Privacy Policy

This policy explains what personal data NUVENAR LTD collects, why we collect it, who we share it with, how long we keep it, and the rights you have over it. It applies to nuvenar.com, NuvenarHub, and every service we operate.

Effective: 2026-05-30

Last reviewed: 30 May 2026. We review this policy at least every twelve months and after any material change to the services, sub-processors, or applicable law.

1. Who we are

NUVENAR LTD ("NUVENAR", "we", "us", "our") is a private limited company registered in England and Wales. We act as a data controller for personal data submitted through nuvenar.com and as a data processor for personal data customers process inside NuvenarHub. Our Data Protection contact is reachable at [email protected]. General enquiries: [email protected].

2. The personal data we collect

2.1 Information you give us directly

  • Contact form data: name, email address, company, telephone (optional), the message you write.
  • Account registration data: name, email, password (hashed with bcrypt), business name, business address, telephone, billing details.
  • Payment data: handled by Stripe. We never store full card numbers. We retain the last four digits, card brand, expiry, and Stripe customer/payment-method tokens.
  • Customer service correspondence: emails, WhatsApp messages, and in-app assistant transcripts you exchange with our support team.
  • Content you upload to NuvenarHub: contact records, call recordings, transcripts, conversation history, attachments, custom properties, ad creatives, and any other content you choose to store.

2.2 Information we collect automatically

  • Technical data: IP address, user agent, device type, operating system, screen resolution, timezone, referring URL.
  • Usage data: pages visited, features used, click events, error events, session duration, timestamps.
  • Cookies and similar technologies: only essential cookies required to keep you logged in. We use Plausible Analytics for traffic measurement, which is cookieless and does not track across sites.
  • Server logs: HTTP request logs, retained for 30 days for security and debugging.

2.3 Information from third parties

  • Stripe: payment status, charge IDs, customer IDs, subscription IDs.
  • Meta (WhatsApp Business API, Facebook Lead Ads, Instagram): inbound messages, lead form submissions, ad performance metrics, when you connect your Meta business assets to NuvenarHub.
  • Google Ads / TikTok Ads (where connected): campaign performance, ad spend, conversion events.
  • Treatwell / Fresha (where connected): booking events, customer contact details.

3. Lawful bases for processing (UK GDPR Article 6)

  • Contract (Art. 6(1)(b)): to deliver and bill for the services you have signed up for, including NuvenarHub subscriptions and bespoke engagements.
  • Legitimate interest (Art. 6(1)(f)): to reply to enquiries, to keep the service secure, to detect abuse, to improve the product, to send transactional emails about your account, and to perform direct marketing to existing customers within reasonable expectations. You can object at any time by emailing us.
  • Legal obligation (Art. 6(1)(c)): to retain tax and accounting records for the period required by HMRC (currently six years from the end of the relevant accounting period), and to respond to lawful requests from courts and regulators.
  • Consent (Art. 6(1)(a)): for non-essential cookies (if any are added in future), for marketing emails to new prospects who are not existing customers, and for any other processing where consent is the only available basis. You can withdraw consent at any time without affecting prior lawful processing.

4. Special category data

We do not require, request, or seek special category data (health, biometric, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life, sexual orientation, genetic data) for the operation of NuvenarHub or for the marketing site. Customers who upload such data into their own NuvenarHub workspace do so as data controllers and are responsible for establishing a valid lawful basis under UK GDPR Article 9.

5. Sub-processors and recipients

We share personal data only with the sub-processors that operate the service, only for the purpose set out below, and only under written contracts that mandate appropriate technical and organisational safeguards. The full and current list:

  • Hetzner Online GmbH (Germany / Finland) - cloud hosting infrastructure.
  • Cloudflare, Inc. (USA, UK office) - DNS, CDN, DDoS protection, edge security.
  • Stripe Payments UK, Ltd. (UK) - payment processing, billing, customer portal.
  • Resend, Inc. (USA) - transactional email delivery.
  • Anthropic, PBC (USA) - AI features (Claude). Training on customer data is disabled.
  • OpenAI, LLC (USA) - AI features (GPT and Whisper). Training on customer data is disabled.
  • Twilio Inc. (USA, UK office) - voice calling and SMS (Calling module).
  • Meta Platforms Ireland Ltd. (Ireland) - WhatsApp Business Cloud API, Facebook Lead Ads, Instagram messaging (where customers connect their assets).
  • Google Ireland Ltd. (Ireland) - Google Ads sync, optional reCAPTCHA.
  • TikTok Information Technologies UK Ltd. (UK) - TikTok Ads sync (where customers connect their assets).
  • Plausible Analytics OU (Estonia) - cookieless web analytics for nuvenar.com.

