Privacy Policy
NexusBond Ltd (“NexusBond”, “we”, “us” or “our”) is committed to protecting the privacy and security of visitors to our website (https://nexusbond.com) and users of our services. This Privacy Policy explains how we collect, use, store, and share your personal data when you interact with our website or services, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It also describes your rights regarding your personal data and how you can exercise them. We have drafted this policy in plain English to be clear and transparent, so you can easily understand our practices.
This Privacy Policy applies to personal data collected through our website (which we use for lead generation and marketing of our B2B web development and design services) and related interactions (such as scheduling meetings or subscribing to communications). It does not cover any other websites or services that may be linked on our site. By using our website or submitting information to us, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use our site.
Who We Are (Data Controller)
NexusBond Ltd is the data controller for personal data collected via our website and related services. This means NexusBond determines the purposes and means of processing your personal information. NexusBond Ltd is a company registered in England and Wales (Company No. 09001165). Our registered office is at 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, England. You can contact us with any questions or requests regarding your personal data by emailing [email protected] or writing to our postal address.
For the purposes of this policy, “personal data” (or “personal information”) means any information relating to an identified or identifiable natural person. This includes obvious identifiers like name and contact details, as well as information like IP addresses or cookies that can indirectly identify you. We do not intentionally collect any special category or sensitive personal data (such as information about health, race, religion, or political opinions) via our website, and we ask that you do not provide such information in any forms or messages you submit.
Personal Data We Collect
We may collect and process various categories of personal data from you when you visit our site or use our services. The types of information we collect fall into these categories:
Information You Provide Directly: When you interact with our lead generation forms, contact forms, or scheduling tools, you may choose to provide personal data. For example: name, email address, phone number, company name, company size, job title, and project-related information or inquiries. This includes any details you submit when requesting an instant website quotation, contacting us about a project, or signing up for our newsletter or marketing communications. If you schedule a consultation or meeting through our site (for instance, via our integrated Calendly scheduler), you will provide details like your name, email, phone, preferred meeting time, and any notes about your request. All of this information is provided voluntarily by you and we will use it only for the purposes described in this policy.
Information Collected Automatically (Usage and Device Data): When you visit our website, we automatically collect certain technical data about your device and browsing activity through cookies and similar tracking technologies (as detailed in the Cookies section below). This Usage Data may include your IP address, browser type and version, device identifiers, operating system, referring website, pages viewed, date/time of visit, and how you navigate and interact with our site. We use Google Analytics 4 (GA4) to gather statistics on site usage, and the Meta Pixel (Facebook Pixel) to understand advertising effectiveness; these tools may collect data about your interactions with our site, such as the pages you view and actions you take (like clicking a link or submitting a form). We configure these analytics tools to avoid collecting directly identifiable information wherever possible (for example, GA4 anonymizes IP addresses by default). Usage Data helps us improve our website’s functionality and understand user engagement, but it may be considered personal data under UK privacy laws since it can relate to an identifiable individual (e.g., via an IP or cookie ID).
Cookies and Similar Technologies Data: Cookies are small text files placed on your browser or device when you visit websites, which store information about your preferences or actions. Our site uses cookies (and similar technologies like pixel tags) for various purposes. Some cookies are essential for our site to function (e.g. to enable form submissions or remember your cookie consent preferences), while others are optional and help us improve your experience or market our services. Specifically, analytics cookies (from Google Analytics) collect aggregated data about site traffic and user behavior, and advertising/targeting cookies (such as those set by Meta Pixel) collect data about your browsing to tailor advertisements on platforms like Facebook/Instagram. We also may use functionality cookies to remember choices you make (for instance, if our site offers preference selections). We describe our cookie usage in more detail in the Cookies section below, including how you can manage or withdraw consent for non-essential cookies.
Information from Third-Party Sources: In general, we collect personal data directly from you. We do not typically obtain additional personal information from third-party data brokers or public databases via our website. However, if you interact with our social media pages or advertising, or if you were referred to us by a partner, we might receive basic contact or profile information through those sources. For instance, if you click on a NexusBond ad on a platform like Facebook or LinkedIn and fill in your details, those platforms may pass that information to us. We will treat any such information in accordance with this Privacy Policy. Additionally, if your contact information was provided to us by you through a third-party scheduling service (like Calendly) or is entered into our systems by our team (e.g., adding your business contact details to our CRM after an event or call), we will process it as described here.
We do not knowingly collect personal data from children. Our website and services are aimed at business professionals and are not intended for children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us and we will delete the data.
How We Use Your Personal Data (Purposes and Legal Bases)
We will only use your personal data when the law allows us to, and we have identified a valid lawful basis under the UK GDPR for each use. Below we describe the purposes for which we process personal data and the corresponding legal bases:
1. To Respond to Inquiries and Provide Services: When you request an instant website quote, fill out a contact form, or otherwise inquire about our services, we use your provided information (such as your name, contact details, and project details) to respond to you and provide the information or service you requested. This may include contacting you by email or phone to discuss your project, provide a quotation, or schedule a follow-up call. The legal basis for this processing is legitimate interests (Article 6(1)(f) UK GDPR), specifically our interest in responding to potential business clients and offering our services, or contract (Article 6(1)(b)) where your request is a step towards entering into a contract with us (for example, discussing a project proposal you asked for). We consider that our legitimate interest in growing our business and replying to your inquiry is not overridden by your data protection rights, as you initiated contact and would reasonably expect us to use your details for this purpose. If you do become a client, further processing of your data for providing and administering our services will be based on contract necessity and our legitimate interests in managing the client relationship.
