Privacy Policy

Nerchr Ltd (registered in England and Wales, company number 15726343)
Last updated: 16 April 2026

1. Introduction

This Privacy Policy explains how Nerchr Ltd ("we", "us", "our", or "Nerchr") collects, uses, stores, and protects your personal data. It applies to anyone who uses the Nerchr service (the "Service"), including account holders, website visitors, and users of our platform.

Nerchr is committed to protecting your privacy and ensuring you understand how your data is processed. We comply with the UK General Data Protection Regulation (UK GDPR) and relevant data protection laws.

This Privacy Policy should be read alongside our Terms of Service, Data Processing Agreement, Acceptable Use Policy, Fair Use Policy, and Cookie Policy, which together govern your use of the Service.

Company details:

  • Name: Nerchr Ltd
  • Company number: 15726343 (England and Wales)
  • Registered office: 15 Neptune Court, Vanguard Way, Cardiff, Wales, CF24 5PJ
  • Website: www.nerchr.io
  • Contact email: info@nerchr.io
  • Data Protection Officer: Thomas Richards (dpo@nerchr.io)

2. Our Roles as Data Controller and Processor

Nerchr operates in two different data protection roles depending on the type of data involved.

2.1 We are the Data Controller For:

  • Personal data belonging to account holders (registration information, billing details, usage data)
  • Personal data of website visitors (analytics, cookies)
  • Our own employees and contractors

In this role, we decide why and how your data is processed.

2.2 We are the Data Processor For:

  • Customer Data (the leads, prospects, and contacts that you capture through Nerchr funnels and manage in the Nerchr contact management system)

When you use Nerchr to capture and manage Customer Data, you (our customer) are the controller, and we process that data on your instructions. The terms governing how we process Customer Data are set out in our Data Processing Agreement, which forms part of the agreement between you and us. Customer Data is treated with the same security and confidentiality as our own data.

3. What Personal Data We Collect

We collect different information depending on how you use Nerchr.

3.1 Account Registration and Profile Data

When you create a Nerchr account, we collect:

  • Name, email address, and phone number
  • Company name and website
  • Job title and department (if provided)
  • Password (securely hashed, never stored in plain text)
  • Profile picture (if provided)
  • Communication preferences

3.2 Billing Information

  • Billing name and address
  • Payment method details are processed by Stripe (our payment processor) and are not stored by Nerchr
  • Invoice history and payment records
  • Subscription tier and billing cycle information

3.3 Usage Data

  • Login activity and authentication logs
  • Features used and frequency of use
  • Funnel interactions (which funnels you create, configure, and publish)
  • Contact management activity (leads created, statuses updated)
  • Dashboard access and report generation
  • API usage and integration activity
  • Device type, browser type, and operating system
  • IP address and approximate geographic location
  • Search queries within your account

3.4 Ad Platform Credentials

When you connect Nerchr to advertising platforms (Google Ads, Meta, Microsoft Advertising, LinkedIn, TikTok, and any other ad platforms we add later), we collect and store:

  • OAuth tokens and API keys necessary to access your accounts on those platforms
  • Account identifiers and authorisation credentials
  • These are encrypted and stored securely to enable Conversion API functionality and reporting

3.5 Cookie Data

We use cookies and similar tracking technologies on our website and within the Service. See our Cookie Policy for full details.

3.6 Communication Data

  • Emails you send to us (support requests, feedback, inquiries)
  • Messages and notifications you receive from Nerchr (product updates, billing notifications, password resets)
  • Your communication preferences and opt-in/opt-out status for marketing communications

3.7 Customer Data (Data We Process on Your Behalf)

  • Contact information of your prospects and leads (names, emails, phone numbers, company details)
  • Lead status and pipeline information
  • Custom field data you create
  • Interaction history with your funnels
  • Conversion data you upload or sync from external sources

We do not use this data for our own purposes. It belongs to you and is governed by our Data Processing Agreement.

4. Legal Basis for Processing

Under UK GDPR, we must have a legal basis for processing your data. Our bases are:

4.1 Contract Performance (Article 6(1)(b))

We process your personal data to:

  • Provide the Nerchr Service to you
  • Manage your subscription and billing
  • Deliver customer support
  • Generate invoices and maintain records

4.2 Legitimate Interests (Article 6(1)(f))

We process your personal data where we have legitimate interests that are not overridden by your rights, including to:

  • Detect and prevent fraud, abuse, and security incidents
  • Enforce our Terms of Service, Acceptable Use Policy, Fair Use Policy, and other legal agreements
  • Improve and optimise the Service (aggregated and anonymised data only)
  • Conduct analytics and market research (anonymised)
  • Comply with our insurance, legal, and regulatory obligations
  • Maintain business records and audit trails
  • Debug technical problems
  • Send you important service announcements (even if you opt out of marketing)

4.3 Consent (Article 6(1)(a))

We process your personal data with your consent when you choose to:

  • Receive marketing emails and newsletters
  • Participate in surveys or user research
  • Allow tracking beyond our essential cookies

You can withdraw consent at any time by unsubscribing or contacting us.

