Privacy Policy
Last Updated: December 2025
Introduction
This Privacy Policy explains how Forlais Group LTD (trading as Forlais AI, "we," "us," "our," or "Company") collects, uses, processes, and protects your personal data when you visit, browse, or interact with our website at www.allnudge.com (the "Website") and use our services (the "Services").
We are committed to protecting your privacy and ensuring you have a positive experience on our Website. This policy sets out our data handling practices in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR) 2003, and the Data (Use and Access) Act 2025.
Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Website.
Our Data Protection Commitment
- Organisation Name: Forlais Group LTD (trading as Forlais AI)
- Company Number: 16835488
- Registered Address: 41 Albemarle Street, 3rd Floor, Mayfair, London, United Kingdom, England, W1S 4JL
- Email: business@forlaisgroup.com
- Phone: +44 1202 898 355
As a UK-based company, we are registered with the Information Commissioner's Office (ICO) and comply with all applicable UK data protection legislation. Your rights and the security of your personal data are paramount to us.
What Personal Data We Collect
We collect and process personal data in the following ways:
Information You Provide Directly:
- Contact Information: Name, email address, telephone number, postal address, and company name (where applicable)
- Account Information: Username, password, and profile information when you create an account
- Communication Data: Messages, queries, feedback, and correspondence you send to us
- Transaction Information: Payment details and order history (payment processing is handled securely by third-party providers; we do not store full payment card details)
- Support Requests: Details provided when you contact our customer support team
Information Collected Automatically:
- Technical Data: IP address, browser type and version, operating system, device identifiers, and referral source
- Usage Data: Pages visited, time spent on pages, links clicked, features accessed, and interactions with our Website
- Location Data: Approximate geographic location based on IP address (we do not collect GPS-level precise location data without your explicit consent)
- Cookies and Tracking Technologies: Information collected through cookies, web beacons, pixels, and similar technologies (see our Cookie Policy)
Information from Third Parties:
We may receive personal data about you from:
- Analytics Providers: Data about your interaction with our Website
- Payment Processors: Transaction verification data
- Marketing Partners: Data used for targeted advertising (where you have consented)
- Third-Party Authentication Services: If you use single sign-on features
- Business Partners or Integration Partners: If applicable
- Publicly Available Sources: Information from public registers or your social media profiles (where applicable)
Legal Basis for Processing
Under UK GDPR, we only process your personal data where we have a lawful basis to do so. We rely on the following lawful bases:
(a) Your Consent
We process personal data with your explicit, informed consent for:
- Marketing communications (email, SMS, push notifications)
- Non-essential cookies and optional analytics
- Voluntary participation in surveys or research
You can withdraw consent at any time by contacting us or adjusting your preferences in your account settings.
(b) Contractual Obligation
We process personal data necessary to:
- Fulfil your account registration and provide our Services
- Process transactions and send confirmations
- Deliver customer support
- Manage your subscription or service agreement
(c) Legal Obligation
We process personal data to:
- Comply with tax and accounting requirements (including 7-year retention for transaction records)
- Respond to legal requests, lawsuits, or regulatory inquiries
- Fulfil legal obligations under UK law
- Comply with fraud prevention regulations
(d) Legitimate Interest
We process personal data for our legitimate business interests, including:
- Fraud prevention and security
- Website and service improvement
- Analysing usage patterns to enhance user experience
- Direct marketing to existing customers (where permitted by law)
- Service troubleshooting and technical support
- Compliance monitoring and audit purposes
- Enforcing our terms and conditions
We have carefully balanced our interests against your rights, and we consider our processing proportionate and necessary. Before processing data based on legitimate interests, we conduct a balancing test to ensure our interests do not override your privacy rights.
(e) Vital Interests
We may process personal data where necessary to protect your vital interests or the vital interests of others (such as safety or health in emergency situations).
(f) Public Task
Where applicable, we may process personal data where necessary to perform a task in the public interest or to carry out official authority functions.
