Privacy Policy

Introduction

Your privacy is important to us. This Privacy Policy (“Policy”) explains how we handle your personal information that we collect from you, or a third-party, in connection with our services.

This Policy lets you know, among other things:

  • How to contact us about privacy matters 
  • What personal information we collect and receive  
  • Why we collect and store personal information 
  • How we collect and store personal information 
  • What happens if you do not provide your personal information to us 
  • How we use personal information we collect 
  • How we disclose personal information and who we may disclose it to 
  • How to access and request correction of personal information we hold about you 
  • How to log a complaint in relation to how we handle your personal information 
  • If you are based in the European Union, what your rights are in relation to your personal information 
  • What countries we may transfer personal information to 
  • What our security practices are 

 Please note the following:

  • Where you are resident in New Zealand, all personal information we collect and process is handled in compliance with the Privacy Act 2020.
  • Where you are resident in Australia, all personal information we collect is handled in compliance with the Privacy Act 1988 (Cth).
  • Our privacy practices are primarily designed to comply with the laws of New Zealand and Australia. We understand that privacy expectations and legal requirements may vary across jurisdictions. We are committed to protecting personal information and applying sound privacy principles wherever our services are used. If you have questions about how this policy applies to your specific circumstances, we encourage you to contact us using the details provided at clause 4: “What are Nomos One’s contact details for privacy matters?”.

1. Definitions and Interpretation 

In this Policy any references to:  

1.1. “Nomos One”, “us”, “we” or “our” refers to Nomos One, which includes Nomos Limited, a New Zealand registered company, any of its personnel who collect, process, use or disclose personal information; and its subsidiaries and affiliates:

a. Nomosone Limited, a New Zealand registered company; and 

b. Nomos One Pty Ltd, an Australian registered company. 

1.2. “You” or “your” refers to each individual whose personal information we collect, use or disclose in accordance with this Policy. 

1.3. “Website” means www.nomosone.com.

2. When does this Policy apply?

2.1. This Policy applies to you if we collect personal information from you (whether directly, or indirectly from a third party or other source in accordance with applicable laws).

2.2. This Policy will automatically apply to anyone who is registered as a user of our lease management and lease accounting tool (accessible via www.nomosone.com) (“System”) and will otherwise apply where we collect personal information about you through other methods.

2.3. This Policy applies to all of our business activities and to all services offered by us in association with the collection, use, disclosure, retention and general management of personal information.

2.4. By providing your personal information to us by using or accessing our System, visiting our Website, self-registration or third-party disclosure to us, you acknowledge that you have read and understood this Policy and that you agree to its terms. In particular, you give your consent to the processing of your personal information as described in this Policy. 

2.5. If you do not consent to this Policy, please inform us immediately so we can delete your personal information. If you need to use or access our services, this will prevent you from doing so as we require personal information to provide our System and associated services. 

2.6. This Policy does not apply to any third-party applications or software that may integrate into the System. We suggest you check the applicable privacy policies of any third-party applications or software. We accept no responsibility or liability for any third party’s practices or policies or your provision of personal information to them.

3. How do we make changes to this Privacy Policy?

3.1. We may update this Policy from time to time. Changes will be notified to you by email and will be effective when the Policy is updated on www.nomosone.com.

3.2. We encourage you to review this Policy to stay informed about our information practices and your privacy rights.

3.3. To the extent permitted by applicable law, by continuing to use the System or allowing us (by not withdrawing consent) to continue to retain personal information about you in connection with one or more of our functions or activities, you acknowledge that you consent to any updates to this Policy. 

3.4. If you do not agree to any change we make and would like us to delete your personal information, please make this request by contacting us in accordance with the details provided in clause 4 below. If you do request deletion of your personal information we will not be able to provide the System or any services to you.

4. What are Nomos One’s contact details for privacy matters?

4.1. You can contact our Privacy Officer, Mary Wilson, regarding any privacy matters by email at privacy@nomosone.com or by post to NomosOne Limited, Level 1, 115 Stuart Street, Dunedin 9016, New Zealand.

5. Why do we collect personal information?

5.1. Nomos One collects personal information in connection with the promotion and provision of our services. This is generally for one or more of the following reasons:

a. To provide requesting individuals with sales or marketing resources and facilitate any related requests from them.  

b. For contracting and negotiation purposes. 

c. To provide user access to individuals to use the System.  

d. To facilitate our provision of services to requesting individuals whether requested by them directly or by their employer with their implied consent. 

e. To facilitate discussions with agents acting on behalf of any of our customers. 

f. To support service delivery, automation, service improvement, and existing and prospective customer engagement through traditional technological approaches or AI-powered tools. 

g. As required by law.

