| Type of Personal Data collected | Received from |
| --- | --- |
| Identity information – name, title, job title | you or our Customer |
| Contact details – work email address, postal address (where you are an unincorporated Customer or the address stated on a financial document relates to a home address) | you or our Customer |
| Profile – login credentials | you |
| Website enquiries – any personal data you provided when you submit an enquiry via our website chatbot, or information about you that is referenced by another user submitting an enquiry | you or our Customer |
| Financial information – account details, purchase order number, account holder name | you or our Customer |
| Feedback – information and responses you provide when completing surveys and questionnaires | you |
| Usage information – information about your activity on our software-as-a-service, including audit logs, download errors, times and dates of log-in | you (via cookies and similar technologies) |
| Technical information – internet protocol (IP) address, browser type and version, time zone setting and generic location, browser plug-in types and versions, operating system and platform on the devices you use to access our website or service | you (via cookies and similar technologies) |
| Marketing information – your marketing preferences | you |
We may anonymise the personal data we collect (so it can no longer identify you as an individual) and then combine it with other anonymous information so it becomes aggregated data. Aggregated data helps us identify trends (e.g. what percentage of users have the role title “accountant”). Data protection law does not govern the use of aggregated data and the various rights described below do not apply to it.
4. How we use your information
UK data protection law requires Nook to identify a legal justification (also known as a lawful basis) for collecting and using your personal data. There are six legal justifications which organisations can rely on. The most relevant of these to us are where we use your personal data to:
fulfil our contract with you if you are a customer that is not an incorporated business;
pursue our legitimate interests (our justifiable business aims) but only if those interests are not outweighed by your other rights and freedoms (e.g. your right to privacy);
comply with a legal obligation that we have; and
do something that you have given your consent for.
The table below sets out the lawful basis we rely on when we use your personal data. If we intend to use your personal data for a new reason that is not listed in the table, we will update our privacy policy and notify you.
| Purposes | Justification |
| --- | --- |
| Taking steps to enter into the contract with our Customer | Legitimate interests (necessary to conclude our contract with such organisations); Contract if you are an unincorporated customer |
| Providing our service to our Customer | Legitimate interests (necessary to fulfil our service contract with our Customer); Contract if you are an unincorporated customer |
| Handling requests for technical support and other queries | Legitimate interests (necessary to fulfil our service contract with our Customer and ensure the proper functioning of our Application) |
| Asking you to participate in surveys and other types of feedback | Consent |
| Providing insight on how our products and services are being used | Legitimate interest (necessary to improve and optimise our products and services) |
| Administering and protecting products, services and systems | Legitimate interests (necessary to provide our products and services, monitor and improve network security and prevent fraud) |
| Notifying you about changes to our privacy policy | Legal obligation |
| Sending you marketing material | Legitimate interest (where we market our services to businesses – to promote Nook); Consent (where we market to unincorporated businesses, such as sole traders) |
5. Marketing
Nook only provides its services to businesses (which means we operate on a Business-to-Business basis, also known as B2B). We only ever send marketing communications to work contact details, and we always include a link in our emails so that you can unsubscribe at any time. We will also remove your details from our system if our Customer informs us you no longer work for them.
Nook uses HubSpot to help us deliver and monitor the communications we send. Their digital tools let us see whether a recipient has clicked any of the links in our email, which helps us understand what content that recipient appears to be interested in and allows us to personalise the content of future messages.
Pixels (which are a similar technology to cookies) within those emails enable us to see:
if the email was opened
where the device opening the email was located (based on the device’s IP address)
the type of email service (e.g. Outlook) that was used
if the email (or its content) was shared on social media
if the email was flagged as spam
6. Who we share your information with
We share (or may share) your personal data with:
Our staff: Nook employees (or other types of workers) who have contracts containing confidentiality and data protection obligations.
Our Customer: we have a service contract and data processing addendum in place with all our Customers which sets out what information we provide to them as part of our services. We always act in accordance with their instructions when we are processing data on their behalf.
Payment Service Providers (PSPs): these are the organisations that facilitate payments between our Customers and Customer contacts
Customer contacts: these are the contacts named in the invoice or purchase order (e.g. payee details). These Customer contacts will act as an independent controller for the information they receive from us (which means they make their own decisions about how they use that information). If you have any questions about how they use the information they receive, you should ask to see their privacy information.
Our supply chain: other organisations help us provide our services and website (such as our hosting and server provider, internal IT systems, our CRM system and our website usage analysis). We ensure these organisations only have access to the information required to provide the support we use them for, and we have a contract with them that contains confidentiality and data protection obligations.
Regulatory authorities: such as HM Revenue & Customs
Our professional advisers: such as our accountants or legal advisors where we require specialist advice to help us conduct our business, or IT specialists to conduct audits on the security of our services.
Any actual or potential buyer of our business
If Nook were asked to provide personal data in response to a court order or legal request (e.g. from the police), we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response. If we are the processor for that information, we will also check with the controller before any information is released (unless the law does not allow us to do so).
7. Where your information is located or transferred to
We will only transfer information outside of the UK where we have a valid legal mechanism in place (to make sure that your personal data is guaranteed a level of protection, regardless of where in the world it is located). If you access our service or receive a communication from us whilst abroad then your personal data may be stored on services in the same country in which the organisation or you are located.
8. How we keep your information safe
We have implemented security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include:
access controls and user authentication (including multi-factor authentication)
internal IT and network security
regular testing and review of our security measures
incident and breach reporting processes
making regular back-up copies of information
business continuity and disaster recovery processes
If there is an incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law). Where we act as the processor for the affected personal data, we notify the controller and support them with investigating and responding to the incident.
If you notice any unusual activity on your account (or believe your account has been otherwise compromised) please let us know by emailing us at support@nook.io.