| Business process | Type | Data subject | Legal basis |
| Website | Location (e.g. address or IP address) | Customers | Consent |
| Financial, Contracts, Business data | Customers, Employees, Contractors, Suppliers, Partners | Legitimate interest | |
| Storage and exchange of documents | Not applicable | Not applicable | Legitimate interest |
| Delivery of goods and services | Financial, Location (e.g. address or IP address), Contracts, Software tools and applications, Business data, Technical data (e.g. source code) | Customers, Employees, Contractors, Suppliers, Partners | Performance of a contract |
| Financial and business administration | Identification, Financial, Date of Birth, Educational and employment history, Copy of ID, Location (e.g. address or IP address), Social Security Number, Contracts, Software tools and applications, Business data, Technical data (e.g. source code) | Customers, Employees, Contractors, Suppliers, Partners | Legitimate interest |
| Marketing | Business data | Customers, Contractors, Suppliers, Partners | Consent |
We may have to share your data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law.
We may transfer your Personal Data outside United Kingdom. If we do, you can expect a similar degree of protection in respect of your Personal Data.
We will only share your Personal Data with third parties in accordance with the GDPR and as outlined in the legal justification table above.
We share your personal data with the following enterprise third parties. We also share your data with SME third parties, details of which are available upon request. You will be notified when we have engaged with a new third party recipient of your personal data.
| Function | Payment software |
| Business process | Administration |
| Data categories | Location (e.g. address or IP address), Business data |
| Data subjects | Customers |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
| Function | Document storage service, Office software |
| Business process | Email, Digital storage of documents, Software tools and applications |
| Data categories | Financial, Contracts, Business data |
| Data subjects | Customers, Employees, Contractors, Suppliers, Partners |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
| Function | Email provider, Document storage service |
| Business process | Digital storage of documents |
| Data categories | Business data |
| Data subjects | Customers, Employees, Contractors, Suppliers, Partners |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
| Function | Appointment scheduling tool |
| Business process | Delivery of goods or services |
| Data categories | Business data |
| Data subjects | Customers, Employees, Contractors, Suppliers, Partners |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
| Function | Document storage service |
| Business process | Digital storage of documents |
| Data categories | Business data |
| Data subjects | Customers, Employees, Contractors, Suppliers, Partners |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
| Function | Document storage service |
| Business process | Digital storage of documents, Administration |
| Data categories | Contracts, Business data |
| Data subjects | Customers, Employees, Contractors, Suppliers, Partners |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
| Function | Document storage service |
| Business process | Digital storage of documents |
| Data categories | Contracts, Business data |
| Data subjects | Customers, Employees, Contractors, Suppliers, Partners |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
| Function | Other software suite |
| Business process | Software tools and applications, Production of content |
| Data categories | Photographs |
| Data subjects | Customers, Employees, Contractors, Suppliers, Partners |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
| Function | Marketing tool |
| Business process | Delivery of goods or services, Production of content |
| Data categories | Software tools and applications, Business data |
| Data subjects | Customers, Employees, Contractors, Suppliers, Partners |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
| Function | Document storage service |
| Business process | Digital storage of documents, Delivery of goods or services |
| Data categories | Business data |
| Data subjects | Customers |
| Security measures | N/A |
| Function | Email provider, Document storage service |
| Business process | Email, Digital storage of documents, Software tools and applications, Production of content |
| Data categories | Financial, Contracts, Business data |
| Data subjects | Customers, Employees, Contractors, Suppliers, Partners |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
| Function | Document storage service |
| Business process | Digital storage of documents, Production of content |
| Data categories | Technical data (e.g. source code) |
| Data subjects | Employees |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
| Function | Other software suite |
| Business process | Digital storage of documents, Administration |
| Data categories | Business data |
| Data subjects | Employees, Contractors, Suppliers, Partners |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
| Function | Customer service software |
| Business process | Delivery of goods or services |
| Data categories | Business data |
| Data subjects | Customers, Employees |
| Security measures | Physical security such as access controls, clean desk policy and CCTV; Access controls and prevention of unauthorised access on the basis of roles and strong authentication methods; All data is encrypted at rest and access is only permitted via encrypted channels (e.g. SSL); Data is minimized and regularly deleted according to national retention periods. |
International data transfers
The third parties we have engaged for the abovementioned business process may transfer your personal information to outside of United Kingdom. Nanu Ltd’s third party processors take all necessary measures to ensure the confidentiality, availability and integrity of personal data and to comply with the GDPR with regards to international data transfers. The international nature of its compliance certifications, as well as far-reaching technical security measures (including but not limited to encryption of the personal data, making the data illegible to an unauthorised recipient) are sufficient to ensure that the data subjects continue to benefit from the fundamental rights they are entitled to under the GDPR.