6. What personal information do we collect?

6.1. Personal information has varying definitions in applicable privacy laws. The Privacy Act 2020 of New Zealand defines this as “information about an identifiable individual” and the Privacy Act 1988 defines this as “information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not”.

If you reside outside of New Zealand or Australia, we recommend reviewing how personal information is defined in your jurisdiction.

6.2. The type of personal information we collect depends on the purpose for collection and circumstances of collection, and may include: 

a. contact information – such as your name, title, postal address, telephone number and email address; and 

b. website user data collected when you visit our Website or access the System. This may include your IP address, cookies, device information, unique device identifiers, operating system and version, and network information. 

7. What other information and data do we collect? 

7.1. We may from time to time collect information that is not personal information but is derived from actions you take in the System. We may use this data for analytics purposes to ensure we can further develop and improve our services.

7.2. If we do combine non-personal information with personal information the combined information will be treated as personal information and this Policy and applicable laws will apply to our processing of that personal information.

8. What information don’t we collect? 

8.1. We do not actively collect sensitive information (e.g. biometric, genetic or health data, or information about racial or ethnic origin, political opinions and religious affiliations) but may come across sensitive information in providing our services. If this happens, we will treat this information in accordance with applicable laws.

8.2. The System and our services are not directed or provided to individuals under 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, or that a third-party has provided us with that information, we will take steps to delete such information. If you become aware that we may have been provided with a child’s personal information, please contact: privacy@nomosone.com as soon as is practicable.

8.3. We do not collect personal information relating to any parties in leasing or other applicable contracts entered by a user or client into the System (or entered by us at a user’s or client’s request) as this is collected by the user or customer who enters or requests to enter this into the System. In this instance, we solely process the information. By entering any such information you warrant that you have obtained all necessary consents from the individuals identified in this information before you enter it into the System.

9. How do we collect personal information?

9.1. We may collect personal information:

a. directly from you, including in the following circumstances: 

     i. when you interact with us in person, on the phone or via email; 

     ii. when you provide us with your personal information in another kind of document, for example, in a contract; and 

     iii. when you enter information into a form, including an online form;

b. automatically when you visit our Website; 

c. from an organisation you work for, are an agent of, or otherwise are associated with (“Associated Entity”);  

d. via creation of a user account relating to you in the System at the request of your Associated Entity; 

e. indirectly from any other third-party you have provided your personal information to and have provided consent to them to disclose it to us, whether that be specific and express consent or generalised third party sharing consent through acceptance of their privacy policy; or 

f. via a third-party AI tool such as through an AI powered sales demonstration sign up screening tool or AI powered outbound calling tool.  

9.2. Where you provide us with personal information about another individual you undertake that the disclosure is lawful.

10. How do we store and retain your data?

10.1. We outsource hosting of our product infrastructure to Amazon Web Services (AWS). At present, our server and backup instances reside in Sydney, Australia.

10.2. We will retain your personal information for as long as it is needed for the purpose for which it was collected (or any other purpose you have consented to) or for so long as we are required by law to retain it.

10.3. Generally, how long we keep information we collect about you depends on the type of information. For example:

a. User account information: We will retain your user account information while your account is active and until you or your Associated Entity provide notice to us to terminate your access to the System, whether specifically, or as part of a contract termination. Where your Associated Entity has terminated their contract with us, we will retain your data for a period that aligns with the termination process outlined in their contract with us.

We may also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce contracts, to support our operations, and to continue the development and improvement of our services.   

b. Marketing information: If you have elected to receive marketing emails from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our service, such as when you last opened an email from us or ceased using your Nomos One account.   

We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created. 

10.4. For clarity, Nomos One or our third-party providers will not store or retain any of your personal information in an AI model.

11. Are you required to provide personal information?

11.1. Providing your personal information is voluntary, but if you do not provide it, we may not be able to provide you with some or all the services you have requested or perform certain functions in relation to you.

