Last updated: October 2026
This Privacy Policy explains how NEXADATA SERVICES LTD (Company No. 16708810, registered office: 50 Princes Street, Ipswich, England, IP1 1RJ) (“NEXADATA”, “we”, “us”, “our”) collects, uses, discloses, transfers, secures and retains personal data when you interact with our website nexadataservices.com (the “Site”), our services, and any related communications or tools.
References to “UK GDPR” include the UK General Data Protection Regulation as incorporated by the Data Protection Act 2018; “EEA” means the European Economic Area.
1) Who We Are, Scope & Roles
1.1 Controller — For the Site and the services we offer directly to end-users or prospective business clients, NEXADATA acts as Data Controller. Our contact details are set out in Clause 23 (Contact & DPO).
1.2 Processor situations — Where NEXADATA processes personal data strictly on written instructions of a client (e.g., executing a marketing mandate), NEXADATA may act as Processor; a separate Data Processing Addendum (DPA) will then govern that processing.
1.3 Policy scope — This Policy applies to the Site, forms, chat widgets, newsletters, landing pages, and any product or service that links to it. It does not apply to third-party sites/services that have their own privacy notices.
1.4 Children — Our services target professionals and businesses. We do not knowingly collect data relating to children under 16. If you believe a child provided data, contact us (Clause 23) for prompt deletion.
1.5 Updates — We may amend this Policy to reflect legal or operational changes. We will post the revised version with a new “Last updated” date and, where legally required, notify you of material changes.
2) What Data We Collect (Categories)
Subject to your interactions with us, we may collect the following categories:
2.1 Identification & Contact Data — Name, title, employer, business address, country, email, phone, preferred language.
2.2 Account & Interaction Data — Login identifiers, roles, subscription preferences, enquiry content, call/meeting notes, support tickets, chatbot transcripts.
2.3 Transactional & Billing Data — Purchase history, quotes, invoices, payment method metadata (tokenised identifiers from payment providers), VAT/Tax details (where applicable).
2.4 Marketing & Preference Data — Newsletter opt-ins, campaign engagement (opens/clicks), interests, lead source, consent logs, suppression lists.
2.5 Technical & Usage Data — IP address, device IDs, browser type/version, time zone, OS, referrers, session data, page interactions, load times, diagnostics, crash logs.
2.6 Location Data — Approximate geolocation derived from IP (city/region/country), and (only if you explicitly allow) device-based location for location-specific features.
2.7 Content You Provide — Files, forms, briefs, creative assets, testimonials, survey responses, comments, or posts you submit.
2.8 Special Categories — We do not intentionally process special category data (e.g., health, religion) or criminal-offence data. If you voluntarily include such data (e.g., in free-text fields), you acknowledge you have a lawful basis to share it; we will minimise/erase it where feasible.
2.9 Public/Third-party Data — Business contact data from public sources (e.g., Companies House), partners, data vendors, or social platforms, in compliance with applicable law.
3) How We Collect Data
3.1 Direct interactions — When you fill out forms (contact/quote/download), sign up to newsletters, request proposals, enter promotions, register for webinars, or communicate with us by email, phone, chat, or social media.
3.2 Automated means — Through cookies, SDKs and similar technologies (see Clause 5), we capture Technical & Usage Data for security, analytics, performance and personalisation.
3.3 Third parties —
3.4 Partially completed forms — If you abandon a form, we may temporarily retain entered fields to follow up and help you complete your request (subject to your consent where required).
3.5 Call/meeting recordings — With notice (and consent where required), we may record calls or demos for training, quality assurance and evidence of instructions.
4) Why We Use Your Data (Purposes & Legal Bases)
We process personal data only where a lawful basis applies:
4.1 Contract (UK GDPR Art. 6(1)(b)) — To provide quotes, onboard you, deliver services, manage accounts, process payments, provide support, fulfil warranties, and communicate about service changes.
