GDPR & Data Protection
Last updated: 1 May 2026
1. Our Commitment
Nexa Point Group Limited ("Nexa Point") is committed to protecting the personal data of our clients, website visitors, and service users. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), which together form the primary data protection framework applicable in the United Kingdom following the UK's departure from the European Union.
This page summarises our data protection obligations and your rights. For full details of how we collect and use personal data, please refer to our Privacy Policy.
2. Who Is the Data Controller?
Nexa Point Group Limited is the data controller for personal data processed in connection with our website, marketing, and client management activities. This means we determine the purposes and means of processing your personal data.
Where we process personal data on behalf of our clients in connection with delivering managed IT services, we act as a data processor. In those circumstances, the client remains the data controller and Nexa Point processes data only in accordance with their documented instructions and under the terms of a data processing agreement.
Data Controller Details:
Nexa Point Group Limited
Company No. 16323341
71–75 Shelton Street, London, WC2H 9JQ
info@nexapoint.co.uk | 07459 158430
3. Lawful Bases for Processing
UK GDPR requires a lawful basis for every processing activity. We rely on the following:
- Contract (Article 6(1)(b)): Processing necessary to perform a contract with you, or at your request prior to entering a contract (e.g. service delivery, invoicing, portal account management).
- Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, including service improvement, security monitoring, and direct client communications, provided those interests are not overridden by your data protection rights.
- Legal Obligation (Article 6(1)(c)): Processing necessary to comply with UK law, including tax and accounting obligations.
- Consent (Article 6(1)(a)): Where you have freely given, specific, informed, and unambiguous consent, for example, analytics cookies and marketing communications.
4. Data Minimisation and Purpose Limitation
We collect only the personal data that is necessary for the specific purpose for which it is collected. We do not process personal data in a manner incompatible with the original purpose for which it was collected, unless we have a new lawful basis or your consent.
5. Data Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of data in transit (TLS/HTTPS) and at rest.
- bcrypt hashing of all user passwords with a cost factor of 12.
- HttpOnly, Secure, SameSite=Strict cookies for authentication tokens.
- Role-based access controls within the client portal.
- Regular review of access permissions and infrastructure security.
- Signed JWTs with short expiry (15 minutes) for API access.
6. Data Retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Our standard retention periods are:
- Client account data: Duration of the service contract plus 6 years (to meet statutory limitation periods).
- Enquiry and contact data: 2 years from last contact.
- Financial and invoicing records: 6 years (HMRC requirement).
- Website analytics data: Up to 26 months.
- Support tickets and communications: 3 years from ticket closure.
7. International Data Transfers
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place. This includes reliance on UK adequacy regulations (for countries deemed to provide adequate protection) or, where required, standard contractual clauses or other approved transfer mechanisms. Our primary hosting provider (Railway Technologies) operates data centres in Europe.
8. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
8.1 Right of Access (Subject Access Request)
You have the right to request a copy of the personal data we hold about you, along with information about how it is used. We will respond within 30 days.
8.2 Right to Rectification
If any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct it.
8.3 Right to Erasure ("Right to Be Forgotten")
You have the right to request deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purpose it was collected, or where you withdraw consent and there is no other lawful basis.
8.4 Right to Restrict Processing
You can request that we restrict the processing of your data in certain situations, such as where you contest its accuracy or object to processing.
8.5 Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
8.6 Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.
8.7 Rights Related to Automated Decision-Making
We do not currently make decisions about individuals solely by automated means that produce significant legal or similarly significant effects.
8.8 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
9. How to Exercise Your Rights
To exercise any of the above rights, please contact us using the details below. We may need to verify your identity before processing your request. We will respond within 30 calendar days. In complex cases, we may extend this by a further two months but will inform you of any extension within the first 30 days.
We will not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
10. Personal Data Breaches
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR. Where the breach poses a high risk to individuals, we will also notify affected individuals without undue delay.
11. The Information Commissioner's Office (ICO)
You have the right to lodge a complaint with the UK supervisory authority at any time:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
ico.org.uk
We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
12. Data Processing Agreements
Where Nexa Point processes personal data on behalf of client organisations as a data processor, we are prepared to enter into a formal Data Processing Agreement (DPA) that meets the requirements of UK GDPR Article 28. Please contact us at info@nexapoint.co.uk to discuss DPA requirements.
13. Contact
For all data protection enquiries, subject access requests, or to exercise your rights, please contact:
Nexa Point Group Limited
71–75 Shelton Street, London, WC2H 9JQ
info@nexapoint.co.uk
07459 158430