1. Who we are
AlurDigital is a UK venture studio. We act as a technical co-founder for non-technical founders in exchange for a mix of cash fees and equity, and we run a small evaluation platform that founders apply through.
This policy is published by Alur Digital Ltd (referred to in this policy as "AlurDigital", "we", "us"), a company registered in England and Wales under company number 12008587, with its registered office at 82A, James Carter Road, Mildenhall, IP28 7DE.
We are the data controller for the personal data described in this policy. Our data-protection point of contact is reachable at privacy@alurdigital.com. We are registered with the UK Information Commissioner's Office under registration number ZB131951.
2. Data we collect
The data we hold about you depends on how you interact with us. We try to collect the minimum we genuinely need for each interaction.
2.1 Marketing-site visitors
- A first-party consent cookie (alur.consent) that records your cookie-banner choice — no other tracking cookies are set until you accept them.
- Standard server logs: IP address, user-agent string, requested URL, response code, referrer — retained for a short window for security and abuse-monitoring purposes.
2.2 Contact-form submissions
- Your name, email address, and (optionally) your organisation.
- The subject and free-text body of your message.
- The IP address the submission came from (used solely for abuse detection — rate-limiting and spam prevention).
2.3 Founder applicants and active engagements
- Account data — name, email, password (stored as a salted hash, never in plaintext), two-factor authentication state if you've opted in, country of residence, LinkedIn URL if you've provided one.
- Application data — your answers to the intake wizard, the venture's working name, problem statement, proposed solution, target market, business model, stage, Companies House registration number (where applicable).
- NDA-bound pitch documents — files you upload as part of an active engagement (pitch decks, financial models, technical specifications, whatever you choose to share). These are stored encrypted at rest and only visible to AlurDigital staff working on your engagement.
- Calendar & meeting metadata — if you connect a calendar to enable scheduling, we read free/busy windows and meeting attendee lists for meetings AlurDigital staff are part of. We do not read the full calendar of meetings we're not in.
- Internal evaluation notes — scoring, decision-log entries, meeting notes and action items recorded by AlurDigital staff during the evaluation and active-engagement phases. These are internal to us; you do not see scoring directly, but you do see decision outcomes and the notes shared with you.
- Payment metadata — if a phase of engagement is paid (e.g. deep evaluation), we record the fact and amount of payment; payment-instrument details are handled by our payment processor and are not stored on our systems.
2.4 Contacts in our network
We maintain a CRM of contacts in our network — investors, lawyers, accountants, partner agencies, advisors and prospects. If you have been added to our CRM, we will typically hold your name, email, organisation, job title, LinkedIn URL, and a relationship history (when we last spoke, what about). You may request access or removal under section 7 below.
3. How we use your data
- Matching founders to AlurDigital staff. We use your application data and venture profile to assign the right partner and technical lead to your engagement.
- NDA workflow. Pitch documents you upload are gated behind a mutual NDA the platform records and the relevant staff acknowledge before access.
- Scheduling and communications. Meeting metadata is used to schedule, hold and follow up on calls. Messages sent in the platform are stored so both sides have a complete history.
- Internal evaluation and decision-making. Scoring and decision-log entries support consistent, defensible decisions about whether to take an engagement forward.
- Service operation, security and abuse prevention. Logs and rate-limit signals are used to keep the platform up, fight spam, and detect unauthorised access.
- Statutory and contractual obligations. Records required for tax, accounting, anti-money-laundering checks where applicable, and contractual record-keeping.
We do not sell your data. We do not run third-party advertising on our marketing site, and we do not embed third-party tracking pixels.
Automated decision-making. We do not carry out automated decision-making or profiling within the meaning of Article 22 UK GDPR. All evaluation decisions about founder applications are made by AlurDigital staff exercising professional judgement; scoring entries in the platform are aids to staff decision-making, not decisions in themselves. You will not be subject to a decision based solely on automated processing.
Whether providing your data is a statutory or contractual requirement (Article 13(2)(e) UK GDPR). Most of the personal data we ask for is a contractual requirement, or a requirement necessary to take steps before entering into a contract with us — not a statutory one. Founder applicants are asked for account, application and venture data so that we can evaluate the engagement and run the studio relationship; you are under no statutory obligation to provide it, but if you choose not to, we cannot assess your application, schedule meetings, gate NDA-bound documents, or run an engagement with you. Contact-form senders are asked for the minimum needed to reply — name and email; if you do not provide these we cannot respond. Our retention of accounting and tax records (section 5) is the one place where some retention is a statutory requirement under UK law, but that only applies after a paid engagement has begun. Cookie consent is never a requirement — the site works without analytics cookies and the cookie-banner choice is yours alone.
4. Legal basis for processing
Under the UK GDPR and EU GDPR, we rely on the following legal bases:
- Contract. Most processing of an active engagement is necessary to perform the engagement contract or to take steps at your request before entering into one.
- Legitimate interests. Server logs, abuse detection, CRM records of professional contacts, and internal scoring/decision-log records are processed under our legitimate interest in operating the studio and making sound evaluation decisions, balanced against your interests and rights.
- Consent. Non-essential cookies (when we add them) are set only with your active opt-in via the cookie banner. You may withdraw consent at any time.
- Legal obligation. Some retention periods are fixed by statute (e.g. accounting records).
