Privacy Policy
Information
Controller Name:
Ares Technology Solutions Limited (Company registration number: 16817738) (England and Wales).
Contact Email:
Effective Date:
This Privacy Policy is effective from 18 January 2026.
Last Updated:
This Privacy Policy was last updated on 18 January 2026.
Table of Contents
1.Who We Are (Metadata)
1.1 Controller Name.
Ares Technology Solutions Limited (Company registration number: 16817738) (England and Wales).
1.2 Effective Date.
This Privacy Policy is effective from 18 January 2026.
1.3 Privacy Policy Version.
Version 1
2.Scope and Applicable Laws
2.1 UK data protection law.
When we provide the Service, we act as a “controller” of your personal data under the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018, which together set out the main rules that apply to our processing of your personal data.
2.2 California privacy laws (CCPA/CPRA).
At present, we do not offer the Service to residents of California or otherwise do business in California. We therefore do not currently operate on the basis that the California Consumer Privacy Act and California Privacy Rights Act apply to our Service. If this changes in the future, we will update this Privacy Policy accordingly.
2.3 Geographic scope.
The Service is intended primarily for users in the United Kingdom. Users in other countries, including the EU/EEA, may access the Service, but we do not specifically market or localise the Service to any particular non-UK jurisdiction at this stage.
2.4 Data controller.
The data controller responsible for your personal data is Ares Technology Solutions Limited.
2.5 Contact address.
Our registered postal address is 71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.
3.Data We Collect (Categories)
3.1 Account information.
When you create an account, we collect basic details such as your name, email address, password (stored securely by our hosting platform, Bubble, and not accessible to us in plain text), age, and whether you are a student or working. Within the Service you can also add high-level financial profile information, including your estimated monthly income and expenses, your largest expected bonus or gift, and your largest expected one-time expense.
3.2 Transactions (financial log).
When you record a transaction in the Service, we store the transaction amount, the category you choose (for example groceries, outings, bills, or rent), the transaction date, and, where relevant, the number of hours worked linked to that transaction. Each transaction record is associated with your account.
3.3 Reports and forecasts.
As you use the Service, we automatically generate summaries and simple forecasts (for example weekly, monthly, and yearly overviews of your spending, income, and savings progress). These reports are created by recalculating and aggregating the transactions and account information you have entered; we do not pull in external financial data about you for this purpose.
3.4 Internet activity and technical data.
When you access or use the Service, our hosting platform (Bubble) automatically records technical information such as your IP address, browser and device details, session identifiers and cookies, and basic usage and error/diagnostic logs. This data is used only to operate, secure, and troubleshoot the Service and is not used for advertising.
3.5 Usage information.
We use the technical logs described above to derive high-level information about how the Service is used, such as which screens are visited most often, general navigation flows, and aggregated counts of active users. We use this information to operate, secure, and improve the Service. At this stage of the Service, we do not use any third-party analytics tags or advertising trackers inside the Service.
3.6 Special categories.
We do not intentionally collect (and do not seek to infer) special-category or other sensitive personal data (for example health information, biometric data, political opinions, religious or philosophical beliefs, or information about sexual orientation). You should not enter this type of information into any fields in the Service, including transaction descriptions, notes, or other free-text entries. If you nonetheless choose to provide such information, it will only be processed as part of your use of the Service and will not be used for advertising or sold to third parties.
4.How We Collect Data
4.1 Direct user input.
We collect the information you provide directly when you create an account and when you add or update transactions and other information in the Service (see sections 3.1–3.3).
4.2 Automatic processing of your inputs.
As described in section 3.3, we automatically generate reports, dashboards, and forecasts by recalculating and aggregating the transactions and account information you have entered. We do not obtain additional personal data from external sources for these calculations.
4.3 Platform logs.
When you use the Service, our hosting platform Bubble (acting as our data processor) automatically records technical logs as described in section 3.4 (for example IP address, browser and device details, session identifiers and cookies, and basic usage and error information). We access these logs only to operate, secure, and troubleshoot the Service and to understand its performance; they are not used for advertising or sold to third parties.
4.4 Third-party integrations.
Other than the processors listed in section 7, we do not currently connect your account to external third-party services (such as banks or payment providers) or import personal data about you from them. If we introduce such integrations in the future, we will update this Privacy Policy to describe the data involved and your choices.
