What does the Arristal score measure?

The Arristal Score rates the operational health of a supply chain across five drivers — planning, procurement, inventory, fulfilment, and risk — each scored 0 to 100, with an overall index and a maturity band. A low score in a driver typically points to a quantifiable gap in working capital, margin, or revenue at risk, expressed as a range derived from the score, the company's revenue, and sector benchmarks.

How long does the assessment take?

The 20-question form takes most respondents about four minutes. The scored report is generated immediately after submission — there is no scheduled call and no waiting period.

What is the difference between the Quick Diagnostic and the Paid Diagnostic?

The Quick Diagnostic (€250) returns the score, the five driver scores, and a directional financial signal, with no € figures. The Paid Diagnostic (€2,000) adds the financial translation with the derivation shown, the killer insight from your specific score combination, and four executable recommendations, delivered as an eight-page report with a companion workbook.

Who is the assessment for?

It is built for CFOs, COOs, and supply chain directors who need a fast, evidence-based view of where the supply chain is losing money before committing to a longer engagement.

Privacy

What we collect, and what we do with it.

Arristal asks for management judgement and a short financial snapshot. This explains exactly what happens to that information, in plain language. No system access, no advertising trackers, no selling of data.

Last updated 2026-06-10

Who is responsible

Arristal is the data controller for the information you give us — we decide what is collected and why. For any privacy question, or to make a request about your data, write to [email protected]. We answer within one month, as the GDPR requires.

Our registered company details are available on request at [email protected].

What we collect

We collect only what the diagnostic needs, in three groups:

Account details. Your email address and, optionally, your name, company name, and sector, so we can run the assessment and send the report.
Assessment content. Your answers to the assessment questions — management judgement about how the supply chain runs — and a short financial snapshot you enter (for example revenue range, inventory days, margin) used to translate scores into financial ranges.
Technical data. Standard information your browser sends (IP address, device and browser type) and basic usage events, used to run the service, keep it secure, and limit abuse.
Enquiry and interest data. If you use the contact form or register interest in the founding cohort, we collect your email address, any name or company you give, and your message, to respond to you.

We do not ask for, and do not need, access to your ERP or finance systems. Nothing connects to your internal systems — you type a small number of figures, and that is the extent of the financial data involved.

Why we use it, and the legal basis

Under the GDPR, each use rests on a specific legal basis:

What we do	Legal basis
Run the diagnostic and deliver your report	Performance of our contract with you
Keep the service secure and reliable	Our legitimate interest
Take payment for paid diagnostics	Performance of contract; legal obligation (tax)
Send anything beyond your own report	Your consent, withdrawable at any time

We do not sell your data, and we do not share it for anyone else’s marketing.

Automated report generation

Your report is produced by an automated process. A scoring engine weights your responses across the five supply chain drivers and maps the result to a 0–100 index; the financial ranges are derived from that index and the figures you entered, using published sector benchmarks. A large language model then drafts the written narrative from those inputs. The model runs under Anthropic’s API terms, which state that inputs are not used to train their models (Anthropic may process inputs for trust and safety as described in their usage policy).

This is decision support, not a decision that has a legal or similarly significant effect on you. A human is always available — reply to your report or write to [email protected] and we will go through any finding with you.

Who else processes it

We use a small number of service providers to run the product. They process data only on our instructions, under data-processing terms:

Provider	Purpose	Region	Safeguard
Cloudflare	Website hosting, content delivery, report file storage (encrypted at rest by default)	EU edge / global	EU data-processing terms; SCCs
Anthropic	Generating the report narrative from your responses	United States	SCCs; API terms prohibit training on inputs
Resend	Delivering report and transactional emails, including the report and financial workbook as attachments	United States	SCCs
Stripe	Payment processing for paid diagnostics	EU / United States	SCCs
Financial Modeling Prep	Public-company financial lookups: receives company name and country to match public records; no assessment answers or financial figures	United States	Public-record lookups; SCCs
Serper	Public context lookups: receives the sector label only	United States	Public-data lookups
Plausible Analytics	Cookie-free, aggregate website analytics	European Union	EU-hosted; no personal profiles

The context lookups are limited: the sector lookup sends only the sector label, and the company financial lookup sends your company name and country to match public records. Neither receives your assessment answers or the figures you entered.

International transfers

Some providers are outside the European Economic Area, mainly in the United States. Where your data is transferred there, the transfer is covered by the European Commission’s standard contractual clauses or an equivalent safeguard, so it keeps GDPR-level protection.

How we protect it

The measures are practical, not decorative:

Traffic between your browser and our servers is encrypted with HTTPS, as is data sent to our cloud storage and email providers.
Report files are held in Cloudflare R2, which encrypts stored objects at rest by default.
Report downloads use short-lived signed links, not permanent public URLs.
Access is authenticated, and accounts can only see their own data.
Secrets and credentials are held in the environment, never in client-side code.
The application sets standard security response headers and rate-limits sensitive endpoints.

No system is perfectly secure, but the design keeps the exposure of your figures small.

How long we keep it

We keep your assessment data and report for as long as you have an account, so you can return to your results and run pulse checks. If you close your account or ask us to delete your data, we remove it within 30 days, except where we are legally required to keep limited records — for example, payment and invoice records kept for the period tax law requires. Contact enquiries and founding-cohort registrations are kept for up to two years, or until you ask us to remove them.

Your rights

Under the GDPR you can ask us to:

show you the data we hold about you (access);
correct anything inaccurate (rectification);
delete it (erasure);
restrict how we use it in certain circumstances;
object to processing based on our legitimate interest — we then stop unless we have compelling grounds;
give you a copy in a portable format (portability);
withdraw any consent you gave, without affecting what came before.

To exercise any of these, email [email protected]. If you are not satisfied with our response, you can complain to your national data protection authority — for EU residents, the authority in your country of residence.

Cookies and analytics

We use cookie-free, aggregate analytics that do not build a profile of you or follow you across other sites, so there is no advertising-cookie banner to click through. The only storage we set is what is strictly needed to keep you signed in to your account.

Children

Arristal is a business tool for organisations. It is not directed at children, and we do not knowingly collect data from anyone under 16.

Changes and contact

If we change this policy, we update the date at the top of this page, and we tell account holders by email about any material change. For anything in this policy, or any request about your data, write to [email protected].