4.4 Legal Obligation (Article 6(1)(c))

We process your personal data where required by law:

  • Tax compliance (UK financial records)
  • Data subject access requests
  • Law enforcement requests
  • Regulatory investigations

5. Who We Share Your Data With

5.1 Service Providers

We share data with trusted third parties who help us deliver the Service. The current list of sub-processors is maintained at www.nerchr.io/sub-processors and forms part of our Data Processing Agreement. Key sub-processors include:

Amazon Web Services (AWS)

  • Cloud infrastructure, hosting, storage, databases, authentication, and AI-related platform services
  • Located in the US and EU, with appropriate safeguards in place
  • Subject to data processing agreements

Cloudflare

  • Content delivery, DNS, network security, and edge services
  • Located in the US and EU
  • Subject to data processing agreements

Stripe

  • Processes payments and manages billing
  • Does not store full card details with us
  • Subject to PCI compliance standards

Sentry

  • Error monitoring and diagnostics
  • Located in the US
  • Subject to data processing agreements

Google Workspace

  • Email, calendaring, and business productivity services, including transactional and support communications
  • Located in the US
  • Subject to data processing agreements

Slack

  • Team communication and internal support and operational collaboration where your data may be referenced
  • Located in the US
  • Subject to data processing agreements

Atlassian (including Trello)

  • Feedback tracking, issue management, and internal collaboration
  • Located in the US and Australia
  • Subject to data processing agreements

Google Analytics

  • Tracks website usage and behaviour
  • You can opt out via your browser settings or the Google Analytics Opt-out Browser Add-on

Zapier

  • Enables integrations with third-party applications when you choose to use Zapier
  • Only receives data you explicitly authorise

The full list of sub-processors, including any additions, is published at www.nerchr.io/sub-processors and you will be notified of changes in line with our Data Processing Agreement.

5.2 Ad Platforms

When you connect your advertising accounts to Nerchr:

  • We send conversion data to Google Ads, Meta, Microsoft Advertising, LinkedIn, TikTok, and any other ad platforms you have connected
  • This data is sent via their Conversion APIs, on your instructions, to improve the performance of your campaigns
  • You control which events are sent and when
  • Ad platforms act as independent data controllers of the data they receive under their own privacy policies
  • As the controller of Customer Data, you are responsible for informing your end users that conversion data relating to them may be shared with advertising platforms, and for ensuring that you have a valid legal basis for doing so

5.3 Regulatory and Law Enforcement

We may disclose your data when required by law:

  • Court orders or legal process
  • Government or regulatory authorities
  • Protection of legal rights, privacy, and safety
  • Enforcement of our Terms of Service, Acceptable Use Policy, or Fair Use Policy

5.4 Business Transfers

If Nerchr is acquired, merged, or significantly restructured, your data may be transferred as part of that transaction. We will notify you of any such change and your options regarding your data.

5.5 Customer Data

  • Customer Data is never shared with third parties except where you explicitly authorise it
  • You can sync Customer Data with other platforms via Zapier, webhooks, or API integrations you choose to enable
  • You remain the controller of Customer Data in all cases, and the terms in our Data Processing Agreement apply

6. International Data Transfers

6.1 Where Your Data is Processed

Your data is processed in the UK, the EEA, and the US (cloud infrastructure and some service providers are based outside the UK).

6.2 Legal Safeguards

We have implemented appropriate safeguards for transfers outside the UK:

  • UK International Data Transfer Agreements where required
  • Standard Contractual Clauses (with the UK Addendum) for relevant transfers
  • Adequacy findings where applicable
  • Data processing agreements with all sub-processors

Full details of transfer mechanisms are set out in our Data Processing Agreement.

6.3 Your Rights

Where your data is transferred internationally, you retain all UK GDPR rights, including the right to request information about the safeguards in place.

7. Data Retention

We retain your personal data for as long as necessary for the purposes listed in this policy.

7.1 Account Data (Your Registration and Profile Information)

  • Retained during the active term of your account
  • After account termination, retained for up to 90 days to allow for account reactivation and to resolve any outstanding billing or support matters, then deleted or anonymised
  • May be retained beyond this period only where required by law (for example, for tax or regulatory purposes)

7.2 Billing and Financial Records

  • Retained for 7 years to comply with UK tax law
  • Separated from active account data after account termination

7.3 Customer Data (Leads and Contacts)

  • Retained during the active term of your account
  • Available for export for 30 days after account termination, then deleted, unless a different retention period is agreed in writing
  • You may export your Customer Data at any time
  • You can delete specific contacts at any time

7.4 Marketing Communications

  • Retained whilst you remain subscribed
  • Deleted when you unsubscribe or ask to be removed

7.5 Server and Usage Logs

  • Retained for 12 months
  • Used for security, troubleshooting, and performance monitoring

7.6 Cookie Data

  • Retained according to our Cookie Policy
  • Most persistent cookies are set to expire after 12 months unless refreshed

8. Your Data Subject Rights

Under UK GDPR, you have the right to:

8.1 Right of Access

You can request a copy of all personal data we hold about you. We will respond within 30 days.

8.2 Right of Rectification

You can correct inaccurate or incomplete data. Most account data can be updated directly through your account settings.