2. To Schedule Meetings or Calls (Calendly): If you choose to book a consultation or meeting with us through our online scheduling tool (which is powered by Calendly), we will process the personal data you provide in the scheduling form (e.g. name, email, phone, and requested meeting time) to arrange and confirm the appointment. We (and Calendly) use this information to send you confirmation and reminder communications and to avoid scheduling conflicts. This processing is based on your consent (Article 6(1)(a)), which you give by voluntarily entering your details and scheduling a meeting, as well as our legitimate interest in efficiently coordinating meetings with prospective or current clients. You may withdraw consent by canceling the meeting and contacting us to request deletion of the scheduling details, but note that processing that has already occurred for the meeting arrangement is not affected by the withdrawal. (More details on Calendly and how it handles your data are provided in the “Third-Party Services” section below.)
3. To Send Marketing Communications (with Consent or Soft Opt-in): We may use your contact details (such as email address or phone number) to send you marketing communications about our services, industry insights, or events if you have opted-in to receive such communications. For example, if you subscribe to our newsletter or explicitly request marketing updates, we will process your data to send you those communications on the basis of consent (Article 6(1)(a)). You have the right to withdraw your consent at any time, and every marketing email will include an unsubscribe link for your convenience. Additionally, if you have engaged with us in a business context (for instance, requested a quote or became a client), we may send you relevant marketing or follow-up communications about our services under the “soft opt-in” rule (as permitted by the Privacy and Electronic Communications Regulations (PECR) for B2B contacts), based on our legitimate interests in maintaining and developing our relationship with you. In all cases, you can opt out of marketing messages from us at any time, and we will honor such requests promptly.
4. To Improve Our Website and Services (Analytics): We use data about how visitors use our website to improve its design, functionality, and content. Through Google Analytics 4, we analyze aggregated information such as overall visitor numbers, page load speeds, user navigation patterns, and which content is most engaging. This helps us understand what our audience is looking for and to enhance user experience. The data Google Analytics collects may include your IP address (truncated/anonymized), device and browser information, and on-site actions, but it does not identify you by name. We process analytics data based on your consent, obtained via our cookie consent banner when you first visit the site. Under UK law, non-essential cookies like analytics require your prior consent, which means we will only load Google Analytics cookies if you have allowed it. You can change your cookie preferences at any time (see “Cookies and Tracking Technologies” below). We have configured Google Analytics 4 with privacy in mind (for example, IP anonymization is enabled by default, and we have set appropriate data retention limits) to align with data protection requirements. The legal basis for using analytics data is consent; if you do not consent or if you opt-out, your decision will not affect your ability to use our site, and no analytics data will be collected from your device.
5. To Deliver and Measure Advertising (Meta Pixel): We engage in digital advertising to reach new customers and showcase our services. Our website uses the Meta Pixel (formerly Facebook Pixel), which is a piece of code provided by Meta Platforms, Inc. (the company behind Facebook and Instagram). The Meta Pixel tracks certain actions you take on our site (for example, visiting specific pages or submitting a form) and allows us to measure the effectiveness of our ads, understand what actions people take after seeing our ads, and retarget website visitors with relevant advertisements on Facebook/Instagram. The Pixel works by dropping a cookie or similar identifier on your browser that links your site activities to the Meta Platforms advertising network. Through this technology, Meta may collect or receive certain technical and usage information from our site and may associate it with your Meta user account (if you have one) to optimize ad delivery. We implement the Meta Pixel only if you have given consent for marketing cookies via our cookie banner; the legal basis for this processing is consent (Article 6(1)(a)). If you consent, the data collected through the Pixel may be processed by Meta in the United States or other countries (see “International Data Transfers” below for how we safeguard such transfers). You can always adjust your browser settings or use Facebook’s ad preferences to control how Meta collects and uses information for ads. We do not have access to personal identifiers like your Facebook profile through this Pixel, and we do not receive personal data from Meta about you individually; rather, we get aggregated insights (e.g., how many people took an action after seeing an ad). For more information on how Meta handles data collected through the Pixel, you can refer to Meta’s own privacy policy. 
Again, we rely on your consent — if you decline or revoke consent for targeting cookies, the Meta Pixel will not be activated and your browsing will not be tracked for advertising purposes.
6. To Manage Appointments and Client Relationships (CRM): We store and organize personal data related to our leads, prospects, and clients in our Customer Relationship Management system, which is powered by Odoo (Odoo S.A.). When you provide your information (through the website forms, Calendly scheduling, or during communications with us), we may input and maintain that data in our CRM. This helps us keep track of our interactions with you, follow up appropriately, and provide you with continuity of service (for example, remembering your project requirements or communication preferences). The processing activities here include storing your contact information, notes of our communications or meetings, and updating the status of our business relationship (e.g., prospective client, current client, etc.). We do this based on our legitimate interests in effectively running our business, maintaining professional relationships, and ensuring we can deliver services or proposals you have requested. We ensure that access to CRM data is restricted to our authorized staff and protected by security measures (see “Data Security” below). If you become a client, certain data may also be processed on the legal basis of contract necessity (to perform our contractual obligations to you, such as delivering a project and communicating about it). If you request that we no longer contact you or delete your data, we will remove or anonymize your information from our CRM, provided we do not need to retain it for other legitimate reasons (like a legal obligation or for defending against claims).
7. To Comply with Legal Obligations: In some cases, we may need to process personal data to comply with our legal or regulatory obligations. For example, if we have a contractual relationship and issue invoices, we might need to retain certain information for tax and accounting purposes (legal basis: legal obligation under Article 6(1)(c)). We may also process or disclose personal data where necessary to respond to lawful requests from law enforcement or to comply with court orders. We will only do so after verifying the legitimacy of such requests and to the extent required by law.