11.2. You may provide pseudonymous information instead of your personal information, except where: 

a. you are entering into a legal contract with Nomos One, which requires valid personal details for enforcement and accountability;  

b. it is impracticable for Nomos One to provide services without verified identity, such as for security, access control, or compliance obligations; or 

c. there is a legal or regulatory requirement to collect and verify your real personal information. 

12. How do we use your personal information?

12.1. We use your personal information to: 

a. verify your identity; 

b. assist us in performing our functions, including providing services to our customers and performing and/or enforcing our contractual obligations; 

c. help us improve our services and improve your experience in using the System, including for internal training purposes; 

d. provide, update, support, maintain and protect the System, the Website, and our business; 

e. anonymise it, in order to use the anonymised data to improve our products and services and develop new products and services; 

f. as input context for an Artificial Intelligence (“AI”) model that is private and accessible only to you and your Associated Entity (including anyone permitted access to your Associated Entity’s data within the System) within the environments within the System of which you are a user;  

g. use in third party AI tools as part of our service delivery, service, engagement and productivity improvements and knowledge provision. This may include using AI for data analysis, data input to the System, data extraction and summarisation, personalisation, auto-drafting emails, video call and chat summaries, task suggestions and allocation, service and support response and escalation, as well as performance and user behaviour monitoring;  

h. communicate with you, including: 

     i. by responding to questions, comments or requests and sending emails and other communications relating to the System including planned maintenance or software updates and changes to this Policy or our Terms of Use (https://www.nomosone.com/terms-of-use/); 

     ii. notifying you about other or new Nomos One services or promotions, where you have opted-in to receive such notifications; and 

     iii. either directly or via one of our partners, for marketing (which may include direct marketing), research or participation in surveys or competitions, where you have opted-in to receive such communications;

i. investigate and help prevent complaints, security issues, and abuse; 

j. help with billing, account management, auditing and other administration services; 

k. facilitate the development and marketing (which may include direct marketing) of the System and our Website; 

l. protect the rights, property, or personal safety of us or our agents, personnel, or others; and 

m. comply with our legal obligations.

12.2. We may use your personal information for the purposes of direct (or targeted) marketing through our Website, email or third-party sources to tell you about our products and services. Where we market to you through third-party sources, we may disclose your personal information to those third parties to facilitate each instance of direct marketing for us.  

If you do not want us to use your personal information for direct marketing, you can opt out from it by contacting privacy@nomosone.com or by posting your request to NomosOne Limited, Level 1, 115 Stuart Street, Dunedin 9016, New Zealand.

13. How this Policy applies to users of the System 

13.1. The System is provided for our customers to use, which are typically organisations rather than individuals. Our customers maintain user accounts enabling individuals to access and use the System on their behalf.

13.2. Where you use the System through an Associated Entity, both we and your Associated Entity are responsible for ensuring your personal information is protected, but we encourage you to direct your privacy questions to your Associated Entity in the first instance, as your use of the System may also be subject to their internal policies. We are not responsible for any Associated Entity’s privacy or security practices, which may be different from this Policy. Please contact your Associated Entity or refer to your Associated Entity’s policies for more information.

13.3. As part of an organisation’s subscription an Associated Entity is required to assign one or more representatives to act as administrators within the System who are able to do the following (“Administrator”):

a. view your profile information (which will at a minimum include your name and email address);  

b. require you to reset your account password; 

c. restrict, suspend or terminate your access to the System; 

d. change the email address associated with your account; 

e. change your information, including profile information;  

f. restrict your ability to edit, restrict, modify or delete information; and 

g. request an export of all user’s account information from us.

13.4. Where we process personal information in accordance with an organisation’s (whether they are a customer or contact for another reason) instructions (including instructions conveyed through an Administrator’s actions), that organisation acknowledges and agrees that they:

a. have all legally required consents to provide such instructions in regard to that personal information, observing the rights of data subjects; and  

b. if required, will enter into agreements regarding treatment of personal information as requested by us. 

