.
- To schedule and confirm meetings via our Google Calendar booking system.
- To communicate with you via email (Microsoft Outlook).
3.2.2 Digital Product Purchases
- To process your payment securely via Stripe.
- To deliver the purchased digital product (The Expansion Pack) to your email address.
- To send purchase confirmations and receipts.
- To maintain transaction records for accounting and legal compliance.
3.2.3 Website Analytics and Improvement
- To understand how visitors use our Website via Google Analytics 4 (GA4).
- To identify technical issues and improve Website performance.
- To analyse user behaviour and optimise content delivery.
3.2.4 Marketing and Retargeting
- To display relevant advertisements to previous Website visitors via Facebook Pixel.
- To measure the effectiveness of our advertising campaigns.
3.2.5 Service Delivery (Agency Clients)
- To access client advertising accounts (Meta, Google, TikTok) with restricted permissions to deploy and optimise paid media campaigns.
- To view aggregated performance metrics (clicks, impressions, conversions) but not individual customer data.
- To access client websites (with restricted or admin permissions as granted) to implement tracking, optimise landing pages, or deploy consumer journey tools.
4. Data Sharing and Third-Party Processors
We do not sell, rent, or trade your personal data to third parties. However, we share your data with trusted third-party service providers who assist us in operating our Website and delivering our services. These processors are contractually obligated to protect your data and use it only for the purposes we specify.
4.1 Third-Party Processors
4.1.1 Payment Processing
Stripe (Stripe, Inc.)
Purpose: To process payments securely for digital product purchases.
Data Shared: Name, email address, billing address, payment card details (Stripe handles all card data; we do not store payment card information).
Location: United States (adequacy decision and Standard Contractual Clauses in place).
Privacy Policy: https://stripe.com/gb/privacy
4.1.2 Website Hosting and Forms
WordPress (WP Forms, Easy Digital Downloads)
Purpose: To host our Website, manage contact forms, and facilitate digital product delivery.
Data Shared: Contact form submissions (name, email, message), purchase data (name, email, product purchased).
Location: Dependent on hosting provider Hostinger.
Privacy Policy: Refer to your hosting provider's privacy policy.
4.1.3 Email Communications
Microsoft Outlook (Microsoft Corporation)
Purpose: To respond to contact form enquiries and communicate with clients.
Data Shared: Name, email address, message content.
Location: United States and European Union data centres.
Privacy Policy: https://privacy.microsoft.com/en-gb/privacystatement
4.1.4 Meeting Scheduling
Google Calendar (Google LLC)
Purpose: To schedule and confirm meetings with prospective clients.
Data Shared: Name, email address, scheduling preferences.
Location: United States (adequacy decision and Standard Contractual Clauses in place).
Privacy Policy: https://policies.google.com/privacy
4.1.5 Analytics
Google Analytics 4 (GA4) (Google LLC)
Purpose: To analyse Website traffic and user behaviour.
Data Shared: IP address (anonymised), browser type, device information, pages viewed, session duration.
Location: United States (adequacy decision and Standard Contractual Clauses in place).
Privacy Policy: https://policies.google.com/privacy
Opt-Out: You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
4.1.6 Advertising and Retargeting
Facebook Pixel (Meta Platforms, Inc.)
Purpose: To deliver targeted advertisements to previous Website visitors and measure campaign performance.
Data Shared: IP address, browser type, pages viewed, interaction data.
Location: United States and European Union data centres (adequacy decision and Standard Contractual Clauses in place).
Privacy Policy: https://www.facebook.com/privacy/policy/
Opt-Out: You can manage your Facebook ad preferences here: https://www.facebook.com/ads/preferences/
4.2 Legal Disclosures
We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., court orders, government agencies, regulatory bodies). We will only disclose the minimum amount of data necessary to comply with such legal obligations.
5. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes outlined in this privacy policy, unless a longer retention period is required or permitted by law.
5.1 Retention Periods
- Contact Form Enquiries: We retain contact form submissions and associated email correspondence for 2 years from the date of your last communication with us. After this period, data is securely deleted unless we have a legitimate reason to retain it (e.g., ongoing client relationship).
- Purchase Data: We retain purchase records (name, email, transaction details) for 7 years from the date of purchase to comply with UK tax and accounting obligations (HMRC requirements). Payment card data is not stored by us and is handled entirely by Stripe.
- Analytics Data: Google Analytics data is retained for 14 months (GA4 default setting). You can request deletion of your data at any time by contacting us.
- Marketing Data: Facebook Pixel data is retained according to Meta's data retention policies. You can opt out of retargeting at any time via your Facebook ad preferences.
5.2 Data Deletion
When personal data is no longer required, we securely delete or anonymise it in accordance with our data retention schedule. You have the right to request deletion of your data at any time (see Section 8: Your Rights).
6. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it from unauthorised access, disclosure, alteration, or destruction.
6.1 Security Measures
- Encryption: All payment transactions are processed via Stripe using SSL/TLS encryption. We do not store payment card details on our servers.
- Access Controls: Access to personal data is restricted to authorised personnel only and is protected by secure authentication methods.
- Regular Audits: We regularly review and update our security practices to ensure compliance with industry standards.
- Third-Party Security: We require all third-party processors to implement equivalent security measures and comply with UK GDPR requirements.