4.2 Legitimate interests (Art. 6(1)(f)) — To:
We conduct a Legitimate Interests Assessment (LIA) where appropriate. You may object at any time (Clause 12).
4.3 Consent (Art. 6(1)(a)) — For non-essential cookies (Clause 5), certain marketing communications, location services, webinars or events where explicit opt-in is required. You can withdraw consent at any time without affecting prior processing.
4.4 Legal obligations (Art. 6(1)(c)) — For tax/audit, bookkeeping, anti-fraud, sanctions screening (if applicable), responding to lawful requests from authorities, and record-keeping duties.
4.5 Vital interests/Public task — Unlikely to apply to our service, but we may process data to protect vital interests or comply with public-law mandates where strictly necessary.
Additional notes
5) Cookies, Tracking Technologies & Analytics
5.1 Types of trackers —
5.2 Consent management — On first visit, a banner lets you accept/reject non-essential cookies and manage category-level preferences. You can change your choices at any time via the Cookie Settings link in the footer.
5.3 Analytics — We may use analytics tools to collect anonymised or pseudonymisedmetrics (pages viewed, session duration, device types). IP addresses may be truncated or masked where supported.
5.4 Third-party pixels/SDKs — Social networks or ad platforms may place pixels to measure conversions and build audiences. These providers may act as independent controllers; consult their privacy notices and manage your preferences in their settings.
5.5 Browser controls — You can block/delete cookies in your browser. Blocking non-essential cookies may degrade certain features, but the Site should remain accessible.
5.6 Do Not Track — Industry standards are evolving; we will honour legally recognised browser signals where applicable and feasible.
6) Sharing of Personal Data
6.1 Intragroup transfers — If NEXADATA creates or affiliates with other entities, personal data may be shared within the group for internal administration, consolidated reporting, client relationship management, or cross-border service delivery.
6.2 Service providers — We use trusted third-party providers to support IT hosting, CRM, analytics, payment processing, communications, marketing automation, and customer support. These providers act as Processors under written agreements, restricted to processing only on our documented instructions.
6.3 Business partners — We may share data with selected partners (e.g., resellers, consultants, advertising networks, referral partners) if such sharing is relevant to deliver requested services or joint marketing. In each case, we ensure contractual safeguards and limit the data shared to what is strictly necessary.
6.4 Legal and compliance recipients — We may disclose information:
6.5 Corporate transactions — In case of merger, acquisition, restructuring, or asset sale, your personal data may be transferred to the acquiring entity under the same protections as this Privacy Policy.
7) International Data Transfers
7.1 General — While we are established in the UK, some service providers or partners may be located outside the UK and EEA, particularly in the United States. This may involve cross-border transfers of your personal data.
7.2 Safeguards — Where data is transferred outside the UK/EEA, we ensure adequate safeguards, including:
7.3 US transfers — If providers are located in the US, we check their compliance with recognised frameworks (e.g., UK-US Data Bridge or equivalent).
7.4 Your rights — Upon request, we can provide further details about international transfers, including a copy of relevant safeguards (redacted where necessary for confidentiality).
7.5 Risks — Despite safeguards, transferred data may be subject to foreign government access under local laws. By using our services, you acknowledge such risks, unless you object under your rights in Clause 12.
8) Data Security
8.1 Technical measures — We adopt industry-standard security, including encryption (at rest and in transit), firewalls, intrusion detection, pseudonymisation, access logs, and multi-factor authentication for systems handling personal data.
8.2 Organisational measures — Staff undergo confidentiality training, role-based access controls are enforced, and data protection policies are regularly reviewed.
8.3 Incident response — We maintain an incident response plan. In case of a personal data breach, we will notify the UK Information Commissioner’s Office (ICO) within 72 hours where required, and affected individuals if the breach poses a high risk to their rights and freedoms.
8.4 Limitations — While we do our utmost to secure personal data, no system is 100% secure. Transmission of data over the internet is at your own risk. We encourage you to use strong passwords, not reuse credentials across platforms, and report suspected compromises promptly.