5. Data retention
- Server logs: typically 30 days, longer where a specific security investigation requires it.
- Contact-form submissions: retained as part of our CRM record of the conversation. If you ask us to delete a contact-form submission and there is no active business reason to keep it, we will.
- Declined or withdrawn applications: retained for up to 12 months from the decision date, then archived in a redacted form (venture name, decision rationale, decision date) for our own pipeline metrics; personal data is removed at that point.
- Active engagement data: retained for the duration of the engagement and for the period required by any continuing contractual obligations (e.g. equity holdings, exit provisions).
- Accounting and tax records: retained for the period required by UK statute (typically six years from the end of the relevant accounting period).
6. Third-party sub-processors
We use a small set of well-known third-party providers to operate the platform. Each operates under a data-processing agreement with us. The current list:
- Microsoft (Microsoft Graph + Microsoft 365). Used for calendar sync and scheduling. Privacy policy: privacy.microsoft.com.
- DocuSign. Used to execute mutual NDAs at the start of deep evaluation. Privacy policy: docusign.com/company/privacy-policy.
- Companies House. Used to look up the public Companies House record for a venture by its registration number. The data returned is itself public; we record what we looked up. Privacy policy: gov.uk Companies House charter.
- Twilio SendGrid. Used to deliver transactional email (sign-up confirmations, password reset, meeting invitations, notifications). Privacy policy: twilio.com/legal/privacy.
- Our backend platform host. The application servers and managed database that run the platform. Our backend platform operates inside the United Kingdom.
International data transfers. Some of our sub-processors (notably Microsoft, DocuSign and Twilio SendGrid) process personal data in the United States and other countries outside the UK. Where this happens, transfers are protected by the UK International Data Transfer Agreement (UK IDTA) or the UK addendum to the EU Standard Contractual Clauses (SCCs), supplemented by each provider's own binding commitments and security measures. A copy of the safeguards in force for any specific transfer is available on request from privacy@alurdigital.com.
We may update this list from time to time. Material changes will be reflected in this policy and, where they affect existing engagements, announced inside the platform.
7. Your rights
Under the UK GDPR and (where it applies) the EU GDPR you have the following rights in relation to your personal data:
- Right of access — ask us for a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete your data, where we are not required by law or by a continuing contract to keep it.
- Right to data portability — ask us for a structured, machine-readable export of the data you provided.
- Right to restrict or object to processing — including where we are relying on legitimate interests.
- Right to withdraw consent — for any processing we are doing on a consent basis (including cookie consent).
To exercise any of these rights, write to privacy@alurdigital.com. We will respond within one month. You also have the right to complain to the UK Information Commissioner's Office at ico.org.uk.
8. Data Protection Officer
AlurDigital is not legally required to designate a Data Protection Officer under Article 37 of the UK GDPR. We are not a public authority, we do not carry out large-scale systematic monitoring of data subjects as a core activity, and we do not process special-category or criminal-conviction data at scale. The Article 37 triggers therefore do not apply to us.
Notwithstanding that, all data-protection matters — questions about this policy, requests to exercise the rights set out in section 7, queries about a specific engagement's data handling, or any concerns about how we process your personal data — can be raised directly with the controller's data-protection point of contact at privacy@alurdigital.com. A named member of AlurDigital staff is responsible internally for data-protection compliance and will handle your query.
You also have the right at any time to lodge a complaint with the UK Information Commissioner's Office if you believe your data-protection rights have been infringed. The ICO can be contacted at ico.org.uk.
9. Cookies
We use a small number of cookies and similar storage. The current set:
- alur.consent (essential). Records your cookie-banner choice so the banner does not re-appear on every page. Set first-party; expires after one year.
- Authentication cookies (essential, signed-in users only). Required to keep you signed in to the founder portal or studio platform. Set first-party, HTTP-only, secure, with a short expiry that rotates on activity.
- CSRF anti-forgery cookie (essential). Used to protect form submissions from cross-site request-forgery attacks.
We do not currently set analytics, advertising or social-media cookies on the marketing site. If we add any in future they will be set only after you opt in via the cookie banner, and this section will be updated.
You can change your cookie choice at any time using the Cookie preferences link in the site footer. The dialog lets you toggle each non-essential category independently and includes a Revoke all action that clears the consent cookie outright and re-shows the original banner on your next page load.
10. Security
We protect your data with the controls you would expect of a small modern engineering team: TLS for all traffic, encryption at rest for uploaded documents, salted-hash storage of passwords, multi-factor authentication mandatory for AlurDigital staff and optional for founders, strict role-based access control inside the platform, audit logging on every meaningful action, rate-limiting on authentication endpoints, and regular security review.
No system is perfectly secure. If we discover a security incident affecting your data, we will notify you and (where required) the Information Commissioner's Office in line with our statutory obligations.
11. Changes to this policy
We will update this policy when we materially change how we handle your data. The "Last updated" date at the top reflects the most recent change. Material changes will be flagged inside the platform for signed-in users.
12. Contact & complaints
Questions, requests, or complaints about how we handle your personal data should go to privacy@alurdigital.com, or by post to 82A, James Carter Road, Mildenhall, IP28 7DE.
You can also complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint, though we'd appreciate the chance to put things right first.
13. Governing law
This policy and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) is governed by the laws of England and Wales, and the courts of that jurisdiction have exclusive jurisdiction.