As a company based in the UK, we are subject to UK data protection law, but our website visitors may be based around the world.
We sometimes need to update this policy to reflect any changes to the way our service is provided or to comply with new legal requirements. We will notify you of any important changes before they take effect.
We are Payaable Ltd (trading as Nook), a company incorporated and registered in England and Wales under company number 12921042, with its registered office at 3 Park View Mews, London, England, SW9 0AG (Nook, we, us or our).
We provide payment and invoicing management software services to UK businesses (our Customers) seeking to simplify their payment processes. Our software allows users to upload financial documents (like invoices or purchase orders) and quickly monitor transactions made, payers and payees, and debts owed or sums due.
For all visitors to our website, Nook is the controller for your information (which means we decide what information we collect and how it is used). We are registered with the Information Commissioner’s Office (ICO), the UK regulator for data protection matters, under number ZB036880.
If you work for our Customer or you send or receive an invoice from our Customer, most of the time our Customer is the controller and Nook is their processor (which means we must follow the instructions they give us). But sometimes we are the controller for your information (for example, for any product feedback you give us).
If you are a Customer that is not an incorporated business (e.g. you are a sole trader or work in a partnership) then Nook will act as the controller for your information.
Personal data means any information which does (or could be used to) identify a living person. We have grouped together the types of personal data that we collect and where we receive it from below:
We may anonymise the personal data we collect (so it can no longer identify you as an individual) and then combine it with other anonymous information so it becomes aggregated data. Aggregated data helps us identify trends (e.g. what percentage of users have the role title “accountant”). Data protection law does not govern the use of aggregated data and the various rights described below do not apply to it.
UK data protection law requires Nook to identify a legal justification (also known as a lawful basis) for collecting and using your personal data. There are six legal justifications which organisations can rely on. The most relevant of these to us are where we use your personal data to:
Nook only provides its services to businesses (which means we operate on a Business-to-Business basis, also known as B2B). We only ever send marketing communications to work contact details, and we always include a link in our emails so that you can unsubscribe at any time. We will also remove your details from our system if our Customer informs us you no longer work for them.
Nook uses HubSpot to help us deliver and monitor the communications we send. Their digital tools let us see whether a recipient has clicked any of the links in our email, which helps us understand what content that recipient appears to be interested in and allows us to personalise the content of future messages.
Pixels (which are a similar technology to cookies) within those emails enable us to see:
We share (or may share) your personal data with
If Nook were asked to provide personal data in response to a court order or legal request (e.g. from the police), we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response. If we are the processor for that information, we will also check with the controller before any information is released (unless the law does not allow us to do so).
We will only transfer information outside of the UK where we have a valid legal mechanism in place (to make sure that your personal data is guaranteed a level of protection, regardless of where in the world it is located). If you access our service or receive a communication from us whilst abroad then your personal data may be stored on services in the same country in which the organisation or you are located.
We have implemented security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include:
- access controls and user authentication (including multi-factor authentication)
- internal IT and network security
- regular testing and review of our security measures
- incident and breach reporting processes
- making regular back-up copies of information
- business continuity and disaster recovery processes
If there is an incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law). Where we act as the processor for the affected personal data, we notify the controller and support them with investigating and responding to the incident.
If you notice any unusual activity on your account (or believe your account has been otherwise compromised) please let us know by emailing us at firstname.lastname@example.org.