Legal · Privacy

Privacy Notice — NDA Acceptance Gate

Last updated: 13 May 2026 · Notice version: v1.0

This notice explains how N-Zyte Labs Limited processes your personal data when you accept an NDA via our access portal. It sits alongside the NDA itself — the NDA governs confidentiality; this notice governs how we handle the personal data created in the act of signing it.

Plain-English summary

When you sign our NDA via this app, we keep a record of the fact you signed it, what you signed, when, and from where. We do this so we can show — in court if needed — that you agreed to the agreement. We share this record only with the providers who run the app and the audit store. We keep it for seven years from the end of the agreement. You have rights over this data, set out below.

1. Who we are

The controller of your personal data for this purpose is:

Data controller details
Controller N-Zyte Labs Limited
Company number 17012908 (England & Wales)
Registered office 5 St. Bride Street, London, England, EC4A 4AS, United Kingdom
Contact [email protected]
ICO registration Pending — N-Zyte Labs Limited application in progress; the registration number will be displayed here once granted.

2. What we collect

When you accept the NDA via the access portal, we collect and process the following personal data:

  • Identity (from your authenticated session): your email address, an internal Cloudflare Access subject identifier, and your access session ID.
  • Identity (entered by you): your typed legal name and your typed signature.
  • Intent record: the fact that you ticked the intent-to-be-bound checkbox, plus the exact text of the checkbox at the time you ticked it.
  • Acceptance event metadata: date and time of acceptance (server-side and client-side), your IP address, your browser user-agent string, the Cloudflare Ray ID for the request, and approximate geolocation derived from your IP address.
  • Document fidelity: the cryptographic hash (SHA-256) of the exact NDA text shown to you, and the cryptographic hash of the rendered signed copy of the NDA.

3. Why we collect it

We process this data for three purposes:

  • To form and perform the NDA itself. Your name, email, and the acceptance event are necessary to bring the NDA into existence as a contract between you and N-Zyte Labs Limited.
  • To maintain an evidential audit trail. The metadata above proves the agreement was formed, by whom, when, in what circumstances, and over which exact text.
  • To send you a copy of the signed NDA. A rendered signed copy is emailed to your authenticated address after acceptance, for your records.

4. Our lawful bases (UK GDPR)

Lawful bases under UK GDPR
Lawful basis What it covers
Article 6(1)(b) — Performance of a contract Your name, email, and the acceptance event itself. Without these, the contract cannot be formed or performed.
Article 6(1)(f) — Legitimate interests The audit trail metadata (IP, user-agent, Ray ID, geolocation, document hashes). Our interest is the enforceability of the NDA and the integrity of the audit trail. We have balanced that against your expectation as a counterparty to a written agreement and consider the processing proportionate.

5. Who else sees this data

We share your data with the following parties, acting as our processors under written data-processing terms:

  • Cloudflare, Inc. — provides access control (Cloudflare Access), web hosting (Cloudflare Pages), application runtime (Cloudflare Workers), audit-record storage (Cloudflare D1), and storage of the rendered signed NDA artefact (Cloudflare R2). Cloudflare is a US company; international transfers rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
  • Resend, Inc. — sends the confirmation email containing the signed NDA artefact to your authenticated email address and to our internal agreements mailbox. Resend is a US company; international transfers rely on the same UK International Data Transfer Addendum mechanism.
  • Google LLC — provides Google Workspace, which hosts our internal agreements mailbox ([email protected]). The confirmation email containing the signed NDA artefact is delivered to and stored in this mailbox; any correspondence you initiate with us at this address (for example to exercise your data-protection rights) is also processed by Google for delivery to our team. Google is a US company; international transfers rely on the same UK International Data Transfer Addendum mechanism.

We do not sell your data. We do not share it with marketing partners or advertisers. We do not use it for any purpose other than those stated in section 3.

6. How long we keep it

We retain your data for seven (7) years from the latest of:

  • the date you accepted the NDA;
  • the date of the most recent disclosure of confidential information to you under the NDA; or
  • the end of the confidentiality survival period set out in the NDA itself.

After that seven-year period, audit records are flagged as expired and become eligible for deletion under our retention policy. Hard deletion occurs no later than twelve (12) years after acceptance.

We chose seven years to give a one-year buffer over the six-year limitation period for simple-contract claims under section 5 of the Limitation Act 1980.

7. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data. Note that under UK GDPR Article 17(3)(e) we may refuse erasure to the extent that retention is necessary for the establishment, exercise, or defence of legal claims; the audit trail typically falls within this exception.
  • Restriction — ask us to restrict processing in certain circumstances.
  • Objection — object to processing carried out on the basis of legitimate interests.
  • Data portability — request your data in a portable format (limited to data we hold under contract or consent bases).

To exercise any of these rights, email [email protected]. We aim to respond within one month.

8. Complaints

You have the right to complain to the Information Commissioner's Office (ICO) if you are unhappy with how we have handled your personal data:

ICO contact details
Online https://ico.org.uk/concerns/
Phone 0303 123 1113
Post Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, appreciate the chance to address your concerns first — please email us at [email protected].

9. Changes to this notice

If we change how we process your data, we will update this notice and (where relevant) notify you. The current version of this notice is the one published at the URL displayed on the acceptance page. The version and last-updated date appear at the top of this notice.