9) Data Retention
9.1 Retention principle — We retain personal data only for as long as necessary to fulfil the purposes outlined in this Policy, unless a longer retention period is required by law (e.g., tax records, statutory obligations).
9.2 General timeframes —
9.3 Erasure or anonymisation — At the end of retention, we securely delete or anonymisedata so it can no longer be linked to you.
9.4 Legal holds — If litigation, investigation, or audit is reasonably anticipated, data may be retained beyond the normal schedule until the matter is resolved.
9.5 Your requests — You can request deletion of your personal data at any time (see Clause 12). We will respect your request unless overriding legal or contractual obligations require us to retain certain information.
10) Marketing & Communications
10.1 Direct marketing — We may send you marketing communications (emails, SMS, phone calls, postal mail) about our services or similar products, based on legitimate interest or your explicit consent, depending on the channel and applicable law.
10.2 Right to object — You can opt out at any time by using the unsubscribe link in emails, replying STOP to SMS, adjusting your preference centre (where available), or contacting us directly (Clause 23).
10.3 Third-party marketing — We will not sell your data to third parties. We may, however, share it with carefully selected partners (e.g., digital advertisers, agencies) to deliver relevant promotions on our behalf.
10.4 Social media advertising — If you interact with our pages or ads on platforms like LinkedIn, Facebook, Instagram, or Google, those platforms may process your data as independent controllers. We encourage you to review their privacy notices and adjust your settings on each platform.
10.5 Cookies and profiling — Marketing cookies may be used to build a profile of your interests and deliver personalised advertising. Profiling is limited to business-relevant segmentation and does not involve fully automated decisions with significant effects.
11) Your Rights under Data Protection Law
11.1 Overview — As a data subject under UK GDPR and the Data Protection Act 2018, you have a number of rights with respect to your personal data. These include:
11.2 Limitations — These rights are not absolute and may be restricted by overriding legal obligations, legitimate interests, or contractual requirements.
11.3 Exercising rights — Requests must be submitted in writing (see Clause 23). We may require proof of identity before processing. We generally respond within one month, extendable by two months for complex cases.
12) Exercising Your Rights & Complaints
12.1 How to submit a request — You may contact us at the details in Clause 23 to exercise any of your rights. Please clearly indicate which right you wish to exercise.
12.2 Complaints to us — If you are unhappy with our handling of your personal data, please first contact our Data Protection Officer (DPO). We take complaints seriously and aim to resolve them amicably.
12.3 Complaints to supervisory authority — If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the UK (ico.org.uk).
12.4 International users — If you are located in the EEA, you may also complain to your local Data Protection Authority.
12.5 No charge — Exercising your rights is generally free. However, we may charge a reasonable fee for repetitive, manifestly unfounded, or excessive requests, or refuse to act on them.
13) Children’s Data
13.1 No intentional collection — Our services are directed at businesses and professionals. We do not knowingly collect or process personal data relating to children under 16.
13.2 Parental responsibility — If we learn that we have inadvertently collected personal data from a child, we will delete it as soon as possible unless legal obligations require retention.
13.3 Parental rights — Parents or guardians who believe their child’s data has been provided without consent may contact us (Clause 23) to request deletion.
13.4 Age-related adaptations — If future services target younger audiences, we will implement specific safeguards and adapt this Policy accordingly.
14) Automated Decision-Making and Profiling
14.1 Profiling — We may analyse your interactions with our Site (e.g., visits, downloads, clicks, form completions) to build profiles for business segmentation (e.g., industry sector, company size, engagement level).
14.2 Purpose — Profiling is used solely for improving service relevance, tailoring marketing campaigns, and prioritising follow-up by our teams.
14.3 No significant effects — Such profiling does not result in legal consequences or similarly significant effects for you. It is limited to B2B marketing and service improvement.
14.4 Human review — Where decisions could materially affect you (e.g., eligibility for a contractual service), a human review is always involved.