Nanu Ltd relies on processing agreements with these sub-processors that include the model clauses (or “Standard Contractual Clauses”) which have been tested on the adequacy of its protection with regards to the specific sub-processing activities carried out in this particular subprocessing relationship.
Additional security measures are taken to safeguard the international data transfers:
Your data is protected by Nanu Ltd and its processors in pursuance to all legal requirements set by the relevant data processing laws. Nanu Ltd has taken technical and organizational security measures to protect your data and requires its data processors to meet the same requirements. Nanu Ltd has signed processing agreements with its processors to ensure an adequate level of data protection.
The following security measures are taken by Nanu Ltd to protect your personal data in the course of the listed business processes:
Nanu Ltd staff members are required to conduct themselves in a manner consistent with Nanu Ltd’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.All staff members undergo appropriate background checks prior to hiring and sign a confidentiality agreement outlining their responsibility in protecting customer data.
We continuously train staff members on best security practices, including how to identify social hacks, phishing scams, and hackers.
Nanu Ltd maintains your data privacy by allowing only authorized individuals access to information when it is critical to complete tasks for you. Nanu Ltd staff members will not process customer data without authorization.
As a rule, data is hosted within United Kingdom, but it is possible that we might transfer personal data to countries within the EEA, to the UK or in exceptional circumstances outside of those areas. We ensure that we comply with the GDPR and the DPA when sending data overseas by relying on data processing agreements containing standard contractual clauses with our subprocessors or by taking additional measures to secure this data transfer, such as anonymisation.
The data centres on which personal data is hosted are secured and monitored 24/7 and physical access to facilities is strictly limited to select staff.
All devices which are used to access personal data for which we are responsible are secured with antivirus software, firewalls, encryption and access management. We regularly update operating systems and software to ensure vulnerabilities cannot be exploited.
We carry out regular vulnerability scanning of our website and have engaged credentialed external auditors to verify the adequacy of our security and privacy measures.
Each data subject has the right to information on and access to, and rectification, erasure and restriction of processing of their personal data, as well as the right to object to the processing and the right to data portability.
You can exercise these rights by contacting us at the following email address: privacy@nanu.tech. Each request must be accompanied by a copy of a valid ID, on which you put your signature and state the address where we can contact you. Ensure that you write “Data Request” in the subject line of your email.
Within one month of the submitted request, you will receive an answer from us. We will not charge you for submitting your request unless the request is manifestly unfounded or otherwise unreasonable in its nature. Depending on the complexity and the number of the requests this period may be extended to two months.
The collected data are used and retained for the duration determined by law. You may, at any time, request your data to be deleted from any Nanu Ltd account, system or other data processing medium in accordance with the process described above.
These conditions are governed by United Kingdom legislation. The court in the district where the collector has its place of business has the sole jurisdiction if any dispute regarding these conditions may arise, save when a legal exception applies.
For questions about this privacy policy, product information or information about the website itself, please contact: privacy@nanu.tech.