How We Use Your Information
We use the personal data we collect for the following purposes:
- Service Delivery: Providing, maintaining, and improving our Website and Services
- Account Management: Creating and managing your account, authentication, password recovery, and access control
- Communication: Responding to inquiries, providing customer support, and sending service-related announcements
- Transactions: Processing payments, confirming orders, and managing transactions
- Marketing: Sending promotional material, newsletters, and marketing communications (where consented or permitted by law)
- Analytics and Research: Understanding how users interact with our Services to optimise performance and user experience
- Security: Detecting, preventing, and addressing fraud, security breaches, and technical issues
- Compliance: Meeting legal, regulatory, and contractual obligations
- Aggregated Insights: Creating anonymised statistical data for business analysis
- Automated Decision-Making: Personalising your experience and content recommendations (with appropriate safeguards)
- Legal Proceedings: Establishing, exercising, or defending legal claims
Who We Share Your Data With
We may share your personal data with carefully selected third parties:
Service Providers and Processors:
These providers process data on our behalf under Data Processing Agreements, and include:
- Cloud hosting and infrastructure providers
- Payment processors and financial institutions
- Customer support and ticketing platforms
- Email and communication service providers
- Analytics and web traffic analysis tools (e.g., Google Analytics)
- Marketing and advertising platforms (with consent)
- Security and anti-fraud service providers
Legal Requirements and Authorities:
We may disclose your personal data to:
- UK law enforcement agencies (police, courts)
- Regulatory authorities and tax authorities
- Government agencies investigating fraud or illegal activity
- Courts in response to legal proceedings
- Other parties in connection with legal claims or disputes
Business Transfers:
In the event of a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred as part of that business transaction. We will notify you of any such change and any choices you may have.
With Your Consent:
We may share your personal data with third parties with your explicit consent for specific purposes, including:
- Third-party partners or integrations you have chosen to connect with your account
- Business partners for co-marketing initiatives
No Sale of Data:
We do not sell, rent, or trade your personal data to third parties for marketing purposes. All recipients are contractually obligated to protect your data and comply with data protection laws.
How Long We Retain Your Data
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal obligations.
Typical Retention Periods:
- Account Information: For the duration of your account plus 3 years after account deletion (for legal and tax purposes, audit, and dispute resolution)
- Transaction Records: 7 years (as required by UK tax and accounting legislation)
- Email Communications: 2 years, unless required longer for legal purposes
- Website Analytics Data: 24 months (after which it is automatically anonymised)
- Customer Support Records: 2 years following resolution of your inquiry
- Marketing Preferences: Until you unsubscribe or withdraw consent
- Failed Login/Fraud Data: 1 year
- Cookies: Session-based to 24 months (as detailed in our Cookie Policy)
After the applicable retention period, we securely delete your personal data. In some cases, we may anonymise or aggregate data indefinitely for statistical, historical, or business purposes.
If you request data deletion, we will remove your personal data subject to legal and contractual retention requirements.
International Data Transfers
Our Website and Services are primarily provided from the United Kingdom. However, we may transfer your personal data to countries outside the UK/EEA in limited circumstances.
When we do, we ensure:
- Transfer to a jurisdiction deemed adequate by the UK Government or ICO
- Appropriate safeguards, including Standard Contractual Clauses (SCCs)
- Compliance with UK GDPR requirements for third-country transfers
- Information about the transfer and protections in place
For transfers to the USA and other non-adequate countries, we implement appropriate safeguards. You have the right to request information about transfer mechanisms by contacting us.
Your Data Protection Rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
Right of Access (Subject Access Request)
You have the right to request a copy of all personal data we hold about you in a structured, commonly used, and machine-readable format. We will provide this within 30 calendar days of a valid request (up to 90 days for complex requests).
Right of Rectification
You have the right to request correction of any personal data that is inaccurate or incomplete.
Right to Erasure ("Right to be Forgotten")
In certain circumstances, you can request we delete your personal data, including where:
- Data is no longer necessary for the purposes collected
- You withdraw consent and no other lawful basis exists
- You object to processing and we have no compelling grounds
- The data is unlawfully processed
- Legal obligation requires deletion
Note: We may retain data where required by law or where we have a legal obligation to do so.
Right to Restrict Processing
You can ask us to limit how we use your personal data. We will continue to store it but will not process it further without your consent, except where legally required.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as CSV) and to transmit it to another controller. This applies to data processed based on consent or contract.
Right to Object
You have the right to object to processing of your personal data on the basis of legitimate interest. Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
You can also object to direct marketing and automated decision-making at any time.
Rights Related to Automated Decision-Making
If we make automated decisions about you that have legal or similarly significant effects, you have the right to:
- Understand the logic of the decision
- Know the significance and consequences
- Request human intervention and reconsideration
- Express your point of view
- Request a human review of the decision
Right to Withdraw Consent
If our processing of your personal data is based on consent, you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have breached your data protection rights:
Information Commissioner's Office (ICO)
- Website: www.ico.org.uk
- Phone: 0303 123 1113 (local rate) or 01625 545 745
- Email: casework@ico.org.uk
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
How to Exercise Your Rights
To exercise any of your data protection rights, please contact us with:
- Your name and account email address
- Clear description of your request
- Any supporting documentation
We will respond to your request within 30 calendar days. In complex cases, we may extend this to 90 days (and will notify you of the extension). Submit requests to: business@forlaisgroup.com
Cookies and Similar Technologies
What Are Cookies?