8. To Ensure Website Functionality and Security: We process some data to maintain the security and proper functioning of our website and IT systems. This includes using certain essential cookies and logging information (like IP addresses) to protect against malicious activity, debug issues, and manage consent preferences. Our basis for this is legitimate interests – specifically, our interest in keeping our website secure, preventing fraud, and ensuring it works as intended for users. For example, we might use your IP address and browser info to detect and block spam or unauthorized access attempts. We do not use this data to profile you for marketing; it is only used for security/functional purposes.
In any instance where we rely on consent as the legal basis, you have the right to withdraw that consent at any time. For example, you can withdraw your consent for analytics or pixel tracking by adjusting your cookie settings on our site (or via your browser), or unsubscribe from marketing emails by clicking the link in the footer of those emails. If you withdraw consent, we will stop the processing of your data for the purpose you originally agreed to, unless we have another lawful basis that we have communicated to you. Withdrawal of consent will not affect the lawfulness of any processing carried out before you withdrew consent.
When we rely on legitimate interests, we have balanced those interests against your rights and freedoms to ensure no undue harm to your privacy. You still have the right to object to processing based on legitimate interests (see “Your Rights” below), and we will honor such objections unless we have compelling grounds to continue or the processing is needed for legal claims.
We will not use your personal data for new purposes that are not covered by this Privacy Policy without first providing you notice (and if required, obtaining your consent).
Cookies and Tracking Technologies
Cookies are small files stored on your browser or device by websites that you visit. They are widely used to make websites work, or work more efficiently, as well as to provide information to the site owners. We use cookies and similar tracking technologies on our site for several reasons, as outlined below.
1. Types of Cookies We Use:
Strictly Necessary Cookies: These cookies are essential for the operation of our website and to enable you to use its features. For example, they allow us to remember your cookie preferences, enable form submissions (such as the contact or quotation form), or keep you logged in to any secure areas. Without these cookies, services you have asked for (like navigating the site or submitting information) cannot be provided. These cookies do not gather information about you for marketing or analytics. Because they are necessary for the site to function, we do not require your consent to place these cookies; however, you can still block them via your browser settings (though portions of the site may not work properly if you do).
Functionality Cookies: These cookies allow our website to remember choices you make and provide enhanced, more personalized features. For instance, if our site offers a choice of language or remembers your region or username for a future visit, functionality cookies would store those preferences. Currently, our site’s use of functionality cookies is limited; however, if we use any third-party tools that embed content (for example, a Calendly widget or a chat support feature), those might set cookies to remember you or tailor the experience. The information these cookies collect may be anonymized and they cannot track your browsing activity on other websites.
Analytics/Performance Cookies: We use analytics cookies to collect information about how visitors use our website, in order to improve performance and user experience. For example, we use Google Analytics 4, which sets cookies (such as _ga and others) to gather data on things like how many people visit the site, which pages are popular, how long users stay on each page, and whether visitors encounter errors. These cookies do not collect information that directly identifies you; the data is aggregated and used to understand trends and statistics (for example, total number of visitors in a day, or general patterns of usage). We have configured Google Analytics to anonymize IP addresses and disable sharing of data with other Google products, to further protect your privacy. Analytics cookies are only placed if you have given consent via the cookie banner. If you do not allow these cookies, we will not collect analytics data from your device, and it will not affect your use of the site (but it helps us if you do allow, so we can improve our services). You can opt-out at any time by adjusting your cookie settings or browser settings.
Advertising/Targeting Cookies: These cookies record your visit to our website, the pages you have visited, and the links you have followed. They are used to deliver advertisements more relevant to you and your interests, often on other sites or social media platforms. We use the Meta Pixel and possibly similar ad cookies to help with our advertising efforts. For instance, if you allow targeting cookies, the Meta Pixel on our site will note that you visited and allow us to show you a NexusBond advertisement later on Facebook or Instagram that is relevant to your interest in our services. These cookies may track your browsing across other sites as well (for example, if those sites also utilize the same advertising networks). They work by uniquely identifying your browser and internet device; however, they typically do not store directly identifiable information like your name. If you do not allow these cookies, you will experience less targeted advertising from us. Targeting cookies from third parties (like Meta or other ad networks) are only set with your consent.
You can manage these in our cookie banner or block them in your browser. Please note that even if you opt-out of targeting cookies, you may still see generic ads from us on other platforms – they just won’t be tailored based on your web behavior.
Third-Party Cookies: In addition to the cookies we set, some third-party services that we use may set their own cookies on our site (with your permission where required). For example, as noted, Google Analytics and Meta Pixel set their respective cookies. Additionally, if we embed content from other platforms (like a YouTube video, a social media feed, or use Calendly’s embedded scheduler), those services might set cookies as well. We do not control third-party cookies and their use is governed by the privacy/cookie policies of the third parties. However, our cookie consent mechanism is designed to not load these third-party tools (except strictly necessary ones) unless you have opted in. Calendly, for instance, may set cookies to remember your input or preferences when booking a meeting; Odoo (our CRM) might set a cookie if you log into any client portal (if such exists); and any social media sharing plugin could set cookies. We endeavor to inform you and obtain consent for any such cookies when they are not strictly necessary.
2. Cookie Consent and Management:
When you first visit our website, you will see a cookie banner or pop-up asking you to set your cookie preferences. You can choose to accept all cookies, reject non-essential cookies, or customize your choices (e.g., allowing analytics but not advertising cookies). Your preferences will be remembered by a necessary cookie so that we don’t keep pestering you with the banner on every visit. However, note that if you clear your cookies or use a different device/browser, you may need to set your preferences again.
If at any time you change your mind about cookie consent, you can update your preferences. We provide a link or mechanism on our site (often in the footer or a “Cookie Settings” button) where you can revisit your choices. Alternatively, you can control cookies through your browser settings: most web browsers allow you to refuse new cookies, delete existing cookies, or alert you when cookies are being set. Please refer to your browser’s help documentation for instructions on how to do this. Keep in mind, blocking all cookies (including essential ones) via your browser may impair some features of our site – for example, forms might not submit properly or your preferences may not be saved.
For targeting cookies like those from Meta/Facebook, you can also utilize tools provided by those third parties to opt out. For example, Facebook offers ad preference settings in your user account, and there are industry opt-out sites like the Network Advertising Initiative’s website or Your Online Choices (for EU/UK users) that allow opting out of many ad networks.
3. Do-Not-Track Signals: Some browsers have a “Do-Not-Track” (DNT) feature that signals to websites that you do not want to be tracked. Our site currently does not respond to DNT signals specifically, because there is no industry consensus on how to interpret them. Instead, we rely on our cookie consent system to honor your choices regarding tracking. Rest assured, if you decline analytics and targeting cookies on our site, we will not deploy those tracking tools for you regardless of DNT.
4. More Information: For more details about how we use cookies, you can contact us or refer to any Cookie Policy or detailed cookie list we maintain (if available on our site). By using our site with cookies enabled in your browser, you consent to our use of cookies as described here (to the extent you have not opted out). We aim to be fully transparent about our use of cookies and to comply with the UK Privacy and Electronic Communications Regulations (PECR) and UK GDPR requirements for cookie consent and privacy.
Third-Party Services and Data Processors
In the course of running our website and providing our services, we utilize several third-party services and platforms. Some of these third parties will process personal data on our behalf as “data processors” (bound by contracts to only act on our instructions), while others might process data for their own purposes as well (in which case they may be separate controllers of that data). We carefully select these providers to ensure they have strong privacy and security practices, and we only share the minimum data necessary with them. Below we outline the key third-party services we use that may involve your personal data:
Google Analytics 4: As noted, we use Google Analytics for website analytics. The service is provided by Google Ireland Limited for users in the UK/EEA (and by Google LLC in the USA). Google Analytics acts as our data processor to provide aggregated statistical data about site usage. The information generated by the Google Analytics cookies about your use of our website (which may include truncated IP address and usage data) is transmitted to Google’s servers. Google may process this data in various locations, including the United States. We have a data processing agreement with Google and have configured GA4 to enhance privacy (e.g., IP anonymization and limited retention). Google will use this information on our behalf to evaluate website usage and compile reports. Google is not permitted to use the data we collect for their own direct purposes (Google Analytics data may be used by Google to improve their services, but they do not identify individuals or share that data except as per their terms). For more details, you can review Google’s Analytics privacy and data practices on their website. If you opt out of analytics (via our site or Google’s own opt-out tools), Google Analytics will not collect your data.
Meta Pixel (Facebook Pixel): This is provided by Meta Platforms, Inc., headquartered at 1601 Willow Road, Menlo Park, CA 94025, USA. When active (with your consent), the Meta Pixel will send certain data about your visit to Meta. In this context, NexusBond and Meta might be considered joint controllers of the data collected via the Pixel, since we decide to implement it and Meta decides how to use it for ad targeting. We ensure that Meta only provides us with aggregated insights and we do not receive personal identifiers like your Facebook username. Meta may use the data collected via Pixel for its own purposes in accordance with its Data Policy (for example, to personalize ads on its platform or to improve its ad services). You can use features like Facebook’s “Off-Facebook Activity” tool to view and control the data that Meta collects from businesses and websites. We only deploy the Pixel after you have given consent through the cookie banner. If you withdraw consent, the Pixel will be deactivated for your browsing session. We also implement Meta’s Conversions API as needed, which sends event data directly to Meta’s servers for more reliable tracking (under the same consent conditions). Meta is certified under frameworks like the EU-U.S. Data Privacy Framework (for EU transfers) which may be extended to UK transfers, and we rely on standard contractual clauses for UK data transfers to Meta (see “International Data Transfers”).
Calendly (Online Scheduling Service): We use Calendly to facilitate appointment scheduling on our site. Calendly, LLC (Address: 271 17th St NW, Ste 1000, Atlanta, GA 30363, USA), provides an online platform that integrates with our website, allowing you to book meetings with us by selecting an available time slot and entering your contact details. When you use Calendly via our site, you may either be redirected to Calendly’s website or interact with an embedded Calendly widget. The personal data you input (name, email, phone, and any message or answers to questions we set up in the scheduling form) will be collected by Calendly on our behalf. Calendly will process that information to send you confirmation and reminder emails (in some cases, SMS reminders if you provided a phone and opted in) about the meeting, and it provides us with the details so we know you booked and can prepare for our meeting. Calendly operates as a data processor for us regarding this data – we have an agreement with Calendly to ensure your data is protected. Calendly’s systems will store your information securely and transmit it to our calendar system. Calendly may also collect certain technical information (like your IP or device info) when you interact with the scheduler, and they use cookies to ensure the scheduling process works smoothly. For example, a Calendly cookie might remember your timezone or pre-fill your email if you’ve used Calendly before. The use of Calendly on our site is entirely optional – it is there for your convenience. If you prefer not to use it, you may contact us directly via phone or email to set up a meeting. By using the Calendly scheduler, you understand that your appointment data will be handled by Calendly under their privacy policy (available on Calendly’s website). We only use the information collected via Calendly for managing the appointment and subsequent follow-up. 
