1. Introduction

This Privacy Policy explains how ASTON H-S Ltd, trading as Saont™, collects, uses, stores, secures, shares, transfers, restricts, deletes, anonymises, and otherwise processes personal data in connection with the Saont™ websites, MySaont™, SaontDocs™, onboarding and activation journeys, customer account administration, billing and subscription operations, support workflows, privacy-rights handling, security operations, and related infrastructure.

Saont™ is built as security-first compliance infrastructure. Saont™ is designed to minimise unnecessary personal data collection, limit processing to defined purposes, maintain clear operational boundaries, and avoid hidden, unrelated, or secondary uses of personal data.

Saont™ provides compliance infrastructure, workflow tooling, and automated document-delivery systems. Saont™ does not provide legal advice, legal representation, or regulatory certification. Outputs made available through the Service are not a substitute for independent legal advice tailored to a specific business, sector, jurisdiction, or fact pattern.

2. Who we are

Saont™ is operated by ASTON H-S Ltd, company number 15866638, registered in England and Wales, with a registered office at ASTON H-S Ltd 124 City Road, London, EC1V 2NX, United Kingdom.

For the purposes of UK data protection law, ASTON H-S Ltd may act in different roles depending on the processing activity involved:

  • Controller for data relating to website operation, account creation, user management, support, service administration, billing and subscription management, public-site telemetry, security, auditability, business administration, and legal compliance.
  • Processor for Customer Data processed within SaontDocs™, customer-controlled document generation, domain verification workflows, configured service content, document updates, document delivery, and related service operations where the Customer determines the purposes and means of the underlying business processing.

3. Contact details

Privacy enquiries: privacy@saont.com
Legal enquiries: legal@saont.com

Where relevant, you may also write to ASTON H-S Ltd at the registered office address above.

4. Nature of the Service

Saont™ provides compliance infrastructure and related operational tooling. Depending on the product, feature, and plan configuration, this may include account onboarding, subscription activation, domain verification, business configuration, document generation, document updates, document delivery, access controls, auditability features, status workflows, support handling, and related operational systems.

Saont™ does not act as a law firm, does not establish a solicitor-client relationship, does not assume responsibility for a Customer’s underlying legal obligations, and does not guarantee that use of the Service will make any organisation compliant with applicable law.

Customers remain responsible for their own legal review, business disclosures, processing activities, lawful bases, implementation choices, factual accuracy, and real-world compliance position.

5. Scope of this Policy

This Privacy Policy applies to personal data processed in connection with:

  • public-facing Saont™ websites, pages, and forms;
  • pricing, onboarding, checkout, and activation journeys;
  • MySaont™ authenticated environments and account areas;
  • SaontDocs™ generation, configuration, delivery, access control, and update infrastructure;
  • subscription, billing, entitlement, renewal, and administration workflows;
  • support, incident handling, complaints, and privacy-rights requests;
  • auditability, security logging, abuse prevention, and accountability records;
  • communications sent in connection with the Service;
  • internal compliance, legal, accounting, and operational administration.

6. Individuals whose data may be processed

Depending on the context, Saont™ may process personal data relating to:

  • website visitors;
  • prospective customers and enquiry submitters;
  • customer owners, administrators, users, managers, and authorised representatives;
  • billing contacts and operational contacts;
  • support requestors, complaint submitters, and privacy-rights requestors;
  • individuals whose personal data is included in Customer Data, business disclosures, or related document content created, configured, or maintained through the Service.

7. Categories of personal data we process

The categories of personal data processed by Saont™ depend on how the Service is used. They may include:

  • Account data: name, work email address, business role, invitation records, membership records, account identifiers, user identifiers, tenant identifiers, and account status data.
  • Authentication and session data: sign-in state, authentication metadata, device or browser-level signals, access timestamps, session identifiers, and security-adjacent access records.
  • Business configuration data: business name, company number, business type, registered office details, primary domain, verified domains, configuration settings, selected plan, add-ons, selected features, and document-related setup information.
  • Operational and technical data: IP address, request metadata, browser metadata, interaction metadata, error events, API request data, environment integrity signals, and service logs.
  • Billing and subscription data: subscription status, entitlement status, checkout state, activation state, invoice references, payment-adjacent references, renewal status, and related operational billing records.
  • Security and audit data: event timestamps, actor identifiers, document actions, verification actions, status changes, policy pushes, operational notes, privacy request records, and incident-related logs.
  • Support and communication data: enquiry contents, contact details, support history, message delivery events, issue reports, complaint details, and evidence of actions taken.
  • Customer Data: data submitted, configured, uploaded, generated, or otherwise maintained by or on behalf of the Customer within the Service, including information used to generate, update, deliver, or administer SaontDocs™.