6.2 Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR.
7. Your Rights Under UK GDPR
Under UK GDPR, you have the following rights regarding your personal data:
7.1 Right of Access
You have the right to request a copy of the personal data we hold about you. We will provide this information free of charge within 30 days of your request.
7.2 Right to Rectification
If your personal data is inaccurate or incomplete, you have the right to request that we correct or update it.
7.3 Right to Erasure ("Right to Be Forgotten")
You have the right to request that we delete your personal data in certain circumstances, such as:
- The data is no longer necessary for the purposes for which it was collected.
- You withdraw your consent (where consent was the legal basis for processing).
- You object to processing and there are no overriding legitimate grounds for us to continue.
- The data has been unlawfully processed.
Please note that we may be required to retain certain data for legal or accounting purposes (e.g., purchase records for 7 years under HMRC requirements).
7.4 Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
7.5 Right to Data Portability
You have the right to request that we transfer your personal data to another organisation or provide it to you in a structured, commonly used, and machine-readable format.
7.6 Right to Object
You have the right to object to our processing of your personal data based on legitimate interests or for direct marketing purposes. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
7.7 Right to Withdraw Consent
Where we process your data based on consent (e.g., marketing cookies, retargeting), you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
7.8 Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
ICO Contact Details:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
United Kingdom
Telephone: 0303 123 1113
Website: https://ico.org.uk
7.9 How to Exercise Your Rights
To exercise any of these rights, please contact us at aaron@harion.co.uk. We will respond to your request within 30 days. In some cases, we may require additional information to verify your identity before processing your request.
8. International Data Transfers
Some of our third-party service providers are based outside the United Kingdom and European Economic Area (EEA). When we transfer your personal data to these providers, we ensure that appropriate safeguards are in place to protect your data in accordance with UK GDPR.
8.1 Safeguards for International Transfers
- Adequacy Decisions: We transfer data to countries that have been deemed by the UK government to provide an adequate level of data protection (e.g., the European Union).
- Standard Contractual Clauses (SCCs): Where adequacy decisions do not exist, we use Standard Contractual Clauses approved by the UK ICO to ensure your data is protected.
- Third-Party Compliance: We require all third-party processors to comply with UK GDPR and implement equivalent security measures.
8.2 Countries Involved
Your data may be transferred to the following countries:
- United States: Stripe, Google (GA4, Google Calendar), Microsoft (Outlook), Meta (Facebook Pixel). These transfers are protected by adequacy decisions and/or Standard Contractual Clauses.
- European Union: Google, Microsoft, and Meta maintain data centres within the EU and comply with UK GDPR.
9. Cookies and Tracking Technologies
Our Website uses cookies and similar tracking technologies to enhance your browsing experience, analyse Website traffic, and deliver targeted advertising. For detailed information about the cookies we use and how to manage your preferences, please refer to our Cookie Policy.
9.1 Types of Cookies We Use
- Essential Cookies: Required for the Website to function properly (e.g., quiz functionality, video embeds, Google Calendar booking system).
- Analytics Cookies: Used to collect aggregated data about Website usage via Google Analytics 4 (GA4).
- Marketing Cookies: Used for retargeting purposes via Facebook Pixel.
9.2 Managing Cookies
You can manage your cookie preferences at any time by:
Please note that disabling certain cookies may affect the functionality of our Website.
10. Agency Services and Client Data
When you engage Harion to provide paid media management services, you grant us restricted access to your advertising accounts and website backend. This section explains how we handle data in the context of our agency services.
10.1 Access Permissions
- Advertising Accounts: You grant us restricted access (non-admin unless explicitly granted) to your Meta, Google, and TikTok advertising accounts. We do not have access to your account credentials or billing information.
- Website Access: You grant us restricted or admin access (as agreed) to your website backend to implement tracking, optimise landing pages, or deploy consumer journey tools.
10.2 Data We Access
- Aggregated Metrics Only: We view aggregated performance data (clicks, impressions, conversions, cost per result) but do not access individual customer data (names, email addresses, purchase history) unless explicitly required for campaign optimisation and agreed in writing.
- No Data Extraction: We do not download, extract, or store client customer data on our systems. All data remains within your advertising platforms and website, unless explicitly requested for reporting features.
10.3 Data Processor Role
In the context of agency services, Harion acts as a data processor on your behalf. You remain the data controller responsible for ensuring compliance with UK GDPR when collecting and processing customer data. We process data only in accordance with your documented instructions and our contractual agreement.
10.4 Security Obligations
- We implement appropriate technical and organisational measures to protect client data.
- Access to client accounts is restricted to authorised personnel only.
- We do not share, sell, or use client data for any purpose other than delivering agreed services.
11. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or business operations. When we make material changes, we will update the "Last Updated" date at the top of this policy and notify you by:
- Posting the updated policy on our Website.
- Sending an email notification to existing customers and clients (where applicable).
We encourage you to review this privacy policy periodically to stay informed about how we protect your data.
12. Contact Us
If you have any questions, concerns, or requests regarding this privacy policy or how we handle your personal data, please contact us:
Harion
Oxfordshire, United Kingdom
Email: aaron@harion.co.uk
We will respond to your enquiry within 30 days.