1. Roles
You are the data controller. NUVENAR LTD is the data processor when processing personal data on your behalf inside our services.
2. Subject matter and purpose
We process personal data only to provide the services in your contract or statement of work, and to keep them running securely.
3. Categories of data
Typical categories: contact details, communication history, booking records, billing data. No special category data unless we agree in writing in advance.
4. Sub-processors
Stripe, Resend, Cloudflare, Hetzner, Anthropic, OpenAI. See the privacy policy for details and locations. We will notify you in writing at least 30 days before adding a new sub-processor.
5. Security
We apply appropriate technical and organisational measures: encryption in transit and at rest, least-privilege access, multi-factor authentication for staff accounts, server hardening, daily off-site backups, monitored intrusion detection.
6. International transfers
Where data is transferred outside the UK or EEA, we rely on Standard Contractual Clauses or equivalent safeguards.
7. Data subject requests
We will help you respond to data subject rights requests within a reasonable time and without additional charge for ordinary requests.
8. Personal data breach
We will notify you without undue delay, and in any event within 48 hours, of becoming aware of a personal data breach affecting your data.
9. Audits
Once per year, on 30 days notice, you may request an audit of our processing activities. We will respond with documented evidence (security policies, penetration test summaries, sub-processor lists).
10. Return or deletion
On termination of the services, we will return or delete your data within 30 days, unless legal retention requires otherwise.
11. Contact
Data protection enquiries: support@nuvenar.com.