Privacy Policy
Last updated: 28th May 2026 at 20:40PM
This privacy policy explains how Nagged LTD ("we", "us", "our") collects, uses and protects your personal information when you use our website at nagged.ai or otherwise interact with our service.
We are committed to handling your data responsibly and giving you clear control over it.
1. Who we are
Nagged LTD is a private limited company registered in England and Wales.
- Registered office: 66 Paul Street, London, England, United Kingdom, EC2A 4NA
- Companies House number: 17211514
- ICO registration number: [TBC]
- Data controller: Nagged LTD
- Contact for data matters: [email protected]
We are the data controller for the personal information described in this policy.
2. What personal information we collect
Information you give us:
- Your email address (when you request a sketch preview)
- Your first name (when you request a sketch preview)
- Your business name and business details (type of business, services, target audience, tone of voice, primary website goal, years trading)
- Your brand colours and (optionally) a logo file you upload
- A phone number, if you give us one when requesting a callback or deposit
- Payment information, if you pay a deposit — processed directly by Stripe; we don't store your card details
- Any message you write when contacting us
Information we collect automatically:
- Your IP address (used for security, rate limiting and abuse prevention)
- Standard server logs (browser type, request times, referring page)
- Cookies set by the website (see Cookies section)
- Marketing source data (UTM parameters) if you arrived via an advertising link
3. Why we use your information (lawful bases)
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Generate your AI website sketch from your inputs | Performance of a service you requested (contract) |
| Email you the link to your sketch | Performance of a service you requested (contract) |
| Bot/spam protection and rate limiting (IP logs) | Legitimate interest in preventing abuse |
| Process a deposit payment | Performance of a service you requested (contract) |
| Send service-related notifications | Performance of a service you requested (contract) |
| Send marketing emails about Nagged services | Soft opt-in under PECR Regulation 22(3), with opt-out at every step |
| Respond to your contact / support enquiries | Legitimate interest in providing customer service |
| Comply with legal obligations (e.g. HMRC tax records) | Legal obligation |
You can object to any processing based on legitimate interest by emailing [email protected].
4. Who we share your information with
We share your personal information with the following third-party data processors. Each is bound by a Data Processing Agreement (DPA) under UK GDPR Article 28.
| Processor | What we share | Purpose | Where |
|---|---|---|---|
| Anthropic (Claude API) | Business name, quiz answers, brand inputs | Generates the AI sketch content | USA (UK/EU adequacy safeguards) |
| Stripe | Email, name, payment details | Processing deposit payments | UK / Ireland |
| Cloudflare | IP, request data, uploaded logo files, bot signals | DNS, CDN, R2 storage, bot protection | Global (Cloudflare network) |
| Hetzner Cloud | All data stored on our server | Hosting our application and database | Germany or Finland (EU) |
| Resend | Email address and email content | Sending transactional and marketing emails | USA (UK/EU adequacy safeguards) |
| Google Workspace | Inbound emails sent to @nagged.ai | Inbound mailbox hosting | USA (UK/EU adequacy safeguards) |
| Pexels | No personal data shared | Stock image library for sketches | N/A |
We do not sell, rent or trade your personal data with anyone for marketing purposes.
5. International data transfers
Some of our processors (notably Anthropic, Resend and Google) are based in the United States. Where personal data is transferred outside the UK, we rely on the UK adequacy regulations (where applicable, e.g. UK-US Data Bridge), Standard Contractual Clauses with the UK addendum, and/or the processor's Binding Corporate Rules — all of which are UK GDPR-recognised safeguards.
6. How long we keep your information
| Data | Retention period |
|---|---|
| Lead information (where no purchase made) | 24 months from last interaction, then deleted |
| Generated preview pages (/p/{slug} links) | 7 days from creation, then expired |
| Callback requests | 24 months from last interaction, then deleted |
| Paid deposit records and Stripe data | 7 years from transaction (HMRC requirement) |
| Server logs (including IPs) | 30 days, then rotated |
| Marketing opt-out records | Indefinitely (so we know not to email you again) |
After the retention period, data is permanently deleted or anonymised.
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten"), subject to legal retention requirements
- Restrict how we process your data
- Object to processing based on legitimate interest
- Portability — receive your data in a machine-readable format
- Withdraw consent to marketing emails at any time (one-click unsubscribe in every marketing email)
- Complain to the ICO if you believe we've mishandled your data — ico.org.uk/concerns
To exercise any of these rights, email [email protected] with "GDPR request" in the subject line. We aim to respond within 30 calendar days as required by UK GDPR.
8. Cookies
We use a minimal number of cookies, all strictly necessary for the website to function:
| Cookie | Purpose | Lifetime |
|---|---|---|
| nagged_session | Maintains your browser session so the form works across page loads | 2 hours |
| XSRF-TOKEN | Prevents cross-site request forgery attacks (security) | 2 hours |
| cf_clearance (Cloudflare) | Bot protection challenge result | Up to 30 minutes |
We do not currently use analytics cookies, marketing pixels or any third-party tracking. If that changes, we will update this policy and add a cookie consent banner.
9. Security
We protect your data with industry-standard safeguards including HTTPS encryption, encrypted storage of uploaded files, access controls on the admin interface, rate limiting and bot protection, and regular security updates.
No system is 100% secure. If we ever experience a personal data breach that poses a risk to your rights, we will notify the ICO within 72 hours and, where required, notify you directly.
10. Children
Our service is intended for UK business owners. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Marketing
If you've given us your email through our preview funnel, we may occasionally email you about new templates, features, case studies, marketing tips and updates from Nagged.
This is on the basis of PECR soft opt-in — we got your email during a sales enquiry for our service, and we only market our own similar services. You can unsubscribe from any marketing email with one click, or by emailing [email protected]. Service emails (e.g. your sketch link, deposit receipts) are not affected by an unsubscribe.
12. Changes to this policy
We may update this privacy policy from time to time. The "Last updated" date at the top will reflect the latest changes. For significant changes we will notify users by email.
13. How to contact us
For any questions about this privacy policy, or about how we handle your personal data:
- Email: [email protected]
- Post: Nagged LTD, 66 Paul Street, London, England, United Kingdom, EC2A 4NA
If you're unhappy with how we've handled your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk/concerns or by calling 0303 123 1113.