Privacy Policy
Draft - not yet in force.
This document is the working draft of Nuflw's Privacy Policy. It will become legally binding only after Nuflw Ltd is incorporated, the placeholder values are filled in, and the document is reviewed by a UK solicitor. Until then, your use of the Service is governed by your existing relationship with the founder and applicable law.
This Privacy Policy explains how Nuflw Ltd ("Nuflw", "we", "us", "our") collects, uses, stores, and shares personal data when you use our marketing operations platform at nuflw.com and any related services (the "Service"). It also explains your rights under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
This policy is written in plain English where possible. Where legal terms appear, they have the meanings given in the UK GDPR.
1. Who we are
Nuflw is a marketing operations platform that helps solo marketers and small agencies manage email campaigns, content planning, ad creation, competitor intelligence, client onboarding, and publishing - across one workspace instead of many disconnected tools. Nuflw includes an AI layer called Forge AI which provides creative tools (Ad Builder, Forge Chat) and an intelligence layer (Forge Intelligence) that watches your marketing operations and surfaces actionable insights.
Legal entity: Nuflw Ltd, a company registered in England and Wales.
Company registration number: COMPANIES HOUSE NUMBER
Registered office: NUFLW LTD REGISTERED OFFICE ADDRESS
ICO registration number: ICO REGISTRATION NUMBER
Privacy contact: privacy@nuflw.com
For all data protection enquiries, including requests to access, correct, or delete your personal data, contact us at privacy@nuflw.com. We aim to respond within 30 days of receiving your request.
2. Who this policy applies to
This Privacy Policy applies to:
- Users: people who create a Nuflw account, whether as a solo marketer or as a member of an agency workspace. We are the data controller for your personal data
- Visitors: people who browse nuflw.com without creating an account. We are the data controller for limited browsing data
- Customer contacts: people whose data is uploaded to a Nuflw workspace by a Nuflw user (for example, marketing contacts in an agency's CRM workspace). For this data, we act as data processor on behalf of the Nuflw user, who remains the controller. Our handling of this data is governed by the Data Processing Agreement between us and the workspace owner
If you are a customer contact of a Nuflw user (you received an email from someone using Nuflw, for example), please contact the Nuflw user directly for any data requests. We will assist them in fulfilling your request.
3. The data we collect
3.1 Account data (when you sign up)
When you create a Nuflw account, we collect:
- Your name
- Your email address
- A password (stored only as a hashed value, never in plain text)
- Your workspace name(s)
- The plan you select
3.2 Profile and workspace data (during use)
When you use Nuflw, we collect:
- Information you add to your workspace (brand guidelines, voice notes, positioning documents, personas)
- Email campaign content you create
- Marketing contacts you upload (acting as processor on your behalf)
- Content you plan, schedule, and publish
- Documents you generate (proposals, contracts, onboarding materials)
- Designs and ad creatives you produce
- Notes, comments, and other content you create
3.3 Usage data (automatically collected)
While you use Nuflw, we automatically collect:
- IP address
- Browser type and version
- Device type and operating system
- Pages you visit on nuflw.com and within the Service
- Actions you take within the Service (clicks, submissions, feature usage)
- Date and time of access
- Referring website (where you came from before visiting us)
3.4 Communications data
When you contact us by email, through support channels, or via in-app messaging, we keep a record of the conversation, including:
- Your email address
- The content of your message
- Date and time
- Our response
3.5 Billing data (for paid plans)
When you subscribe to a paid Nuflw plan, billing is processed by our payments provider Stripe. We receive limited billing data from Stripe including:
- The fact that you are a paying customer
- Your subscription plan and renewal date
- Country of billing
- Last four digits of your payment method (for display only)
We never store full payment card numbers. Stripe handles all payment data directly and is PCI-DSS Level 1 certified.
3.6 Cookies and similar technologies
When you visit nuflw.com, we use cookies and similar technologies. See Section 9 for full details on which cookies we use and how to manage them.
3.7 What we do NOT collect
We do not collect:
- Special category data (health, religion, political views, biometric data, etc.) unless you explicitly upload it as part of your workspace content, in which case you remain responsible for its lawful processing
- Children's data - Nuflw is not intended for use by anyone under 18
- Data from third-party tracking pixels, advertising networks, or social media tracking on nuflw.com beyond what is disclosed in Section 9
4. Why we use your data (lawful bases)
Under UK GDPR, we must have a lawful basis for processing your personal data. The bases we rely on are:
4.1 Contract (Article 6(1)(b))
To provide the Service you signed up for, including:
- Creating and managing your account
- Storing the data you upload to your workspace
- Running the AI features you use (Forge Chat, Ad Builder, Forge Intelligence)
- Sending you transactional emails (account confirmations, password resets, billing notifications)
- Providing customer support
4.2 Legitimate interests (Article 6(1)(f))
For specific purposes where we have determined our interests do not override your rights:
- Improving the Service through aggregate usage analytics
- Detecting and preventing fraud, abuse, and security incidents
- Sending occasional product updates and feature announcements to existing users (you can unsubscribe at any time)
- Maintaining audit logs and operational records
You have the right to object to processing based on legitimate interests. See Section 7.
4.3 Consent (Article 6(1)(a))
Where we rely on consent specifically:
- Non-essential cookies and analytics tools
- Marketing emails to people who are not existing customers
- Any future processing that materially changes how we use your data
You can withdraw consent at any time. Where you withdraw consent, this does not affect the lawfulness of processing before withdrawal.
4.4 Legal obligation (Article 6(1)(c))
For maintaining records required by UK law:
- Tax and accounting records (held for 6 years)
- Records of how we respond to data subject requests
- Anti-fraud and anti-money-laundering checks
4.5 AI features specifically
When you use AI features (Forge Chat, Ad Builder copy generation, Forge Intelligence insights), we process your prompts and the relevant workspace context using Anthropic's and OpenAI's commercial APIs. The lawful basis is contract (Article 6(1)(b)) - the AI features are part of the Service you signed up for.
5. Our AI providers and your data
We use third-party AI providers to power AI features within Nuflw. Specifically:
- Anthropic (Claude API) - powers Forge Chat, Forge Intelligence agents, Forge Design output, and the Carousel generator
- OpenAI (API) - powers the Ad Builder copy generation (GPT-4o) and ad image generation (DALL-E)
Importantly: neither Anthropic nor OpenAI uses your data to train their AI models. Both providers contractually commit, in their commercial API terms, not to use API customer data (which includes everything Nuflw sends them on your behalf) for model training. We have not opted into any data-sharing programs that would change this.
Data sent to AI providers is retained briefly by them for abuse monitoring purposes (typically 30 days or less, depending on the provider and endpoint) and then permanently deleted.
If at any point in the future we consider opting into any AI provider data-sharing programs, we will notify all affected users at least 30 days in advance and require explicit opt-in. We will never make such a change unilaterally.
6. Who we share your data with
6.1 Sub-processors
We use the following third-party services to operate Nuflw. Each acts as a sub-processor of your data under our instructions:
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, authentication | US (EU regions available) | Standard Contractual Clauses |
| Vercel | Web hosting, edge functions | US (global edge) | Standard Contractual Clauses |
| Resend | Transactional and marketing email delivery | US | Standard Contractual Clauses |
| Anthropic | AI processing (Claude) | US | Standard Contractual Clauses |
| OpenAI | AI processing (GPT-4o, DALL-E) | US | Standard Contractual Clauses |
| Stripe | Payment processing (paid plans only) | US / UK | UK Adequacy / SCCs |
| LinkedIn API | Publishing to LinkedIn (user-initiated) | US / Ireland | SCCs |
| Meta API | Publishing to Facebook and Instagram (user-initiated, planned) | US | SCCs |
| TikTok API | Publishing to TikTok (user-initiated, planned) | US | SCCs |
| Google APIs | Search Console, Drive, and similar integrations (user-initiated) | US | SCCs |
We maintain Data Processing Agreements with all sub-processors that handle personal data. If we change sub-processors, we will update this list and notify existing customers via email at least 30 days before the change takes effect.
6.2 Other disclosures
We may share your personal data with:
- Professional advisors - our lawyers, accountants, and auditors, where necessary for legitimate business operations
- Law enforcement and regulators - where we are legally required to disclose, such as in response to a valid court order or regulatory investigation
- Acquirers - if Nuflw is acquired, sold, or merged with another company, your data may transfer to the acquirer, subject to the protections in this policy
- In emergencies - to protect the vital interests of any person, where there is a serious threat to life or safety
We do not:
- Sell your personal data to anyone
- Share your personal data with advertising networks
- Share your personal data with data brokers
- Share your personal data with any party not listed above
7. Your rights
Under UK GDPR, you have the following rights regarding your personal data. You can exercise any of these by emailing privacy@nuflw.com.
7.1 Right of access
You can ask for a copy of all personal data we hold about you. We will provide this within 30 days, in a structured electronic format where possible. The first request is free; subsequent identical requests within a 12-month window may incur a reasonable fee.
7.2 Right to rectification
You can ask us to correct inaccurate or incomplete personal data. You can also update most of your data directly through your account settings.
