ALYGN MEDIA LTD PRIVACY POLICY
External — Published Policy | UK GDPR & Data Protection Act 2018 Compliant
Company: ALYGN MEDIA LTD — Company No. 16669971
Registered Office: KT12 1EN, United Kingdom
Data Protection Lead: Oscar Goldblatt — hello@alygnmedia.com
Version: 2.0
Last Updated: 13 April 2026
Replaces: Version dated 13 November 2025
Applies to: All users: Creatives, Clients, site visitors and third parties
Supervisory Authority: Information Commissioner's Office (ICO) — ico.org.uk
1. WHO WE ARE
ALYGN MEDIA LTD ('ALYGN', 'we', 'us', 'our') is a UK-registered creative production partner that connects Brands and Clients with vetted freelance Creatives, and uses an AI-assisted matching engine called ALYGN Intelligence. ALYGN MEDIA LTD is the data controller in respect of all personal data processed under this Policy.
Contact
Data Protection Lead: Oscar Goldblatt
Email: hello@alygnmedia.com
Company: ALYGN MEDIA LTD — Company No. 16669971
Registered Office: KT12 1EN, United Kingdom
Supervisory Authority: Information Commissioner's Office (ICO) — ico.org.uk
2. SCOPE AND WHO THIS POLICY APPLIES TO
This Privacy Policy explains what personal data ALYGN collects, why we collect it, how we use and share it, how long we keep it, and what rights you have in relation to it. It applies to all individuals who interact with ALYGN, including:
Creatives (freelance individuals) who sign up, submit a profile or join the waitlist
Clients and Brands who register, brief projects or join the waitlist
Visitors to the ALYGN website (alygn.co.uk)
Third parties who engage with ALYGN in a project or commercial context
By signing up, submitting an interest or waitlist form, creating a profile, or otherwise using ALYGN's services, you acknowledge you have read this Policy. This Policy is governed by UK law. Where we process data relating to individuals outside the UK, we will comply with applicable international transfer requirements as set out in Section 13.
3. WHAT PERSONAL DATA WE COLLECT
We collect the categories of personal data necessary to provide ALYGN's services. The tables below summarise the categories by data subject type.
3.1 Creative (Freelance) Data
Category
Examples
Identity
Name, profile photo, biography
Contact
Email address, city and country of residence
Professional
Roles, specialisms/tags, portfolio links, social links, languages, equipment
Availability & rates
Day rate, availability windows, timezone, preferred project types
Financial
VAT/tax registration number, payout method and bank details (held in accounting system only)
Account / system
Visibility setting, approval status, profile complete flag, email opt-in status, unsubscribe token, slug, record ID
AI matching data
AI match score, match reason, shortlist status (generated by ALYGN Intelligence — see Section 8)
3.2 Client and Brand Data
Category
Examples
Identity
Company name, company logo
Contact
Contact name(s), email, billing email, phone number, website, social handles
Business profile
Industry, company size, HQ city/country, typical project roles, budgets, project frequency, preferred working style
Account / system
CRM lifecycle stage, email opt-in/status, unsubscribe token, slug, record ID, UTM fields, timestamps
3.3 Brief and Match Data
Category
Examples
Brief
Title, brief ID, linked client, status, budget, location preference, required roles, description, deadline
Match
Linked brief, linked creative, match ID, AI score, AI reason, shortlisted flag, client feedback, outcome, timestamps
Project
Delivery metadata, project ID, status, timeline, review and rating data
3.4 Technical and Analytics Data
When you visit our website or use our platform, we may automatically collect: IP address, browser type and version, device type and operating system, page visit data, session duration, referral source, UTM parameters, and cookie identifiers. See Section 11 (Cookies) for further detail.
3.5 Email and Communications Log
We maintain an operational log of emails sent via our platform (including: recipient type, recipient record ID, email address, name, subject, body text and HTML, trigger type, provider, provider message ID, status, and timestamp). This log supports deliverability, diagnostics, unsubscribe compliance and legal accountability.
3.6 Special Category and Sensitive Data
ALYGN does not intentionally collect special category data (as defined in Article 9 UK GDPR) or criminal conviction data. You should not include such data in your profile, portfolio or communications. If ALYGN discovers special category data has been inadvertently submitted, it will be deleted unless there is a clear and documented lawful basis for retention.
4. HOW WE COLLECT PERSONAL DATA
We collect personal data through the following means:
Directly from you — when you complete a waitlist or interest form, create or update a profile, submit a brief, or contact us
Automatically — through cookies, analytics tools and system logs when you visit our website or use our platform (see Section 11)
Generated by our systems — AI match scores and reasons, automation logs and run IDs, produced as a result of platform operations
From public sources you link — for example, portfolio websites or social media profiles you provide to us
From third parties — payment providers, accounting services, and identity verification providers where necessary to deliver the service
5. WHY WE PROCESS YOUR DATA AND OUR LAWFUL BASES
Under the UK GDPR, we must identify a valid lawful basis for each purpose of processing. The table below sets out our processing purposes and the lawful basis we rely on for each.
Providing ALYGN services: matching, contracting, project delivery
Contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f))
Necessary to perform or prepare a contract with you; also necessary for platform operation.
Automated matching and profiling (ALYGN Intelligence)
Legitimate interests (Art. 6(1)(f)); Contract (Art. 6(1)(b))
Where automated decisions have legal or similarly significant effects, safeguards and human review apply (see Section 8).
Payments, invoicing and financial accounting
Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c))
Required to fulfil payment obligations and comply with HMRC and statutory accounting requirements.
Marketing and outreach communications
Consent (Art. 6(1)(a)); Legitimate interests (Art. 6(1)(f))
Consent where required by law (including PECR). Legitimate interests for business-to-business contact balanced against individual rights. See Section 6.
Platform security, fraud prevention and legal compliance
Legitimate interests (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c))
Necessary to protect the platform, users and ALYGN from harm and to comply with applicable law.
Analytics and product improvement
Legitimate interests (Art. 6(1)(f)); Consent (Art. 6(1)(a)) for non-essential cookies
Aggregated and anonymised where possible. Cookie consent required for non-essential analytics tools.
6. WAITLIST AND INTEREST FORMS — CONSENT AND MARKETING
Important — What Happens When You Submit a Waitlist or Interest Form
By completing and submitting an ALYGN waitlist or interest form (whether as a Creative or a Client), you expressly consent to ALYGN:
1. Contacting you by email about ALYGN — including onboarding, pilot invitations, service updates, product information, marketing, events and relevant partnership opportunities; and
2. Sharing the information you provide (subject to your visibility settings) with relevant Brands, Clients or third parties for the purpose of matching, hiring and commercial project delivery.
This consent is recorded with a timestamp and the form version at the point of submission.
6.1 How to Withdraw Consent or Unsubscribe
You may withdraw consent to marketing communications at any time by clicking the unsubscribe link included at the bottom of every marketing email we send. On receipt of your unsubscribe request, we will update your email status and cease sending marketing communications promptly.
Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal. It does not prevent us from sending transactional or service emails that are strictly necessary for account operation — for example: project notifications that form part of your contract, payment receipts, security alerts, or critical account notices.
To exercise broader rights including erasure or restriction of processing, see Section 12.
6.2 Consent Records
All consent is recorded in Airtable with: the timestamp of submission, the version of the form and consent text presented, and the individual's opt-in status. This record is maintained for the duration of your relationship with ALYGN and for three years thereafter, to fulfil our accountability obligations under UK GDPR.
7. HOW AND WITH WHOM WE SHARE YOUR DATA
ALYGN does not sell personal data. We share personal data only where necessary for the purposes described in this Policy and under appropriate contractual controls.
7.1 Sharing Creative Profiles with Clients and Brands
By submitting a waitlist form or by creating and publishing a profile, Creatives permit ALYGN to present and share their profile — including name, portfolio, contact details, availability, rates, biography and relevant project history — with Clients and other relevant third parties for the purpose of matching, hiring and project delivery.
Profile visibility is controlled by the Creative:
Public profile — visible to Clients, approved third parties and public platform directories
Private profile — shared only when the Creative is shortlisted or specifically approved for a brief
Visibility settings can be updated by contacting hello@alygnmedia.com (self-service profile management will be available when the platform launches in 2026).
7.2 Sharing Client Details with Creatives and Project Partners
By submitting a waitlist form or registering as a Client, Clients permit ALYGN to share relevant company and contact details with Creatives, vendors and project partners as necessary to fulfil contracted projects, arrange payments and execute agreements.
7.3 Subprocessors and Service Providers
We engage third-party processors to help us operate ALYGN. All processors are subject to a signed Data Processing Agreement (DPA) and are contractually required to process personal data only on our documented instructions. Our key subprocessors are listed in Appendix B. The current subprocessor list is available on request from hello@alygnmedia.com.
7.4 Legal Obligations, Safety and Business Transfers
We may disclose personal data to a third party where required or permitted by law, including to comply with a legal obligation, to enforce our terms, or to protect the rights, property or safety of ALYGN, our users or others. If ALYGN undergoes a merger, acquisition or asset sale, personal data may be transferred to the acquiring entity subject to confidentiality obligations and compliance with this Policy.
8. ALYGN INTELLIGENCE — AUTOMATED MATCHING AND PROFILING
ALYGN Intelligence is ALYGN's AI-assisted matching engine. It analyses Client briefs and Creative profiles to produce a match score (0-100) and a brief written reason for each match. These scores and reasons are stored in Match records and inform the shortlists presented to Clients.
ALYGN Intelligence is in active development and its full functionality is planned for mid-to-late 2026. No automated decision-making results from ALYGN Intelligence will be applied to individuals until the platform is fully operational and the controls below are in place.
8.1 Human Oversight
A mandatory human review step is built into the ALYGN workflow. No AI-generated shortlist will result in a commercial placement without a human reviewer validating and approving the output. This ensures that automated profiling does not produce a decision with legal or similarly significant effect on any individual without human intervention, in compliance with Article 22 UK GDPR.
8.2 Your Rights in Respect of Automated Processing
You have the following rights in relation to ALYGN Intelligence:
Right to explanation — you may request meaningful information about the logic, significance and likely consequences of any profiling applied to you
Right to human review — you may request that a human reviews any automated result that affects you, and contest the outcome
Right to object — you may object to profiling under Article 21 UK GDPR; we will cease profiling unless we can demonstrate compelling legitimate grounds
To exercise any of these rights, contact hello@alygnmedia.com.
8.3 DPIA and Bias Testing
ALYGN has conducted a Data Protection Impact Assessment (DPIA) for ALYGN Intelligence processing, covering scope, data categories used, principal risks (including bias, erroneous matching and privacy leakage), and the safeguards applied. The DPIA is reviewed at least quarterly and whenever a material change is made to ALYGN Intelligence. A non-technical DPIA summary is available on request; a full DPIA is available to enterprise customers under NDA.
ALYGN conducts regular bias and fairness testing on ALYGN Intelligence models. Results inform ongoing model improvements. Role-based access controls and encryption protect all AI processing data.
9. HOW LONG WE KEEP YOUR DATA
We retain personal data only for as long as necessary for the purpose for which it was collected, and to meet our legal obligations. The retention schedule below applies unless a longer period is required by applicable law.
Data Category
Retention Period
Legal Basis / Notes
Financial records, invoices, payroll (Xero)
7 years
Companies Act 2006; HMRC statutory requirement
Active Creative and Client accounts
Duration of relationship
Contract; legitimate interests
Inactive accounts
12 months after last activity, then delete or anonymise
GDPR data minimisation; storage limitation
Briefs, matches, projects, reviews
Duration of project + 12 months archive; up to 7 years if legal dispute
Limitation Act 1980; contract records
Email and communications log
12 months
Operational compliance; unsubscribe records
Consent records
Duration of relationship + 3 years
GDPR accountability (Art. 5(2))
AI run logs and explainability data
12-36 months (per DPIA)
DSAR support; ICO AI guidance
Right-to-work / ID check copies
Until check complete; max 2 years
Immigration Rules; GDPR minimisation
Backups
Up to 90 days, then secure deletion
Resilience; secure deletion on expiry
Breach and incident logs
5 years from incident
ICO accountability; litigation limitation
DSAR records
3 years from response
Accountability; limitation period
Marketing / analytics data
26 months (rolling)
ICO analytics guidance
On deletion, data is removed from primary systems and queued for deletion from backup systems at the next scheduled backup cycle. Where full immediate deletion is not technically possible within a backup system, access to that data is restricted in the interim. Deletion events are logged.
Where a legal obligation requires us to retain data beyond the standard period (for example, statutory accounting records), we will retain only the minimum data necessary to fulfil that obligation.
10. HOW WE PROTECT YOUR DATA
ALYGN implements a layered approach to data security, incorporating the following technical and organisational measures:
Encryption in transit — all data transmitted between your browser and ALYGN is encrypted using HTTPS/TLS (minimum TLS 1.2)
Encryption at rest — where supported by vendor platforms, personal data is encrypted at rest
Access controls — role-based access control (RBAC) and the principle of least privilege are enforced across Airtable, Google Workspace and all systems holding personal data
Authentication — multi-factor authentication (MFA) is required for all administrator accounts
Audit logging — access to personal data and key system actions are logged and available for review
Vendor controls — all processors are subject to DPAs and are contractually required to implement appropriate security measures
Monitoring — automated health checks, error logging and admin alerts are in place for platform automations
Periodic testing — vulnerability scanning and penetration testing are conducted prior to any major product launch and at least annually
No system can guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals without undue delay in accordance with Article 33 and 34 UK GDPR.
Enterprise customers may request security attestations, penetration test summaries or equivalent assurance documentation by contacting hello@alygnmedia.com.
11. COOKIES AND ANALYTICS
ALYGN currently does not use cookies, from summer 2026 the following will apply:
ALYGN uses cookies and similar tracking technologies on our website. A cookie is a small text file placed on your device. We use the following categories of cookies:
Cookie Type
Description and Basis
Strictly necessary
Required for the website to function (e.g., session management, security). No consent required.
Analytics / performance
Used to understand how visitors use our site (e.g., Google Analytics via Framer). Requires opt-in consent under PECR.
Marketing / targeting
Used to deliver relevant advertising or measure campaign effectiveness. Requires opt-in consent.
A cookie consent banner is presented to all visitors before any non-essential cookies are set. You can manage or withdraw your cookie consent at any time through the cookie settings on our website. Withdrawing consent does not affect cookies already placed; they will expire at their natural expiry time or can be deleted through your browser settings.
For full details of the cookies we use, their purpose, duration and the third parties involved, please refer to our Cookie Policy, available on the ALYGN website.
12. YOUR DATA PROTECTION RIGHTS
Under the UK GDPR and Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to legal exceptions; we will explain any limitation when responding to a request.
Right
What It Means
Access (Art. 15)
Request a copy of the personal data we hold about you and information about how we process it.
Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data.
Erasure (Art. 17)
Request deletion of your personal data ('right to be forgotten'), subject to legal retention obligations.
Restriction (Art. 18)
Request that we restrict processing of your data in certain circumstances.
Portability (Art. 20)
Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing. We will cease processing unless we can demonstrate compelling legitimate grounds.
Automated decisions (Art. 22)
Not to be subject to a decision based solely on automated processing with legal or similarly significant effects; request human review and contest the outcome.
Withdraw consent
Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of prior processing.
12.1 How to Exercise Your Rights
To exercise any of the above rights, contact us at hello@alygnmedia.com. We will verify your identity before processing any request. We will respond within one calendar month. For complex or numerous requests, this period may be extended by a further two months; we will notify you within the initial one-month period if an extension is required.
We will not charge a fee for handling requests unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request with written reasons.
12.2 Right to Complain
If you are not satisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
13. INTERNATIONAL DATA TRANSFERS
ALYGN is based in the United Kingdom. Some of our subprocessors (including OpenAI, Google Workspace and others listed in Appendix B) may process personal data outside the UK.
We will not transfer personal data to a country outside the UK unless an appropriate safeguard is in place under Chapter V UK GDPR. The transfer mechanisms we rely on include:
UK adequacy regulations — transfers to countries or international organisations that have received a UK adequacy decision
UK International Data Transfer Agreements (IDTAs) — standard contractual clauses approved by the ICO, incorporated into our DPAs with processors in non-adequate countries
UK Addendum to EU Standard Contractual Clauses — where applicable to existing processor agreements
Details of the transfer safeguards in place for specific processors are available on request from hello@alygnmedia.com.
14. CHILDREN
ALYGN's services are intended for adults (18 years and over) and for businesses. We do not knowingly collect or process personal data from individuals under the age of 18. If we become aware that personal data from a person under 18 has been submitted to us, we will delete it promptly. If you believe we have inadvertently collected data relating to a child, please contact hello@alygnmedia.com immediately.
15. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. When we make material changes, we will notify active users by email and/or by posting a prominent notice on the ALYGN website before the changes take effect. The 'Last Updated' date at the top of this Policy indicates when it was most recently revised.
We encourage you to review this Policy periodically. Continued use of ALYGN's services after a revised Policy has been published constitutes acceptance of the updated terms, to the extent permitted by applicable law.
16. CONTACT US
For any questions, concerns or requests relating to this Privacy Policy or ALYGN's data protection practices, please contact:
Data Protection Lead
Name: Oscar Goldblatt
Email: hello@alygnmedia.com
Company: ALYGN MEDIA LTD
Address: KT12 1EN, United Kingdom
For urgent security or breach matters, please contact us immediately at the email above.
For complaints, you may also contact the ICO at ico.org.uk
APPENDIX A — CONSENT AND ACCEPTANCE STATEMENT
The following statement is presented to users at the point of submitting a waitlist or interest form, and at account registration. It forms the basis of ALYGN's consent-based processing.
