Privacy Policy

1. About this Privacy Policy

This Privacy Policy explains how Nomius OÜ ("Nomius", "we", "us", "our") collects, uses, shares and protects personal data when you visit nomius.io (the "Website"), submit a form, request a demonstration, subscribe to our communications, create an account, or otherwise interact with us in a business context.

This Privacy Policy applies to Nomius's processing of personal data as a controller — that is, when we determine why and how personal data is processed.

It does not apply to personal data we process on behalf of our customers as a processor when they use the Nomius platform. That processing is governed by the Data Processing Agreement (DPA) between Nomius and the relevant customer.

2. Who We Are

We are registered in Estonia under company number 17218128 and have our registered office at Harju maakond, Tallinn, Põhja-Tallinna linnaosa, Sõle tn 18-99, 10320. Our main trading address is our registered office address. We are a limited company. To contact us, please email compliance@nomius.io.

Our lead supervisory authority under EU GDPR is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) — www.aki.ee.

Our designated representative in the United Kingdom under Article 27 UK GDPR is: ReguLogix Consulting Ltd, 23 Crow Hill Lane, Cambridge, CB23 5AP, UK, contact@regulogix.io. You may contact our UK Representative directly in relation to your personal data and your rights under UK GDPR.

3. Personal Data We Collect

We collect the following categories of personal data:

• Identity data: first name, last name, professional title, role.
• Contact data: business email address, business telephone number, postal address.
• Account data: authentication factors, account preferences (where you create a Nomius account).
• Commercial data: company name, sector, jurisdictions of interest, regulatory frameworks relevant to your organisation, and information you choose to share when requesting a demonstration, proposal, or service.
• Transaction data: billing details, payment status, subscription tier, renewal date. Payment card data is processed directly by our payment provider; we do not store full card numbers.
• Technical data: IP address, browser type and version, time zone, operating system, device identifiers, referring URL, page interaction data, session duration.
• Marketing data: your preferences in receiving communications from us, opt-in/opt-out status, content engagement.
• Correspondence data: the content of emails, support tickets, and other communications you send to us.

We do not intentionally collect special category data or sensitive personal information through the Website. Please do not submit health, biometric, genetic, racial, religious, political, sexual orientation, trade union, or similar data via our forms.

4. How We Collect Personal Data

• Directly from you – when you complete a form, request a demonstration, subscribe to communications, create an account, attend an event or webinar, or contact us by email.
• Automatically, through cookies and similar technologies: see our Cookie Policy.
• From third parties and public sources, including:
  • Cloud infrastructure and security providers (technical and security data)
  • Analytics providers (usage data, see Section 8)
  • Professional networks such as LinkedIn (business contact data you have made publicly visible)
  • Public registers (company registers, regulatory databases) for verification of business information
  • Event and webinar partners, where you have provided your details to the organiser, with the understanding that they may be shared with sponsors or co-hosts

Where we obtain personal data from a source other than you, we will provide the information required under Article 14 of the GDPR within one month, unless an exception applies.

5. How and Why We Use Personal Data

Legal basis

The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:

• Performance of a contract with you: Where we need to perform the contract we are about to enter into or have entered into with you.
• Legitimate interests: We may use your personal data where necessary to conduct our business and pursue our legitimate interests, for example, to prevent fraud and to enable us to provide you with the best and most secure customer experience. We ensure we consider and balance any potential impact on you and your rights (both positive and negative) before processing your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to do so by law).
• Legal obligation: We may use your personal data when necessary to comply with a legal obligation to which we are subject. We will identify the relevant legal obligation when we rely on this legal basis.
• Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example, if you subscribe to an email newsletter.

Purposes for which we will use your personal data

We have set out below, in a table, a description of how we plan to use the various categories of your personal data and which legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.

We do not use solely automated decision-making, including profiling, that produces legal or similarly significant effects on you within the meaning of Article 22 of the GDPR.

6. Marketing Communications

We send marketing communications to business contacts where:

• You have opted in to receive them; or
• You are an existing customer, or you have actively enquired about our services, and we rely on the soft opt-in under the UK PECR and EU ePrivacy framework, with a clear opt-out provided in every message.

You can unsubscribe at any time using the link in any marketing email, or by emailing compliance@nomius.io. Unsubscribing does not affect transactional, service-related, or legally required communications.

7. Cookies and Similar Technologies

Our use of cookies, pixels, and similar tracking technologies is described in our Cookie Policy. Non-essential cookies are set only with your prior consent, in line with PECR (UK), the ePrivacy Directive (EU), and the Estonian Electronic Communications Act. You can withdraw or change your consent at any time through the Cookie Settings link in our footer.

