Privacy Policy
Last updated: April 2026
1. Data Controller
AromaLab is developed and published by M24 Media. For all privacy enquiries, contact us at callum@m24media.com. We are the data controller for any personal data processed in connection with this website and the AromaLab app.
2. Overview
AromaLab is a native macOS application. Your formula, ingredient, inventory, and business data is stored locally on your Mac in a Core Data database. We do not operate user accounts or collect personal information through the app itself. The limited personal data we do process is described in detail below.
3. Personal Data We Process
We process the following categories of personal data, depending on how you interact with AromaLab and this website:
- Website visitors: IP address, HTTP request metadata (browser type, referring page, timestamp) collected by Cloudflare as part of hosting infrastructure.
- App Store / subscription: Anonymised subscription status (active or expired) received from Apple and RevenueCat. We do not receive your name, email address, or payment details from these providers.
- AI features (optional): AI features require you to supply your own API key from a separate Google Gemini or Anthropic Claude account, which you manage and pay for directly with that provider. When you use an AI feature, content you submit — including formula details, ingredient names, and prompts — is sent from the app directly to Google or Anthropic using your API key, according to your choice of provider. AromaLab does not proxy, intercept, or retain copies of this content.
- iCloud sync (optional): If you enable iCloud sync, your app data is stored in your personal Apple iCloud account via CloudKit. We have no access to that data.
- Perfumers Vault integration (optional): Data exchanged with a Perfumers Vault server travels directly between the app and your server over your local network. We do not proxy or store any of it.
4. Lawful Basis for Processing
Where GDPR applies, we rely on the following lawful bases:
- Legitimate interests (Art. 6(1)(f)): Website infrastructure logs processed by Cloudflare to ensure security and reliable delivery of this website.
- Performance of a contract (Art. 6(1)(b)): Subscription status data received from Apple and RevenueCat is necessary to provide the AromaLab Pro features you have purchased.
- Consent (Art. 6(1)(a)): When you choose to use AI features and enter your own API key, you are actively directing the app to submit data to your chosen third-party AI provider (Google or Anthropic) under that provider's own terms of service and privacy policy. This is entirely optional and can be disabled at any time in app settings.
5. International Data Transfers
Some of the third-party services we rely on are based in the United States. When your data is processed by these services, it is transferred outside the European Economic Area (EEA). Each provider maintains appropriate safeguards:
- Google LLC (Gemini API): If you choose to use Gemini AI features, requests are sent directly to Google using your own API key under your own Google account. Google participates in the EU–US Data Privacy Framework. Privacy information.
- Anthropic PBC (Claude API): If you choose to use Claude AI features, requests are sent directly to Anthropic using your own API key under your own Anthropic account. Anthropic relies on Standard Contractual Clauses (SCCs). Privacy Policy.
- Apple Inc. (App Store, iCloud): Participates in the EU–US Data Privacy Framework and maintains Binding Corporate Rules. Privacy Policy.
- RevenueCat Inc.: Relies on Standard Contractual Clauses. Privacy Policy.
- Cloudflare Inc. (website hosting): Participates in the EU–US Data Privacy Framework. Privacy Policy.
You can request a copy of the relevant safeguards by contacting us at callum@m24media.com.
6. Data Retention
- Website logs: Retained by Cloudflare for up to 30 days in accordance with their standard infrastructure logging policy.
- Subscription status: Retained for the duration of your subscription and for as long as required by applicable law (typically up to 7 years for billing records held by Apple and RevenueCat).
- AI feature inputs: AromaLab does not retain these. Because requests are made directly from the app to Google or Anthropic using your own API key, retention and processing by those providers are governed entirely by their own policies and your agreement with them (linked above).
- App data: Stored locally on your device and, if enabled, in your iCloud account. Retention is entirely under your control — delete the app or your iCloud data at any time to remove it.
7. Cookies and Tracking
This website does not use cookies, analytics scripts, or tracking pixels. Cloudflare may set a technical security cookie (__cf_bm) strictly necessary for bot protection. No consent is required for this cookie as it is functionally necessary.
8. Analytics
AromaLab does not include any third-party analytics or tracking frameworks. We do not collect usage data, crash reports, or telemetry beyond what Apple collects through standard App Store mechanisms, which you can control in System Settings → Privacy & Security.
9. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17): Ask us to delete your personal data where there is no compelling reason for us to continue processing it.
- Right to restriction (Art. 18): Ask us to restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): Receive your personal data in a structured, machine-readable format and transfer it to another controller.
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Rights related to automated decision-making (Art. 22): We do not carry out solely automated decision-making that produces legal or similarly significant effects on you.
- Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, you may withdraw it at any time (e.g. by disabling AI features in app settings) without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at callum@m24media.com. We will respond within one month. We will not charge a fee for reasonable requests.
10. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. In the UK this is the Information Commissioner's Office (ICO). In the EU, you may contact the supervisory authority in your member state of habitual residence.
11. Children's Privacy
AromaLab is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
12. Changes to This Policy
We may update this policy from time to time. When we make material changes, we will update the "last updated" date at the top of this page.
13. Contact
For any questions or requests relating to this privacy policy, contact us at callum@m24media.com.