1. Who we are
Noxvik Ltd (“Noxvik”, “we”, “us”, or “our”) is the data controller for the personal data described in this policy.
Noxvik Ltd
Office 18553, 182-184 High Street North, East Ham, London, E6 2JA
Registered in England and Wales · Company No. 17171815
ICO Registration: ZC134553
Email: hello@noxvik.com
We have not appointed a Data Protection Officer because we are not required to do so under Article 37 of the UK GDPR. Our nominated privacy contact handles all data protection queries and can be reached at the email address above.
2. Scope of this policy
This policy applies to:
- Visitors to noxvik.com and any subdomains we operate.
- Business contacts who enquire about, request a quote for, or book a reputation audit with us.
- Decision-makers, authorised users, and points of contact at our client organisations.
- Individuals whose reviews or feedback appear on review platforms we administer on behalf of a client (for example Google Business Profile, Trustpilot, Facebook, or Yelp).
- Suppliers, partners, and other third parties we correspond with in the course of business.
This policy does not cover the practices of third-party platforms (such as Google, Trustpilot, Meta, Yelp, or LinkedIn) that operate under their own privacy policies. We provide signposting to those policies where relevant.
3. Personal data we process
We process the following categories of personal data, depending on your relationship with us:
3.1 Identification and contact data
- Full name, job title, role, and the organisation you represent.
- Business email address, telephone number, and postal address.
- Authentication details such as account usernames and hashed passwords for any client portal we provide.
3.2 Business and commercial data
- Company name, sector, trading address, registered number, and approximate business size.
- Contractual records, including signed agreements, statements of work, and service tier.
- Billing and payment information processed through our payment processor (we do not store full card numbers).
- Correspondence, support tickets, and notes from calls or meetings.
3.3 Website and technical data
At present our website does not run analytics. The only technical data we process when you visit is:
- IP address, browser type and version, operating system, device type, and referring URL, contained in standard server logs and used for security and to keep the site running.
- Your IP address is also transmitted to Google when your browser loads the web fonts used on this site. See section 7.
- Strictly necessary cookies and similar identifiers, placed under the PECR Regulation 6(4) exemption.
If we introduce website analytics in the future, we would also process behavioural data such as pages visited, time spent on pages, links clicked, scroll depth, approximate location derived from IP, and session identifiers. We would only do so after putting an appropriate consent mechanism in place and updating this policy, as described in section 7.
3.4 Service operations data
- Brand voice samples, tone of voice guidelines, and approved response templates you share with us.
- Drafts, edits, and final versions of review responses produced for you.
- Performance reports we generate covering review velocity, rating trends, and response times. For clients on the Growth Plan, reports also include competitor benchmarks.
- Notes relating to disputed reviews, including correspondence with platforms about review removal requests.
3.5 Review platform data
Where we administer review platforms on your behalf, we may process limited personal data relating to reviewers, including the reviewer’s display name, the text and rating of their review, and any platform-issued identifier. We treat this data strictly in line with the relevant platform’s terms of service and only for the purpose of responding to and managing reviews. Further detail is in section 9.
4. Where we collect data from
We collect personal data from the following sources:
- Directly from you, when you complete a form on our website, book an audit, send us an email, speak with us on a call, or sign a service agreement.
- From your colleagues, where someone within your organisation introduces us to you or nominates you as a point of contact.
- From public sources, such as Companies House, your company’s website, LinkedIn company pages, business directories, and trade publications, for the purpose of researching and contacting potential B2B clients.
- From review platforms via authorised access you have granted us (for example via Google Business Profile management permissions).
- From our service providers, such as our CRM, email, and hosting platforms, and from any analytics platform we introduce in the future.
- From referrers and partners, where they introduce you to us with your awareness.
5. Purposes and lawful bases
Under Article 6 of the UK GDPR we must have a lawful basis for processing personal data. The subsections below summarise the main purposes for which we process personal data and the lawful basis we rely on for each.
5.1 Delivering our services to you (Article 6(1)(b), contract)
We rely on the performance of a contract, or steps taken at your request prior to entering a contract, to process your data when you enquire about our services, when we onboard you, and when we deliver the contracted services month to month.
5.2 Running and developing our business (Article 6(1)(f), legitimate interests)
We rely on legitimate interests to:
- Identify and contact prospective B2B clients whose business profile suggests our services would be relevant.
- Maintain CRM and pipeline records.
- Improve our website, services, internal training, and processes.
- Protect our network and infrastructure from fraud and abuse.
- Establish, exercise, or defend legal claims.
We have completed legitimate interests assessments for each of these purposes and have balanced our interests against the rights and freedoms of the individuals concerned. You can ask for further detail at any time using the contact details in section 20.
5.3 Service-related communications (Article 6(1)(b), contract; Article 6(1)(a), consent)
Noxvik does not send marketing emails to the clients we work with or to the contacts you share with us. We do not rely on the PECR Regulation 22(3) “soft opt-in” to market to existing customers. Where you submit your details through our website (for example to request a Reputation Scorecard), we use them only to fulfil that specific request and to follow up on related queries you initiate. If we ever want to send any other form of electronic marketing, we will obtain your specific prior consent first, and you can opt out at any time by emailing us.
5.4 Legal and regulatory obligations (Article 6(1)(c), legal obligation)
We process data where required by law, including in relation to UK tax, accounting, anti-money laundering, the Companies Act 2006, and our regulatory obligations under the UK GDPR, PECR 2003, and the DMCC Act 2024.