8. Who We Share Personal Data With

We share personal data only with the following categories of recipients, and only to the extent necessary for the purposes set out in Section 5:

• Cloud infrastructure providers: Amazon Web Services, Inc. and Google LLC, providing hosting, storage, and compute services. Data is hosted primarily in EU regions, but the contracting entities are US-based and may have administrative or support access from the US.
• Analytics and marketing technology providers: including Google Analytics and HubSpot, for website analytics and marketing automation.
• Communications and productivity providers: including Google Workspace (email, calendar, documents) and video-conferencing tools used to deliver demonstrations and meetings.
• Payment processors: Stripe for processing subscription payments. We do not store full payment card data.
• Professional advisors: auditors, lawyers, accountants, insurers, and consultants under duties of confidentiality.
• Authorities: courts, regulators, law enforcement, and tax authorities, where we are required by law to disclose.
• Corporate transactions: counterparties and their advisors in connection with any reorganisation, merger, acquisition, sale, joint venture, assignment, transfer, or other disposition involving Nomius.

We require all third parties to respect the security of personal data and process it only in accordance with our written instructions and applicable law.

We do not sell personal data, and we do not "share" personal data for cross-context behavioural advertising.

9. International Data Transfers

Some of our service providers, notably Amazon Web Services, Inc. and Google LLC, are headquartered in the United States. Data is hosted in EU regions where possible, but transfers to the US occur where these providers' personnel access data for support, security, or operational purposes.

For these transfers, we rely on the following safeguards:

• To the United States: the EU–US Data Privacy Framework and the UK Extension to the EU–US Data Privacy Framework, where the recipient is self-certified. AWS and Google are both DPF-certified. For any transfers outside the scope of the DPF, we additionally rely on the European Commission's Standard Contractual Clauses (Module Two – controller to processor) and the UK International Data Transfer Addendum (IDTA), supplemented by a Transfer Impact Assessment and appropriate technical and organisational measures (encryption in transit and at rest, access controls, logging).
• To other third countries: European Commission adequacy decisions where available; otherwise, SCCs and the UK IDTA, supported by a Transfer Impact Assessment.

You may request a copy of the relevant transfer mechanism by emailing compliance@nomius.io.

10. Data Security

We maintain technical and organisational measures appropriate to the risk, including:

• Encryption in transit (TLS 1.2 or higher) and at rest
• Role-based access control and the principle of least privilege
• Multi-factor authentication for administrative access
• Centralised logging, monitoring, and alerting
• Vulnerability management, secure-development practices, and code review
• Vendor due diligence and contractual data protection terms
• Regular staff training on information security and data protection

Our information security programme is aligned with ISO/IEC 27001.

We have procedures to detect, contain, investigate, and respond to personal data breaches. Where required by law, we will notify the relevant supervisory authority, and where there is a high risk to your rights and freedoms, we will notify you directly.

11. How Long Do We Keep Personal Data

After the relevant retention period, personal data is deleted or anonymised. Backup copies are overwritten on the standard backup rotation cycle.

12. Your Rights

12.1 If you are in the UK, EU, or EEA

Under UK GDPR and EU GDPR, you have the right to:

• Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons, which, if applicable, will be notified to you at the time of your request.
• Object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
• You also have the absolute right to object at any time to the processing of your personal data for direct marketing purposes.
• Request the transfer of your personal data to you or to a third party. We will provide your personal data to you or to a third party you have chosen in a structured, widely used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:
  • If you want us to establish the data's accuracy;
  • Where our use of the data is unlawful, but you do not want us to erase it;
  • Where you need us to hold the data even if we no longer require it, as you need it to establish, exercise or defend legal claims; or
  • You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it. If you wish to exercise any of the rights set out above, see Contact details below.

You may complain to:

• The Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) – Nomius's lead supervisory authority – www.aki.ee
• The UK Information Commissioner's Office (ICO) – www.ico.org.uk – for matters concerning UK data subjects
• Your local EEA supervisory authority

We would, however, appreciate the opportunity to address your concerns directly before you contact a regulator.

12.2 If you are in Switzerland

Under the revised Swiss Federal Act on Data Protection (revFADP), you have rights that are substantially similar to those above, including the right to obtain information about automated individual decisions. Complaints may be made to the Federal Data Protection and Information Commissioner (FDPIC) – www.edoeb.admin.ch.