14. When do we disclose personal information? 

14.1. We disclose personal information in the following circumstances:

a. Associated Entities and Administrators: 

     i. While processing your personal information, Nomos One will share and disclose personal information in accordance with your Associated Entity’s instructions and applicable laws, including under any applicable terms in our Terms of Use or other agreed contract between your Associated Entity and Nomos One.

     ii. Administrators and other permitted representatives and personnel related to your Associated Entity may be able to access, modify or restrict access to personal information. This may include, for example, your employer using our System to export logs of activity or accessing or modifying your profile details. Administrator users will see the name and email address of users. All other users will be able to see other users’ names within each self-contained structure within the System which stores your Associated Entity’s leasing portfolio and data (“Organisation”) that they have access to as permitted and controlled by your Associated Entity.

     iii. Administrator users may grant access to non-employees (e.g. an auditor or law firm employee) via inputting their username and email address.

b. Corporate affiliates: Nomos One may share personal information with its corporate affiliates, including any parent company, subsidiary, or related company.

c. Third party service providers and partners: We may engage third party companies or individuals as service providers or business partners to assist us in providing the System and our services, for the purposes of processing personal information, or for other purposes in which they incidentally process personal information. We will only disclose personal information with third-party service providers that adopt stringent and industry-standard data processing and security processes. These third parties may:  

     i. provide information processing, database management, and storage services; 

     ii. support the development, operation and maintenance of our Website (including the System); 

     iii. gather feedback from individuals about our System and services; 

     iv. use your personal information for marketing purposes (including direct marketing, where you have opted into this) on our behalf; 

     v. use your personal information (with strict controls in place) to enable us to make an AI related request to support our prospective and existing customer engagement, task automation and service insights; 

     vi. provide secure payment processing; and 

     vii. provide customer service.

In relation to clause 14.1(c)(v), please note that any third-party AI tool we may use will follow strong storage and retention policies consistent with clause 14.1(c)(v). 

d. Business sale or corporate transaction: If Nomos One (or assets of Nomos One) are acquired by another company, whether by merger, acquisition, bankruptcy or otherwise, that company may receive all personal information held by or on behalf of Nomos One. In this event, you will be notified via email, of any change in ownership, uses of your personal information, and choices you have regarding your personal information.

e. To comply with law or legal processes: Nomos One may disclose your personal information: 

     i. if required by law; 

     ii. if we reasonably believe that use or disclosure is necessary to investigate fraud, or comply with a law, court order, or legal process; 

     iii. to protect the rights, property, or personal safety of us or our agents, personnel, or others; or 

     iv. to law enforcement or government officials as we, in our sole discretion, believe is necessary or appropriate.

15. International data transfer

15.1. Nomos One currently provides its System and services from New Zealand and Australia. To facilitate our provision of the System and services, we store all data (including backups and disaster recovery), including personal information in an Amazon Web Services Data Center in Sydney, Australia and use that information within Australia, as well as transferring that information to New Zealand for the purposes described in this Privacy Policy. 

15.2. Additionally, in order to provide our System and services, our third-party vendors process operational data outside of Australia and New Zealand in the United States and European Union. 

15.3. If we need to transfer your data outside of your country of residence, or Australia or New Zealand to enable us or any of our third-party suppliers to provide the System or our services to you it will be to:

a. the European Economic Area, United Kingdom or the United States; or 

b. a country that provides “comparable safeguards” to New Zealand’s Privacy Act 2020, or

c. a country that has law that “has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information” as per Australia’s Privacy Act 1988, or 

d. a country or organisation that has ‘adequacy’ for the purpose of Article 45 of Regulation (EU) 2016/679 (including organisations subject to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks).  

16. What can you request in relation to your personal information (if you are a non-European Union resident)?

a. Access to your Personal Information: You may request access to personal information that we hold about you by contacting us, using the contact details provided in this Policy at clause 4. We will reply to your request within a reasonable time period aligned with applicable laws, usually within 30 days.

Aside from this, Administrators can access your name and email address information by logging into the System and viewing the settings tab within an Organisation and clicking on “Users”.  

b. Correction: 

     i. You may request that we correct factual errors in your personal information by sending us a request that shows the error(s), using the contact details provided in this Policy at clause 4. 

     ii. We will reply to your request within a reasonable time period aligned with applicable laws, usually within 30 days.  

     iii. If we choose not to correct errors that you have identified in your personal information, you may request that we attach a correction statement which may include any information you have submitted about why you believe the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, to be available for any users of your personal information to read. 

     iv. To protect your privacy and security, we may also take reasonable steps to verify your identity before granting access or making corrections. We may refuse access to or correction of your personal information for any reason of refusal permitted by law. 

     v. We encourage you to ensure that your personal information is kept up-to-date and accurate.

