
NEXUMOUS LTD
Privacy Notice
Version 2.0 | May 2026 | Document ID: NX-PRIV-001
Document Metadata
Document title: Privacy Notice — Nexumous Ltd
Document ID: NX-PRIV-001
Version: 2.0
Classification: Public
Document owner: Nicholas Zylberglajt (COO / Privacy Lead)
Last reviewed: May 2026
Next review: May 2027 (or upon material change to processing activities)
Vanta control refs: P1.1, P2.1, P3.1, P4.1, P5.1, P6.1, P8.1 (AICPA Privacy TSC)
Supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk
1. About this Notice and Who We Are
This Privacy Notice explains how Nexumous Ltd collects, uses, shares and protects personal data across all of our business activities. It applies to all individuals whose personal data we process, including visitors to our website (nexumous.ai), prospective customers and marketing contacts, customers and authorised users of the Nexumous platform, and anyone who contacts us directly.
Controller details
Company name: Nexumous Ltd
Registered in: England and Wales
Company number: 16043987
Registered address: 20 Wenlock Road, London, N1 7GU, United Kingdom
Privacy contact: hello@nexumous.ai (subject line: Privacy)
Supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
We are the data controller for all personal data described in this Notice, except where we act as a data processor on behalf of our enterprise customers (see Section 5).
Nexumous Ltd is subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where we process data of individuals in the European Economic Area (EEA), we are also subject to EU GDPR (Regulation (EU) 2016/679), by virtue of Article 3(2) — our platform is directed at EEA businesses and we monitor behaviour of individuals in the EEA.
2. Who This Notice Covers
This Notice applies to the following categories of people whose data we collect:
| You are... | Examples of data we collect about you |
|---|---|
| A visitor to nexumous.ai | IP address, browser/device data, pages visited, session data, cookie identifiers. See Section 3. |
| A prospective customer or marketing contact | Name, work email, job title, company, LinkedIn profile, interaction history, event attendance. See Section 4. |
| A customer or platform user | |
This Notice does not cover: (a) data processed by our customers using our platform, where our customers are the data controllers (see Section 5.4); (b) employee and contractor data, which is covered under a separate internal HR Privacy Notice.
3. Website Visitors (nexumous.ai)
3.1 What we collect
When you visit nexumous.ai, we and our technology providers automatically collect certain data about your visit. This includes:
- Technical data: IP address (pseudonymised where possible), browser type and version, operating system, device type, screen resolution.
- Usage data: pages visited, time on page, scroll depth, referral source (e.g. search engine or link), session duration.
- Cookie identifiers: unique identifiers set by cookies on your device. Please see our Cookie Notice at nexumous.ai/cookie-notice for the full list of cookies we use and how to manage them.
3.2 Why we collect it and our lawful basis
| Purpose | Data used | Lawful basis (UK GDPR) | Retention |
|---|---|---|---|
| Measure website traffic and improve site performance (analytics) | IP, usage data, _ga / _gid cookie identifiers | Consent (Art. 6(1)(a)) — via cookie consent banner, as required by UK PECR | 2 years (Google Analytics default) |
| Track effectiveness of LinkedIn marketing campaigns (LinkedIn Insight Tag) | IP, device/browser data, LinkedIn member ID (if logged in) | Consent (Art. 6(1)(a)) — via cookie consent banner | 90 days (LinkedIn default) |
| Understand how visitors interact with our marketing content (HubSpot analytics) | IP, pages visited, HubSpot cookie identifiers (__hstc, hubspotutk) | Consent (Art. 6(1)(a)) — via cookie consent banner | 13 months (__hstc); session (__hssc) |
| Operate the website securely (Wix platform functionality) | Session cookie (svSession), CSRF token (XSRF-TOKEN), CDN cache cookies | Legitimate interest (Art. 6(1)(f)) — strictly necessary for website operation; no consent required under PECR | Session or up to 2 years (svSession) |
We do not use your website visit data to identify you personally, create individual profiles, or make automated decisions about you. Analytics data is aggregated and pseudonymised.
3.3 LinkedIn Insight Tag — Joint Controller Notice
We use the LinkedIn Insight Tag on our website. For the processing of personal data via this tag, Nexumous Ltd and LinkedIn Ireland Unlimited Company (LinkedIn) act as joint controllers, as confirmed by the CJEU judgment in Fashion ID (Case C-40/17) and LinkedIn's own joint controller disclosure.