We do not use it for marketing unless you separately consent to that, and Calendly does not use your information for any purpose other than providing the scheduling service. Calendly may transfer data to the U.S. for processing (since they are U.S.-based), so see “International Data Transfers” for how we handle that.
Odoo (Customer Relationship Management platform): Odoo S.A. (headquartered in Belgium) provides the CRM software that we use to store and manage our business contacts and client information. Odoo acts as a data processor for us. When you submit a form on our website or schedule a meeting (or if we otherwise obtain your contact details through business interactions), that data may be entered into our Odoo CRM database. The kinds of data stored include your name, contact info (email, phone, company name/address), and a log of interactions (e.g., notes from calls or meetings, quotes provided, etc.). Odoo’s platform is a cloud-based service – our data is hosted on secure servers, which may be located within the UK or the European Economic Area (EEA). We have ensured that Odoo implements appropriate technical and organizational measures to protect personal data (such as encryption and access controls) and that it complies with GDPR/UK GDPR requirements. Odoo will not access or use the data we store in the CRM except as necessary to provide the service to us (for example, troubleshooting technical issues or performing upgrades, and even then under strict confidentiality). In essence, Odoo is like a locked filing cabinet that we rent to hold your information; they keep it secure but do not look inside without our permission. We keep our CRM data up-to-date and will delete or anonymize contacts that are no longer needed (as described in “Data Retention”). If you have any questions specifically about Odoo’s handling of personal data, you can refer to Odoo’s privacy resources or contact us for more information.
Email and Cloud Service Providers: We also use standard business tools for email communication (which may include providers like Microsoft Outlook/Office 365 or Gmail) and cloud storage (for files or backups). These providers may incidentally process personal data contained in communications or documents. For instance, if you email us, your email (which includes your address and whatever info you include in the message) will be stored on our email service provider’s servers. We have agreements or terms in place with these providers (Microsoft or Google, for example) to ensure they also protect data according to applicable laws. Such providers might store data outside the UK (often in the EEA or US), but we rely on their compliance with UK GDPR transfer safeguards (again, see “International Data Transfers”). We limit the use of cloud services to reputable companies with strong security.
Website Hosting and IT Support: Our website is hosted on servers provided by third-party hosting companies. Hosting providers have access to the server where your data might be temporarily processed (e.g., when you submit a form, the data passes through the server). We ensure our web host is reliable and compliant with data protection standards. Additionally, we might employ IT consultants or service providers to help maintain our website and systems. These parties may have access to personal data in the course of their work (for example, a developer troubleshooting the form submissions might see entries in a database). We contractually bind all such providers to confidentiality and to process data only under our instructions and in compliance with privacy laws.
We do not sell your personal data to third parties. We also do not share your personal data with third-party marketers or advertisers outside of the context described in this policy (i.e., the only advertising-related sharing is via cookies/pixels that you consent to, as described above).
Whenever we share data with service providers, we adhere to the principle of data minimization – we only share what is necessary for the specific task. For example, if we use an accountant or legal advisor for our company, we might share client contact information if needed for invoicing or contracts; those professionals would be bound to confidentiality as well.
In the event of any corporate transactions (for instance, if NexusBond Ltd were to merge with another business or if we were to transfer part of our operations), personal data might be shared with advisors or prospective parties under strict terms to evaluate the transaction, and ultimately transferred to successors of our business. If that happened, we would ensure your data remains subject to equivalent protections as under this policy, and we would notify you of any significant change in data control.
Lastly, we may disclose personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court order, law enforcement request), but we will carefully review such requests and only provide the minimum data necessary.
International Data Transfers
NexusBond is based in the United Kingdom. However, some of the third-party services we use (as described above) are located outside of the UK, which means personal data may be transferred or accessed internationally. In particular:
European Economic Area (EEA): The EEA (which includes EU countries) is currently deemed adequate by the UK for data transfer purposes. Our use of Odoo (based in Belgium) means some data is stored in the EEA, and the UK permits UK-to-EEA data flows freely. Similarly, if we work with any providers or partners in the EU (or if you are in the EU and reach out to us), those transfers are allowed under an adequacy decision. We still treat such data with the same security and care as data kept in the UK.
United States: Several of our key service providers are in the U.S. (Calendly, Meta/Facebook, Google, possibly our email or hosting providers). The UK does not currently have a blanket “adequacy decision” for the U.S., meaning we must ensure additional safeguards when transferring personal data to the U.S. or any other country without adequacy. For all such transfers, we rely on approved contractual and organizational safeguards. Typically, this involves using the UK International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs), which are legal contracts that bind the recipient to protect the data to UK GDPR standards. For example, our contracts with Google, Meta, Calendly, and Odoo all include standard data protection clauses. Some of these providers (like Google and Meta) may also participate in the new EU-U.S. Data Privacy Framework and are expected to extend similar commitments to UK data, but until there’s an official UK-U.S. arrangement, we continue to rely on SCCs/IDTA. In addition to contractual measures, we consider technical measures (encryption, pseudonymization) and the providers’ reputations and compliance history when transferring data.
Other Countries: If any data is transferred to countries other than the EEA or U.S., we will ensure an appropriate legal mechanism is in place. For instance, if our hosting provider stored backup data in Canada, that transfer would rely on the UK’s recognition of Canada as adequate (this is only an example). If we engage a processor in India or another location, we would use SCCs and ensure the processor gives commitments on data security.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy when transferred internationally. Despite the safeguards, you should be aware that when data is in another country, it may be subject to lawful access requests by governments in that jurisdiction (for example, U.S. authorities under certain conditions). We factor this into our assessments and choose providers that have a strong stance on privacy and transparency about government requests.