| Third party headquarter address | 510 Townsend Street, San Francisco, CA 94103, United States of America |
| The primary location of processing is the USA. | Personal data collected by Stripe may be stored and processed in any country where Stripe or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
| For more information, see Stripe’s Privacy Policy | https://stripe.com/gb/privacy |
| Third party headquarter address | 1 Microsoft Way, Redmond, WA 98052, United States |
| The primary location of processing is the USA. | Personal data collected by Microsoft Office 365 may be stored and processed in any country where Microsoft Office 365 or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
| For more information, see Microsoft Office 365’s Privacy Policy | https://privacy.microsoft.com/en-ca/privacystatement |
| Third party headquarter address | 1602 Amphitheatre Pkwy, Mountain View, CA 94043, United States |
| The primary location of processing is the USA. | Personal data collected by Google Cloud may be stored and processed in any country where Google Cloud or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
| For more information, see Google Cloud’s Privacy Policy | https://cloud.google.com/privacy |
| Third party headquarter address | 271 17th St NW, Ste 1000, Atlanta, Georgia, 30363, United States |
| The primary location of processing is the USA. | Personal data collected by Calendly may be stored and processed in any country where Calendly or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
| For more information, see Calendly’s Privacy Policy | https://calendly.com/privacy |
| Third party headquarter address | 351 California St #1200, San Francisco, United States |
| The primary location of processing is the USA. | Personal data collected by DocSend may be stored and processed in any country where DocSend or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
| For more information, see DocSend’s Privacy Policy | https://www.docsend.com/privacy-policy/ |
| Third party headquarter address | 221 Main Street, Suite 1550, san Fransisco, CA 94105 United States |
| The primary location of processing is the USA. | Personal data collected by DocuSign may be stored and processed in any country where DocuSign or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
| For more information, see DocuSign’s Privacy Policy | https://www.docusign.com/company/privacy-policy |
| Third party headquarter address | 333 Brannan Street San Francisco, CA 94107, United States |
| The primary location of processing is the USA. | Personal data collected by Dropbox may be stored and processed in any country where Dropbox or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
| For more information, see Dropbox’s Privacy Policy | https://www.dropbox.com/features/cloud-storage/cloud-security |
| Third party headquarter address | 345 Park Avenue San Jose, CA 95110-2704 |
| The primary location of processing is the USA. | Personal data collected by Adobe may be stored and processed in any country where Adobe or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
| For more information, see Adobe’s Privacy Policy | https://www.adobe.com/privacy.html |
| Third party headquarter address | Figma, Inc. 760 Market St, Floor 10 San Francisco, CA 94102 |
| The primary location of processing is the USA. | Personal data collected by Figma may be stored and processed in any country where Figma or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
| For more information, see Figma’s Privacy Policy | https://www.figma.com/privacy/ |
| Third party headquarter address | N/A |
| The primary location of processing is the N/A. | Personal data collected by Google Firebase may be stored and processed in any country where Google Firebase or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
| For more information, see Google Firebase’s Privacy Policy | N/A |
| Third party headquarter address | 1602 Amphitheatre Parkway, Mountain View, CA, 94043 |
| The primary location of processing is the USA. | Personal data collected by Google Workspace may be stored and processed in any country where Google Workspace or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
| For more information, see Google Workspace’s Privacy Policy | https://cloud.google.com/privacy |
| Third party headquarter address | 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107 |
| The primary location of processing is the USA. | Personal data collected by Github may be stored and processed in any country where Github or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
| For more information, see Github’s Privacy Policy | https://docs.github.com/en/github/site-policy/github-privacy-statement |
| Third party headquarter address | Vlamingstraat 4, 2712BZ, Zoetermeer |
| The primary location of processing is the The Netherlands. | Personal data collected by Naq Cyber may be stored and processed in any country where Naq Cyber or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Adequacy decision exists between United Kingdom and European Union |
| Additional safeguards (Schrems II) |
|
| For more information, see Naq Cyber’s Privacy Policy | https://www.naqcyber.com/policies/privacy-policy |
| Third party headquarter address | 2nd Floor, Stephen Court, 18-21 Saint Stephen's Green, Dublin 2 |
| The primary location of processing is the Ireland and EEA. | Personal data collected by Intercom may be stored and processed in any country where Intercom or its affiliates, subsidiaries, or service providers operate facilities. |
| Safeguards (art. 45 GDPR) | Adequacy decision exists between United Kingdom and European Union |
| Additional safeguards (Schrems II) |
|
| For more information, see Intercom’s Privacy Policy | https://www.intercom.com/help/en/articles/1722980-how-intercom-tracks-and-stores-data |
| Country where data is processed or sent to | United Kingdom |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
| Country where data is processed or sent to | United Kingdom |
| Safeguards (art. 45 GDPR) | Standard Contractual Clauses |
| Additional safeguards (Schrems II) |
|
Nanu Ltd’s third party processors take all necessary measures to ensure the confidentiality, availability and integrity of personal data and to comply with the GDPR with regards to international data transfers. The international nature of its compliance certifications, as well as far-reaching technical security measures (including but not limited to encryption of the personal data, making the data illegible to an unauthorised recipient) are sufficient to ensure that the data subjects continue to benefit from the fundamental rights they are entitled to under the GDPR. Nanu Ltd relies on processing agreements with these sub-processors that include the model clauses (or “Standard Contractual Clauses”) which have been tested on the adequacy of its protection with regards to the specific sub-processing activities carried out in this particular subprocessing relationship. Additional security measures are taken to safeguard the international data transfers: