Data processing addendum

Payaable Ltd (trading as Nook) is a company incorporated and registered in England and Wales under company number 12921042 with its registered office at 3 Park View Mews, London, England, SW9 0AG (Nook, we, us or our).

We provide payment and invoicing management software services to UK businesses seeking to simplify their payment processes (our Customer, you or your). We cannot perform our services unless you provide personal data to us. Except as specified in our Privacy Policy (available at https://nook.io/privacy), Nook is the processor and you are the controller for personal data processed by Nook when we provide our services to you. 

Whenever there is a controller-processor relationship, UK data protection law requires any processing by a processor to be governed by a contract. This data processing addendum (Addendum) sets out our respective obligations under data protection law. When you sign up to use Nook Services, you agree to be bound by the Addendum so you should read this document carefully before registering as a Customer.

1. Definitions
    Controller
    the organisation or person that makes decisions about what and why Personal Data is being collected.
    Data Protection Laws
    any laws and regulations relating to privacy or processing of personal data, including: 

    EU Directive 2002/58/EC (as amended by 2009/136/EC) and The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR);

    EU Regulation 2016/679 (GDPR);

    the GDPR as amended by Schedule 1 of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (UK GDPR) and Data Protection Act 2018 (DPA);

    any laws or regulations supplementing or replacing PECR, the GDPR, UK GDPR or DPA;

    and any relevant guidance or codes of practice issued by a regulator.
    Personal Data
    any information which can (or could be used to) identify a living person.
    Process
    any actions in relation to Personal Data – ranging from actively using or analysing the information to simply having access to or storing the information. Processing, Processed and Processes shall be interpreted accordingly.
    Processor
    the organisation or person that carries out a task for the Controller which requires them to Process Personal Data.
    Personal Data Breach
    a security incident in which Personal Data has been accidentally or illegally destroyed, lost, changed or shared with, accessed or used by someone who did not have permission.
    Service
    the services provided by Nook to you under the Terms https://nook.io/terms.
    1.1 A reference to writing or written includes email.

    1.2 Any words following the phrases including, include, such as, for example or any similar expression are intended to be illustrative only.

    1.3 Use of the singular shall include the plural and vice versa.
    2. Status of the parties

    2.1 Where we receive Personal Data from you or we are required to process Personal Data to deliver our Service to you, you are the Controller of that Personal Data and we are the Processor. We will only Process Personal Data in line with your instructions.

    2.2 We state in our Privacy Policy (available at https://nook.io/privacy) where we act as the Controller for any Personal Data.

    3. Providing information to individuals

    3.1 It is your responsibility as the Controller to inform individuals how their Personal Data is used and maintain the mandatory records required under Data Protection Laws.

    3.2 Our Privacy Policy provides basic information to individuals about how their Personal Data will be used when it is input by our Customers, but the specific details will vary from customer to customer depending on how that Customer uses our Service.

    4. Our obligations to you

    4.1 Where we Process Personal Data for which you are the Controller (as set out in Schedule 1), Nook shall:

    4.2
    - Process Personal Data in line with your written instructions;
    - ensure that any of our staff who have access to Personal Data are bound by obligations of confidentiality (which are included in our employment contract or equivalent contract with them);
    - have technical and organisational measures and procedures which ensure an appropriate level of security for Personal Data and reduce the risk of a Personal Data Breach;
    - only appoint third parties (who we instruct to help us deliver our Service) after we have notified you in writing and you have not objected within [fourteen (14)] days;
    - not transfer Personal Data outside the UK until after we have notified you in writing and you have not objected within [fourteen (14)] days;
    - promptly inform you if there has been a Personal Data Breach which impacts the Personal Data we Process under this Addendum;
    - at the end of our contractual relationship, or any earlier written request from you, delete or return Personal Data;
    - assist you and provide the information required to ensure you can comply with your obligations under the Data Protection Laws;
    - promptly inform you if we receive a request from or on behalf of an individual who wishes to exercise their rights under the Data Protection Laws, and provide assistance so you can respond to the request;
    - not disclose Personal Data without your written permission unless we are legally required to make the disclosure (in which case, we will promptly notify you unless we are prohibited from doing so); and
    - allow you to access our premises or records to audit our compliance with the Data Protection Laws, provided you give us [seven (7) days’] notice.


    5. Your obligations to Nook

    5.1 It is your responsibility as the Controller to identify and comply with the conditions of the lawful basis for the purpose (for which Nook Processes the Personal Data on your behalf). You warrant that you have obtained the necessary permissions for Nook to Process Personal Data in compliance with the Data Protection Laws, including any non-UK laws which may apply in the circumstances.

    5.2 Where the Processing requires Personal Data to be transferred internationally (such as an invoice notification to be sent to a payee located in the United States), it is your responsibility to ensure there is a legal mechanism which permits such transfer. Where applicable, you must forward the legal instrument that legitimises the transfer so that Nook can be added as a party to the document.

    6. Aggregated information

    6.1 We collate information input by users of our software to identify trends and improve our Service. This information is aggregated in a way that means it is no longer possible to identify any individual user and is therefore no longer Personal Data. That aggregated information falls outside the scope of this Addendum.

              Schedule 1

              This table sets out the Personal Data that we receive from you or that we Process as part of the provision of our Service to you.
              Subject Matter of Processing

              The service that we will provide to you
              Nook provides a software-as-a-service which allows you to:
              - add users to a verified Customer profile (to associate user accounts with the businesses they operate under)

              - input contact and payment details for accounts payable and receivable

              - automate late payment chaser communications
              Duration of Processing

              The period of time beginning from when Nook first accesses Personal Data until we delete or return such Personal Data to you.

              From the date that you first register with Nook until the date that you or we end the contract in accordance with the Terms and the main business account (and all associated user accounts) are deleted.
              Nature of Processing

              The ways in which Nook will Process the Personal Data on your behalf

              We create user credentials when you (and users associated with your account) register to use our Service.

              We store and can access Personal Data you input to use our Service (such as payee contact details).

              We transfer and send Personal Data to facilitate your payment instructions (for example to send an invoice to your customer).

              We use Personal Data to communicate and provide our Service to you.

              We delete Personal Data on your instruction or when our contract with you ends.
              Purpose of Processing

              As the Controller, only you can determine the lawful basis.
              Below we have suggested common lawful bases used by our customers:

              Legitimate Interest – to effectively manage payments made to or by your business, including recovering debts owed to you

              Contractual performance – to fulfil the conditions of a contract where you have entered into an agreement with an individual or unincorporated business (such as a sole trader)
              Types of Personal Data

              • first name, last name
              • email address
              • financial details (where personal account or unincorporated business)
              • postal address (where personal address or unincorporated business)
              • other contact details (where these are included on invoices, purchase orders or otherwise input by you)
              • job title and employer  
              • analytical and technical data such as IP address and how users interact with our services
              • user credentials  
              • any other Personal Data input by you
              Types of special category data

              Types of Personal Data which are sensitive and have additional protections under UK law (e.g. health data)

              We never seek to Process special category data but this may sometimes happen if you input special category data or special category data could be inferred from information (for example, where you are a caterer and an invoice is addressed to an individual for services provided at a religious celebration).
              Categories of data subjects

              Types of individuals whose Personal Data will be Processed by Nook

              • you (if you are an unincorporated business, such as a sole trader)
              • your staff
              • any individual that can be identified on an invoice or purchase order (your customers or their staff, your suppliers or their staff etc)