Effective date: March 27, 2026 Last updated: March 27, 2026
1. Introduction
This Privacy Policy explains how ARBORLEGIS LTD («Company,» «we,» «us,» «our»), trading as Ops in a Box / Iryna Miroshnychenko, collects, uses, stores, shares, and protects personal data when you:
ARBORLEGIS LTD is a company registered in England and Wales. Registered address: 802 Sovereign Tower, 1 Emily Street, London, United Kingdom, E16 1XH Contact email: ops@irynamiroshnychenko.com
This Privacy Policy is issued in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). Where our Website is accessed by individuals in the European Economic Area (EEA), we also comply with the EU General Data Protection Regulation (EU GDPR, Regulation 2016/679).
This Privacy Policy should be read together with our Terms of Service and Cookie Policy, available on this Website.
We are committed to protecting your personal data. We do not sell, rent, or trade your personal information. We do not use your data for advertising or behavioural profiling. We collect only the data necessary for the purposes described in this Policy.
2. Data Controller
The data controller responsible for your personal data is:
ARBORLEGIS LTD 802 Sovereign Tower, 1 Emily Street, London, United Kingdom, E16 1XH Email: ops@irynamiroshnychenko.com
A data controller is the entity that determines the purposes and means of processing your personal data. If you have any questions about how your data is processed, or wish to exercise any of your rights, contact us at the email address above.
We do not have a designated Data Protection Officer (DPO), as we are not required to appoint one under Article 37 of UK GDPR. All data protection enquiries are handled directly by the Company.
3. What Personal Data We Collect
We collect different categories of personal data depending on how you interact with us.
3.1. Website Visitors
When you visit the Website, we may collect the following data:
Automatically collected (server logs):
Your visit to the Website generates server access logs maintained by our hosting provider. These logs may include: your IP address, date and time of access, pages requested, HTTP status codes, referring URL, browser type and version, and operating system. Server logs are retained by the hosting provider in accordance with its data retention policy, typically for 14–90 days, and are used solely for security monitoring, troubleshooting, and abuse prevention.
Automatically collected (via cookies and analytics):
This data is collected through Google Analytics (GA4) and is only collected if you consent to analytics cookies. See our Cookie Policy for details.
Through Google Fonts:
If Google Fonts are loaded from Google’s servers, your IP address is transmitted to Google when your browser requests the font files. We are evaluating self-hosting to eliminate this transfer. See our Cookie Policy for details.
3.2. Contact Form Submissions
When you submit the contact form on the Website, we collect:
Contact form submissions are processed by Elementor and delivered to our email address. Submissions may also be stored in the WordPress database on our hosting server. We periodically review and delete stored submissions in accordance with the retention periods in Section 7.
3.3. Call Bookings via Calendly
When you book a call through the Calendly widget embedded on the Website, the following data is collected by Calendly and shared with us:
Calendly processes this data as an independent data controller under its own privacy policy: https://calendly.com/privacy. We receive the booking details to facilitate the scheduled call.
3.4. Email and WhatsApp Communication
When you contact us by email (ops@irynamiroshnychenko.com) or WhatsApp, we collect:
WhatsApp communications are processed by Meta Platforms under its privacy policy: https://www.whatsapp.com/legal/privacy-policy. We do not control Meta’s data processing.
3.5. Clients — Onboarding and Engagement
When you become a client, we additionally collect and process:
Information you provide directly:
Information generated during the engagement:
Payment information:
We do not collect, store, or have access to your full credit card number, bank account details, or payment security codes. All payment processing is handled by Stripe (see Section 5).
3.6. Client’s Data — Data Processor Role
During the engagement, we may access and process personal data belonging to the client’s business — for example, data in the client’s CRM, customer databases, candidate information, employee records, or communication platforms.
In such cases, the client is the data controller and we act as a data processor. The terms of this processing relationship are set out in Section 10 of our Terms of Service (Data Processing Terms).
This Privacy Policy does not govern the client’s own data processing activities. The client is responsible for ensuring that its data processing is lawful and that it has obtained all necessary consents from its own data subjects.
4. How and Why We Use Your Data
We process your personal data only for specific, legitimate purposes. Below is a summary of each purpose, the legal basis under UK GDPR, and the categories of data involved.