14.5 Right to object — You may opt out of profiling for marketing at any time (Clause 10 & 11).
15) Joint Controllers & Third-Party Controllers
15.1 Joint controllers — In rare cases where we determine purposes and means of processing jointly with another entity (e.g., co-branded webinars), we will:
15.2 Independent controllers — Certain partners (e.g., payment gateways, social media platforms, analytics providers) may process data as independent controllers. In such cases, their own privacy notices apply.
15.3 Transparency — We strive to disclose in advance any situation where your data will be processed by a party not bound to act as our processor.
15.4 Responsibility — Unless explicitly stated otherwise, NEXADATA SERVICES LTDremains solely responsible for processing activities conducted under its control.
15.5 Data-sharing agreements — Where joint controllership applies, written agreements are put in place in accordance with Article 26 UK GDPR, ensuring you can exercise your rights effectively.
16) Handling of Data Subject Requests
16.1 Acknowledgement — Upon receiving a request under Clause 11, we acknowledge receipt within 7 business days and inform you of the expected timeline for response.
16.2 Identity verification — For security, we may require reasonable proof of identity before granting access or making changes. Acceptable proof includes government-issued ID combined with contact details we already hold.
16.3 Response timeframes — We aim to respond within one calendar month. Where the request is complex or numerous, we may extend by up to two additional months, notifying you of the extension and reasons.
16.4 Refusal of requests — We may decline requests that are manifestly unfounded, repetitive, or excessive. In such cases, we will explain the reason and inform you of your right to complain to the ICO.
16.5 Format of response — Where feasible, responses will be provided electronically, in a structured, commonly used, machine-readable format (CSV, JSON, or PDF).
17) Third-Party Websites and Social Media
17.1 External links — Our Site may contain links to third-party websites. These are provided for convenience only. We are not responsible for their content or privacy practices.
17.2 Independent policies — If you follow a link to a third-party website, that website’s privacy notice applies. We strongly encourage you to review their terms before submitting any personal data.
17.3 Social media — Where our services integrate with social media platforms (e.g., LinkedIn, Facebook, Instagram, X/Twitter, Google), those platforms may automatically provide us with certain information (such as your profile data or engagement metrics).
17.4 Your controls — You may manage what data we can access from within your social media account settings.
17.5 No endorsement — Links or embedded content from third parties do not imply endorsement of their practices by NEXADATA SERVICES LTD.
18) Retention for Legal Proceedings and Disputes
18.1 Litigation hold — If litigation, regulatory investigation, or audit is pending or reasonably anticipated, we may preserve relevant personal data beyond ordinary retention schedules (see Clause 9).
18.2 Evidence preservation — Copies may be retained for evidentiary purposes, including logs of consent, communication history, contracts, and payment records.
18.3 Disclosure in proceedings — Data may be disclosed in legal proceedings, arbitration, or mediation, where necessary to protect our rights or comply with a lawful request.
18.4 Privilege — Where legally applicable, communications with our legal advisers remain privileged and confidential.
18.5 Deletion after resolution — Once disputes or investigations are concluded, preserved data will either be securely deleted or anonymised, unless further retention is mandated by law.
19) Accountability and Governance
19.1 Policies and procedures — NEXADATA maintains internal governance policies covering data protection, information security, access control, breach response, and staff training.
19.2 Data Protection Officer (DPO) — A designated DPO (or equivalent compliance officer) oversees data protection matters, advises management, and acts as the contact point for supervisory authorities.
19.3 Training — Employees with access to personal data receive training on confidentiality, lawful processing, and secure handling of information.
19.4 Audits — Periodic audits and reviews are conducted to verify compliance with this Policy and applicable legislation.
19.5 Records of processing — In line with Article 30 UK GDPR, we maintain up-to-date records of processing activities, accessible to supervisory authorities upon request.
20) Liability and Indemnification
20.1 Publisher liability — NEXADATA SERVICES LTD shall only be liable for proven damages directly caused by unlawful processing of personal data in breach of applicable laws or this Policy.