c. Complaints: 

      i. If you have any questions about privacy related issues or wish to complain about the handling of your personal information by us, please contact our Privacy Officer, Mary Wilson at privacy@nomosone.com. We may ask you to lodge your complaint in writing. Any complaint will be investigated by the Privacy Officer and you will be notified of the decision in relation to your complaint as soon as practicable after it is made, usually within 30 days. 

     ii. If we are unable to satisfactorily resolve your concerns about our handling of your Personal Information, you can contact the:

A. Office of the Australian Privacy Commissioner (OAIC) if you reside in Australia; 

B. Office of the Privacy Commissioner if you reside in New Zealand; 

C. or the relevant Privacy Commissioner or Data Protection Commissioner (or similar) for your jurisdiction if you reside elsewhere.

d. Revoke consent: You may revoke your open and obvious consent permitting us to collect and process your personal information at any time by: 

     i. emailing us;

     ii. using the contact details provided at clause 4 of this Policy;

     iii. or using the “unsubscribe” function in any communication that we send to you.

If you email us to revoke your consent, we will action your request as soon as possible in accordance with applicable laws, usually within 30 days. 

If you revoke your consent, we may no longer be able to provide you with access to the System, our Website and / or our services. The withdrawal of consent will not affect processing of personal information that occurs before you notify us that you have withdrawn your consent.

e. Deletion: 

     i. There may not be a legal right to delete your personal information in the region you reside in, but you may request that we permanently delete the personal information we hold about you in the following circumstances:

A. you believe that it is no longer necessary for us to hold the personal information we hold about you;

B. we are processing the personal information we hold about you on the basis of your consent, and you wish to withdraw your consent and there is no other reason under which we can process the personal information in accordance with applicable laws; or

C. you believe the personal information we hold about you is being unlawfully processed by us.  

     ii. We will require you to provide as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for deletion. After deleting the personal information, we may not be able to provide services to you, or the same level of service that we were previously able to provide.

     iii. During the period while we consider your request to delete your personal information, you may request us to restrict our processing of the personal information. We will discuss this with you and how we can restrict the processing of your personal information. 

     iv. Where you have requested that we delete personal information that we have made public and we are required by law to delete this information, we will use reasonable steps to try to tell others that are displaying the personal information or providing links to the personal information to delete that personal information. 

17. What are your rights (if you are a European Union resident)?

17.1. An “EU resident” is an individual who is in the European Union at the time their personal information is processed.

17.2. If you are an EU resident, you may have certain rights in relation to the personal information we hold about you. We set out these rights and how to exercise them below. Some of these rights only apply in certain circumstances.

17.3. These rights include:

a. being informed; 

b. access; 

c. rectification; 

d. restriction of processing; 

e. erasure (‘the right to be forgotten’); 

f. data portability; 

g. objection; and  

h. rights in relation to automated decision-making including profiling.

17.4. In the context of the European General Data Protection Regulation (“GDPR”), for the personal information we hold, an Associated Entity or an individual is the “controller” of some personal information, and Nomos One is the “processor” of that personal information and the “controller” of other personal information.

17.5. In contrast to clause 13.4 of this Policy, where we process personal information about an EU resident or EU residents in accordance with an organisation’s (whether they are a customer or contact for another reason) instructions (including instructions conveyed through an Administrator’s actions), that organisation acknowledges and agrees that they:

a. will remain the sole data controller of such personal information; 

b. will be responsible for the legality of the data processing and observing the rights of the data subjects; and 

c. will from time to time enter into one or more specific agreements regarding treatment of personal information, as requested by Nomos One. 

17.6. How to exercise your rights: 

a. Where we are the “processor” and not the “controller”, you may need to exercise your rights through the controller, who may be the administrator for your account in the System. 

b. Please note that we will require you to provide us with proof of identity before responding to any requests to exercise your rights. We must respond to a request by you to exercise those rights without undue delay and at least within one month (although this may be extended by a further two months in certain circumstances). To exercise any of your rights, please send us the following details, using the contact details at clause 4 of this Policy: 

     i. proof of identity (one of the following: passport, driving licence, national identity card or birth certificate. The documents must include your full name and date of birth, nationality, and include proof of any name change). If you are exercising rights on behalf of another EU resident (“the data subject”), please include both your proof of identity and the proof of identity of the data subject. You will also need a signed consent from the data subject, authorising you to exercise these rights on their behalf. If the data subject is a minor, you will not need signed consent, but will require proof of your status as the data subject’s parent or guardian;

     ii. contact details;

     iii. details of country of residence;

     iv. details of the data right(s) you wish to exercise, including any relevant details; and 

     v. confirmation that you understand that Nomos One may require further details from you in order to confirm your identity and/or process your request.

