Privacy Policy
Version v0.1 (interim) · Last updated: 9 April 2026
Interim notice. This policy has been drafted in-house for User Acceptance Testing. It will be reviewed by a qualified solicitor before NZTRM is generally available and may be updated. Contact privacy@nztdigital.com with questions.
1. Who we are
NZT Digital Solutions Ltd ("NZT", "we", "us") operates the NZTRM platform (the "Service").
- Company number: SC876897 (Scotland)
- Registered office: Clyde Offices, 2nd Floor, 48 West George Street, Glasgow, G2 1BP, United Kingdom
- Privacy contact: privacy@nztdigital.com
2. Controller vs processor — how your data is handled
NZTRM is a business-to-business platform. How we treat your data depends on how you're using the Service:
- When you are a direct user of NZT (e.g. you signed up on our website, you are evaluating the platform directly with us): NZT is the data controller for your personal data.
- When you are a user on a customer tenant (e.g. your employer is a customer of NZT and you use NZTRM as part of your job): your employer is the data controller and NZT is the data processor. For data subject rights, your first point of contact should be your employer's privacy team; NZT will assist them.
3. What personal data we collect
- Identity & contact: name, email address, job role, organisation
- Account data: password hashes (never plain text), session tokens, password-change history
- Business contact data: names and emails of contacts you add (e.g. supplier contacts, distribution list recipients)
- Usage data: login timestamps, feature interactions, report downloads
- Technical data: IP address (in security audit logs), user-agent in error events (scrubbed where possible)
- Commercial data: energy consumption forecasts, trade data, contract terms (may incidentally contain personal data)
We do not process special category data under UK GDPR Art. 9.
4. How we use your data and our lawful basis
- Providing the Service (authentication, report generation, data management) — Contract (Art. 6(1)(b))
- Security (audit logging, intrusion detection) — Legitimate interests (Art. 6(1)(f))
- Error diagnosis (Sentry error tracking) — Legitimate interests
- Operational notifications (report delivery, price alerts) — Contract; these are service messages, not marketing
- Legal compliance (tax, law enforcement) — Legal obligation (Art. 6(1)(c))
We do not use your data for marketing, advertising, profiling or automated decision-making with legal or similarly significant effects.
5. Sub-processors
We use a small number of sub-processors to deliver the Service. The full current list is published in our sub-processor register. In summary: Neon (DB, UK), Vercel (hosting, UK), Resend (email, US), Sentry (error tracking, EU), Anthropic (AI commentary, US), BetterStack (uptime, EU).
We will notify customers at least 30 days before adding a new sub-processor. We do not sell personal data.
6. International transfers
Primary processing occurs in the United Kingdom. For sub-processors outside the UK we rely on the EU adequacy decision (EU → UK) or the UK International Data Transfer Agreement (IDTA) / UK Addendum to the EU Standard Contractual Clauses.
7. How long we keep your data
Our currently-enforced retention periods are:
- Account data: lifetime of the account; deleted within 30 days of account closure unless legal retention applies.
- Email event logs (delivery, bounces): 90 days.
- Report download logs: 180 days.
- Read portal notifications: 90 days.
- Financial records (trades, contracts): 7 years (required by UK tax / accounting law).
- Backups: Neon point-in-time recovery, up to 7 days.
8. Your rights
Under UK GDPR you have the right to:
- Access a copy of your personal data
- Rectify inaccurate data
- Erase your data (subject to legal retention obligations)
- Restrict or object to processing based on legitimate interests
- Data portability — receive your data in a machine-readable format
- Lodge a complaint with the Information Commissioner's Office (ico.org.uk)
To exercise these rights, email privacy@nztdigital.com. We will respond within one month. If you are a user on a customer tenant, your first point of contact should be your employer's privacy team.
9. Security
We implement appropriate technical and organisational measures: TLS 1.2+ in transit, AES-256 at rest, PostgreSQL row-level security for tenant isolation, role-based access control, audit logging, account lockout on repeated failed logins, and forced re-authentication on password change. Personal data breaches will be notified to the ICO within 72 hours as required by Art. 33.
10. Cookies
We use only strictly-necessary cookies for authentication and session management. We do not use analytics, advertising or tracking cookies. See our Cookie Policy for full detail.
11. Children
NZTRM is a business platform and is not directed at persons under 18.
12. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via the Service or by email.
13. Contact
Email: privacy@nztdigital.com
Post: NZT Digital Solutions Ltd, Clyde Offices, 2nd Floor, 48 West George Street, Glasgow, G2 1BP, United Kingdom