We do not sell, rent, or trade personal data. We do not share personal data with advertising networks for re-targeting. Where a sub-processor is added or removed, we will update this list and email account administrators at least thirty (30) days before the change takes effect.

6. International data transfers

Primary storage is in the European Economic Area (Hetzner Helsinki, Finland). Some sub-processors above are based outside the UK and EEA. Where personal data is transferred to a country not subject to a UK adequacy regulation, we rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, together with supplementary technical measures including encryption in transit and at rest.

7. Retention

  • Contact form messages: 24 months from receipt, then deleted.
  • Account data (active customers): for the lifetime of the account.
  • Account data (closed accounts): 90 days post-closure to permit reactivation, then anonymised. Billing records retained six (6) years for HMRC.
  • Customer content inside NuvenarHub: until the customer deletes it or the account is closed.
  • Server logs: 30 days.
  • Security event logs: 12 months.
  • Backups: rolling 35-day window, encrypted at rest.

8. Your rights under UK GDPR

You have the right to:

  • Be informed about how we process your data (this notice).
  • Access a copy of your personal data.
  • Correct inaccurate or incomplete data.
  • Erase your personal data (right to be forgotten), subject to overriding lawful obligations.
  • Restrict processing in defined circumstances.
  • Receive your data in a portable, machine-readable format.
  • Object to processing based on legitimate interest or direct marketing.
  • Withdraw consent where consent is the lawful basis.
  • Not be subject to a solely automated decision that produces a legal or similarly significant effect.

To exercise any of these rights, email [email protected]. We respond within one calendar month. We may extend that by a further two months for complex requests, and we will tell you within the first month if we do.

9. Right to complain

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, by phone on 0303 123 1113, or by post at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would appreciate the chance to address your concern first.

10. Security

We apply organisational and technical safeguards proportionate to the risk. These include: TLS 1.2+ in transit, AES-256 at rest for application databases and backups, bcrypt password hashing, principle of least privilege, scoped API keys, mandatory webhook signature verification, immutable audit logs on security events, multi-factor authentication available on every account, regular dependency scanning, time-bound vendor access, segregated staging and production environments, and incident response procedures. No system is 100 percent secure. We will notify the ICO within 72 hours of becoming aware of a personal data breach where it presents a risk to individuals, and we will notify affected data subjects without undue delay where the breach presents a high risk.

11. Children

Our services are not intended for individuals under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a minor, email us and we will delete it.

12. Cookies

We use strictly necessary cookies to keep you logged in. We do not use advertising cookies, tracking cookies, or third-party analytics cookies. Plausible Analytics is cookie-free. See the cookie policy at /legal/cookies for details.

13. Marketing

Existing customers will receive transactional emails about their account and occasional product updates on the basis of legitimate interest. You can opt out at any time by clicking the unsubscribe link in the email or by emailing us. We do not send marketing emails to prospects who have not opted in, or to purchased lists.

14. Automated decisions and profiling

We do not make solely automated decisions that have a legal or similarly significant effect on individuals. NuvenarHub uses AI to suggest replies, summarise calls, and route conversations, but the end-user customer (the operator of the NuvenarHub account) makes the final decision in every case.

15. Updates to this policy

If we change this policy in a material way, we will email registered customers at least 30 days before the change takes effect and update the "Last reviewed" date above. Continued use of the services after the change indicates acceptance of the updated policy.

16. Contact and Data Protection Officer

We have not formally appointed a Data Protection Officer because we are not required to under UK GDPR Article 37. For any privacy question, request, or complaint, email [email protected]. Our postal address is available on request to verified data subjects.

This policy is provided in good faith and reflects our actual data practices as of the effective date above. It does not constitute legal advice. If you need legal advice about how UK GDPR applies to your own organisation, consult a qualified solicitor.