Privacy Policy
How AI Merge Studio LTD (trading as Areza) collects, uses, stores, and protects personal data under UK and EU GDPR.
This Privacy Policy explains how AI Merge Studio LTD (Company No. 16370224, registered at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom), trading as Areza (“we”, “us”, “our”), collects and processes personal data. This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679).
We are the data controller for personal data collected through this website (areza.digital) and our services.
1. Data we collect
Information you provide directly
- Contact form submissions — name (optional), email, company (optional), and message content. Submitted via the form at /contact.
- Email correspondence — anything you send to [email protected] or any team email address.
- Service onboarding — when you become a client, we collect business contact details, billing information, and any data you upload as part of a Voice Agent, Knowledge Bot, AI Search, Workflow Ops, or Foundation engagement.
Information collected automatically
- Server logs — IP address, user agent, requested URL, referrer, timestamp. Retained for up to 30 days for security and abuse prevention.
- Cookies and similar technologies — see our Cookie Policy for the full list.
Information from third parties
We do not buy or receive personal data from third-party data brokers.
2. Why we process your data (legal basis)
| Purpose | Legal basis (UK/EU GDPR Art. 6) |
|---|---|
| Respond to enquiries via the contact form | Legitimate interest (Art. 6(1)(f)) — replying to people who contact us |
| Deliver services after you become a client | Contract (Art. 6(1)(b)) |
| Send invoices and meet tax obligations | Legal obligation (Art. 6(1)(c)) |
| Site security, fraud and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Optional analytics (only if you consent) | Consent (Art. 6(1)(a)) |
| Marketing communications (not currently used) | Consent (Art. 6(1)(a)) |
3. How long we keep it
| Data type | Retention period |
|---|---|
| Contact form messages | 12 months from receipt, then deleted |
| Server access logs | 30 days |
| Client project files and correspondence | 6 years after engagement ends (UK statutory limitation period for contract claims) |
| Invoices and accounting records | 6 years (UK Companies Act / HMRC requirement) |
| Analytics data (if enabled) | 14 months from collection |
| Cookie preferences | 12 months or until you change them |
4. Who we share data with (processors)
We share personal data only with the processors listed below, each bound by contractual data-protection terms. We do not sell personal data.
- Cloudflare, Inc. (US/EU) — website hosting, CDN, DDoS protection, edge functions. Cloudflare processes server logs (including IP) on our behalf. Cloudflare is GDPR-compliant and offers EU data residency.
- Telegram FZ-LLC (UAE) — contact form submissions are delivered to a private Telegram channel we operate. The message content (your name, email, company, message, and IP address) passes through Telegram servers. If you prefer not to use Telegram delivery, email us directly.
- ElevenLabs, Inc. (US) — used during Voice Agent service delivery for voice synthesis. Only relevant if you are an active Voice Agent client. Standard Contractual Clauses are in place for international transfers.
- Email providers — operational email is delivered via standard email providers (e.g. Google Workspace, Microsoft 365). The provider in use at any time is disclosed on request.
- Accounting and invoicing software — invoicing and bookkeeping providers used to meet UK statutory obligations. Disclosed on request.
We do not transfer personal data to other third parties without your consent or a legal basis.
5. International data transfers
Some processors are located outside the UK and the European Economic Area (EEA). For each transfer, we rely on either an adequacy decision (e.g. UK / EU adequacy regulations), the UK International Data Transfer Addendum, or the EU Standard Contractual Clauses. A copy of the relevant transfer mechanism is available on request.
6. Your rights
Under UK and EU GDPR you have the right to:
- Access — get a copy of the personal data we hold on you.
- Rectify — ask us to correct inaccurate or incomplete data.
- Erase — ask us to delete your data, subject to lawful retention obligations.
- Restrict — ask us to limit how we process your data.
- Object — object to processing based on legitimate interest, including for direct marketing.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent — at any time, where processing is based on consent. This does not affect prior lawful processing.
- Lodge a complaint — with the UK Information Commissioner’s Office (ico.org.uk) or your local EU data-protection authority.
To exercise any right, email [email protected]. We respond within 30 days; if more time is needed we will tell you why and give a clear timeline.
7. Security
We protect personal data with industry-standard measures: TLS encryption in transit, encrypted storage at rest where applicable, principle of least privilege on access, MFA on administrative accounts, and regular review of processor security posture. No system is perfect — if a personal data breach occurs that is likely to result in risk to you, we will notify you and the relevant authority within 72 hours as required by GDPR.
8. Children
Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we hold data on a minor, contact [email protected] and we will delete it.
9. Changes to this policy
We may update this policy. Material changes are noted on this page with a new “last updated” date. If changes affect rights or use of data already collected, we will notify you in advance where reasonably practical.
10. Contact
Data controller: AI Merge Studio LTD, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom (Company No. 16370224)
Contact: [email protected]
Phone: +370 658 56543
We do not currently have a designated Data Protection Officer because we do not meet the GDPR thresholds requiring one. Privacy enquiries are handled directly by company management.