5.Why We Process Data (Purposes) and Legal Bases
5.1 Purposes.
We use your personal data for the following purposes:
5.1.1 To create and manage your account and user profile.
5.1.2 To allow you to log, view, and track your transactions and related financial information.
5.1.3 To generate dashboards, summaries, and weekly, monthly, and yearly forecasts based on your data.
5.1.4 To maintain the security and stability of the Service, monitor its performance, prevent fraud or misuse, and fix bugs or other issues (including the use of basic operational telemetry and logs).
5.1.5 To communicate with you about the operation of your account and the Service, including essential notices and updates.
5.1.6 To comply with our legal and regulatory obligations, such as responding to data-subject requests, meeting record-keeping requirements, and dealing with regulators or law-enforcement authorities where required.
5.2 Legal bases.
Depending on the context, we rely on different legal bases under the UK GDPR for the processing described above. In general, the purposes in sections 5.1.1–5.1.3 are based on performance of a contract, the purposes in sections 5.1.4 and 5.1.5 are based on our legitimate interests, and the purpose in section 5.1.6 is based on legal obligation. In limited future cases we may also rely on consent, as explained below.
5.2.1 Performance of a contract (UK GDPR Art. 6(1)(b)). We process your personal data where this is necessary to enter into and perform our contract with you, in particular to create and administer your account, provide the core budgeting and transaction-logging features of the Service, and generate the dashboards, summaries, and forecasts you request.
5.2.2 Legitimate interests (UK GDPR Art. 6(1)(f)). We process personal data where this is necessary for our legitimate interests and where those interests are not overridden by your rights and freedoms. In particular, we rely on this legal basis to keep the Service and its infrastructure secure and stable, to monitor for and prevent fraud or misuse, to investigate and fix bugs or incidents using technical logs, and to send essential, non-promotional communications about the operation of your account and the Service (such as password-reset emails, security alerts, and notices of significant changes to this Privacy Policy or our Terms). We do not currently use your personal data to send marketing emails. If we introduce marketing communications in the future, we will do so only in compliance with applicable law and will give you a clear choice.
5.2.3 Legal obligation (UK GDPR Art. 6(1)(c)). We process personal data where this is necessary to comply with our legal obligations under UK law. This includes responding to valid data-subject rights requests, keeping records that tax, company, or accounting laws require us to retain, meeting applicable security and breach-notification duties, and complying with court orders or other lawful requests from public authorities. Where we retain or review data in connection with suspected misuse but are not under a strict legal obligation to do so, we rely on our legitimate interests as described in section 5.2.2.
5.2.4 Consent (UK GDPR Art. 6(1)(a)). We do not currently rely on consent as a legal basis for processing your personal data. If in the future we wish to process your data for purposes that are not necessary for our contract with you or for our legitimate interests—such as sending marketing communications or using non-essential cookies or similar technologies—we will ask for your freely given, specific, informed, and unambiguous consent. Where we rely on your consent, you may withdraw it at any time, and we will explain the practical consequences of doing so at the point where consent is requested.
6.How We Use Personal Data
6.1 Dashboards, reports, and forecasts.
We use the transactions and account information you enter into the Service to generate dashboards showing your income, expenses, and savings, and to produce weekly, monthly, and yearly reports and forecasts that help you understand patterns in your finances. These outputs are informational summaries for your own use and do not constitute regulated or personalised financial advice.
6.2 Budgeting calculator and visualisations.
We use the information you enter about your income, expenses, and other financial details to run simple budgeting calculations and scenario estimates, and to display the results back to you as graphs and charts. These calculations are based only on the data you provide in the Service and are intended to help you visualise your finances, not to provide regulated or personalised financial advice.
6.3 Security, stability, and performance.
We use technical and usage data (such as the logs described in sections 3.4 and 3.5) to operate and protect the Service, monitor for and prevent fraud or misuse, troubleshoot errors, and understand how the Service performs so we can improve it. This data is used only for these operational and security purposes and to produce high-level, aggregated usage statistics, not for advertising or tracking you across other websites.
6.4 No sale or third-party marketing use.
We do not sell your personal data or share it with third parties so that they can use it for their own marketing, advertising, or profiling. Our service providers (such as Bubble and Google Workspace) are only allowed to process your personal data on our behalf and are not permitted to use it for their own independent marketing or advertising purposes.
7.Data Sharing and Processors
We share personal data with a small number of service providers who act as our “processors”. They may only process your data on our instructions and for the purposes described below.
