Privacy policy

How Nexa Systems handles personal data

This policy explains what we collect, why we use it, how long we keep it, who we share it with, and the rights people have under UK data protection law.

Last updated: 25 April 2026

1. Who we are

Nexa Systems provides websites, lead response systems, missed-call text-back, review funnels, CRM support, and related marketing services for UK trades and local service businesses.

Nexa Systems UK LTD is registered in England and Wales under company number 17175439. Our registered office is 124 City Road, London EC1V 2NX.

For data protection purposes, Nexa Systems is normally the controller for personal data collected through this website, inbound enquiries, sales conversations, client onboarding, billing, support, and our own business-to-business marketing. Where we process data inside a client system on the client's written instructions, we may act as processor for that client.

Contact for privacy requests: admin@nexasystems.co.uk.

2. Personal data we collect

  • Identity and contact details, such as name, business name, role, email address, phone number, website URL, postal address if supplied, and social profile or business listing information.
  • Enquiry and sales data, such as form submissions, call notes, booking details, stated business problems, audit requests, proposal preferences, and communications with us.
  • Chat and assistant data, such as messages you send to the website assistant and contact details you choose to provide so our team can reply or book a call.
  • Client delivery data, such as onboarding answers, brand assets, service areas, website content, project notes, support requests, billing records, and files a client chooses to upload.
  • Website and technical data, such as IP address, device and browser type, pages viewed, timestamps, referrer, security logs, and cookie or analytics preferences where enabled.
  • Marketing and outreach data, such as publicly available business contact information, source, lawful-basis notes, suppression records, opt-out requests, email delivery events, and replies.

3. Where we get data from

Most personal data comes directly from you when you use our forms, book a call, reply to us, become a client, or provide information during onboarding.

For business-to-business prospecting, we may also use publicly available business information, business websites, search results, Google Business Profiles, public directories, and information a business has made available for commercial contact. We do not intentionally build cold outreach lists from personal email domains such as Gmail, Hotmail, Yahoo, Outlook, iCloud, me.com, or live.co.uk.

4. Why we use personal data and our lawful bases

  • To respond to enquiries, book calls, prepare audits, send proposals, provide services, manage projects, and support clients. Lawful bases: contract, steps before a contract, and legitimate interests.
  • To run billing, accounting, tax, fraud prevention, security, record keeping, and legal compliance. Lawful bases: legal obligation and legitimate interests.
  • To improve our website, services, forms, internal systems, and client experience. Lawful basis: legitimate interests, unless consent is required for a particular cookie or tracking technology.
  • To send service updates, transactional messages, reminders, invoices, and operational notifications. Lawful bases: contract, legal obligation, and legitimate interests.
  • To send compliant business-to-business marketing where PECR and UK GDPR allow it, including by relying on legitimate interests for suitable corporate business contacts and consent where required.

5. Business-to-business marketing and opt-outs

We only want to contact businesses where our services are relevant. Our outreach is aimed at UK trades and local service businesses, not private individuals.

Under PECR, corporate subscribers can usually receive B2B marketing emails or texts without prior consent, provided the sender is identified and a valid opt-out address is provided. Sole traders and some partnerships are treated more like individuals, so we use extra caution and may require consent or manual review before outreach.

Every marketing email must identify Nexa Systems and include a clear unsubscribe or opt-out route. SMS replies containing STOP, UNSUBSCRIBE, OPT OUT, or similar wording must be added to suppression immediately. We keep suppression records so we can respect opt-outs rather than accidentally contacting someone again.

6. Cookies and tracking

We use strictly necessary cookies and similar technologies where needed to operate the website, protect forms, maintain sessions, or provide requested functionality.

Our cookie policy lists the exact operational cookies and storage currently used on the website, including Auth.js security cookies and theme preference storage.

If we use analytics, advertising, retargeting, email tracking pixels, or other non-essential tracking technologies, we will only use them where we have provided clear information and obtained consent where PECR requires it. You can block or delete cookies through your browser settings, although some features may stop working correctly.

7. Who we share data with

We share personal data only where needed to run the business, deliver services, comply with law, or protect rights and security.

  • Hosting, database, storage, authentication, email, SMS, AI assistant, analytics if enabled, scheduling, payment, support, and project-delivery providers.
  • Professional advisers such as accountants, lawyers, insurers, banks, and auditors.
  • Public authorities, regulators, law enforcement, or courts where required by law or necessary to protect legal rights.
  • Client-approved third parties where a client asks us to connect their website, CRM, phone, review, ad, payment, or booking systems.

8. International transfers

Some providers may process personal data outside the UK. Where this happens, we rely on appropriate safeguards such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or another lawful transfer mechanism.

9. How long we keep data

  • Enquiry and lead records: normally up to 24 months after the last meaningful interaction, unless a longer period is needed for legal claims, suppression, or business records.
  • Client, project, contract, billing, and accounting records: normally up to 7 years after the relationship ends, to meet tax, accounting, and legal record requirements.
  • Marketing suppression records: kept for as long as needed to respect opt-outs and avoid future unwanted contact.
  • Website security logs and technical records: kept for a limited period appropriate to security, diagnostics, and fraud prevention.
  • Uploaded assets and delivery files: kept while we provide services and then deleted or archived according to the client relationship and legal needs.

10. Your rights

Depending on the circumstances, UK data protection law may give you the right to be informed, access your personal data, correct it, erase it, restrict how it is used, object to certain uses, request portability, and complain to the Information Commissioner's Office.

You always have the right to object to direct marketing. To make a request, email admin@nexasystems.co.uk. We may need to verify your identity before responding.

11. Security

We use administrative, technical, and organisational controls designed to protect personal data, including role-based access, secure authentication, provider security controls, audit trails, suppression checks, and internal policies limiting who can access client and prospect data.

No online service can guarantee perfect security, but we aim to handle data with care, limit access, and respond quickly to suspected incidents.

12. Changes to this policy

We may update this privacy policy as our services, systems, or legal duties change. The latest version will always be published on this page with the updated date shown above.