8.3 Right of Erasure

You can request that we delete your personal data, subject to exceptions (for example, where we need it for legal compliance or contract performance).

8.4 Right to Restrict Processing

You can ask us to limit how we use your data whilst you dispute its accuracy, or where we no longer need it but you ask us to retain it.

8.5 Right to Data Portability

You can request your data in a portable format and ask us to transfer it directly to another organisation (where technically feasible).

8.6 Right to Object

You can object to processing based on legitimate interests or for marketing purposes.

8.7 Rights Related to Automated Decision-Making

We do not make decisions based solely on automated processing that have legal or similarly significant effects. Where we use automated systems (for example, fraud detection), you have the right to human review.

8.8 Right to Withdraw Consent

Where processing is based on consent, you can withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

8.9 How to Exercise Your Rights

Contact our Data Protection Officer:

  • Email: dpo@nerchr.io
  • Mail: Data Protection Officer, Nerchr Ltd, 15 Neptune Court, Vanguard Way, Cardiff, Wales, CF24 5PJ

We will respond to your request within 30 days. You may need to provide proof of identity.

If your request relates to Customer Data (data about leads or contacts captured through a Nerchr customer's funnels), we will direct you to the relevant Nerchr customer, who is the controller of that data.

9. Security

9.1 Technical Measures

We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction, including:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest
  • Secure authentication (passwords hashed with modern algorithms)
  • Multi-factor authentication for access to production systems
  • Role-based access controls and principle of least privilege
  • Security monitoring and logging
  • Regular backups with tested restoration procedures

A full list of technical and organisational measures is set out in Schedule 3 of our Data Processing Agreement.

9.2 Organisational Measures

  • Confidentiality agreements with all staff and contractors
  • Data protection training for relevant employees
  • Incident response procedures
  • Limited access to personal data on a need-to-know basis

9.3 Limitations

No security system is completely impenetrable. Whilst we use industry-standard measures, we cannot guarantee absolute security. You use Nerchr at your own risk, though we take every reasonable precaution to protect your data.

10. Children

The Nerchr Service is not directed to anyone under 18 years old. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data, we will delete it and terminate the account.

If you believe we have collected data from a child, please contact us at dpo@nerchr.io.

11. Third-Party Links

Our website and Service may contain links to third-party websites and services. This Privacy Policy applies only to Nerchr. We are not responsible for the privacy practices of other websites. Please review their privacy policies before sharing your personal data.

12. Marketing and Communications

12.1 Promotional Emails

We may send you promotional emails about new features, special offers, and Nerchr news. You can opt out at any time by:

  • Clicking the "unsubscribe" link in any promotional email
  • Updating your communication preferences in your account settings
  • Emailing us at info@nerchr.io

12.2 Service Announcements

We will send you essential service announcements (billing notifications, security alerts, policy changes, password resets) regardless of your email preferences. You cannot opt out of these as they are necessary for Service delivery.

12.3 Surveys and Research

We may invite you to participate in surveys or user research. Participation is always optional.

13. Cookies and Similar Technologies

We use cookies and similar technologies (pixels, tags, local storage) on our website and within the Service. See our complete Cookie Policy for full details.

In summary:

  • Essential cookies enable core Service functionality and cannot be disabled
  • Analytics cookies help us understand how you use Nerchr
  • Preference cookies remember your choices
  • Marketing cookies support our advertising on platforms such as Google, Meta, LinkedIn, Microsoft, and TikTok, and are only set with your consent
  • You can control most non-essential cookies through your browser settings or our cookie consent tool

14. Policy Changes

We may update this Privacy Policy to reflect legal changes, new features, or other updates. We will:

  • Update the "Last updated" date at the top of this policy
  • Notify you of material changes by email or prominent notice on our website
  • Request your consent for material changes that affect your data use where required by law

Your continued use of Nerchr after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or how Nerchr handles your data:

Data Protection Officer

  • Email: dpo@nerchr.io

General Inquiries

  • Email: info@nerchr.io
  • Mail: Nerchr Ltd, 15 Neptune Court, Vanguard Way, Cardiff, Wales, CF24 5PJ

Data Protection Authority

If you believe we have violated your data protection rights, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection authority:

  • Website: https://ico.org.uk
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

16. Definitions

Personal Data - Any information relating to an identified or identifiable natural person.

Processing - Any operation performed on personal data including collection, use, storage, transfer, or deletion.

Data Controller - The person or organisation that determines the purposes and means of data processing.

Data Processor - The person or organisation that processes personal data on behalf of the controller.

Data Subject - The individual to whom personal data relates.

Customer Data - Personal data of your contacts (prospects, leads) that you provide to or collect through Nerchr.

UK GDPR - The UK General Data Protection Regulation as it applies in UK law.

17. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of England and Wales, without regard to its conflict of law principles. Any dispute arising from this policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.

This Privacy Policy is effective as of 16 April 2026.

PRIVACY POLICYCOOKIE POLICYT&CS
info@nerchr.io
©Nerchr Limited 2026. All rights reserved.
Registered in England and Wales. Company No. 15726343.