Privacy Policy

NestaDev Ltd

NestaDev Ltd is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, share and protect personal data when you:

  • Visit www.nestadev.com

  • Use our platforms (including ELSA and related digital services)

  • Enquire about or purchase our services

  • Subscribe to marketing communications

  • Engage with us as a client, supplier or partner

This policy applies to health and social care providers, business clients, website visitors, and individuals whose personal data is processed through our services.


Data Controller

NestaDev Ltd
311 Ancoats Garden
Manchester
M4 5GH
United Kingdom

Data Protection Contact: support@nestadev.com


Personal Information We Collect

1. Information You Provide Directly

Data Category | Examples
Account Information | Organisation name, contact name, job title, email address, phone number, billing address
User Credentials | Email address, encrypted password, multi-factor authentication details
Organisation Profile | Services offered, registration details, geographic areas served, staff size
Tender & Bid Data (ELSA Users) | Tender titles, commissioning authorities, service specifications, bid responses
Policy & Compliance Content | Policy documents, procedures, implementation plans
Enquiries & Contact Forms | Name, email, phone number, message content
Support Communications | Support tickets, email correspondence, feedback

2. Information Automatically Collected

When you use our website or platforms, we may collect:

  • Usage Data – Features accessed, time spent, AI feature interactions

  • Technical Data – IP address, browser type, device type, operating system

  • Log Data – Access logs, security logs, performance data

  • Cookies & Tracking Technologies – Session cookies and analytics cookies (with consent)


3. Information from Third Parties

We may receive data from:

  • Public registers (e.g., Companies House, public tender portals)

  • Payment processors (payment confirmations, billing data)

  • Analytics providers (aggregated performance data)

  • CRM and marketing systems used to manage enquiries


How We Use Personal Information

We process personal data under UK GDPR lawful bases:

Lawful Basis | Purpose
Contract Performance | Delivering services, account management, billing, support
Legitimate Interests | Service improvement, security monitoring, analytics, product development
Legal Obligation | Tax compliance, financial record keeping, regulatory compliance
Consent | Marketing communications, optional cookies, testimonials

Purposes of Processing

1. Service Delivery

  • Providing access to NestaDev platforms and services

  • Generating AI-assisted recommendations

  • Creating documentation and compliance tools

  • Processing subscriptions and payments

  • Providing support

2. Product & Service Improvement

  • Improving AI accuracy and performance

  • Developing new features

  • Conducting usability testing

  • Analysing usage patterns

3. Security & Fraud Prevention

  • Monitoring for unauthorised access

  • Investigating misuse or fraud

  • Maintaining audit logs

  • Responding to security incidents

4. Marketing & Communications

  • Sending service updates

  • Providing educational materials

  • Sending promotional communications (with consent)

  • Requesting feedback

You may opt out of marketing at any time.


How We Share Personal Information

We do not sell personal data.

We may share data with trusted service providers under Data Processing Agreements:

Category | Purpose | Location
Cloud Hosting Providers | Infrastructure & data storage | UK / EEA
Payment Processors | Billing services | UK / EEA
Email & CRM Systems | Communications | UK / EEA
Analytics Providers | Usage analysis | UK / EEA
AI/ML Providers | Natural language processing | UK / EEA or approved jurisdictions

We may also disclose data where legally required.


International Data Transfers

Data is stored primarily in the UK and EEA.

If transferred outside the UK/EEA, we use:

  • UK International Data Transfer Agreement (IDTA)

  • Standard Contractual Clauses

  • Adequacy decisions

  • Supplementary safeguards where required


Data Retention

Data Type | Retention Period
Account Information | Duration of contract + 6 years
Tender & Policy Content | Duration of contract + 2 years
Website Enquiries | 24 months
Usage & Log Data | 12 months (security logs up to 24 months)
Financial Records | 6 years
Marketing Consent | Until withdrawn + 30 days

Your Data Protection Rights

Under UK GDPR, you have the right to:

  • Access your personal data

  • Correct inaccurate data

  • Request erasure

  • Restrict processing

  • Data portability

  • Object to processing

  • Withdraw consent at any time

  • Not be subject to solely automated decision-making

ELSA and other NestaDev tools are decision-support systems. AI outputs require human review and are not automated legal decisions.

To exercise your rights:

Email: support@nestadev.com
Phone: 07442279106

We respond within one month.


Right to Complain

You may lodge a complaint with:

Information Commissioner’s Office (ICO)
Website: https://ico.org.uk
Helpline: 0303 123 1113


Cookies

Essential Cookies

Used for:

  • Login session management

  • Security protection

  • Platform functionality

These cannot be disabled.

Analytics Cookies (with consent)

Used to:

  • Improve website performance

  • Analyse user behaviour

  • Optimise user experience

You can manage cookie preferences via browser settings.


Security Measures

NestaDev implements technical and organisational safeguards including:

Technical

  • AES-256 encryption at rest

  • TLS 1.3 encryption in transit

  • Multi-factor authentication

  • Role-based access controls

  • Firewalls & intrusion detection

  • Encrypted backups

Organisational

  • Staff data protection training

  • Confidentiality agreements

  • Access reviews

  • Incident response procedures

Our practices align with recognised information security frameworks and best practice standards.


Children’s Privacy

NestaDev services are not intended for individuals under 18.
We do not knowingly collect data from children.


Changes to This Policy

We may update this Privacy Policy to reflect changes in law, operations or services.

Significant updates will be communicated via:

  • Website notice

  • Email (where applicable)


Contact Information

NestaDev Ltd
311 Ancoats Garden
Manchester
M4 5GH
United Kingdom

Data Protection Lead
Email: support@nestadev.com
Phone: 07442279106
Website: www.nestadev.com