LinkedIn's responsibilities in this joint controller arrangement — including the legal basis for processing LinkedIn member data through the Insight Tag — are set out in LinkedIn's Cookie Policy and Privacy Policy (linkedin.com/legal/privacy-policy). LinkedIn is the primary point of contact for LinkedIn members exercising their rights in relation to Insight Tag processing. You can opt out of LinkedIn's use of your data for advertising at: linkedin.com/psettings/guest-controls.
4. Prospective Customers and Marketing Contacts
4.1 What we collect and where we get it
If you are a representative of a business that may be interested in Nexumous's products and services, we may hold and process the following data:
- Name, job title, company name, work email address, work phone number.
- LinkedIn profile information (where you connect with us on LinkedIn or we identify you as a relevant contact via LinkedIn's platform).
- Interaction history: records of emails, calls, meetings, event attendance, and engagement with our marketing content.
- Company firmographic data: industry, company size, geography — used to assess fit with our platform.
We collect this data: (a) directly from you (e.g. when you fill in a contact form, attend an event, or request a demo); (b) from LinkedIn (via LinkedIn Sales Navigator or public LinkedIn profiles); (c) from publicly available sources (company websites, industry directories); (d) from HubSpot (our CRM), which aggregates contact and interaction data.
4.2 Why we use it and our lawful basis
| Purpose | Data used | Lawful basis (UK GDPR) | Retention |
|---|---|---|---|
| B2B sales and business development: identifying and engaging relevant enterprise prospects | Name, company, email, job title, LinkedIn profile | Legitimate interest (Art. 6(1)(f)) — we have a legitimate interest in marketing our B2B platform to relevant professionals. Balanced against privacy impact: data is professional, not sensitive; individuals are contacted in their business capacity. | 3 years from last meaningful interaction, or until opt-out (whichever is earlier) |
| Sending marketing emails and event invitations | Work email, name | Legitimate interest (Art. 6(1)(f)) + compliance with UK PECR (soft opt-in where applicable). We honour opt-outs immediately. | Until opt-out |
| Pipeline and CRM management (HubSpot) | All contact data, interaction history | Legitimate interest (Art. 6(1)(f)) — necessary for managing our sales process | 3 years from last interaction |
| LinkedIn advertising and retargeting (LinkedIn Matched Audiences) | Email (hashed), LinkedIn member ID (where applicable) | Consent (Art. 6(1)(a)) — consent obtained through LinkedIn's platform for members; legitimate interest for non-member business contacts | Managed via LinkedIn campaign settings |
You have the right to object to our processing of your data for marketing purposes at any time. To opt out, email hello@nexumous.ai with subject line 'Unsubscribe', or use the unsubscribe link in any marketing email.
5. Customers and Platform Users
5.1 What we collect
If your organisation is a customer of Nexumous — or if you are an authorised user of the Nexumous platform — we collect and process the following data:
- Account data: name, work email address, job title, employer/organisation name, account credentials (passwords stored as hashed values only — we do not store plaintext passwords).
- Billing and contract data: billing contact name and email, company address, VAT number, invoicing history, contract documents.
- Platform usage data: login timestamps, feature usage logs, API call logs, session data — used for security, troubleshooting, and service improvement.
- Customer support communications: records of support tickets, live chat or email exchanges with our support team.
- Technical configuration data: API keys (hashed), integration settings, webhook configurations.
5.2 Why we use it and our lawful basis
| Purpose | Data used | Lawful basis (UK GDPR) | Retention |
|---|---|---|---|
| Providing and managing your access to the Nexumous platform | Account data, credentials, usage data | Performance of contract (Art. 6(1)(b)) — processing is necessary to deliver the contracted service | Duration of contract + 6 years (UK limitation period) |
| Billing, invoicing and financial administration | Billing contact, payment data, invoicing history | Performance of contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) — Companies Act, VAT Act | 7 years (HMRC statutory requirement) |
| Customer support and troubleshooting | Account data, support communications, usage logs | Performance of contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)) — necessary to resolve support issues | 3 years from ticket closure |
| Security monitoring and fraud prevention | Login timestamps, IP addresses, API call logs | Legitimate interest (Art. 6(1)(f)) — protecting platform integrity and preventing unauthorised access | 12 months (security logs); 24 months (access audit trail) |
| Service improvement and product development | Aggregated and pseudonymised usage data only | Legitimate interest (Art. 6(1)(f)) — improving our platform for all customers. We do not use individually identifiable usage data for product analytics. | Pseudonymised — retained up to 3 years |
| Sending service notifications and product updates | Name, work email | Legitimate interest (Art. 6(1)(f)) — service communications necessary to the customer relationship; Performance of contract | Duration of contract |
5.3 Our platform infrastructure and security
Our platform runs on Amazon Web Services (AWS), with our primary data region in Frankfurt, Germany (eu-central-1). All personal data is encrypted at rest and in transit. Access to customer data is restricted to authorised Nexumous personnel on a need-to-know basis, enforced through role-based access controls and multi-factor authentication. Our security measures are documented in our Technical and Organisational Measures Schedule (document NX-SEC-001), available to customers on request under the terms of our Data Processing Agreement.
5.4 When we act as your data processor
Our platform enables you — our customer — to conduct drone missions that may capture personal data (for example, video footage of individuals in public or semi-public spaces, or thermal/sensor data from which individuals may be identifiable). In relation to that mission data, you are the data controller and we are your data processor, acting strictly on your instructions.
The terms on which we process your mission data as your processor are set out in our Data Processing Agreement (DPA), which forms part of your contract with us. Our DPA specifies: the categories of personal data we process on your behalf; the purposes and duration of processing; our security obligations; sub-processor arrangements; and your rights to audit and instruct us.
If you do not have a signed DPA in place with us, please contact hello@nexumous.ai. A DPA is required under Article 28 UK GDPR / EU GDPR for all personal data we process on your behalf.
6. People Who Contact Us Directly
If you contact us by email (hello@nexumous.ai), through a contact form on our website, or by any other means, we will collect your name, email address, and the content of your message. We use this data solely to respond to your inquiry. Our lawful basis is legitimate interest (Art. 6(1)(f)). We retain correspondence for 3 years unless it relates to a contractual matter (in which case it is retained for 6 years) or a legal matter (in which case it is retained for the duration of the matter plus 6 years).
7. Who We Share Your Data With
We do not sell personal data. We share personal data only as necessary to deliver our services, comply with legal obligations, or pursue legitimate business interests. All third parties who process personal data on our behalf do so under a Data Processing Agreement.
| Recipient | Role | Purpose | Country | Safeguard |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Processor | Cloud infrastructure — hosting, storage, compute, logging | Germany (EU) — eu-central-1 primary | UK IDTA + EU SCCs |
| Microsoft 365 / SharePoint | Processor | Email, document management, internal collaboration | Ireland (EU) | UK adequacy decision for EU |
| Google Workspace | Processor | Email, calendar, internal documents | USA | UK IDTA + EU SCCs + DPF |
| HubSpot Inc. | Processor | CRM, marketing automation, contact management | USA | UK IDTA + EU SCCs + DPF |
| LinkedIn Ireland / Corp. | Joint controller (Insight Tag); Processor (Ads) | Marketing analytics, LinkedIn advertising | Ireland (joint controller data); USA (ad data) | Joint controller agreement + DPF |
| Infinity Ventures Ltd | Processor | Platform support operations (limited, remote access only) | UAE (Masdar City) | UK IDTA + EU SCCs + Inter-Group DPA + TIA |
| Revolut Business | Independent controller | Business banking and payment processing | Lithuania (EU) | UK adequacy decision for EU |
| Wix.com | Processor | Website hosting and platform functionality | USA / Israel | UK IDTA + EU SCCs + Wix DPA |
| ICO or other regulators | Independent controller | Regulatory compliance, responding to lawful requests | UK | Legal obligation (Art. 6(1)(c)) |
For a complete list of sub-processors used in the delivery of the Nexumous platform, customers may request a copy of our Sub-Processor Register (document NX-SPR-001).
8. International Data Transfers
Some of our service providers are based outside the UK and European Economic Area (EEA). Where we transfer personal data to countries that do not benefit from a UK adequacy decision, we ensure appropriate safeguards are in place:
- United States of America: We rely on UK International Data Transfer Agreements (IDTAs) incorporating the ICO-approved template, combined with EU Standard Contractual Clauses (2021/914, Module 2, controller-to-processor). Where our US providers are certified under the EU-US Data Privacy Framework and the UK-US Data Bridge, we rely on that as a supplementary safeguard. AWS, Google, HubSpot, LinkedIn, and Microsoft are each certified under the UK-US Data Bridge.
- United Arab Emirates (Infinity Ventures Limited only): We rely on a UK IDTA and EU SCCs Module 2, combined with our Inter-Group Data Processing Agreement. A Transfer Impact Assessment (TIA) has been completed. No personal data is stored locally in the UAE — all data remains on AWS (Frankfurt).