c. Please note, if you make a request in relation to your data rights and we do not hold information in a form that allows us to identify you, we will inform you of that. We will not be obliged to comply with those data rights unless you provide additional information that allows us to identify what information we hold about you. If we do not take action on your request in relation to your data subject rights, we will advise you within one month of the reasons we will not be taking action. You may make a complaint to us or to your data protection authority, and you may seek a judicial remedy in accordance with the provisions of the GDPR. 

d. We will communicate any rectification, erasure of personal information or restriction of processing that we undertake in accordance with your instructions to any third parties who have received that personal information unless that notification is impossible or involves a disproportionate effort. If you request, we will provide you with details of those third parties that have received your personal information. 

17.7. Complaints: In the event that you wish to make a complaint about how we process your personal information or respond to any request by you in relation to your data rights, please contact us using the details provided at clause 4 of this Policy, and we will endeavour to deal with your request as soon as possible. You also have the right to launch a claim with your data protection authority.

17.8. Legal basis for using your personal information: The GDPR requires us to tell you the legal basis for processing your personal information. The principal bases on which we process your personal information are:

a. Consent: Applies where you have freely given an informed, specific and unambiguous indication that we are permitted to collect and process your personal information. At any time, you may revoke your consent to the processing of some or all of your personal information by: 

     i. emailing us, using the contact details at clause 4 in this Policy; or 

     ii. using the “unsubscribe” function in any communication that we send to you. 

If you revoke your consent, we may need to stop providing you with access to our System or services, if consent is the only legal basis for our processing of your personal information. The withdrawal of consent will not affect processing of personal information that occurs before you notify us that you have withdrawn your consent.

b. Contract: Applies if processing your personal information is necessary for the performance of a contract to which you are a party. For example, if we are providing services to you, we may need to use your personal information to carry out those services and any related activities. 

c. Legitimate interests: Applies if the processing is necessary for our legitimate interests or the legitimate interests pursued by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal information.

17.9. The right to be informed: 

Where we collect information from you, or from a third party, we will inform you of the collection and inform you of information relating to the collection through provision of this Policy to you, and where necessary through additional contact providing any further required information.

17.10. The right to access:

a. You have the right to know whether we process personal information about you, and if we do, to access personal information we hold about you and certain information about how we use it and who we share it with. 

b. We may not provide you with certain personal information if providing it would interfere with another’s rights (e.g. where providing the personal information we hold about you would reveal information about another person) or where another exemption applies. 

c. You have the right to one copy of the information set out above. If you request further copies of that information, we may charge a reasonable fee for our administrative costs.

17.11. The right to rectification: You have the right without undue delay to rectify or correct any personal information we hold about you that is inaccurate. You may have incomplete personal information we hold about you completed, including by means of a supplementary statement (taking into account the purposes of processing of the relevant personal information). During the period while we assess whether the personal information we hold about you is inaccurate or incomplete, you may exercise your right to restrict our processing of the applicable data as described below.

17.12. The right to restrict processing to storage only:

a. You have a right to require us to stop processing the personal information we hold about you other than for storage purposes, in certain circumstances. Please note, however, that if we stop processing the personal information, we may use it again if there are valid grounds under data protection law for us to do so (e.g. for the defence of legal claims or for another individual’s protection). 

b. You may request we stop processing and only store the personal information we hold about you where:

     i. you believe the personal information is not accurate, for the period it takes for us to verify whether the personal information is accurate;

     ii. our processing of your personal information is unlawful and we wish to erase the personal information, but you want us to store the personal information instead;

     iii. the personal information is no longer necessary for our purposes and we wish to erase it, but you require us to store that personal information for the establishment, exercise or defence of legal claims; or 

     iv. you have exercised your right to object, pending the verification of whether our legitimate grounds of processing override your interests, rights and freedoms.

c. If you have obtained a restriction on processing, we will inform you before that processing restriction is lifted.