8. Data we do not use for these purposes

Saont™ does not use personal data for the following purposes:

  • behavioural advertising;
  • cross-site advertising profiles;
  • selling personal data;
  • data brokerage;
  • third-party enrichment unrelated to service delivery;
  • hidden marketing profiling;
  • training general-purpose AI models on Customer Data.

9. Where personal data comes from

Saont™ may obtain personal data from:

  • the individual directly;
  • the Customer organisation setting up or administering the Service;
  • authorised users acting on behalf of a Customer;
  • authentication, billing, hosting, and communications providers involved in service delivery;
  • technical interactions with Saont™ systems, including logs and security events;
  • domain verification, activation, document-publishing, and service administration workflows.

10. How we use personal data

Saont™ uses personal data only where there is a defined operational, contractual, legal, or security purpose. These purposes include:

  • creating, administering, and maintaining accounts and memberships;
  • authenticating users and securing access to customer workspaces;
  • operating subscription, checkout, billing, renewal, and entitlement logic;
  • verifying domain control and maintaining domain-bound document delivery;
  • generating, updating, storing, delivering, and controlling access to SaontDocs™;
  • maintaining auditability, accountability, and traceability for key service actions;
  • preventing abuse, fraud, spoofing, tampering, and unauthorised access;
  • detecting, investigating, and responding to incidents, errors, and integrity failures;
  • handling support requests, privacy-rights requests, and legal enquiries;
  • maintaining accounting, tax, legal, and regulatory records;
  • administering service continuity, diagnostics, and platform operations;
  • improving operational resilience and reducing misuse or service risk.

11. Processing matrix

The table below summarises common controller-side processing activities.

Category Purpose Lawful basis
Account data Create and administer access to the Service Contract
Authentication and session data Secure sign-in, session integrity, and access control Contract and legitimate interests
Business configuration data Configure products, domains, and document-delivery infrastructure Contract
Billing and subscription data Process subscriptions, renewals, invoicing, and service entitlements Contract and legal obligation
Operational and technical data Operate, diagnose, protect, and improve platform integrity Legitimate interests
Security and audit data Evidence actions, detect misuse, investigate incidents, defend claims Legitimate interests and legal obligation
Support and communication data Respond to queries, support issues, rights requests, and complaints Contract, legitimate interests, and legal obligation
Cookie or preference data where used Apply user-selected preferences and, where relevant, optional settings Consent where required by law

12. Public pages and cookieless telemetry

On public-facing Saont™ pages, Saont™ may use first-party cookieless telemetry designed around aggregated counters rather than per-user behavioural tracking. This may be used to understand high-level page performance and product-journey completion, such as page views, allowlisted calls to action, general completion counts, and broad time-on-page buckets.

Saont™ public telemetry is designed to avoid cross-site tracking and is separated from Customer Data processing. It is not used for behavioural advertising and is not designed to build hidden personal profiles for advertising purposes.

13. Lawful bases

Where Saont™ acts as controller, the lawful bases relied on may include:

  • Contract, where processing is necessary to provide the Service, administer accounts, authenticate access, manage subscriptions, verify domains, deliver documents, and run related service operations.
  • Legitimate interests, where processing is necessary for platform security, abuse prevention, fraud prevention, service integrity, incident investigation, internal accountability, and proportionate operational improvement that does not override individuals’ rights and freedoms.
  • Legal obligation, where processing is required for tax, accounting, legal compliance, record-keeping, law-enforcement cooperation, regulatory response, or valid legal process.
  • Consent, where consent is specifically required by law and validly obtained.

Where Saont™ acts as processor, the Customer is responsible for identifying and documenting its own lawful basis or bases for the Customer’s underlying processing activities.

14. Controller and processor boundaries

Saont™ does not treat all processing as the same. The role depends on the context. Where Saont™ processes Customer Data in connection with customer-controlled document generation, customer-configured content, document delivery, and related service functionality, Saont™ acts only on the Customer’s documented instructions, subject to the applicable contract, Data Processing Agreement, security requirements, and law.

In processor contexts, Saont™ does not take independent ownership of Customer Data and does not determine separate purposes for that Customer Data merely because it provides the Service. The Customer remains responsible for deciding what personal data is placed into its content, documents, notices, workflows, and business operations.