- European Union / EEA (Microsoft 365, Revolut): UK→EU transfers are covered by the UK Government's adequacy decision for the EU, adopted 28 June 2021. No IDTA or SCCs are required.
Further detail on our international transfer safeguards, including Transfer Impact Assessments for transfers to the USA and UAE, is available on request by contacting hello@nexumous.ai.
9. Your Data Protection Rights
Under UK GDPR (and EU GDPR where applicable), you have the following rights in relation to personal data we hold about you. These rights apply to the extent relevant to the specific processing activity and lawful basis:
| Right | What it means |
|---|---|
| Right of access (Art. 15) | You can ask us for a copy of the personal data we hold about you and information about how we process it. |
| Right to rectification (Art. 16) | You can ask us to correct personal data that is inaccurate or incomplete. |
| Right to erasure (Art. 17) | In certain circumstances, you can ask us to delete your personal data (e.g. where processing was based on consent and you withdraw it, or where we have no legitimate reason to continue holding it). |
| Right to restriction (Art. 18) | You can ask us to pause processing of your data in certain circumstances (e.g. while you contest its accuracy or we assess an objection). |
| Right to data portability (Art. 20) | Where processing is based on consent or contract and carried out by automated means, you can ask us to provide your data in a structured, machine-readable format. |
| Right to object (Art. 21) | You can object to processing based on legitimate interest at any time. We will stop unless we can demonstrate compelling legitimate grounds. You have an absolute right to object to processing for direct marketing. |
| Right to withdraw consent (Art. 7(3)) | Where we rely on consent (e.g. for analytics cookies), you can withdraw it at any time via our cookie settings or by contacting us. Withdrawal does not affect the lawfulness of prior processing. |
| Right not to be subject to solely automated decisions (Art. 22) | We do not make decisions about you solely by automated means that produce significant legal or similarly significant effects. If this changes, we will notify you and provide the required safeguards. |
To exercise any of your rights, or to make a data subject request (DSR), please contact us at hello@nexumous.ai with the subject line 'Data Subject Request'. We will respond within 30 calendar days. In complex cases we may extend this by a further two months — we will notify you if an extension is required and explain why.
If you are not satisfied with how we handle your request or how we process your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. If you are based in the EEA, you may also contact your local data protection supervisory authority.
10. Cookies
Our website uses cookies and similar tracking technologies. A full explanation of the cookies we use, their purpose, duration, and how to manage your preferences is set out in our Cookie Notice, available at nexumous.ai/cookie-notice.
You can withdraw or update your cookie consent at any time by clicking the 'Cookie Settings' link on our website. Note that withdrawing analytics or marketing cookies will not affect your ability to use our website.
11. Children's Data
Our website and platform are directed at business professionals and enterprise customers. We do not knowingly collect personal data from individuals under the age of 16. If you believe that we have inadvertently collected personal data from a child, please contact us at hello@nexumous.ai and we will promptly delete it.
12. Changes to This Notice
We may update this Privacy Notice from time to time to reflect changes in our processing activities, legal requirements, or regulatory guidance. When we make material changes, we will post an updated notice on our website and, where required by law or where we consider it appropriate, notify affected individuals by email. The version number and 'last reviewed' date at the top of this document will always reflect the current version.
We encourage you to review this Notice periodically. Your continued use of our website or platform after the date of an update constitutes acknowledgement of the updated Notice, to the extent permitted by applicable law.
13. Contact Us
If you have any questions about this Privacy Notice, how we handle your personal data, or wish to exercise your rights, please contact us:
Contact details
By email: hello@nexumous.ai (subject line: Privacy)
By post: Nexumous Ltd, 20 Wenlock Road, London, N1 7GU, United Kingdom
Privacy Lead: Nicholas Zylberglajt, COO
Supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
14. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | Apr 2026 | Nicholas Zylberglajt | Initial version — website visitors only |
| 2.0 | May 2026 | Nicholas Zylberglajt | Expanded to cover all data subjects: website visitors, prospective customers, B2B customers and platform users, direct contacts. Added joint controller disclosure for LinkedIn Insight Tag. Added Section 5.4 (Nexumous as processor for customer mission data). Added international transfers summary table. Aligned with Sub-Processor Register (NX-SPR-001) and TIA Pack (NX-TIA-001). |
© 2025 by Nexumous LTD.