20.2 Exclusions — We shall not be liable for indirect or consequential losses (e.g., lost profits, reputational harm), unless required by mandatory law.
20.3 Shared responsibility — Where personal data is transferred to independent third-party controllers (e.g., social networks, payment processors), liability for their processing rests with those controllers.
20.4 User responsibility — You remain responsible for ensuring the accuracy of the personal data you provide and for safeguarding any login credentials or authentication methods linked to our services.
20.5 Indemnification — By using our services, you agree to indemnify and hold harmless NEXADATA SERVICES LTD against claims, damages, or costs resulting from your misuse of personal data in violation of applicable law.
21) Data Portability
21.1 Scope — Where processing is based on consent or contract and carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format (e.g., CSV, JSON, XML).
21.2 Transfer to another controller — Where technically feasible, you may request that we transmit this data directly to another controller.
21.3 Limitations — Data portability does not apply to non-automated files (e.g., paper records), derived/analytical data created by NEXADATA, or processing carried out on legal obligations or legitimate interests grounds.
21.4 Verification — We will confirm identity before releasing portable data to prevent unauthorised disclosure.
21.5 Timeframes — We respond to portability requests in accordance with the timelines set out in Clause 16.
22) International Data Protection Frameworks
22.1 UK and EEA adequacy — Where data is transferred outside the UK or EEA, we rely on adequacy regulations, standard contractual clauses (SCCs), or binding corporate rules (BCRs) as safeguards.
22.2 UK-US Data Bridge — For transfers to certified US organisations, we may rely on the UK-US Data Bridge or other recognised frameworks.
22.3 Third-party compliance — We require our processors and sub-processors located outside the UK/EEA to implement equivalent levels of protection consistent with UK GDPR.
22.4 Transparency — Details of the mechanisms we use for transfers can be provided upon request, subject to redactions for confidentiality.
22.5 User acknowledgement — By using our services, you acknowledge that your personal data may be transferred internationally as described in this Policy.
23) Contact & Data Protection Officer (DPO)
23.1 Controller — The controller of your personal data is:
NEXADATA SERVICES LTD
Company number: 16708810
Registered office: 50 Princes Street, Ipswich, England, IP1 1RJ
23.2 Data Protection Officer (DPO) — For questions, rights requests, or complaints, please contact our designated DPO:
Email: [To be defined, e.g. privacy@…………………...com)
Postal: Data Protection Officer16708810, 50 Princes Street, Ipswich, England, IP1 1RJ
23.3 Supervisory authority — You may also lodge complaints with the Information Commissioner’s Office (ICO) via www.ico.org.uk or +44 (0)303 123 1113.
23.4 Response commitment — We will use reasonable efforts to respond to all enquiries and complaints within 30 days.
23.5 Language — Communications can be made in English. Other languages may require additional time for translation and response.
24) Changes to this Privacy Policy
24.1 Updates — We may update this Privacy Policy from time to time to reflect changes in law, technology, or business practices.
24.2 Notification — When updates are material, we will notify you by a prominent notice on the Site, and where legally required, seek your consent again.
24.3 Historic versions — Previous versions of this Policy are archived and can be provided upon request.
24.4 Effective date — The Policy becomes effective on the date indicated at the top (“Last updated”).
24.5 Continued use — By continuing to use our services after updates, you agree to the revised Policy.
25) Final Provisions
25.1 Governing law — This Privacy Policy is governed by and construed in accordance with the laws of England and Wales.
25.2 Jurisdiction — Any disputes relating to this Policy fall under the exclusive jurisdiction of the courts of England and Wales.
25.3 Entire agreement — This Privacy Policy, together with our Terms & Conditions, constitutes the entire agreement relating to privacy between you and NEXADATA SERVICES LTD.
25.4 Severability — If any provision is found invalid or unenforceable, the remaining provisions shall remain in full force.
25.5 No waiver — Failure by NEXADATA to enforce a provision shall not constitute a waiver of rights.