4.1. To Provide and Manage the Website
Detail | |
What we do | Ensure the Website functions correctly, loads properly, displays content as intended, and is secure. Maintain server logs for security monitoring and troubleshooting. |
Data used | Technical data (IP address, browser type, device type, server access logs). |
Legal basis | Legitimate interest (Article 6(1)(f)) — maintaining a functional, secure website and protecting against abuse. |
4.2. To Analyse Website Usage
Detail | |
What we do | Understand how visitors use the Website — which pages are viewed, where traffic comes from, what devices are used — so we can improve the Website. |
Data used | Anonymised analytics data collected via Google Analytics (GA4). |
Legal basis | Consent (Article 6(1)(a)) — analytics cookies are only activated after you provide consent. |
4.3. To Respond to Enquiries
Detail | |
What we do | Respond to messages submitted through the contact form, email, or WhatsApp. |
Data used | Name, email address, phone number, message content. |
Legal basis | Legitimate interest (Article 6(1)(f)) — responding to individuals who contact us. Where the enquiry relates to a potential service purchase, also: necessary steps prior to entering a contract (Article 6(1)(b)). |
4.4. To Schedule and Conduct Calls
Detail | |
What we do | Facilitate introductory and follow-up calls booked through Calendly. |
Data used | Name, email address, booking time, any notes provided. |
Legal basis | Legitimate interest (Article 6(1)(f)) and/or necessary steps prior to entering a contract (Article 6(1)(b)). |
4.5. To Deliver Services to Clients
Detail | |
What we do | Deliver the operational support services described in the Terms of Service — including process documentation, task management, hiring coordination, CRM management, reporting, and related activities. |
Data used | All client data described in Section 3.5 and, where applicable, client’s data described in Section 3.6. |
Legal basis | Performance of a contract (Article 6(1)(b)) — processing is necessary to deliver the services the client has purchased. |
4.6. To Process Payments
Detail | |
What we do | Process payments for Trial Month and Subscription services via Stripe. |
Data used | Billing contact details, transaction records. Payment card details are processed by Stripe and never accessed, stored, or handled by us. |
Legal basis | Performance of a contract (Article 6(1)(b)). |
4.7. To Send Service-Related Communications
Detail | |
What we do | Send clients invoices, weekly reports, onboarding materials, service updates, and communications necessary for the engagement. |
Data used | Contact name, email address. |
Legal basis | Performance of a contract (Article 6(1)(b)). |
4.8. To Comply with Legal Obligations
Detail | |
What we do | Retain records as required by UK tax, accounting, and company law. Respond to lawful requests from regulatory authorities or courts. |
Data used | Payment records, invoices, contracts, engagement records. |
Legal basis | Legal obligation (Article 6(1)(c)). |
4.9. To Protect Our Legitimate Interests
Detail | |
What we do | Defend legal claims, enforce our Terms of Service and NDA, prevent fraud, and protect the Company’s rights and property. |
Data used | Any data relevant to the claim or dispute. |
Legal basis | Legitimate interest (Article 6(1)(f)). |
4.10. To Maintain Business Records
Detail | |
What we do | Retain contracts, NDAs, engagement records, and correspondence for the purposes of legal compliance and defence of claims. |
Data used | Contracts, NDAs, engagement records, correspondence. |
Legal basis | Legitimate interest (Article 6(1)(f)) — maintaining records necessary to defend or pursue legal claims within the limitation period. Legal obligation (Article 6(1)(c)) — where retention is required by UK company and tax law. |
What We Do Not Do With Your Data
5. Third-Party Processors
We use the following third-party service providers who may process personal data on our behalf or as independent controllers. We share data with these providers only to the extent necessary for the purposes described in this Policy.
Service | Role | Purpose | Data Shared | Location of Processing | Privacy Policy |
Stripe, Inc. | Independent controller / processor | Payment processing | Billing contact details, payment card data (processed by Stripe, not by us) | USA, EU | https://stripe.com/privacy |
Google LLC (Analytics) | Processor | Website analytics | Anonymised IP, usage data, device data | USA, EU | https://policies.google.com/privacy |
Google LLC (Fonts) | Independent controller | Font delivery | IP address | USA, EU | https://policies.google.com/privacy |
Calendly LLC | Independent controller | Call scheduling | Name, email, booking time | USA | https://calendly.com/privacy |
Meta Platforms (WhatsApp) | Independent controller | Messaging | Phone number, messages | USA, EU | https://www.whatsapp.com/legal/privacy-policy |
WordPress hosting provider | Processor | Website hosting, server logs, contact form storage | Contact form data, server access logs, IP addresses | See note below | |
Elementor | Processor | Website page builder and contact form processing | Contact form submissions | USA, EU | https://elementor.com/privacy-policy |
CookieYes | Processor | Cookie consent management | Consent records, anonymised visitor ID | EU | https://www.cookieyes.com/privacy-policy |
Note on WordPress hosting: The location and identity of the hosting provider depends on our current hosting arrangement. Contact us at ops@irynamiroshnychenko.com if you require specific information about our hosting provider, its data processing location, and applicable safeguards.