7.1 Email delivery (service and transactional communications).
We use Google Workspace (Gmail), provided by Google LLC and its affiliates, to send and receive emails for our arestech-fi.com domain (including addresses such as info@arestech-fi.com). In this role, Google acts as our service provider and processes personal data contained in or associated with those emails, such as recipient and sender email addresses, email headers (including the subject line), limited message content, and delivery metadata (for example timestamps, message IDs, bounce or complaint information, and receiving-server details). We use this service to deliver and troubleshoot service-related emails, such as account setup messages, password-reset links, and security or important service notices. We design these emails so that they do not include detailed budgeting summaries or your individual financial transaction data.
7.2 Application hosting and database.
We use Bubble.io as our primary application and database hosting provider. Bubble acts as our data processor and stores the personal data you enter into the Service (including account details, transaction records, and related usage data), as well as the technical logs described in sections 3.4 and 3.5. Bubble in turn uses Amazon Web Services (AWS) infrastructure as a sub-processor to host and operate the Service and to store the data processed within it.
7.3 Cloud infrastructure (AWS).
Amazon Web Services (AWS) provides the underlying cloud infrastructure used by Bubble to host and operate the Service. In this context AWS acts as a sub-processor engaged by Bubble, and personal data stored in Bubble may therefore be held on AWS servers in the regions Bubble configures for us. For more information about international data transfers, see section 8.
7.4 Location and international transfers (email).
Email content and related personal data processed through Google Workspace may be stored and processed in the UK, the EU/EEA, and other countries depending on Google’s service configuration and operational needs (for example for support, security, or backup). Where personal data is transferred outside the UK or the EU/EEA, we rely on appropriate safeguards such as adequacy decisions and, where required, Standard Contractual Clauses together with the UK Addendum or equivalent mechanisms to protect that data.
7.5 Security for email.
Emails sent and received through Google Workspace are protected in transit using industry-standard encryption (such as TLS) where supported by the receiving or sending service. We use domain authentication measures (including SPF and DKIM, and DMARC where configured) to help prevent unauthorised use of our email domain. Access to Google Workspace administrative tools and mailboxes is restricted to authorised personnel and protected by appropriate access controls.
7.6 Sub-processors.
Our core service providers, such as Google (for email) and Bubble/AWS (for application hosting and infrastructure), may in turn use their own affiliates and carefully selected sub-processors to help deliver those services. Where this happens, they are required by contract to ensure that any sub-processor protects personal data to at least the same standard and only processes it for the purposes described in this Privacy Policy and in our agreements with them.
7.7 Domain and mailbox management (Wix).
We use Wix only for domain and mailbox management related to our arestech-fi.com domain. Wix does not host or process the personal data you enter into the Service itself, which is hosted on Bubble, and is therefore not a processor for Service data.
7.8 Legal disclosures and professional advisers.
We may disclose personal data to regulators, courts, law enforcement, or other public authorities where we are legally required to do so, or where necessary to establish, exercise, or defend legal claims. We may also share information with professional advisers (for example lawyers, accountants, or auditors) where necessary for compliance or to obtain professional advice, subject to appropriate confidentiality obligations.
8.International Transfers
8.1 Application hosting region and transfers.
The Service is hosted on Bubble, which in turn uses Amazon Web Services (AWS) cloud infrastructure. Based on our current configuration, the main Bubble cluster we use is located on AWS servers in the United States. This means that personal data you enter into the Service is transferred from the United Kingdom to the United States for hosting and Service operation purposes.
8.2 Safeguards for transfers to the United States.
Bubble offers multiple hosting regions, and under our current configuration the Service is hosted on infrastructure located in the United States. As a result, personal data is transferred from the United Kingdom to a country that is not subject to a UK adequacy decision. To protect these transfers, we rely on appropriate safeguards such as the International Data Transfer Addendum (UK Addendum) used together with the European Commission’s Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms made available by Bubble and AWS. These safeguards require the receiving parties to protect personal data to a standard essentially equivalent to UK law.
8.3 Other international transfers.
Where our service providers (such as Google, Bubble, or AWS) transfer personal data to countries outside the UK or EU/EEA, we require them to use appropriate safeguards such as adequacy decisions or Standard Contractual Clauses together with the UK Addendum or equivalent mechanisms. We will update this section if our hosting region or the transfer mechanisms we rely on change.
9.Security Measures
9.1 Encryption in transit.
All connections to the Service are protected using HTTPS with industry-standard transport encryption (such as TLS) to help ensure that personal data is encrypted in transit between your device and our systems.
9.2 Access controls and backend security.
Personal data stored in the Service is protected using Bubble’s built-in database security and access-control features. Access to backend systems and administrative functions is restricted to authorised personnel only, using role-based permissions and the principle of least privilege.
