Privacy Policy
Last updated: 2 July 2026
This document is subject to legal review and may change following that review.
1. Who we are
Nucleus HQ is a multi-tenant, white-label CRM platform operated by Miles Austin trading as Nucleus HQ. We are based in the United Kingdom.
For platform account data, Miles Austin trading as Nucleus HQ is the data controller. For tenant CRM data, each tenant is normally the data controller and Nucleus HQ acts as their processor.
You can contact us about privacy matters at: support@nucleushq.app
2. Scope of this policy
This policy applies to all personal data processed through the Nucleus HQ platform, regardless of which tenant host you access it on (for example, hub26.nucleushq.app or any custom domain pointing to Nucleus HQ).
Nucleus HQ operates in two distinct capacities, and your rights differ slightly depending on which applies to you. Section 5 explains this in detail.
3. Data we collect
3.1 Platform account data
When a tenant administrator creates or manages a Nucleus HQ account, we collect:
- Name and email address of account holders and team members
- Hashed password credentials
- Billing contact information and payment method metadata (card last four digits, expiry) processed via Stripe
- Usage logs, session tokens, and access timestamps for security and audit purposes
- Custom branding assets (logo, colour settings) uploaded by the tenant
3.2 Tenant CRM data
Tenants (businesses using Nucleus HQ to manage their own customers) upload or generate data about their contacts through the platform. This may include:
- Contact names, email addresses, phone numbers, and notes
- Conversation history across email and other connected channels
- Booking and calendar appointment records
- Lead source and campaign information
- Files and documents uploaded to contact records
- Segment membership, pipeline stage, and custom field values
- Funnel activity and automation event logs
Nucleus HQ does not determine the purposes for which this CRM data is used. That responsibility rests with the tenant. See Section 5.
3.3 Technical and usage data
- IP addresses, browser type, and device information collected via server logs
- Feature usage patterns collected for platform improvement
- Error reports and diagnostic information
4. Cookies and similar technologies
Nucleus HQ uses only the following categories of cookies by default:
| Category | Purpose | Strictly necessary? |
|---|---|---|
| Session / authentication | Keeps you signed in across page loads | Yes |
| CSRF protection | Prevents cross-site request forgery attacks | Yes |
| Cookie consent preference | Remembers your consent choice | Yes |
We do not use any analytics, advertising, or third-party tracking cookies by default. You may be shown a consent banner on your first visit; declining will not affect your ability to use the platform. Full detail on cookie categories and how to manage them is in our Cookie Policy.
5. Our role as controller and processor
5.1 Controller for platform account data
For the account data of tenant administrators and team members (Section 3.1), Nucleus HQ acts as the data controller. We decide why and how this data is processed, and this privacy policy governs those activities.
5.2 Processor for tenant CRM data
For the CRM data that tenants load into the platform (Section 3.2), Nucleus HQ acts as a data processor acting on the tenant's instructions. Our processor obligations are set out in our Data Processing Agreement. The tenant is the controller of that data and is responsible for:
- Having a lawful basis for collecting and processing their contacts' data
- Providing their own privacy notice to the contacts they manage in Nucleus HQ
- Responding to data subject rights requests from their own contacts
- Ensuring their use of Nucleus HQ complies with applicable law
If you are a contact in a Nucleus HQ tenant's CRM and wish to exercise your data rights, please contact that business directly. They are the controller of your data.
6. Our legal bases for processing
We process platform account data under the following legal bases (UK GDPR Article 6):
- Contract (Art. 6(1)(b)): Processing necessary to provide the platform to you under our Terms of Service.
- Legitimate interests (Art. 6(1)(f)): Security logging, fraud prevention, platform improvement, and business communications.
- Legal obligation (Art. 6(1)(c)): Retaining billing and transaction records to meet financial reporting obligations.
- Consent (Art. 6(1)(a)): Any non-essential cookies or optional marketing communications, where applicable.
7. Subprocessors
We share data with the following categories of subprocessors to operate the platform:
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare | CDN, DDoS protection, DNS, bot management | US / Global |
| Resend | Transactional email delivery | US |
| Stripe | Payment processing and billing management | US / EU |
| Contabo GmbH | Server infrastructure and data storage | United Kingdom / Germany |
Where subprocessors are located outside the UK or European Economic Area, we rely on appropriate transfer mechanisms, such as the International Data Transfer Agreements approved by the ICO, or adequacy decisions, to ensure equivalent protection. The maintained register, including providers engaged only if enabled, is on our Subprocessors page.
8. Data retention
- Account data: Retained for the lifetime of your account, plus six years after closure to meet financial and legal obligations.
- Security and access logs: Retained for up to 90 days.
- Tenant CRM data: Retained until the tenant deletes it or closes their account, at which point it is purged within 30 days.
- Backups: Encrypted backups are retained for up to 30 days and then permanently deleted.
9. Security measures
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2 or higher) and at rest
- Tenant data isolation so each tenant's data is logically separated
- Password hashing using industry-standard algorithms
- Brute-force rate limiting on authentication endpoints
- Access controls limiting staff access to data on a need-to-know basis
- Regular security reviews and patch management
10. Your rights under UK GDPR
Where Nucleus HQ is the controller of your personal data (platform account data), you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Request deletion of your data where there is no overriding legitimate reason to retain it.
- Restriction: Ask us to restrict processing of your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, email us at support@nucleushq.app. We will respond within one calendar month.
11. Right to complain
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's OfficeWycliffe House
Water Lane
Wilmslow
SK9 5AF
ico.org.uk/make-a-complaint
We ask that you contact us first so we can try to resolve your concern.
12. Changes to this policy
We may update this policy from time to time. We will notify account holders by email before any material changes take effect. The "Last updated" date at the top of this page always reflects the most recent version.