Privacy Policy

Effective date: 1 June 2025. Last updated: 1 June 2025.

This Privacy Policy explains how Ardent Lens ("we," "us," or "our") collects, uses, stores, and shares your personal data when you use our platform. It also explains your rights under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), and the Data Protection Act 2018.

We take your privacy seriously. We collect only what we need, we use it only for the purposes described here, and we do not sell your personal data to anyone.

The data controller for personal data collected through the Ardent Lens Platform is Ardent Lens. For any questions about how we process your data, to exercise your rights, or to contact our data protection point of contact, please use the Contact page.

Account and registration data

When you create an account, we collect your name (first and last), email address, and the password you set (stored in hashed form — we never store your password in plain text). If you update your profile, we also collect optional information such as a display name, biography, and profile photograph.

Subscription and payment data

When you subscribe to a premium plan, we collect billing information necessary to process your payment. Payment card details are processed and stored by our payment provider (Paystack) and are not stored on our systems. We retain a record of the transaction, your subscription status, plan type, and payment history.

Content and interaction data

When you interact with content on the Platform — such as reading articles, posting comments, or following authors — we collect records of those interactions. This includes comments you post, articles you have read, and your follow relationships with other users.

Communications data

When you contact us via the Contact, Careers, or Write For Us forms, we collect the information you provide: your name, email address, and the content of your message. If you subscribe to our newsletter, we collect your email address and record your subscription preferences.

Technical and usage data

When you visit the Platform, our servers automatically collect certain technical information, including your IP address, browser type and version, operating system, the pages you visit, time and date of access, and referring URLs. This data is used for security, performance monitoring, and aggregate analytics. We do not use this data to build individual behavioural profiles for commercial purposes.

Cookie and tracking data

We use cookies and similar technologies as described in our Cookie Policy. The cookies we set include essential cookies required for the Platform to function, and optional analytics cookies that we only set with your consent.

Under the UK GDPR and EU GDPR, we are required to have a lawful basis for each purpose for which we process your personal data. The bases we rely on are:

• Contract (Article 6(1)(b)): Processing that is necessary to provide the services you have requested — creating and managing your account, delivering premium content you have subscribed to, and processing payments.
• Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests, provided those interests are not overridden by your rights. This includes security monitoring, fraud prevention, improving the Platform, moderation of user-generated content, and responding to enquiries you send us.
• Consent (Article 6(1)(a)): Where you have given us specific, informed consent — for example, subscribing to our newsletter, or accepting non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Legal obligation (Article 6(1)(c)): Where we are required to process data to comply with a legal obligation — for example, retaining financial records as required by tax law.

We use the personal data we collect for the following purposes:

• To create, manage, and authenticate your account.
• To deliver premium content you have paid for.
• To process payments and manage your subscription.
• To communicate with you about your account, subscription, or enquiries.
• To send editorial newsletters and content digests you have opted into.
• To display your comments and profile on the Platform (with your consent to participate).
• To moderate content and enforce our Terms of Use.
• To improve the Platform through aggregate usage analytics.
• To detect, investigate, and prevent fraud, security breaches, and abuse.
• To comply with legal obligations and respond to lawful requests from authorities.

We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you, including profiling for advertising purposes.

We do not sell your personal data. We do not share your personal data with third parties for their own independent marketing purposes. We share data only as follows:

Service providers (data processors)

We share data with third-party service providers that act as data processors on our behalf. These providers are contractually bound to process your data only as we instruct and to maintain appropriate security measures. Our key processors include:

• Supabase — database hosting, authentication, and file storage. Data is stored on servers in the European Union or United Kingdom (depending on your region setting).
• Paystack — payment processing. Paystack processes payment card data directly and is PCI-DSS compliant. We do not receive or store full card numbers.
• Resend — transactional email delivery (account notifications, password resets, newsletters).
• Vercel — Platform hosting and content delivery infrastructure.

Legal disclosure

We may disclose personal data if required to do so by law, court order, or in response to a lawful request by a public authority. We will, where legally permissible, notify you if such a request is received.

Business transfers

If Ardent Lens is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will provide notice before your data becomes subject to a materially different privacy policy.

Some of our third-party processors operate outside the UK and EU. Where we transfer personal data to a country that does not have an adequacy decision under UK or EU GDPR, we ensure appropriate safeguards are in place — typically Standard Contractual Clauses (SCCs) or an equivalent mechanism. For more information about the safeguards applicable to a specific transfer, please contact us.

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Specific retention periods include:

• Account data: Retained for the duration of your account and for up to 30 days following account deletion (to allow for reactivation requests), after which it is permanently deleted.
• Financial and billing records: Retained for seven years from the date of the relevant transaction, as required by tax and accounting regulations.
• Comment data: Comments remain on the Platform while your account is active. Upon account deletion, comments are anonymised (your name and profile are removed; the comment text may remain in context).
• Newsletter subscription: Retained until you unsubscribe. We maintain a suppression record to avoid re-subscribing you inadvertently.
• Contact form submissions: Retained for up to 24 months from the date of submission for reference and audit purposes.
• Technical logs: Server access logs are retained for up to 90 days and then deleted.

Under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, please contact us via the Contact page. We will respond within one calendar month.

• Right of access (Article 15): You have the right to obtain confirmation that we process your personal data and to receive a copy of the data we hold about you, along with information about how we process it.
• Right to rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data. You can update most account information directly in your account settings.
• Right to erasure / right to be forgotten (Article 17): You have the right to request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent (and no other legal basis applies), or where it has been unlawfully processed. We may retain certain data where required by law.
• Right to restriction of processing (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances — for example, while a dispute about accuracy is resolved.
• Right to data portability (Article 20): Where processing is based on your consent or a contract with you, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to request that we transmit it directly to another controller where technically feasible.
• Right to object (Article 21): You have the right to object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with your national data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, you should contact the supervisory authority in the country where you are habitually resident, work, or where an alleged infringement occurred.

We may need to verify your identity before fulfilling a rights request. We will not charge a fee for rights requests unless they are manifestly unfounded or excessive. If we are unable to fulfil a request, we will explain why within the one-month response period.

Our Platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided personal data to us without your consent, please contact us immediately and we will take steps to delete that data.

We implement technical and organisational measures designed to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include encrypted data storage, TLS encryption for data in transit, access controls and authentication, and regular security reviews. However, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and, where required, will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we provide. When we make material changes, we will update the effective date at the top of this page and notify registered users by email or by a prominent notice on the Platform. We encourage you to review this policy periodically.

If you have questions, concerns, or requests relating to this Privacy Policy or our data processing practices, please contact us via the Contact page. We aim to respond to all privacy-related enquiries within five business days and will escalate your request to our data protection point of contact where necessary.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have not handled your personal data lawfully. The ICO can be contacted at ico.org.uk/make-a-complaint.