9.3 Email domain authentication.
We use domain authentication measures such as SPF and DKIM (and DMARC where configured) to help prevent unauthorised use of our email domain and reduce the risk of phishing or spoofed emails.
9.4 Backups.
We maintain backups of Service data to support disaster recovery and business continuity. Backups are created at least weekly and are stored securely with restricted access and encryption. Backup copies are retained for approximately 30 days before being overwritten or deleted in line with our backup retention schedule.
9.5 No bank account integrations.
The Service does not currently connect to your bank or payment accounts and does not collect bank credentials. This reduces the amount of sensitive financial data we handle directly. If we introduce bank or financial account integrations in the future, we will update this Privacy Policy and implement appropriate additional safeguards.
10.Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, including to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements.
10.1 Account data (email, profile).
We keep your basic account and profile details (such as your name and email address) for as long as your account remains active. If you delete your account, we will delete or irreversibly anonymise this data on our active systems within 90 days, unless we need to retain specific information for longer to comply with legal obligations or to resolve ongoing disputes, investigations, or enforce our agreements. Residual copies may remain in secure backups for a limited period until those backups are overwritten or deleted in line with our backup retention practices.
Where applicable, you may request an export within the timeframe described in our Terms.
10.2 Financial entries and generated reports.
Your financial transaction records and the reports and forecasts generated from them are stored for as long as your account remains active, unless you delete individual entries earlier within the Service. If you delete your account, we will delete or irreversibly anonymise your identifiable financial entries and associated reports on our active systems within 90 days, unless we need to retain specific information for longer to comply with legal obligations or to resolve ongoing disputes or investigations, prevent fraud or misuse, or enforce our agreements. We may retain anonymised or aggregated statistics that no longer identify you for analytics and service-improvement purposes.
10.3 System logs and technical telemetry.
Technical logs generated by our hosting platform Bubble (such as the data described in Section 3.4) are retained for a short period for security monitoring, performance troubleshooting, and abuse prevention, in line with our current configuration and Bubble’s standard settings. Retention periods may vary depending on configuration and Bubble’s practices and may change over time. We do not currently export or maintain separate long-term copies of these raw logs outside Bubble. Aggregated usage information derived from these logs may be retained for longer but is used only in an aggregated form to operate and improve the Service and is not used for advertising or sold to third parties.
10.4 Legal and contract records.
Certain records that relate to our legal and contractual relationship with you—such as records of your acceptance of our Terms, key communications about your account, and any invoices or payment-related documentation—may be retained for up to six years after your account is closed. We keep these records to comply with our tax and accounting obligations and because six years is the standard limitation period for most contractual claims under UK law, so we may need the records to establish, exercise, or defend legal claims.
10.5 Email delivery and audit logs.
We use Google Workspace as our email provider, which means that technical and audit logs about emails we send or receive in connection with the Service are generated and retained by Google as our data processor. In addition to the content of emails themselves (which we may retain as part of the legal and contract records described in Section 10.4), Google may maintain delivery and tracing metadata (for example sender and recipient addresses, timestamps, and status information) and Gmail audit log events for a limited period in line with our current Google Workspace settings and Google’s logging and retention controls. Retention periods may vary depending on configuration and Google’s practices, and may change over time. Messages placed in Trash or Spam are typically deleted after a period under Google’s standard behaviour, subject to any administrator policies and limited recovery features that may apply. If we enable Google Vault or change our Workspace retention settings in the future, the retention of email content and related logs will follow the applicable Vault and Workspace policies, and we will update this section as needed.
11.Your Rights and How to Exercise Them
11.1 Contact channel.
To exercise your data protection rights or ask questions about this Privacy Policy, contact us at info@arestech-fi.com.
11.2 What to include.
Please include the email address associated with your account and specify which right you wish to exercise (for example access, rectification, erasure, portability, restriction, or objection).
11.3 Verification.
To protect your account and personal data, we may ask you to confirm your email address or provide limited additional information to verify your identity before we respond to a request.
11.4 Response time.
We aim to respond without undue delay and in any event within one month of receiving your request. If a request is complex or you submit multiple requests, we may extend this period by up to two additional months, and we will inform you within the first month if an extension is needed.
11.5 Fees.
Requests are generally handled free of charge. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request, and we will explain our reasons.
11.6 Format.
Where applicable, we will provide copies of your data or portable exports in a commonly used, machine-readable format (for example CSV or JSON).
11.7 Territorial note.
The Service is intended primarily for users in the United Kingdom. Where applicable, the rights described in this section reflect the UK GDPR, and we will also honour equivalent rights under the EU GDPR for EU/EEA users where that law applies. If we begin offering the Service in additional jurisdictions, we will provide any required jurisdiction-specific notices and update this Privacy Policy accordingly.
