Privacy Policy

Last updated: April 4, 2026

This Privacy Policy explains how Nabu Watch ("we", "us", "our") collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable data protection law. By using our service you acknowledge this policy.

1. Data Controller

The data controller responsible for your personal data is:

Nabu Watch

[Address placeholder — to be updated]

Email: privacy@nabu.watch

If you have any questions regarding the processing of your personal data or wish to exercise your rights, please contact us at the address above.

2. Personal Data We Collect

We collect and process the following categories of personal data:

Account Information

Full name, email address, password (stored as a one-way hash), organisation name, and account preferences. Collected when you register.

Website & Monitoring Data

The website URLs you add to our platform, the scan results and compliance reports generated for those URLs, SSL certificate data, and the compliance status of legal pages (privacy policies, terms, cookie notices, etc.).

Usage Data

Information about how you interact with the service: pages visited, features used, scan frequency, API calls made, and token consumption data.

Technical Data

IP address, browser type and version, operating system, referring URLs, and timestamps of requests. This data is logged for security and rate-limiting purposes.

Billing Data

Subscription plan and billing history. Payment card details are processed directly by our payment processor and are never stored on our servers.

4. Data Retention

We keep personal data only as long as necessary for the purpose it was collected:

  • Account data is retained for the lifetime of your active account. If you delete your account, personal data is permanently removed within 30 days.
  • Scan results are retained according to your plan's data retention policy. You can request early deletion at any time.
  • Security logs (IP addresses, access logs) are retained for up to 90 days for fraud prevention and security incident investigation.
  • Billing records may be retained for up to 7 years to comply with financial regulations.

5. Data Sharing & Sub-processors

We do not sell, rent, or trade your personal data to third parties. We may share data with the following categories of trusted sub-processors who act under our instructions and are bound by data processing agreements:

  • Cloud hosting provider — infrastructure and database hosting (EU region).
  • Email provider — transactional emails (registration, password reset, notifications).
  • Payment processor — handles billing; we share only the minimum data required (email, plan).

We may disclose personal data to law enforcement or regulatory authorities where required by law, or to protect the rights, property, or safety of Nabu Watch, our users, or others.

6. Your Rights Under GDPR

As a data subject under the GDPR you have the following rights with respect to your personal data:

Right of Access (Art. 15)

You have the right to request a copy of the personal data we hold about you and information about how it is processed.

Right to Rectification (Art. 16)

You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure / Right to Be Forgotten (Art. 17)

You have the right to request deletion of your personal data where it is no longer necessary for the purpose collected, you withdraw consent, or you object and there is no overriding legitimate interest. You can exercise this right by deleting your account in the dashboard or by contacting us.

Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller where processing is based on consent or contract.

Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to Restrict Processing (Art. 18)

You have the right to request that we restrict processing of your personal data in certain circumstances (e.g. while a dispute is being resolved).

Right to Lodge a Complaint

You have the right to lodge a complaint with your national data protection authority (DPA) if you believe we are processing your personal data unlawfully.

To exercise any of these rights, please contact us at privacy@nabu.watch. We will respond within 30 days.

7. Cookies

We use cookies and similar technologies on our platform. Please refer to our Cookie Policy for full details of what cookies we use, why we use them, and how you can manage your cookie preferences.

8. International Transfers

Your personal data is stored and processed within the European Union. We do not transfer personal data to countries outside the EEA unless adequate safeguards are in place (e.g. Standard Contractual Clauses approved by the European Commission, or an adequacy decision).

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include encryption in transit (TLS), encryption at rest, access controls, regular security assessments, and audit logging. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security, but we take data protection seriously.

10. Children's Privacy

Our service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data about a child, please contact us and we will delete it promptly.

11. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email or by a prominent notice in the application. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the service after the effective date constitutes acceptance of the updated policy.

12. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact our privacy team: