Legal

Privacy Policy

Last updated: 21 April 2026

1. Who we are

authority.md is operated by Marketing Signals Ltd ("we", "us", "our"), a company registered in England and Wales (company number 09767832, VAT number GB225235630), with registered office at 33 Harrison Road, Halifax, HX1 2AF, United Kingdom.

For the purposes of UK GDPR and EU GDPR, Marketing Signals Ltd is the data controller for the personal data we collect through authority.md.

If you have any questions about this policy or your personal data, contact us at hello@authority.md.

2. What data we collect

When you make a purchase

  • Your email address (to deliver your file)
  • The personas you purchased
  • Payment information (handled by Stripe — we never see or store your card details)
  • Country of residence (for VAT calculations and currency)
  • Order timestamp and order reference

When you submit a pre-order request

  • Your name and email address
  • The framework you're requesting and the reason
  • The category you've selected

When you visit the site (with consent)

  • Anonymised analytics data via Google Analytics (page views, session duration, approximate location, device type)
  • IP address (anonymised before storage by Google Analytics)

3. How we use your data

We use your personal data for the following purposes:

  • To fulfil your order — generate and email your purchased framework files (legal basis: contract performance)
  • To process payment — pass payment details to Stripe for processing (legal basis: contract performance)
  • To handle pre-order requests — generate and deliver bespoke frameworks (legal basis: contract performance)
  • To comply with legal obligations — VAT records, fraud prevention, dispute resolution (legal basis: legal obligation)
  • To respond to your enquiries — when you email us (legal basis: legitimate interest in customer service)
  • To analyse site usage — only if you've consented to analytics cookies (legal basis: consent)
  • To detect fraud and abuse — protect the service and other users (legal basis: legitimate interest)

We do not use your data for marketing emails unless you've explicitly opted in (which is currently not offered).

4. Who we share data with

We share data with carefully selected third-party processors only as needed to operate the service:

  • Stripe Payments Europe Ltd — payment processing. Privacy policy.
  • Anthropic PBC — generates the framework content based on the persona data we send. Privacy policy. We send only the persona name and category — never your personal data — to the AI generation API.
  • Twilio Inc. (SendGrid) — email delivery. Privacy policy.
  • Vercel Inc. — website hosting. Privacy policy.
  • Google LLC (Analytics) — site usage analytics, only with your consent. Privacy policy.
  • ImprovMX — forwards emails sent to our hello@ address.

Some of these providers are based outside the UK/EU (notably Anthropic, Stripe, Vercel, Google, SendGrid in the United States). Where personal data is transferred, we rely on standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms recognised under UK GDPR.

We do not sell your personal data to anyone, ever.

5. Cookies

authority.md uses minimal cookies. We distinguish between two types:

Essential cookies

These are required for basic site functions like processing your order. They cannot be turned off. They include short-lived session identifiers and Stripe's payment session cookies.

Analytics cookies (Google Analytics)

These help us understand how the site is used, so we can improve it. They are only set if you click "Accept" on our cookie banner. Until then, no analytics data is collected.

You can change your preference at any time by clearing your browser's local storage for authority.md, which will re-trigger the consent banner.

6. How long we keep your data

  • Order records — 7 years (UK tax law requirement for VAT and accounting records)
  • Pre-order requests and reasoning — 2 years, after which they're deleted
  • Email correspondence — 3 years from last contact
  • Analytics data — Google Analytics defaults (currently 14 months)
  • Failed/abandoned payment data — held by Stripe according to their retention policy

7. Your rights

Under UK GDPR (and EU GDPR if you're an EU resident), you have the following rights:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — ask us to correct inaccurate or incomplete data
  • Right to erasure — ask us to delete your data (subject to legal retention requirements)
  • Right to restrict processing — limit how we use your data
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — withdraw any previously given consent (such as analytics cookies)

To exercise any of these rights, email us at hello@authority.md. We'll respond within 30 days.

If you're not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local data protection authority.

8. Security

We take reasonable steps to protect your data:

  • All site traffic is encrypted via HTTPS (TLS)
  • Card details never touch our servers — they're handled directly by Stripe
  • Email and authentication systems use industry-standard authentication (SPF, DKIM, DMARC)
  • Access to operational systems is restricted and audited

No system is completely immune to security risks. If we ever experience a breach affecting your personal data, we will notify you and the ICO within 72 hours where required by law.

9. Children

authority.md is not intended for children under 13. If you are under 13, do not use this site or provide us with personal information. If we discover we have collected data from a child under 13, we will delete it immediately.

10. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be flagged on our homepage for at least 30 days.

11. Contact

For privacy questions, data subject requests, or any other matter:

Email: hello@authority.md
Post: Marketing Signals Ltd, 33 Harrison Road, Halifax HX1 2AF, United Kingdom