12.Automated Decision-Making and Profiling
12.1 No automated decisions.
We do not engage in automated decision-making (including profiling) that produces legal or similarly significant effects on users. While the Service may generate automated calculations, summaries, and forecasts based on the data you enter, these are provided for informational purposes only and do not determine your eligibility for any product, service, or benefit.
13.Children’s Data
13.1 Minimum age.
The Service is intended for adults only. You must be at least 18 years old to create an account and use the Service.
13.2 No intentional collection of children’s data.
We do not knowingly collect personal data from individuals under the age of 18. If we become aware that personal data has been collected from a person under 18, we will take reasonable steps to delete that information as soon as possible.
14.Cookies and Tracking Technologies
14.1 Strictly necessary cookies and similar technologies.
The Service uses a small number of strictly necessary cookies and similar technologies (such as Bubble session cookies and security-related tokens) that are required for the site and app to function—for example, to keep you logged in as you navigate between pages and to help protect your account from unauthorised access. Under UK law (including the UK GDPR and the Privacy and Electronic Communications Regulations), these strictly necessary cookies do not require your consent, but we describe them here for transparency. We do not currently use any non-essential cookies or similar technologies (such as analytics, advertising, or tracking cookies) inside the Service. If we introduce non-essential cookies in the future, we will provide clear information about them and, where required, obtain your consent before placing them on your device.
14.2 Cookie inventory (strictly necessary).
The Service uses strictly necessary cookies and similar technologies provided by Bubble to manage login sessions and help protect the Service. Cookie names and durations may vary depending on Bubble’s implementation and updates. You can view cookies and their expiry times in your browser settings. Based on our current configuration, examples include:
Cookie/SDK name: Session ID
Provider: Bubble.io
Purpose: Identify the user’s session
Type: Strictly necessary
Duration: Session
Cookie/SDK name: Session signature
Provider: Bubble.io
Purpose: Verify session integrity, prevent tampering
Type: Strictly necessary
Duration: Session
Cookie/SDK name: User identifier
Provider: Bubble.io
Purpose: Identify logged-in user for authentication
Type: Strictly necessary
Duration: Varies (set by Bubble)
14.3 IP addresses, logs, and tracking.
We do not use cookies or similar technologies to track you across other websites, to build marketing profiles, or to share your data with third-party advertising networks. As described in sections 3.4, 3.5, and 10.3, our hosting platform Bubble (acting as our data processor) automatically records technical information such as IP addresses, browser and device details, session identifiers and cookies, and basic usage and error logs so that we can operate, secure, and troubleshoot the Service and understand its performance. We use this information only for these operational and security purposes and to produce high-level, aggregated usage statistics, not for behavioural advertising or selling your data.
15.Changes To This Policy
15.1 Notification of changes.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service, where appropriate, before the changes take effect.
15.2 Last updated.
This Privacy Policy was last updated on 18 January 2026.
16.Contact Details and Controller Information
16.1 Privacy contact.
If you have questions about this Privacy Policy or wish to exercise your data protection rights, you can contact us at info@arestech-fi.com.
16.2 Data Controller
16.2.1 Name. Ares Technology Solutions Limited
16.2.2 Postal address. 71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
16.2.3 Data Protection Officer / representatives. We have not appointed a Data Protection Officer. As we are established in the United Kingdom, we do not have a UK representative. If we later appoint a DPO or an EU representative, we will update this section.
16.3 Supervisory authority and complaints
16.3.1 United Kingdom. The UK supervisory authority is the Information Commissioner’s Office (ICO). You have the right to lodge a complaint with the ICO if you believe our processing of your personal data infringes applicable data protection law.
16.3.2 Other jurisdictions. If you are located outside the United Kingdom, you may also have the right to raise concerns with your local data protection authority, where applicable.
17.Communication
17.1 Service and security emails.
We may send essential service-related or security-related emails that are necessary to operate and protect the Service (for example account verification, password resets, critical security alerts, and important notices about your account).
17.2 Marketing communications.
We do not currently send marketing emails. If we introduce marketing communications in the future, we will do so in compliance with applicable law (including UK GDPR and PECR), using an appropriate lawful basis (including consent where required). You will be given a clear choice and a simple way to opt out or unsubscribe at any time.
18.Eligibility
18.1 Minimum age.
The Service is intended for adults only. You must be at least 18 years old to create an account and use the Service (see section 13).