If you would like more information about our international data transfer practices or a copy of the relevant safeguards (e.g., the SCCs/transfer addendum used), please contact us. We may redact certain contractual details for confidentiality, but can provide insight into the protections in place.
Data Retention
We will retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In general, this means:
Inquiry and Lead Data: If you contact us for information about our services (but do not become a customer), we will retain your contact details and correspondence for a certain period in case you have follow-up questions or we need to refer back to our communications. Typically, we retain inquiry data for up to 24 months from the date of our last interaction with you. We find this timeframe appropriate to accommodate long sales cycles and potential future opportunities to work together, especially in a B2B context. However, we will not send you marketing beyond that period (or at all) if you have opted out or if we otherwise sense the opportunity is closed, unless you re-initiate contact. You can request deletion of your data sooner, and we will honor such requests as described below (unless we have a legal reason to keep it).
Client Data: If you become a client of NexusBond, we will retain your personal data for the duration of our business relationship and for a period afterward as necessary. Client records (including contracts, communications, project files, and billing information) may be kept for 6 years or more after the end of the engagement. This retention period is often driven by legal requirements (for example, UK tax law requires keeping invoices for at least 6 years) and our legitimate interest in having records in case of any disputes or follow-up projects. We aim not to keep data longer than needed; thus, non-essential parts of client data might be deleted sooner (for instance, we might archive or remove old project communications after a couple of years if no longer relevant). Critical information (like contracts and payment records) will be kept per legal obligations.
Newsletter/Marketing Subscription Data: If you have subscribed to a newsletter or agreed to receive marketing emails, we will retain your email address and related profile info until you unsubscribe or otherwise inform us that you no longer wish to receive the communications. If we notice that your email consistently bounces or you never engage, we might remove you from the list as part of routine list cleaning. In any case, if you withdraw consent or opt-out, we will stop sending you emails and will delete or suppress your contact details on our marketing list promptly.
Analytics Data: Data collected via Google Analytics is retained according to the settings we’ve applied in GA4. Currently, user-level and event-level data associated with cookies and user identifiers in GA4 is set to be retained for 14 months (which is the maximum we allow before automatic deletion). Aggregate reports in Google Analytics may be kept longer, but those reports do not contain personal data. Also, IP addresses used for analytics are anonymized and not stored. If you have opted out of analytics, then no new analytics data will be collected from you. Meta Pixel data on our side is only retained in aggregate form (we do not receive personal data from Pixel); Meta itself might retain the event data for a certain period (as per their policies), but that is not directly in our control.
Calendly and Scheduling Data: Details of meetings scheduled via Calendly (e.g., your name, email, meeting time) may remain in our Calendly account history and our integrated calendars. We periodically clean out old calendar invites and scheduling entries. Typically, we might retain Calendly records for a year or two for reference. If you want us to delete your specific Calendly information sooner, you can request that. Calendly may have its own retention practices (for example, they might purge data after some time); however, since we pull that data into our systems (calendar, CRM), we govern the deletion on our side.
CRM Data (Leads/Contacts): Our practice is to regularly review the data in our CRM (Odoo). Contacts or leads that have been inactive for a long time and have not engaged in our services may be deleted or anonymized. We generally align this with the inquiry data policy (around 24 months of inactivity). For prospects that never converted, we will remove identifying details after that period, or sooner if we determine there is no interest. For clients, as stated, data is kept longer, but we may archive old contact records in the CRM if, say, a client contact leaves their company or we haven’t had interaction in years.
Legal and Security Records: We keep certain logs or records as required for legal compliance and security. For example, website security logs that capture IP addresses of visits (to detect malicious activity) are kept for a short period (usually a few weeks) unless they identify a security incident, in which case relevant logs might be retained for investigation and evidence. Records of consent (such as cookie consent or marketing consent) are kept as long as needed to demonstrate compliance (which might be up to 2-3 years, aligning with statutory limitation periods for claims).
Once the retention period for a piece of data expires, or we no longer have a legitimate reason to keep it, we will either securely delete or anonymize the personal data. Anonymization is a process of altering data so that it no longer can be associated with an identifiable individual – for example, we might aggregate data or remove personal identifiers so the data can be used for statistical purposes without identifying you. If data is anonymized, we may retain and use it indefinitely, as it ceases to be personal data.
Please note that in some cases we may retain your personal data for a longer period if required by law or as necessary to establish, exercise, or defend a legal claim. For instance, if we are engaged in a dispute with you or a third party, we may need to preserve relevant information until the matter is resolved. We will base any extended retention on necessity and proportionality.
We also want to highlight that you have the right to request deletion of your data at any time (see “Your Rights” below). Upon such a request, if there is no compelling reason for us to keep the data, we will delete it. If an ongoing basis for retention exists (e.g., a legal requirement), we will inform you of that and isolate the data so it’s only used for that purpose until deletion is possible.
Data Security
We take the security of your personal data seriously and have implemented a range of technical and organizational measures to protect it from unauthorized access, loss, alteration, or disclosure. Here are some key aspects of our data security approach:
Secure Website and Transmission: Our website is encrypted using HTTPS/TLS technology. This means that any data you submit via our site (for example, through forms or the scheduler) is transmitted securely and cannot easily be intercepted by third parties. You can verify this by looking for the padlock icon in your browser address bar when visiting our site. We also enforce strong encryption for our email accounts and encourage secure communications.
