Privacy Policy

This privacy policy explains what information we collect and use when you visit our website at, use our services, send or receive an invoice from a Nook customer or are a key contact working for a prospective Nook customer. This policy explains your legal rights and what to do if you have any concerns. 

As a company based in the UK, we are subject to UK data protection law, but our website visitors may be based around the world.

We sometimes need to update this policy to reflect any changes to the way our service is provided or to comply with new legal requirements. We will notify you of any important changes before they take effect.

1. Who we are and other important information

We are Payaable Ltd (trading as Nook), a company incorporated and registered in England and Wales under company number 12921042 and its registered office at 3 Park View Mews, London, England, SW9 0AG (Nook, we, us or our).

We provide payment and invoicing management software services to UK businesses (our Customers) seeking to simplify their payment processes. Our software allows users to upload financial documents (like invoices or purchase orders) and quickly monitor transactions made, payers and payees, and debts owed or sums due.

For all visitors to our website, Nook is the controller for your information (which means we decide what information we collect and how it is used). We are registered with the Information Commissioner’s Office (ICO), the UK regulator for data protection matters, under number ZB036880.

If you work for our Customer or you send or receive an invoice from our Customer, most of the time our Customer is the controller and Nook is their processor (which means we must follow the instructions they give us). But sometimes we are the controller for your information (for example, for any product feedback you give us).

If you are a Customer that is not an incorporated business (e.g. you are a sole trader or work in a partnership) then Nook will act as the controller for your information.

2. Contact details

If you have any questions about this privacy policy or the way that we use information, please get in touch by emailing

3. The information we collect about you

Personal data means any information which does (or could be used to) identify a living person. We have grouped together the types of personal data that we collect and where we receive it from below:

Type of Personal Data collected Received from
Identity information – name, title, job title you or our Customer
Contact details – work email address, postal address (where you are an unincorporated Customer or the address stated on a financial document relates to a home address) you or our Customer
Profile – login credentials you
Website enquiries – any personal data you provided when you submit an enquiry via our website chatbot, or information about you that is referenced by another user submitting an enquiry you or our Customer
Financial information – account details, purchase order number, account holder name you or our Customer
Feedback – information and responses you provide when completing surveys and questionnaires you
Usage information – information about your activity on our software-as-a-service, including audit logs, download errors, times and dates of log-in you (via cookies and similar technologies)
Technical information- internet protocol (IP) address, browser type and version, time zone setting and generic location, browser plug-in types and versions, operating system and platform on the devices you use to access our website or service you (via cookies and similar technologies)
Marketing information – your marketing preferences you

We may anonymise the personal data we collect (so it can no longer identify you as an individual) and then combine it with other anonymous information so it becomes aggregated data Aggregated data helps us identify trends (e.g. what percentage of users have the role title “accountant”). Data protection law does not govern the use of aggregated data and the various rights described below do not apply to it.

4. How we use your information

UK data protection law requires Nook to identify a legal justification (also known as a lawful basis) for collecting and using your personal data. There are six legal justifications which organisations can rely on. The most relevant of these to us are where we use your personal data to:

  • To fulfil our contract with you if you are customer that is not an incorporated business 
  • pursue our legitimate interests (our justifiable business aims) but only if those interests are not outweighed by your other rights and freedoms (e.g. your right to privacy);
  • comply with a legal obligation that we have; and
  • do something that you have given your consent for.

The table below sets out the lawful basis we rely on when we use your personal data. If we intend to use your personal data for a new reason that is not listed in the table, we will update our privacy policy and notify you.

Purposes Justification
Taking steps to enter into the contract with our Customer Legitimate interests (necessary to conclude our contract with such organisations)

Contract if you are an unincorporated customer
Providing our service to our Customer Legitimate interests (necessary to fulfil our service contract with our Customer)

Contract if you are an unincorporated customer
Handling requests for technical support and other queries Legitimate interests (necessary to fulfil our service contract with our Customer and ensure the proper functioning of our Application)
Asking you to participate in surveys and other types of feedback Consent
Providing insight on how our products and services are being used Legitimate interest (necessary to improve and optimise our products and services)
Administering and protecting products, services and systems Legitimate interests (necessary to provide our products and services, monitor and improve network security and prevent fraud)
Notifying you about changes to our privacy policy Legal obligation
Sending you marketing material Legitimate interest (where we market our services to businesses – to promote Nook)

Consent (where we market to unincorporated businesses, such as sole traders)

5. Marketing

Nook only provides its services to businesses (which means we operate on a Business-to-Business basis, also known as B2B). We only ever send marketing communications to work contact details, and we always include a link in our emails so that you can unsubscribe at any time. We will also remove your details from our system if our Customer informs us you no longer work for them.

Nook uses HubSpot to help us deliver and monitor the communications we send. Their digital tools let us see whether a recipient has clicked any of the links in our email, which help us understand what content that recipient appears to be interested in and allow us to personalise the content of future messages.

Pixels (which are a similar technology to cookies) within those emails enable us to see:

  • if the email was opened
  • where the device opening the email was located (based on the device’s IP address)
  • the type of email service (e.g. Outlook) that was used
  • if the email (or its content) were shared on social media
  • if the email was flagged as spam

6. Who we share your information with

We share (or may share) your personal data with

  • Our staff: Nook employees (or other types of workers) who have contracts containing confidentiality and data protection obligations.
  • Our Customer: we have a service contract and data processing addendum in place with all our Customers which sets out what information we provide to them as part of our services. We always act in accordance with their instructions when we are processing data on their behalf.
  • Payment Service Providers (PSPs): these are the organisations that facilitate payments between our Customers and Customer contacts
  • Customer contacts these are the contacts named in the invoice or purchase order (e.g. payee details). These Customer contacts will act as an independent controller for the information they receive from us (which means they make their own decisions about how they use that information). If you have any questions about how they use the information they receive, you should ask to see their privacy information.
  • Our supply chain: other organisations help us provide our services and website (such as our hosting and server provider, internal IT systems, our CRM system and our website usage analysis). We ensure these organisations only have access to the information required to provide the support we use them and have a contract with them that contains confidentiality and data protection obligations.
  • Regulatory authorities: such as HM Revenue & Customs
  • Our professional advisers such as our accountants or legal advisors where we require specialist advice to help us conduct our business, or IT specialists to conduct audits on the security of our services.
  • Any actual or potential buyer of our business

If Nook were asked to provide personal data in response to a court order or legal request (e.g. from the police), we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response. If we are the processor for that information, we will also check with the controller before any information is released (unless the law does not allow us to do so).

7. Where you information is located or transferred to

We will only transfer information outside of the UK where we have a valid legal mechanism in place (to make sure that your personal data is guaranteed a level of protection, regardless of where in the world it is located).If you access our service or receive a communication from us whilst abroad then your personal data may be stored on services in the same country that the organisation or you are located.

8. How we keep your information safe

We have implemented security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include:

- access controls and user authentication (including multi-factor authentication)
- internal IT and network security regular testing and review of our security measures
- incident and breach reporting processes
- making regular back-up copies of information
- business continuity and disaster recovery processes

If there is an incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law).  Where we act as the processor for the affected personal data, we notify the controller and support them with investigating and responding to the incident.

If you notice any unusual activity on your account (or believe your account has been otherwise compromised) please let us know by emailing us at