Consent Statement (presented at point of submission)
By submitting this form / creating an account on ALYGN, I confirm that I have read and understood ALYGN's Privacy Policy (available at alygn.co.uk/privacy) and I consent to ALYGN:
1. Contacting me by email about ALYGN's services — including onboarding, pilot invitations, platform updates, product information, marketing, events and relevant commercial opportunities.
2. Sharing the information I have provided (subject to my visibility settings) with relevant Brands, Clients and project partners for the purpose of matching, hiring and creative project delivery.
I understand that I may withdraw this consent at any time by clicking the unsubscribe link in any marketing email, or by contacting hello@alygnmedia.com. Withdrawal of consent does not affect the lawfulness of processing before withdrawal, and does not prevent ALYGN from sending transactional or service-critical communications necessary to operate my account.
APPENDIX B — KEY SUBPROCESSORS
The table below lists the key third-party processors engaged by ALYGN at the date of this Policy. All are subject to a signed Data Processing Agreement (DPA) and, where applicable, a UK International Data Transfer Agreement (IDTA) or equivalent. The current full subprocessor list is available on request from hello@alygnmedia.com.
Subprocessor
Purpose
Safeguards
OpenAI (ChatGPT Business)
AI matching engine — analysing briefs and creative profiles
Enterprise DPA; private workspace; contractually prohibited from training on customer data; IDTA/SCC in place
Airtable
Central data store for all operational data
DPA + SCC; role-based access controls; audit logging
Framer
Website and intake forms; Google Analytics integration
DPA; consent-based analytics only
Zapier
Workflow automation between systems
DPA; processes only on ALYGN instructions
Xero
Accounting, invoicing and payroll
DPA + SCC; statutory financial data retention
Google Workspace
Email (Gmail) and document storage (Drive)
DPA; MFA enforced on all admin accounts; SCC
Softr
Platform portal / user-facing front-end (planned)
DPA; role-based access controls
We will update this list when new processors are engaged. We will give reasonable prior notice of material changes to subprocessors where required by applicable law.
APPENDIX C — DPIA SUMMARY: ALYGN INTELLIGENCE
This summary describes the Data Protection Impact Assessment (DPIA) conducted by ALYGN for ALYGN Intelligence. A full DPIA is available to enterprise customers under NDA. Contact hello@alygnmedia.com.
C.1 Processing Description
ALYGN Intelligence is an AI-assisted matching engine that converts Client briefs and Creative profiles into ranked shortlists. It produces an AI Score (0-100) and a brief written reason for each Creative-to-Brief match. These outputs are stored in Match records within Airtable and inform (but do not determine) shortlists presented to Clients.
C.2 Data Categories Used
Creative profile fields (name, roles, specialisms, portfolio links, availability, rates, ratings, prior project history), Client brief fields (description, required roles, budget, timeline, location preference), and system-generated match and project data.
C.3 Principal Risks Identified
Bias and unfair matching — AI models may reflect historical biases in training data, leading to systematic under-ranking of certain Creative profiles
Erroneous matches — incorrect or low-quality shortlists could affect a Creative's commercial opportunities
Privacy leakage — PII contained in prompts submitted to third-party AI services could be exposed
Unauthorised access — inappropriate access to AI scores, reasons and match data
C.4 Safeguards Applied
Mandatory human review — no AI shortlist results in a commercial placement without a human reviewer signing off the output
PII redaction — high-risk personally identifiable information is redacted from prompts before submission to any third-party AI service
Bias and fairness testing — models are tested for bias and performance on a regular basis; results inform model updates
Explainability retention — AI score, run ID, model version and reason are retained for 12-36 months to support DSARs
Access controls — role-based access and audit logging restrict who can view match scores and reasons
Contractual protections — DPA and IDTA/SCC in place with OpenAI; private enterprise workspace prevents customer data being used for model training
C.5 DPIA Review Cadence
The DPIA is reviewed at least quarterly and whenever a material change is made to ALYGN Intelligence, including changes to the model, data inputs, or the matching workfl
C.6 Requesting a Review or Explanation
If an automated matching decision has affected you and you wish to request a human review or explanation, contact hello@alygnmedia.com. We will respond within one calendar month.
VERSION HISTORY
Change Log
v1.0 — 13 November 2025 — Initial publication
v2.0 — 13 April 2026 — Full review and restructure; new sections on international transfers, data categories tables, retention schedule formalised, DPIA summary expanded, subprocessor table updated, consent statement clarified, formatting overhauled
© 2026 ALYGN. All rights reserved. London, UK