7.3 Right to erasure ("right to be forgotten")
You can ask us to delete your personal data. We will do so unless we have a legal obligation to retain it (for example, tax records). Deletion of account data triggers:
- Immediate deactivation of your account
- Removal from all visible Nuflw interfaces within 24 hours
- Permanent deletion from our active databases within 30 days
- Permanent deletion from backups within 90 days
Note: data we hold in audit logs (such as billing records and security logs) may be retained for the legal periods specified in Section 8.
7.4 Right to restriction of processing
You can ask us to stop processing your data while we investigate a complaint or request. During restriction, we will keep your data but not actively use it.
7.5 Right to data portability
You can ask for a copy of your data in a structured, commonly-used, machine-readable format (such as CSV or JSON) to transfer to another service.
7.6 Right to object
You can object to processing based on legitimate interests (Section 4.2). You can also object at any time to direct marketing - which we will action immediately.
7.7 Right to withdraw consent
Where we rely on consent (Section 4.3), you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
7.8 Right to complain
If you are unhappy with how we have handled your data, you can complain to the UK's Information Commissioner's Office:
- Website: https://ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the chance to address your concerns directly before you involve the ICO. Email us at privacy@nuflw.com.
8. How long we keep your data
We retain personal data only for as long as necessary:
| Category | Retention period |
|---|---|
| Active account data | While your account is active |
| Deleted account data | Permanently deleted within 30 days of deletion request (backups within 90 days) |
| Workspace content (campaigns, designs, contacts) | While workspace is active; deleted within 30 days of workspace deletion |
| AI conversation history (Forge Chat, etc.) | 12 months from last use, or until you delete it |
| Forge Intelligence compiled context | While workspace is active |
| Web analytics and usage logs | 13 months from collection |
| Email delivery logs | 12 months from sending |
| Billing and tax records | 6 years from end of relevant accounting period (UK statutory) |
| Security and audit logs | 12 months |
| Customer support communications | 3 years from last interaction |
| Data we hold under legal hold (e.g. ongoing dispute) | For the duration of the legal requirement |
After the retention period ends, data is permanently and irrecoverably deleted.
9. Cookies and similar technologies
When you visit nuflw.com, we use cookies and similar technologies to make the Service work. We categorise these as follows:
9.1 Strictly necessary cookies
These are essential for the Service to function. They cannot be disabled.
- Authentication cookies - keep you logged in
- Security cookies - protect against cross-site request forgery
- Load balancing cookies - route requests efficiently
- Cookie consent cookie - remembers your cookie preferences
9.2 Analytics cookies (with your consent)
Help us understand how the Service is used so we can improve it.
- Vercel Analytics - measures page views, performance, and visitor counts (privacy-preserving, no personal identifiers)
You can opt out of analytics cookies at any time via the cookie banner or by visiting /cookie-preferences.
9.3 No advertising or tracking cookies
We do not use:
- Third-party advertising cookies
- Cross-site tracking cookies
- Social media pixels (Facebook Pixel, LinkedIn Insight Tag, TikTok Pixel, etc.)
10. International data transfers
Some of our sub-processors are based outside the UK, primarily in the United States. When we transfer personal data outside the UK, we ensure appropriate safeguards are in place:
- UK adequacy decisions where they apply
- Standard Contractual Clauses (UK SCCs / International Data Transfer Agreement) with all US-based sub-processors
- Transfer impact assessments for sensitive transfers
You can request a copy of the safeguards we use for any specific transfer by emailing privacy@nuflw.com.
11. Data security
We take data security seriously. Our security measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Hashed and salted password storage (we never see your password)
- Multi-factor authentication available on all accounts (recommended for all users)
- Role-based access controls within Nuflw infrastructure
- Regular security audits and dependency vulnerability scanning
- Incident response procedures including breach notification (where required, within 72 hours to the ICO)
No internet-based service can guarantee 100% security. If you believe your account has been compromised, contact us immediately at privacy@nuflw.com.
12. Children's data
Nuflw is intended for use by professional marketers and business owners. It is not designed for or directed at anyone under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact privacy@nuflw.com and we will delete it immediately.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes (changes that affect your rights or how we process your data) will be communicated to existing users by email at least 30 days before they take effect.
Minor changes (clarifications, formatting, updated sub-processor details that don't materially change processing) may be made without advance notice but will always be reflected in the "last updated" date at the top.
You can subscribe to be notified of any changes by emailing privacy@nuflw.com.
14. Contact us
For any data protection enquiries:
Email: privacy@nuflw.com
Post: Data Protection, Nuflw Ltd, NUFLW LTD REGISTERED OFFICE ADDRESS
We aim to respond to all enquiries within 5 working days, and to formal data subject requests within the statutory 30-day window.
For all other support enquiries, please contact hello@nuflw.com.