Sub-processors: In the course of delivering services, we may engage subcontractors who access client data (as described in Section 15 of the Terms of Service). A current list of sub-processors is available upon request by emailing ops@irynamiroshnychenko.com. Clients are notified before any new sub-processor begins processing their data.
During client engagements, we may also access and work within third-party tools selected by the client (e.g., Notion, Slack, Asana, Linear, ClickUp, Google Workspace, HubSpot, Monday.com, or other platforms). Data in these tools is processed under the client’s own agreements with those providers. We access such tools only as necessary to deliver the agreed services and in accordance with the Terms of Service and NDA.
We review our third-party processors periodically to ensure they maintain appropriate data protection standards.
6. International Data Transfers
Some of our third-party service providers process data outside the United Kingdom and European Economic Area, primarily in the United States.
Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, including:
We do not transfer personal data to countries without appropriate safeguards in place.
If you have questions about specific transfers, contact us at ops@irynamiroshnychenko.com.
7. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.
Data Category | Retention Period | Reason |
Server access logs | 14–90 days (determined by hosting provider) | Security monitoring, troubleshooting, abuse prevention. |
Website analytics data | 14 months (GA4 default setting) | GA4 default retention. Anonymised. |
Contact form submissions (stored in WordPress) | 12 months after last communication, then deleted from database | To manage enquiries. Periodically reviewed and purged. |
Contact form submissions (email copy) | 12 months after last communication | To manage enquiries and follow-up. Deleted if no engagement begins. |
Calendly booking data | 12 months after the call | To manage scheduling and follow-up. |
Email and WhatsApp communications (pre-client) | 12 months after last communication | To manage enquiries. Deleted if no engagement begins. |
Client engagement data (reports, SOPs, notes, communications) | Duration of the engagement + 24 months | To support continuity, resolve disputes, and maintain records. |
Client’s data (CRM, candidates, etc. — processor role) | Deleted or returned within 30 days of engagement termination | As specified in Terms of Service, Section 10.3. |
Payment records and invoices | 6 years from the end of the financial year in which the transaction occurred | UK tax and accounting law (Companies Act 2006, HMRC requirements). |
NDA and contracts | 6 years from the date of termination of the engagement | Limitation period for contractual claims under UK law (Limitation Act 1980). |
Cookie consent records | 3 years | To demonstrate compliance with PECR and UK GDPR (accountability principle). |
After the retention period expires, personal data is securely deleted or anonymised. «Securely deleted» means permanent removal from active systems, backups, and archives within a reasonable timeframe not exceeding 90 days from the end of the retention period.
8. Data Security
We implement technical and organisational security measures appropriate to the nature, scope, and sensitivity of the personal data we process, and to the risks presented by our processing activities. These measures are designed to protect personal data against unauthorised or unlawful access, accidental loss, destruction, alteration, or disclosure.
Our measures include:
No method of data transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you become aware of any data security issue, please contact us immediately at ops@irynamiroshnychenko.com.
9. Data Breach Notification
9.1. Breaches of Data We Control
In the event of a personal data breach that affects data for which we are the data controller (e.g., website visitor data, contact form data, or our own client contact records), we will:
9.2. Breaches of Data We Process on Behalf of Clients
For breaches affecting data for which we act as a data processor on behalf of a client, the notification obligations are set out in Section 10.3 of the Terms of Service. In summary: we will notify the client without undue delay and no later than 48 hours after becoming aware of the breach.
10. Your Rights
Under UK GDPR (and, where applicable, EU GDPR), you have the following rights in relation to your personal data:
Right of access (Article 15) — You may request a copy of the personal data we hold about you, together with information about how it is processed.
Right to rectification (Article 16) — You may request that we correct inaccurate personal data or complete incomplete data.
Right to erasure (Article 17) — You may request that we delete your personal data where there is no compelling reason to continue processing it. This right is not absolute — we may retain data where required by law (e.g., financial records) or where we have a legitimate legal basis for continued retention.
Right to restrict processing (Article 18) — You may request that we temporarily restrict processing of your data, for example while we verify its accuracy or assess a request for erasure.
Right to data portability (Article 20) — Where processing is based on consent or a contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format and have it transferred to another controller.
