GDPR Privacy Notice

This GDPR Privacy Notice explains, in plain English, how ForgeAI Studio (trading as NovaStacks) handles personal data and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

It is a focused summary of the key points and complements our full Privacy Policy. Where this notice and the full Privacy Policy address the same matter, the full Privacy Policy provides the complete detail.

Who we are

ForgeAI Studio is a UK software company, trading as NovaStacks, that designs and builds custom SaaS platforms, AI-powered business software, bespoke web applications, internal business systems, workflow automation, portals and dashboards, and customer platforms.

• Legal entity: ForgeAI Studio
• Trading name: NovaStacks
• UK Company Registration Number: 17175307 (registered in England & Wales)
• Website: https://novastacks.co.uk
• Contact: support@novastacks.co.uk

ForgeAI Studio is the data controller for the personal data described in this notice. Email is our only contact channel.

Scope of this notice

This notice applies to personal data we process as a controller — for example, data relating to visitors to our website, enquirers, prospective clients, and the individuals we deal with at our client organisations.

When we build, host or operate software on behalf of a client, we may process personal data within those platforms on our client's instructions. In those cases the client is typically the controller and we act as a processor, and the client's own privacy notice governs that processing.

The personal data we process

Depending on how you interact with us, we may process the following categories of personal data:

• Identity and contact data — name, business name, job role, email address and similar contact details you provide.
• Enquiry and correspondence data — the content of messages you send us and our replies, including project requirements and supporting information you choose to share.
• Account and service data — information relating to the products and services you use or evaluate, and records of the support we provide.
• Technical and usage data — information collected automatically when you visit our website, such as IP address, device and browser information, and pages viewed, used to keep our services secure and working correctly.
• Transaction and billing data — records relating to orders, invoices and payments. Card payments are handled by our payment providers; we do not store full card details.

We do not seek to collect special category data through our website or general enquiries. Please do not send us sensitive personal data unless we have specifically asked for it.

Why we process your data and our lawful bases

We only process personal data where we have a lawful basis to do so under Article 6 of the UK GDPR. Our purposes and the corresponding lawful bases are:

• Responding to enquiries and providing information about our products and services — legitimate interests (to deal with requests made to us) and, where you are an existing or prospective client, steps prior to entering into a contract.
• Providing, supporting and maintaining our software and services — performance of a contract with you or the organisation you represent.
• Operating, securing and improving our website and platforms — legitimate interests (to run our business safely and effectively).
• Billing, payments and financial record-keeping — performance of a contract and compliance with a legal obligation.
• Sending service-related communications — legitimate interests or performance of a contract.
• Sending marketing communications, where applicable — consent, or legitimate interests where permitted by law; you can opt out at any time.
• Meeting legal and regulatory obligations and establishing, exercising or defending legal claims — compliance with a legal obligation and legitimate interests.

Where we rely on legitimate interests, we have considered the impact on your rights and freedoms and will not use your data where those interests are overridden. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of earlier processing.

Who we share your data with

We do not sell your personal data. We may share it with:

• Service providers and processors who support our business — for example, hosting and infrastructure providers, communications and email delivery providers, payment providers, and analytics and security tools. These providers act on our instructions under contracts that require them to protect your data.
• Professional advisers, such as legal, accounting and insurance advisers, where reasonably necessary.
• Authorities, regulators or other third parties where we are required to share data by law, or to protect our rights, property or safety.

Where we operate software on behalf of a client, personal data within those platforms may be accessible to that client as controller.

International transfers

We are based in the UK and aim to keep personal data within the UK and the European Economic Area (EEA) where practicable. Some of our service providers may process data outside the UK or EEA.

Where personal data is transferred internationally, we put appropriate safeguards in place as required by the UK GDPR — such as transfers to countries covered by UK adequacy regulations, or transfers made under the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses. You may contact us at support@novastacks.co.uk for further information about the safeguards that apply.

How long we keep your data

We keep personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, accounting, tax or reporting requirements.

• Enquiry and correspondence data is kept for as long as needed to deal with your request and for a reasonable period afterwards.
• Client and service data is kept for the duration of our relationship and for a reasonable period after it ends.
• Billing and transaction records are kept for the period required by applicable tax and accounting law.

When personal data is no longer required, we securely delete or anonymise it.

How we protect your data

We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse or alteration, and we keep these measures under review. No system can be guaranteed to be completely secure, but we work to safeguard your data at all times.

Your rights under the UK GDPR

Subject to certain conditions and exemptions, you have the following eight rights in relation to your personal data:

1. The right to be informed — to be told how your personal data is collected and used, as set out in this notice and our full Privacy Policy.
2. The right of access — to obtain a copy of the personal data we hold about you, by making a Subject Access Request (SAR).
3. The right to rectification — to have inaccurate personal data corrected and incomplete data completed.
4. The right to erasure — to ask us to delete your personal data in certain circumstances (also known as the "right to be forgotten").
5. The right to restrict processing — to ask us to limit how we use your data in certain circumstances.
6. The right to data portability — to receive certain data you have provided to us in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible.
7. The right to object — to object to processing based on legitimate interests, and to object to direct marketing at any time.
8. Rights related to automated decision-making and profiling — not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, except as permitted by law.

You will not usually have to pay a fee to exercise your rights. We may charge a reasonable fee, or decline to act, if a request is manifestly unfounded or excessive.

How to make a Subject Access Request or deletion request

To exercise any of your rights, including making a Subject Access Request or asking us to delete your personal data, please email us at support@novastacks.co.uk.

To help us respond efficiently, please:

• tell us clearly which right you wish to exercise;
• describe the request and the personal data concerned; and
• provide enough information for us to verify your identity.

We may ask for additional information to confirm your identity before acting on a request. This protects your data from being disclosed to anyone who has no right to receive it.

We will respond to valid requests within one month of receipt. If your request is complex, or you have made several requests, we may extend this period by up to two further months and will let you know if we do.

Cookies and similar technologies

Our website may use cookies and similar technologies to operate the site, keep it secure, and understand how it is used. Where required, we will ask for your consent. Further detail is provided in our full Privacy Policy and, where applicable, our cookies information.

Your right to complain

If you have any concerns about how we handle your personal data, please contact us first at support@novastacks.co.uk so we can try to resolve them.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

• Website: https://ico.org.uk
• Helpline: 0303 123 1113

Raising a concern with us first will not affect your right to contact the ICO.

Changes to this notice

We may update this notice from time to time to reflect changes in our practices or legal requirements. The "Last updated" date at the top of this page shows when it was most recently revised. Please review it periodically to stay informed.

How to contact us

For any questions about this notice, our full Privacy Policy, or how we handle your personal data, please contact us by email at support@novastacks.co.uk.