17.13. The right to erasure:

a. You may request that we erase the personal information we hold about you without undue delay in the following circumstances: 

     i. you believe that it is no longer necessary for us to hold the personal information we hold about you;

     ii. we are processing the personal information we hold about you on the basis of your consent, and you wish to withdraw your consent and there is no other ground under which we can process the personal information;

     iii. you have exercised your right of objection and there are no overriding legitimate grounds for the processing;

     iv. you believe the personal information we hold about you is being unlawfully processed by us; or

     v. we are required to erase your personal information for compliance with law.

b. Please provide as much detail as possible on your reasons for the request to assist us in determining your basis for erasure. After deleting the personal information, we may not be able to provide services to you, or the same level of service that we were previously able to provide. 

c. Where you have requested that we erase personal information that we have made public and there are grounds for erasure, we will take reasonable steps, including technical measures, to inform others that are displaying the personal information or providing links to the personal information to erase that personal information.

17.14. The right to portability:

a. You have the right to receive certain parts of the personal information that we collect from you in a structured, commonly used and machine-readable format and a right to request that we transfer such personal information to another party.

b. The personal information that you can request to be made portable under this “portability” right is data that you have provided us with your consent, or that you provided for the purposes of performing our contract with you, where the processing of that personal information is carried out by automated means.

c. If you wish for us to transfer the personal information to another party, please ensure you provide the details of that party and note that we can only do so where it is technically feasible. We are not responsible for the security of the personal information or its processing once received by the third party. We also may not provide you with certain personal information if providing it would interfere with another individual’s rights, for instance where providing the personal information we hold about you would reveal information about another person.

17.15. The right to objection: At any time you have the right to object to our processing of your personal information where: 

a. our right to process stems from lawful processing as defined at article 6(1)(e) or (f) of the GDPR, and you object to processing based on either of these grounds.

For clarity, in the GDPR article 6(1)(e) states that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” and article 6(1)(f) states that “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data”.

In these instances, we will stop processing your personal information unless we present “compelling legitimate grounds for the processing which override the interests, rights and freedoms” of you, or where we need to process it for “the establishment, exercise or defence of legal claims”.

b. we use your personal information for direct marketing purposes (including where the processing is profiling where it is related to the direct marketing) and you no longer wish for your information to be used in this way.

Please provide as much detail as possible on your reasons for the request to assist us in determining whether there is a compelling legitimate interest in us continuing to process such data or whether we need to process it in relation to legal claims. You may exercise your right to request that we stop processing the personal information during the period while we make the assessment on an overriding interest. Please advise us if you would like to make that processing restriction request at the time you provide the details of your objection to processing.

17.16. Rights in relation to automated decision making and profiling: 

a. You have the right not to have automated decisions (including profiling) made about you, or that affect you on a legal basis, or otherwise have significant effects on you.

b. This right does not apply if we require automated decision making (which may include profiling) in order to enter into or perform a contract with you, or where you give us explicit consent to use your personal information for these purposes.

18. How do we manage receiving unsolicited personal information?

18.1. If we receive personal information we should not have, we may first consider whether we could have collected the information in accordance with applicable laws. 

18.2. If we determine that collection of that personal information is lawful we will process it in accordance with this Policy. If we determine that collection of the personal information would not be lawful, we will destroy or de-identify the personal information as soon as practicable if we are not required to retain the personal information for legal reasons. 

19. How are cookies used?

19.1. A “cookie” is a small piece of data sent from a website and stored in a user’s web browser while the user is browsing that website. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user’s previous activity. This applies to anyone who accesses or uses our Website or the System, meaning that if you or your organisation are not a customer of ours, but you browse or access our Website, cookies will still function as described.

19.2. We use cookies to make the System as easy for you to use as possible and to help us better understand user behaviour.

19.3. We treat information collected by cookies and other similar technologies as non-personal information unless:

a. applicable laws require us to treat it as personal information; and

b. to the extent that non-personal information is combined with personal information, we treat the combined information as personal information for the purposes of this Policy.

19.4. You can disable cookies on your computer if you wish, but please note that if you disable caching or choose to block sites from sending any data, this may cause the System or Website not to work.  

20. What are our security practices?

20.1. Nomos One is committed to protecting your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. Nomos One and our service providers utilise a combination of industry-standard security technologies, procedures and organisational measures, including penetration testing, to help protect your personal information from unauthorised access, use, loss, or disclosure.

20.2. Given the nature of the internet, we cannot guarantee security of information transmitted through the internet. We will do our best to protect your personal information; however, any transmission is at your own risk. 

V2 – 14.05.2025