GDPR and data protection

Our UK GDPR and PECR operating standard

A practical statement of how Nexa Systems handles data protection, B2B outreach, suppression, rights requests, security, and client-delivery responsibilities.

Last updated: 25 April 2026

1. Our data protection position

Nexa Systems is committed to handling personal data lawfully, fairly, transparently, securely, and only for clear business purposes.

Nexa Systems UK LTD is registered in England and Wales under company number 17175439. Our registered office is 124 City Road, London EC1V 2NX.

This page summarises the practical GDPR and PECR controls behind our website, CRM, client delivery, inbound enquiries, and business-to-business outreach. It should be read with our privacy policy and terms and conditions.

2. Core UK GDPR principles

  • Lawfulness, fairness, and transparency: we identify a lawful basis and explain how data is used.
  • Purpose limitation: we use personal data for the reasons collected or for compatible business purposes.
  • Data minimisation: we collect the information needed to respond, sell, deliver, support, bill, secure, and improve services.
  • Accuracy: we take reasonable steps to keep operational records accurate and allow correction requests.
  • Storage limitation: we keep data only for appropriate business, legal, accounting, security, and suppression periods.
  • Integrity and confidentiality: we use access controls, secure providers, and operational safeguards.
  • Accountability: we keep records, policies, and checks designed to demonstrate compliance.

3. Controller and processor roles

Nexa Systems is the controller for our own website, enquiries, prospecting, sales pipeline, client relationship, billing, internal CRM, support, and supplier records.

For client delivery, we may be a processor where a client instructs us to handle their customer or lead data inside a website, CRM, automation, email, SMS, review, booking, or reporting system. In those cases, the client remains responsible for their own lawful basis, privacy notice, customer permissions, and marketing compliance unless agreed otherwise in writing.

4. Lawful bases we use

  • Contract: to provide services, manage accounts, deliver projects, send service messages, and take payment.
  • Steps before a contract: to respond to enquiries, prepare audits, scope projects, send proposals, and book calls.
  • Legitimate interests: to operate and improve our business, secure systems, prevent fraud, keep internal records, perform B2B prospecting where appropriate, and contact relevant business contacts.
  • Legal obligation: to keep accounting records, respond to lawful requests, handle tax requirements, and meet legal duties.
  • Consent: where the law requires consent, such as certain cookies, certain marketing situations, or optional communications that require opt-in.

5. Legitimate interests assessment

Where we rely on legitimate interests, we apply the purpose, necessity, and balancing test. We identify the business reason, check whether the processing is necessary for that reason, and consider the person's rights, expectations, and possible impact.

For B2B outreach, our legitimate interest is offering relevant lead-capture and marketing systems to businesses that appear likely to benefit. We reduce privacy impact by focusing on business contact details, recording data sources, avoiding personal email domains, providing opt-outs, using suppression lists, and manually reviewing higher-risk contacts such as sole traders.

6. PECR and direct marketing controls

  • We identify ourselves in outreach and provide a valid opt-out or unsubscribe route.
  • We do not knowingly send cold marketing to personal email domains or contacts that should be treated as individual subscribers without a valid consent or soft opt-in route.
  • Sole traders and some partnerships are treated as higher-risk because PECR can treat them like individuals for electronic marketing.
  • Every send is checked against suppression records before sending.
  • Outreach count is capped so a prospect is not repeatedly contacted.
  • Email bounces, spam complaints, unsubscribes, and SMS STOP-style replies are added to suppression.
  • Cold email must be sent from a dedicated outreach subdomain, not the root business domain, and domain authentication must be verified before bulk sending.
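The suppression check, contact cap, personal-domain rule and subdomain/authentication gate in this list, together with the suppression record fields described under suppression and opt-out records, can be enforced as one pre-send gate. The following is an added Python example, not Nexa Systems' own code: the suppression records, prospects, personal-domain list, cap of three touches and the domains outreach.nexa.example / nexa.example are constructed assumptions, and the auth_verified flag stands in for an SPF/DKIM/DMARC check performed elsewhere.

```python
"""Pre-send gate for B2B outreach, mirroring the PECR and suppression
controls described on this page. Added example, not Nexa Systems' code.
Suppression records, prospects, the personal-domain list and the domain
names are constructed sample data; auth_verified stands in for a real
SPF/DKIM/DMARC check done elsewhere."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: mailbox-provider domains whose users are treated as
# individual subscribers, so cold marketing needs consent or a soft opt-in.
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.co.uk"}

# Cap on outreach touches per prospect (assumed value).
MAX_TOUCHES = 3

# Constructed suppression records: (kind, value, source), using the record
# fields the page lists (email address, domain, phone number, opt-out source).
SUPPRESSION = [
    ("email", "jane@example-plumbing.co.uk", "unsubscribe"),
    ("domain", "blocked-co.example", "spam-complaint"),
    ("phone", "+447700900123", "sms-stop"),
]


@dataclass
class Prospect:
    email: str
    phone: Optional[str] = None
    prior_touches: int = 0        # outreach already sent to this prospect
    has_consent: bool = False     # valid consent / soft opt-in on record
    sole_trader: bool = False     # PECR may treat like an individual
    manually_reviewed: bool = False


def normalise_email(addr: str) -> str:
    return addr.strip().lower()


def normalise_phone(num: str) -> str:
    # Keep digits and '+' so "+44 7700 900123" matches "+447700900123".
    return "".join(ch for ch in num if ch.isdigit() or ch == "+")


def build_index(records) -> dict:
    """Turn suppression records into per-kind lookup sets."""
    idx = {"email": set(), "domain": set(), "phone": set()}
    for kind, value, _source in records:
        idx[kind].add(normalise_phone(value) if kind == "phone" else value.strip().lower())
    return idx


def outreach_checks(p: Prospect, idx: dict, sender_domain: str,
                    root_domain: str, auth_verified: bool) -> list:
    """Return the reasons a send must be blocked; an empty list means it may go."""
    reasons = []
    email = normalise_email(p.email)
    domain = email.rsplit("@", 1)[-1]

    # Every send is checked against suppression records first.
    if email in idx["email"]:
        reasons.append("email suppressed")
    if domain in idx["domain"]:
        reasons.append("domain suppressed")
    if p.phone and normalise_phone(p.phone) in idx["phone"]:
        reasons.append("phone suppressed")

    # Individual-subscriber and higher-risk contact rules.
    if domain in PERSONAL_DOMAINS and not p.has_consent:
        reasons.append("personal domain without consent")
    if p.sole_trader and not p.manually_reviewed:
        reasons.append("sole trader not manually reviewed")

    # Contact cap so a prospect is not repeatedly contacted.
    if p.prior_touches >= MAX_TOUCHES:
        reasons.append("outreach cap reached")

    # Sender hygiene: dedicated subdomain, authentication verified.
    if sender_domain == root_domain or not sender_domain.endswith("." + root_domain):
        reasons.append("sender is not on a dedicated outreach subdomain")
    if not auth_verified:
        reasons.append("domain authentication not verified")
    return reasons


def suppress_from_reply(records: list, p: Prospect, reply: str) -> bool:
    """Add a suppression record when a reply is a STOP/unsubscribe; True if added."""
    text = reply.strip().lower()
    if text in {"stop", "unsubscribe", "remove me"}:
        kind = "phone" if p.phone and text == "stop" else "email"
        value = p.phone if kind == "phone" else p.email
        records.append((kind, value, "reply:" + text))
        return True
    return False


if __name__ == "__main__":
    index = build_index(SUPPRESSION)
    for prospect in (Prospect("Jane@Example-Plumbing.co.uk"),
                     Prospect("bob@acme.example", prior_touches=3),
                     Prospect("sam@gmail.com")):
        print(prospect.email, outreach_checks(prospect, index,
                                              "outreach.nexa.example", "nexa.example", True))
```

The gate returns every failing reason rather than stopping at the first, so the CRM can log why a contact was held back; normalising case and phone spacing before lookup avoids the common failure where an opted-out address written with different capitalisation slips past the suppression list.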

7. Data subject rights process

People can ask to access, correct, delete, restrict, object to, or receive a portable copy of personal data where those rights apply. They can also object to direct marketing at any time.

Requests should be sent to admin@nexasystems.co.uk. We aim to respond within one month unless the law allows an extension for complex or repeated requests. We may need proof of identity before acting on a request.

8. Suppression and opt-out records

When someone opts out, we normally keep the minimum data needed on a suppression list instead of deleting every trace. This is necessary to make sure we do not contact them again by mistake.

Suppression records may include email address, domain, phone number, opt-out source, date, reason, and the internal note needed to enforce the block.

9. Security and access control

  • Access to internal systems is limited to authorised team members with a business need.
  • Authentication, role checks, audit trails, and secure provider controls are used where available.
  • Sensitive secrets and API keys must not be exposed in client-side code or public repositories.
  • Data exports and uploaded files should be handled only for their intended delivery purpose.
  • Suspected personal data breaches are escalated and assessed promptly, including whether notification to the ICO or affected people is required.

10. Vendors and processors

We use third-party vendors to operate the website and services, including hosting, database, email, SMS, payments, scheduling, file storage, AI, analytics, and support providers. We aim to use reputable providers with appropriate security and data processing terms.

Where vendors process personal data outside the UK, we rely on recognised transfer safeguards or another lawful transfer mechanism.

11. Client websites and systems we build

When we build websites, forms, SMS flows, review funnels, booking systems, or CRM automations for clients, the client is normally responsible for making sure their own customer-facing privacy policy, cookie notices, marketing permissions, and legal copy are accurate for their business.

We can help draft practical wording and implementation controls, but clients should take legal advice for regulated industries, unusual data use, consumer finance, health information, employment data, or high-risk processing.

12. Complaints

If you believe we have not handled your personal data properly, contact us first at admin@nexasystems.co.uk so we can investigate. You also have the right to complain to the Information Commissioner's Office, the UK data protection regulator.