Right to object (Article 21) — You may object to processing based on legitimate interest. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to withdraw consent (Article 7(3)) — Where processing is based on your consent (e.g., analytics cookies), you may withdraw consent at any time. For analytics and third-party cookies, you can withdraw consent by clicking the «Consent Preferences» link in the footer of any page on the Website, or by clearing your browser cookies and revisiting the Website. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right not to be subject to automated decision-making (Article 22) — We do not make any automated decisions about you, including profiling, that produce legal or similarly significant effects.
How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: ops@irynamiroshnychenko.com
Please include sufficient information to identify yourself and specify which right you wish to exercise. We may ask for proof of identity before processing your request to protect your data from unauthorised access.
Response time: We will respond to your request within 30 days. If the request is complex or we receive a large number of requests, we may extend this period by up to 60 additional days. If an extension is necessary, we will notify you within the initial 30-day period and explain the reason for the delay.
Cost: Exercising your rights is free of charge. If a request is manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee or refuse to act on the request, in accordance with Article 12(5) of UK GDPR.
11. Legitimate Interest Assessment
Where we rely on legitimate interest as a legal basis for processing, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. Specifically:
Website functionality and security (Section 4.1): Our interest in maintaining a functional and secure website is balanced against the minimal privacy impact of processing technical data. Server logs are retained for a short period and used solely for security and troubleshooting. No directly identifiable personal data is used beyond IP addresses, which are not combined with other data to identify individuals.
Responding to enquiries (Section 4.3): Individuals who contact us through the form, email, or WhatsApp have a reasonable expectation that we will respond. The data processed is limited to what the individual has voluntarily provided. The privacy impact is minimal.
Maintaining business records (Section 4.10): Our interest in retaining contracts and NDAs for the statutory limitation period is balanced against the individual’s interest in erasure. Retention is limited to the minimum period necessary for legal defence, after which data is deleted.
Protecting our rights (Section 4.9): Our interest in defending legal claims and enforcing contracts is balanced against the individual’s interest in privacy. This processing only occurs when there is an actual or reasonably anticipated dispute.
If you wish to challenge our reliance on legitimate interest for any processing activity, you may exercise your right to object as described in Section 10.
12. Children
Our Website and services are directed at businesses and business professionals. They are not directed at individuals under 18 years of age.
We do not knowingly collect personal data from children. If you believe that we have inadvertently collected personal data from a child, please contact us at ops@irynamiroshnychenko.com, and we will promptly investigate and delete the data.
13. Links to Third-Party Websites
Our Website may contain links to third-party websites, platforms, and services (e.g., LinkedIn, WhatsApp, Calendly, Stripe). These links are provided for your convenience.
We are not responsible for the privacy practices, content, or security of any third-party website or service. We encourage you to read the privacy policy of every website you visit and every service you use.
A link from our Website to a third-party site does not imply endorsement, affiliation, or responsibility for that site or its data practices.
14. Marketing
As of the date of this Policy, we do not send marketing emails, newsletters, or promotional communications.
If we introduce marketing communications in the future, we will:
We will never use your data for marketing purposes without your prior explicit consent.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing activities, changes in applicable law, or updates to the Website and services.
Changes will be posted on this page with an updated «Last updated» date.
For material changes that significantly affect how your personal data is collected, used, or shared, we will make reasonable efforts to provide prominent notice, such as:
We encourage you to review this Policy periodically. Continued use of the Website after a revised Policy has been posted constitutes acceptance of the updated terms. If you do not agree with any changes, please stop using the Website and contact us to request deletion of your data.
16. Contact
For questions about this Privacy Policy, your personal data, or to exercise your rights, contact us at:
ARBORLEGIS LTD Trading as Ops in a Box / Iryna Miroshnychenko 802 Sovereign Tower, 1 Emily Street, London, United Kingdom, E16 1XH Email: ops@irynamiroshnychenko.com
17. Complaints
If you believe that we have not handled your personal data properly or have not responded to your request satisfactorily, you have the right to lodge a complaint with the relevant supervisory authority.
For UK residents and for matters relating to ARBORLEGIS LTD as a UK-registered company:
Information Commissioner’s Office (ICO) Website: https://ico.org.uk Phone: 0303 123 1113 Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
For EEA residents:
You may also lodge a complaint with the data protection supervisory authority in your country of residence. A list of EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
We encourage you to contact us first at ops@irynamiroshnychenko.com so that we can try to resolve your concern directly before you escalate to a supervisory authority.
© 2026 Ops in a Box by Iryna Miroshnychenko. All rights reserved.