Access Controls: Personal data within our organization is accessible only to those who need it for their job duties. For example, our sales and consulting team will have access to lead and client information to follow up with you, but our developers or designers might only have access if needed for a project (and even then, likely to limited info). All employees and contractors of NexusBond are bound by confidentiality obligations. We regularly review who has access to what data and revoke credentials when they are no longer needed. Our internal systems (like the CRM, email, file storage) are password-protected and, where available, protected with multi-factor authentication (requiring a second step, such as a code on a phone, to log in). We educate our staff about data protection best practices and require them to follow our internal data protection policies.
Data Encryption and Protection: For data stored digitally (databases, spreadsheets, etc.), we use reputable cloud services that encrypt data at rest on their servers. Whenever feasible, we also encrypt data in transit (for example, our CRM uses HTTPS for all connections). Sensitive fields (like passwords, though we generally don’t collect passwords on our site aside from any login a user might have) are stored hashed or encrypted. Physical documents (which we rarely have for website leads) are stored securely or converted to electronic form and then shredded if containing personal data.
Regular Updates and Patching: We keep our website platform, plugins, and software up-to-date to protect against known vulnerabilities. Our IT team or contractors monitor for security updates and apply them promptly. We also use security software (firewalls, anti-malware scanners) on our website and devices to prevent and detect intrusions or malicious activity.
Monitoring and Testing: We monitor our systems for potential breaches or attacks. If suspicious activity is detected (for example, multiple failed login attempts or an unusual spike in traffic that could indicate a denial-of-service attack), we investigate and respond. We may employ intrusion detection systems or have our hosting provider manage such security monitoring. Periodically, we might conduct or commission security audits and penetration tests on our systems to identify and fix weaknesses.
Data Backups: We perform regular backups of critical data (such as our CRM database and website data) to ensure that we can recover information in case of a technical incident or ransomware attack. These backups are stored securely and are encrypted. Backup data is retained for a limited period and is subject to secure handling as well.
Third-Party Security: When we entrust your data to third-party processors (like those mentioned earlier: hosting, CRM provider, Calendly, etc.), we ensure that they also take appropriate security measures. We review their security certifications or statements (for instance, many are ISO 27001 certified or SOC 2 compliant, which are standards for information security). We include clauses in our contracts requiring them to maintain adequate security and to notify us promptly in the event of any data breach affecting your data.
Despite all these measures, it’s important to note that no method of transmission over the internet or electronic storage is 100% secure. We strive to protect your personal data, but we cannot guarantee its absolute security. For example, email communications you send to us might traverse third-party servers; while we have TLS enabled, if your email provider doesn’t, there could be some risk. You should also take care when sending us sensitive information and consider using encrypted methods if appropriate.
In the unlikely event of a data breach that poses a risk to your rights and freedoms (e.g., a leak of personal data), we have a breach response plan in place. We will notify the UK Information Commissioner’s Office (ICO) as required by law (generally within 72 hours of becoming aware of the breach, if it meets the threshold for reporting). We will also inform affected individuals without undue delay if the breach is likely to result in a high risk to them (for instance, if it involved disclosure of personal details that could lead to identity theft or harm). We would communicate the nature of the breach, what data was involved, the potential consequences, and what measures we are taking to mitigate it and prevent future occurrences.
We encourage you to also play a role in protecting your data. When you submit information to us online, ensure you’re on our legitimate site (https://nexusbond.com) and that your device is secure. If you create any accounts or passwords on our site (although our lead-generation site currently has no user accounts beyond, possibly, a newsletter sign-up), use a strong, unique password and keep it confidential.
If you suspect any misuse of your data or have a security-related concern about your interactions with us (for example, if you suspect someone has impersonated NexusBond or you received a suspicious communication claiming to be from us), please contact us immediately at [email protected]. We will investigate and take appropriate action.
Your Rights Under UK GDPR
As an individual whose personal data we process, you have certain rights under the UK GDPR and Data Protection Act 2018. We respect these rights and have processes in place to enable you to exercise them. Your key data subject rights include:
Right to be Informed: You have the right to be informed about the collection and use of your personal data. This Privacy Policy is one of the ways we fulfill this right by explaining what data we collect, how we use it, and other relevant information. We aim to be transparent and provide you with clear information whenever we collect personal data (for example, through just-in-time notices on forms, if needed).
Right of Access: You have the right to request access to the personal data we hold about you. This is commonly known as a “Subject Access Request.” You can ask us to confirm whether we process your personal data and, if so, request a copy of that data, along with information about how we use it, who we share it with, how long we keep it, etc. We will provide this information free of charge, typically within one month of receiving a valid request (we may take up to an additional two months for complex requests, but we will inform you if an extension is needed). To protect the privacy of others, we may need to ask you for proof of identity before releasing data. If your request is unfounded or excessive (e.g., repetitive), the law allows us to charge a reasonable fee or refuse to act, but we will explain our reasoning in such cases.
Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected or completed. Upon your request, we will rectify any errors in your data as quickly as possible. For instance, if we have your name or company name spelled incorrectly, or your contact details have changed, please let us know and we will update our records.
Right to Erasure: This is also known as the “right to be forgotten.” You have the right to request the deletion or removal of your personal data where there is no compelling reason for us to continue processing it. This right is not absolute and applies in certain circumstances, such as: the data is no longer necessary for the purpose we collected it; you originally consented and have now withdrawn consent, and we have no other lawful basis; you have objected to processing based on legitimate interests and we have no overriding grounds to continue; we processed your data unlawfully; or we must delete your data to comply with a legal obligation. If you request erasure, we will also notify any third-party processors who have your data on our behalf to delete it as well (assuming it was data we control). Note that we might not be able to erase data that we are required to keep by law or which is relevant to a legal dispute; we will inform you if that is the case. We will also explain if any archiving or suppression will be done instead (for example, keeping minimal info that you opted out, so we don’t contact you again).