Cookies are small files placed on your device by our Website that store information about your browsing activity. We use cookies to enhance your experience and gather analytics data.
Types of Cookies We Use:
- Essential Cookies: Required for basic Website functionality (authentication, security, session management). These do not require consent.
- Performance/Analytics Cookies: Google Analytics and similar tools that collect anonymised data about how you use our Website (pages visited, time spent). Used to improve our Services.
- Functional Cookies: Remember your preferences and settings to personalise your experience.
- Marketing Cookies: Third-party cookies used for retargeting and advertising purposes. These require your explicit consent.
For detailed information about our cookie usage, please see our Cookie Policy.
Data Security
We implement comprehensive technical, operational, and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:
- Encryption: SSL/TLS encryption for data in transit; encryption of sensitive data at rest
- Access Controls: Role-based access restrictions for staff; restricted access on a need-to-know basis
- Firewalls and Monitoring: Multi-layer security infrastructure and continuous monitoring
- Regular Audits: Security assessments and penetration testing
- Incident Response: Documented procedures for responding to data breaches
- Staff Training: Data protection and security awareness training for all personnel
- Secure Development: Secure coding practices and regular software updates
- Third-Party Vetting: Security requirements in all processor contracts
Your Responsibility:
You are responsible for maintaining the confidentiality of your login credentials. Do not share your password with others or use passwords you use for other services. If you suspect unauthorised access to your account, notify us immediately.
Limitations:
While we employ robust security measures, no system is 100% secure. We cannot guarantee absolute security of data transmitted over the internet. Any transmission is at your own risk.
Data Breach Notification
If we experience a data breach involving your personal data, we will:
- Notify you without undue delay (generally within 72 hours)
- Provide details of the breach, affected data, and likely consequences
- Explain measures we are taking to mitigate harm
- Provide contact details for further information
We will also notify the ICO as required under UK GDPR Article 33.
Third-Party Links and Content
Our Website may contain links to third-party websites and services. This privacy policy does not apply to external websites. We are not responsible for the privacy practices of third parties. We recommend reviewing their privacy policies before providing personal data.
Children's Privacy
Our services are not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will delete such data immediately.
For users aged 13-18, we provide additional privacy protections and do not use data for marketing purposes without verifiable parental consent.
If you believe a child has provided us with personal data, please contact us immediately.
Changes to This Privacy Policy
We may update this privacy policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated policy on our Website with a new "Last Updated" date
- Sending you an email notification (for material changes)
- Requesting your explicit consent (if legally required)
Your continued use of our Website following changes constitutes your acceptance of the updated policy. We encourage you to review this policy regularly.
Special Category Data
We do not intentionally collect special category data (such as race, ethnicity, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or sexual orientation) unless:
- You voluntarily provide it and explicitly consent
- We are required to do so by law
- It is necessary for legal claims or compliance
If you do provide special category data, we will process it with additional safeguards.
Marketing Communications
If you have consented to receive marketing communications, we will send you information about products, services, updates, and promotional offers via:
- SMS or telephone
- Push notifications
- Social media messaging
Opting Out:
You can unsubscribe from marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Logging into your account and updating your preferences
- Contacting us directly
We will honour your preferences within 10 working days.
Contact Us for Privacy Matters
If you have questions about this privacy policy, wish to exercise your data protection rights, or have concerns about our privacy practices, please contact us:
Forlais Group LTD (Forlais AI)
- Email: business@forlaisgroup.com
- Postal Address: 41 Albemarle Street, 3rd Floor, Mayfair, London, United Kingdom, England, W1S 4JL
- Phone: +44 1202 898 355
- Data Protection Officer/Lead: F. Macdonald
We aim to respond to all enquiries within 10 working days. Subject Access Requests will be processed within 30 calendar days (up to 90 days for complex requests).
Legal Compliance References
This Privacy Policy has been prepared in compliance with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR) 2003
- Data (Use and Access) Act 2025
- Information Commissioner's Office (ICO) guidance and recommendations
For further information about data protection rights and regulatory requirements, visit: www.ico.org.uk
© 2025 Forlais Group LTD. All rights reserved.
Version: 2.0 (December 2025)
Effective Date: December 2025
This Privacy Policy is legally compliant with UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025, and ICO guidance.