12.3 If you are in the USA

You have the right to:

• Know what personal information we collect, the sources, the purposes, and the categories of recipients
• Access a copy of your personal information
• Correct inaccurate personal information
• Delete personal information, subject to legal exceptions
• Opt out of "sale" or "sharing" – Nomius does not sell or share personal information as those terms are defined; we therefore do not operate a "Do Not Sell or Share My Personal Information" link, but you may submit a request, and we will confirm in writing
• Limit use of sensitive personal information – we do not collect sensitive personal information through this Website
• Non-discrimination – we will not discriminate against you for exercising any right
• Authorised agent – you may use an authorised agent to submit requests on your behalf, subject to verification

We honour Global Privacy Control (GPC) signals as a valid opt-out signal where applicable.

12.4 Exercising your rights

To exercise any right, email compliance@nomius.io. We may need to verify your identity before responding, particularly for access, correction, or deletion requests.

We will respond:

• Within one month for UK / EU / EEA requests, extendable by two further months for complex requests
• Within 45 days for US state law requests, extendable by 45 days where reasonably necessary

There is no fee for most requests. We may charge a reasonable fee or refuse to act where requests are manifestly unfounded, repetitive, or excessive – and we will explain our reasoning.

13. Making a Data Protection Complaint to Nomius

If you believe that we have processed your personal data in a way that infringes any applicable data protection law, you have the right to make a complaint directly to us.

This includes, for example, concerns about how we have:

• Handled a subject access request or another rights request;
• Collected, used, stored, retained, secured, or shared your personal data;
• Responded to a personal data breach affecting you;
• Communicated with you for marketing purposes; or
• Explained our processing in this Privacy Policy or related notices.

13.1 How to make a complaint

You can make a data protection complaint to us by any of the following means:

• Email: compliance@nomius.io with the subject line "Data Protection Complaint"
• Through our UK Representative: contact@regulogix.io (with the subject line "Nomius Data Protection Complaint") for UK data subjects who prefer to use this route

We will accept and investigate complaints submitted by any reasonable means, including through general correspondence channels, even if the above routes are not used.

To help us investigate efficiently, please include, where possible:

• Your name and contact details;
• A clear description of your concern and the personal data involved;
• Relevant dates, reference numbers, or correspondence; and
• The outcome you are seeking.

If you are making a complaint on behalf of someone else, please include evidence of your authority to act for them.

13.2 How we will handle your complaint

• Acknowledgement: We will acknowledge receipt of your complaint within 30 days of receiving it.
• Investigation: We will conduct appropriate enquiries into the subject matter of your complaint. Our investigation will be proportionate to the nature, complexity, and seriousness of the issue raised.
• Progress updates: We will keep you informed of progress, including expected timeframes for resolution and explanations for any delays.
• Outcome: We will respond with the outcome of our investigation without undue delay – that is, without unjustifiable or excessive delay, taking into account the complexity of the issue and any harm involved. Our response will set out the result of our enquiries, the steps (if any) we have taken or will take, and our reasoning.
• Records: We maintain a central log of data protection complaints, our investigations, and the outcomes.

13.3 Your right to escalate to the ICO or other supervisory authority

If you are not satisfied with how we have handled your complaint, or if you do not receive an adequate response, you retain the right to complain to a supervisory authority at any time:

• UK Information Commissioner's Office (ICO) – www.ico.org.uk
• Estonian Data Protection Inspectorate – www.aki.ee
• Your local EEA supervisory authority
• For Swiss data subjects: the Federal Data Protection and Information Commissioner (FDPIC) – www.edoeb.admin.ch

Making a complaint to us does not affect your right to bring a claim before a competent court, or to seek any other remedy available to you under applicable law.

14. Children

Our Website and services are intended for businesses and professionals, not children. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided personal data to us, please contact compliance@nomius.io, and we will delete it.

15. Third-Party Links

The Website may contain links to third-party websites, plug-ins, and applications (for example, LinkedIn). Clicking those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third parties and are not responsible for their privacy practices. We encourage you to read the privacy policy of every site you visit.

16. Changes to This Privacy Policy

We regularly review this Privacy Policy. The "Last updated" date at the top reflects the most recent version. We will communicate material changes by email (where we have an active relationship with you) or by a prominent notice on the Website. Historic versions are available on request from compliance@nomius.io.

17. Contact Us

For privacy questions, to exercise your rights, or to make a complaint to Nomius:

• Email: compliance@nomius.io
• UK Representative: contact@regulogix.io (with the subject line "Nomius Data Protection Enquiry")