15. Customer responsibility

Customers are solely responsible for:

  • ensuring that personal data submitted to the Service is lawful, relevant, and accurate;
  • identifying and documenting their own lawful bases;
  • providing legally compliant privacy information to their own users, customers, staff, or visitors;
  • ensuring their generated documents reflect their actual real-world processing activities;
  • obtaining any consents required for their own operations;
  • reviewing and approving content before publication, deployment, or reliance where appropriate.

Customers must not assume that automated generation, updates, or delivery of documents removes the need for factual accuracy, lawful implementation, and proper internal review.

16. No legal advice and no guarantee of compliance

Saont™ provides automated compliance infrastructure and document tooling. Saont™ does not provide legal advice, legal representation, regulated legal services, or a guarantee of legal compliance.

Saont™ does not guarantee that use of the Service will achieve, maintain, or prove compliance with UK GDPR, PECR, consumer law, employment law, sector-specific rules, or any other legal or regulatory framework.

Regulatory compliance depends on factors outside Saont™’s control, including a Customer’s actual business practices, internal procedures, disclosures, lawful bases, products, data flows, staff behaviour, third-party integrations, and implementation choices.

17. System limitations and automation boundaries

The Service operates using structured inputs, account settings, domain and entitlement states, operational logic, and controlled workflows. Outputs may not capture every factual nuance, legal interpretation, jurisdictional variation, or organisation-specific circumstance.

Customers remain responsible for checking that service outputs remain appropriate to their operations, activities, business model, data use, and applicable law. Where a Customer needs legal advice, it should obtain independent advice from a suitably qualified professional.

18. Security-first architecture and integrity controls

Saont™ is built around a security-first model. Measures and design choices may include:

  • encryption in transit and, where appropriate, at rest;
  • role-based access controls and least-privilege principles;
  • restricted production access for authorised operational needs only;
  • integrity-focused audit logging for key service actions;
  • domain verification and domain-bound document delivery controls;
  • signed or token-based controls for document and embed workflows where implemented;
  • rate limiting, traffic controls, and misuse-prevention measures;
  • segregated service components and controlled operational boundaries;
  • fail-closed behaviour where integrity, verification, or entitlement cannot be confirmed.

No system can guarantee absolute security. However, Saont™ is designed to reduce unnecessary exposure and to prioritise controlled, integrity-focused processing.

19. Domain verification, document delivery, and access restrictions

Saont™ may process domain details, verification records, DNS-related status information, token identifiers, document access events, timestamps, and other operational metadata to verify domain control, manage document availability, enforce access restrictions, and evidence document-delivery behaviour.

This is central to Saont™’s domain-bound delivery model. Where verification, entitlement, integrity, subscription state, or risk conditions cannot be confirmed, Saont™ may restrict, suspend, or fail closed in order to protect service integrity and reduce unauthorised or misleading delivery.

20. Audit trails and accountability records

Saont™ maintains audit and accountability records relating to key operational, document, verification, support, billing, privacy, and security events. These records help evidence service actions, maintain traceability, support incident response, handle disputes, investigate misuse, and meet accountability requirements.

Certain audit records may need to be retained even after account closure, suspension, or a valid deletion request where retention remains necessary for fraud prevention, security integrity, legal defence, accounting, tax, or regulatory accountability.

21. Support, communications, and service messages

Saont™ may process contact details, message content, delivery events, and account context to respond to support requests, provide operational assistance, handle complaints, send service notices, manage privacy requests, and maintain evidence of communications.

Service-related communications may include account, billing, access, verification, document, security, legal, and privacy notices where these are necessary for the operation or administration of the Service.

22. Subprocessors, service providers, and recipients

Saont™ uses selected providers to support authentication, billing, communications, hosting, storage, database infrastructure, and related service-delivery functions. Depending on the service layer involved, a provider may act as Saont™’s processor or subprocessor, or may act as an independent controller for its own service environment.

Saont™ may use providers such as:

  • Clerk for authentication and identity-management functions;
  • Stripe for checkout, billing, subscription, and payment-adjacent operations;
  • Postmark for transactional email delivery;
  • Render for hosting and infrastructure deployment;
  • MongoDB for database infrastructure and storage functions.

Saont™ may also disclose personal data to professional advisers, insurers, auditors, regulators, competent authorities, courts, and law-enforcement bodies where reasonably necessary or legally required.

Saont™ maintains a current subprocessor page at legal.saont.com/subprocessors.

23. International transfers

Some providers used by Saont™ may process personal data outside the United Kingdom or make it accessible from outside the United Kingdom. Where Saont™ carries out a restricted transfer of personal data, Saont™ will use an appropriate transfer mechanism recognised under UK data protection law.

Depending on the transfer, this may include an adequacy regulation, the International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful safeguard.

Where appropriate, Saont™ may assess the transfer context and apply supplementary measures proportionate to the transfer risk.

24. Data retention principles

Saont™ does not retain personal data for longer than reasonably necessary for the relevant purpose or longer than required by law. Retention periods depend on the category of data, the operational function it serves, active subscription state, security and accountability requirements, and legal or dispute-related risk.

Where full deletion is not immediately possible or not legally appropriate, data may instead be restricted, locked, de-identified, pseudonymised, archived, or anonymised.

25. Retention framework by category

  • Account and membership data is generally retained while the account remains active and for a limited period afterwards where needed for reactivation handling, security, support, contractual administration, or dispute resolution.
  • Billing and transaction-related records are retained for as long as required to meet accounting, tax, legal, and record-keeping obligations.
  • Security logs and verification data may be retained for defined operational periods where needed to detect abuse, investigate incidents, evidence integrity, or defend claims.
  • Audit and accountability records may be retained for longer where needed to evidence key actions, platform state, or security-relevant events.
  • Public cookieless telemetry may be retained in aggregated form for a limited period, commonly up to 90 days, unless a different operational need applies.
  • Certain operational records may be retained for at least 1 year where required by internal retention standards linked to accountability, incident review, or service history.
  • Customer Data is retained in accordance with the applicable contract, the Customer’s instructions, security requirements, and any legal obligations requiring limited retention.

26. Deletion, account closure, and restriction

Saont™ provides processes for account closure and privacy-rights handling. Where a deletion or erasure request is valid and no exemption applies, Saont™ will delete or anonymise the relevant data within the scope required by law.

However, erasure is not absolute. Saont™ may retain limited information where necessary for accounting, tax, fraud prevention, security, suppression of future contact where appropriate, audit trail integrity, or the establishment, exercise, or defence of legal claims.

27. Data subject rights

Subject to applicable law and relevant exemptions, individuals may have the right to:

  • be informed about how their personal data is used;
  • request access to their personal data;
  • request correction of inaccurate or incomplete personal data;
  • request erasure in certain circumstances;
  • request restriction of processing in certain circumstances;
  • object to processing based on legitimate interests in certain circumstances;
  • request portability where the legal conditions are met;
  • withdraw consent where processing relies on consent;
  • complain to the Information Commissioner’s Office.

28. Processor-side rights handling

Where Saont™ is acting only as processor for the relevant data, Saont™ may refer the request to the relevant Customer, or support that Customer in responding, as appropriate under the applicable contract or Data Processing Agreement.

29. Response handling and identity verification

To protect personal data and reduce the risk of unauthorised disclosure, Saont™ may require reasonable identity verification before fulfilling a rights request. Saont™ may also request clarification where a request is unclear, overly broad, repetitive, or directed to data for which Saont™ is not the correct controller.

30. Automated operational logic

Saont™ may use automated operational logic for areas such as authentication states, entitlement gating, document-delivery controls, verification status, access restrictions, service routing, abuse detection, integrity checks, and related platform operations.

However, Saont™ does not carry out solely automated decision-making that produces legal effects or similarly significant effects on individuals within the meaning of UK data protection law.

31. Children

Saont™ is designed for business use and is not directed to children. Saont™ does not knowingly design the Service for individuals under 18.

32. Legal disclosures and business transfers

Saont™ may disclose personal data where required by law, court order, regulatory request, valid legal process, or where disclosure is reasonably necessary to protect rights, security, integrity, or the Service.

If ASTON H-S Ltd is involved in a merger, acquisition, restructuring, financing transaction, asset sale, or similar corporate event, personal data may be disclosed or transferred as part of that process, subject to appropriate confidentiality and legal safeguards.

33. Complaints

If you believe personal data has been handled unlawfully or unfairly, please contact privacy@saont.com first so that we can review the issue.

You also have the right to complain to the UK Information Commissioner’s Office.

34. Changes to this Policy

Saont™ may update this Privacy Policy from time to time to reflect changes in the Service, law, regulatory expectations, infrastructure, operational practice, or risk controls.

The version and last updated date shown at the top of this page indicate the current revision. Where required, material changes will be communicated through appropriate service channels.

35. Final note on scope

This Privacy Policy explains how Saont™ processes personal data in connection with the Service. It does not alter the Customer’s own responsibility to document, justify, and implement lawful processing in its own organisation.

Where a Customer uses Saont™ to publish or maintain documents, the Customer remains responsible for ensuring that those documents accurately reflect its real-world processing activities and legal position.