How Ailume collects, uses, and protects your personal data.
About company
Ailume is a product design service operated by HALO LAB, SL (“Halo Lab”, “we”, “us”, “our”). Ailume is a brand and project of Halo Lab — not a separate legal entity or independent company. The organization responsible for the Ailume website and for any personal data collected through it is Halo Lab. The same legal entity, data controller, contact points, security practices, and policies that govern Halo Lab apply to Ailume.
In this policy, “Ailume” means the Ailume website and product design service; “Halo Lab”, “we”, or “us” means the legal entity HALO LAB, SL that operates Ailume and acts as data controller.
1. Definitions
“Controller”, “Processor”, and “Personal Data” have the meanings given under the GDPR. The Controller of personal data collected through the Ailume website is HALO LAB, SL.
2. General
Ailume is operated by Halo Lab. We collect and process personal data based on our legitimate interest in providing and improving our services and managing client relationships, and — for cookies and marketing in the EEA/UK — on your consent. Because Ailume is a Halo Lab project, the data you share through Ailume is handled by Halo Lab under this policy.
3. Collection & use of personal data
We may collect contact details, usage data, your communications with us, and content you submit, including through forms. We use this data to deliver and improve our services, communicate with you, personalize your experience, run analytics, conduct marketing where consent is required, maintain security, meet legal obligations, and manage client relationships.
4. Legal bases for processing
- Performance of a contract
- Legitimate interests in running and improving our services
- Consent for non-essential cookies and marketing in the EEA/UK
- Legal obligation
5. Disclosure of personal data
We may share personal data with service providers such as analytics, CRM, and hosting providers, affiliates and intra-group processors, business partners, professional advisors, and where required by law. Service providers are contractually obligated to protect your data and may not use it for their own purposes. We do not sell, rent, or lease your personal data.
6. Third-party links
We are not responsible for the privacy practices of third-party sites linked from the Ailume website.
7. Security
We apply appropriate technical and organizational measures to protect personal data. However, no transmission over the internet can be guaranteed completely secure.
8. Data protection principles
We follow the GDPR principles of lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and privacy by design and by default.
9. Cookies & tracking technologies
We use cookies and similar technologies on the Ailume website to keep it working, understand how it is used, and — with your consent in the EEA/UK — personalize content and advertising.
- Necessary — required for core functionality and security; cannot be disabled.
- Analytics — Google Analytics 4, Microsoft Clarity, and Crazy Egg help us understand and improve the site.
- Functional — remember your preferences.
- Advertising — Google, Meta, and LinkedIn measure and deliver relevant ads; set only after consent in the EEA/UK.
In the EEA/UK, non-essential cookies are set only after you consent through our cookie banner. You can change or withdraw your choices anytime via browser settings; necessary cookies cannot be switched off. Third-party cookies are governed by their providers’ own policies, including Google, Microsoft, Crazy Egg, HubSpot, LinkedIn, Meta, Cloudflare, and Webflow.
10. Data retention
We retain personal data only as long as necessary:
- Leads / CRM — 24 months after last interaction
- Contracts / billing — 6 years after the engagement ends
- Support communications — 24 months after closure
- Analytics (GA4) — 14 months
- Session recordings — 30 days
- Consent records — 5 years
11. Storage locations
Personal data may be stored in the EU, the US, and the UAE, as well as other jurisdictions, with safeguards such as Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.
12. International transfers
Andorra is recognized by the European Commission as providing an adequate level of data protection. For other transfers we rely on Standard Contractual Clauses, the UK Addendum, and the Data Privacy Framework as applicable.
13. Updates
We may update this Privacy Policy and will give notice of material changes via the website and/or cookie banner.
14. Your GDPR / UK GDPR rights
You have the right to be informed; to access, rectify, and erase your data; to restrict or object to processing; to data portability; to withdraw consent; to object to automated decision-making; and to lodge a complaint with a supervisory authority. To exercise these rights, contact us. We respond within one month of receipt.
15. U.S. state privacy rights
Residents of certain U.S. states, including California, Colorado, Connecticut, Virginia, Texas, Utah, Oregon, Montana, and others, have rights to access, correct, delete, and port their data, and to opt out of targeted advertising and any “sale” or “sharing.” We do not discriminate against you for exercising these rights.
16. CCPA
We do not sell the personal data of California consumers. You can exercise your California rights via the contacts below.
17. COPPA
We do not knowingly collect personal data from children under 13. If we learn we have, we delete it.
18. Fair information practices
In the event of a data breach, we commit to notifying affected users within 7 business days, consistent with applicable law.
19. Contact
For any privacy question or to exercise your rights:
- Email — mail@halo-lab.com
- Controller — HALO LAB, SL, Av. de les Nacions Unides, 40, 6-1, Edifici A Tower, Escala A, AD700 Escaldes-Engordany, Principat d’Andorra
Last updated
16 September 2025