Privacy Policy

Last updated: 19 May 2026

NUAL ("we", "us", or "our") is operated by Nomad V Group. This Privacy Policy explains how we collect, use, store, and share your personal data when you use NUAL (the "Service"). By using the Service you agree to the practices described in this policy.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data in accordance with the General Data Protection Regulation (GDPR).

1. Data We Collect

Account Information

  • Full name and email address (required to create an account)
  • Password (stored as a secure hash; we never see it in plain text)
  • Google account details if you sign up with Google (name, email, profile photo)

Business and Workspace Data

  • Business name, brand colour, and preferred currency you provide during setup
  • Client records: names, email addresses, company names, phone numbers, addresses
  • Financial documents: invoices, proposals, contracts, and their contents
  • Project and task data, lead pipeline records, time tracking entries
  • Files and logos you upload to your workspace

Usage and Technical Data

  • IP address (logged on admin actions for security audit purposes)
  • Browser type and version (user-agent string)
  • Session tokens used to keep you signed in
  • AI credit usage counters
  • Plan and subscription status

2. How We Use Your Data

  • Providing the Service: storing and displaying your workspace data, sending invoices and proposals to your clients on your behalf
  • Account management: authenticating you, managing your plan and trial period
  • AI features: your document content is sent to our AI provider (Anthropic) to generate proposal drafts, contract text, and email suggestions. See Section 5.
  • Transactional email: sending you account-related emails (welcome, trial expiry warnings, payment receipts). We do not send marketing email without your explicit consent.
  • Security and fraud prevention: logging admin actions with IP addresses, rate-limiting API requests
  • Legal compliance: retaining records as required by applicable law

3. Legal Basis for Processing (GDPR)

We rely on the following legal bases:

  • Contract performance: processing necessary to provide the Service you have signed up for (Art. 6(1)(b) GDPR)
  • Legitimate interests: security logging, fraud prevention, product improvement (Art. 6(1)(f) GDPR)
  • Legal obligation: retaining records required by tax or accounting law (Art. 6(1)(c) GDPR)
  • Consent: for any optional communications you opt into

4. Data Retention

  • Active accounts: data is retained for as long as your account is active
  • After account deletion or trial expiry without upgrade: workspace data is retained for 90 days to allow recovery, then permanently deleted
  • Security audit logs: retained for 12 months
  • Payment records: retained for 7 years as required by tax law

5. Third-Party Services

We use the following third-party processors. Each has its own privacy policy and has data processing agreements in place with us:

  • Google Firebase: authentication, database (Firestore), and file storage. Data is stored on Google Cloud infrastructure. (Firebase Privacy)
  • Vercel / Railway: hosting and server infrastructure
  • Resend: transactional email delivery (your email address is shared to send you account emails)
  • Anthropic: AI content generation. When you use AI features, relevant document context is sent to Anthropic's API. Anthropic does not use API data to train models. (Anthropic Privacy)
  • DocuSeal: electronic signature processing for contracts you send through NUAL
  • Paddle: payment processing and subscription management. Paddle acts as Merchant of Record. (Paddle Privacy)

We do not sell your data to any third party. We do not share your data with advertising networks.

6. International Data Transfers

Some of our third-party processors operate outside the EEA (primarily in the United States). Where this occurs, transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards.

7. Your Rights (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the right to:

  • Access: request a copy of the personal data we hold about you
  • Rectification: correct inaccurate data (you can do most of this yourself in Settings)
  • Erasure: request deletion of your account and data
  • Restriction: ask us to stop processing your data in certain circumstances
  • Portability: receive your data in a structured, machine-readable format
  • Object: object to processing based on legitimate interests
  • Withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, email us at info@nomadvgroup.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. Security

We implement appropriate technical and organisational measures to protect your data:

  • All data is encrypted in transit (TLS) and at rest
  • Authentication uses secure session cookies with HttpOnly and Secure flags
  • Passwords are hashed by Firebase; we never store them in plain text
  • Access to production data is restricted to authorised personnel only
  • Admin actions are logged with IP address for audit purposes

9. Children

NUAL is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice in the app. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions or requests:

Reach out to us and we'll respond within 2 business days.