Right to Restrict Processing: You have the right to ask us to restrict the processing of your personal data in certain scenarios. Essentially, this means we would store your data but temporarily halt any other processing activities. You might exercise this right if: you contest the accuracy of the data (we’ll restrict processing until we verify accuracy); or you have objected to processing (see below) and we are considering our grounds; or the processing is unlawful and you prefer restriction over deletion; or we no longer need the data but you need us to keep it for the establishment, exercise, or defense of legal claims. When processing is restricted, we will only process that data with your consent (aside from storing it) or for legal reasons. We will inform you before lifting any restriction.
Right to Data Portability: For data that you provided to us and that we process by automated means under consent or contract (e.g., data you actively gave us, processed digitally on the basis of your consent or to perform a contract), you have the right to get that data from us in a structured, commonly used, machine-readable format and/or have it transmitted to another controller where technically feasible. In practice, this right has limited scope for our activities, but if applicable, we will provide the data in a CSV or similar file format that is easy to reuse. This could apply, for instance, if you wanted a copy of the information you submitted in a form or any profile data you provided when signing up for a service. We will also, if you request, transmit it directly to another organization, provided it’s technically feasible (direct transfer is sometimes not straightforward between systems, but we will do our best or provide it to you to pass along).
Right to Object: You have the right to object to our processing of your personal data when that processing is based on legitimate interests (or on performing a task in the public interest/exercise of official authority, though we do not process on the latter basis). If you file an objection, we must stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms or the processing is for the establishment, exercise, or defense of legal claims. In simpler terms, if you object to something like receiving follow-up communications from us based on our business interests, we will likely honor it and stop, as your rights generally override our direct marketing interests (note: if the objection is to direct marketing specifically, we will cease immediately – see below). If you object to processing that is not promotional in nature, we will assess whether there is an overriding justification to continue (which is rare, outside of perhaps needing to keep data for legal reasons). You also have an absolute right to object to any processing of your data for direct marketing purposes at any time. This includes profiling related to direct marketing. For example, if we were tailoring some offers to you based on your profile and sending those via email, you can object and we will stop that processing. In practice, this is akin to the right to opt out of marketing, which we always honor.
Right Not to be Subject to Automated Decision-Making (Including Profiling): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects for you. We do not engage in any automated decision-making or profiling that has legal or significant effects on individuals through our website or lead generation process. We do not, for instance, have algorithms that decide something about you without human involvement (like credit decisions, hiring decisions, etc., made automatically). Any profiling we might do is limited to marketing segmentation (which does not have a significant effect on you and is under our control). If that ever changes, we will inform you and ensure the proper safeguards are in place, including your right to obtain human intervention and contest decisions.
If you wish to exercise any of these rights, you may contact us at [email protected] with your request. To expedite processing, please state clearly which right you wish to exercise and provide any information that will help us locate your data (for example, the email address you used, the date of your inquiry, etc.). We may need to verify your identity before proceeding with certain requests (especially for access, deletion, or any request that involves personal data disclosure), to ensure we do not accidentally modify or release someone else’s data.
We will respond to your request as soon as possible, generally within one month. If your request is complex or if we have received many requests, we may extend the response time by an additional two months, but we will inform you within the first month if an extension is needed and explain why.
There is usually no fee for exercising your rights. We will not charge you for requests to access your data or to exercise any other rights. The only time we might charge is if a request is manifestly unfounded or excessive, particularly if it is repetitive. In such cases, we could charge a reasonable fee to cover administrative costs or refuse to act on the request. However, this is rare and we would provide a justification if we believe a fee or refusal is warranted.
Your right to complain: While we encourage you to contact us first to resolve any issues or concerns, you also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO), which is the supervisory authority for data protection in the UK. The ICO’s contact details are:
Website: https://ico.org.uk/make-a-complaint/
Helpline: +44 303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK.
If you believe we have not handled your personal data properly or have not respected your rights, you can report this to the ICO. However, we would appreciate the chance to deal with your concerns before you approach the ICO, so please consider reaching out to us first. We value your privacy and will do our best to address any problems.
Links to Other Websites
Our website may contain links to websites of third parties (for example, our profiles on social media platforms, or articles and resources we reference). If you follow these links, please note that those third-party websites are not governed by this Privacy Policy. We do not have control over, and are not responsible for, the content, security, or privacy practices of third-party sites. We encourage you to read the privacy policies of any external sites you visit after clicking links on our site. This caution also extends to any use of Calendly or other embedded services; while we integrate them for your convenience, interacting with those services may be akin to visiting their site in terms of data collection.
Additionally, if you came to our website through a link on another site (for example, an advertisement or a partner’s site), and if that site passed parameters or data to us (like a campaign ID, which is mostly not personal data), we still treat any personal data collected on our site in accordance with this policy. Just be mindful that any data you gave to the other site is subject to their policy.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our practices, to clarify our policies, or to ensure compliance with legal requirements. If we make significant changes, we will post the updated policy on this page and update the “Last Updated” date at the top. For substantial changes, we may also provide a more prominent notice (such as a banner on our website or an email notification, if appropriate).
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our website or services after any changes to this Privacy Policy will be deemed acceptance of those changes, except where consent is required (in which case we will seek that separately).
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please do not hesitate to contact us:
NexusBond Ltd (Company No. 09001165)
Registered Office: 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, UK
Email: [email protected]
Phone: +44 (0)20 3858 0209