5.5 Cookies and trackers (Article 6(1)(a), consent)
We rely on your consent under PECR for non-essential cookies and similar technologies. See section 7 for full detail.
6. Special category and criminal offence data
We do not seek to collect special category data (as defined by Article 9 of the UK GDPR) or criminal offence data (as defined by Article 10) in the ordinary course of our business. If such data is incidentally included in a customer review or in correspondence forwarded to us by a client, we will minimise its use and retention and process it only where strictly necessary, relying on the appropriate Article 9 or Schedule 1 Data Protection Act 2018 condition.
Please do not share health information, racial or ethnic origin, religious beliefs, political opinions, trade union membership, genetic or biometric data, sexual orientation, or any details of criminal convictions with us unless we have specifically requested it for a defined purpose.
7. Cookies and similar technologies
We use cookies and similar technologies in line with the Privacy and Electronic Communications Regulations 2003 (PECR), as amended, and the UK GDPR. A cookie is a small text file placed on your device by a website. Similar technologies include local storage, session storage, and pixel tags.
7.1 Cookies and third-party requests we currently use
At present, our website sets only strictly necessary cookies. These are required for the website to function (for example, security and load balancing) and are placed without consent under the PECR Regulation 6(4) exemption. We do not currently use analytics, functional, or marketing cookies, and we do not use any third-party advertising or behavioural tracking technologies on this website.
Our website loads web fonts hosted by Google (Google Fonts). When your browser requests these fonts, your IP address and basic request data are sent to Google in order to serve the fonts. We do not use this for analytics or advertising, but it is a transfer of personal data to a third party outside the strictly necessary cookie set described above. International transfers are addressed in section 11. You can prevent external font loading using your browser settings or an extension, and we keep the option to self-host these fonts under review.
7.2 Future changes and managing your preferences
If we introduce analytics, functional, or marketing cookies in the future, we will first put in place an appropriate consent mechanism in line with PECR and the UK GDPR, and we will update this policy before any such cookie is set. You can also manage cookies at any time in your browser settings, including blocking or deleting cookies that have already been placed. Restricting cookies may reduce some functionality of the website but will not prevent you from accessing it.
8. Electronic marketing and PECR
Noxvik does not send unsolicited electronic marketing to the clients we work with, the contacts you share with us, or the individuals who submit details to our website. We do not rely on the PECR Regulation 22(3) “soft opt-in” to market to existing customers, we do not buy or rent marketing lists, and we do not send unsolicited automated calls, text messages, or faxes for marketing purposes.
If we ever send an electronic marketing communication, it will be on the basis of your clear prior consent and will include an easy means to opt out at any time. To opt out, or to ask us to stop processing your details for any communication, email hello@noxvik.com. We act on requests within five working days at the latest.
9. Client and review platform data
When you engage us to manage your online reviews, you remain the controller of the personal data that exists on your review platforms (such as reviewer display names and review content). We act as your processor in respect of that data, under the terms of a written agreement that includes the provisions required by Article 28 of the UK GDPR.
9.1 What we do with reviewer data
- We access reviewer-visible information solely to draft, schedule, and publish responses on your behalf.
- We do not export bulk reviewer data outside the platform unless you specifically instruct us to do so in writing.
- We do not enrich, append, or cross-reference reviewer data against external sources.
- We do not contact reviewers privately unless the platform itself provides that channel and you have authorised it.
9.2 Platform terms
We comply with the published terms of service and policies of each review platform we administer, including but not limited to Google’s prohibited and restricted content policies, Trustpilot’s guidelines for businesses, Facebook’s community standards, and Yelp’s content guidelines. Where a platform’s policy conflicts with a client instruction, we will pause activity and seek revised instructions.
9.3 Disputes and takedown requests
When we submit a takedown or dispute request to a platform on your behalf, we may share limited personal data (such as the name of the platform’s contact or the reviewer’s display name) with the platform as part of that submission. We do not publish any personal data beyond what is already publicly visible on the platform.
10. Sharing and disclosures
We share personal data only where necessary, and always under appropriate safeguards. The recipients fall into the following categories:
- Service providers acting as our processors, such as cloud hosting, customer relationship management, email delivery, analytics, communication and meeting tools, payment processing, accountancy, and IT support. Each is bound by a written contract that meets the requirements of Article 28 of the UK GDPR.
- Review platforms, where access or submissions are required to deliver our services.
- Professional advisers, including our lawyers, accountants, auditors, and insurers, where they need the data for the services they provide to us.
- Regulators, law enforcement, and other authorities, where disclosure is required by law or to establish, exercise, or defend legal claims.
- Purchasers or successors, in the event of a sale, merger, reorganisation, or insolvency of our business. We will notify you in advance where practicable.
We do not sell personal data and we do not share it for the independent marketing purposes of any third party.
11. International data transfers
Some of our service providers are based outside the United Kingdom, including in the European Economic Area and the United States. When we transfer personal data outside the UK, we rely on one of the following safeguards:
- UK adequacy regulations made by the Secretary of State (for example, transfers to EEA countries).
- The UK International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses.
- The UK Extension to the EU and US Data Privacy Framework, where the recipient is certified.
- An alternative safeguard recognised by the UK GDPR, supported by a transfer risk assessment.
You can request a copy of the relevant safeguards by contacting hello@noxvik.com.
12. Retention
We retain personal data only for as long as we have a legitimate reason to do so. Our default retention periods are:
- Enquiry and prospect records: 24 months from the last meaningful contact, then deleted or anonymised.
- Client contractual records: 6 years from the end of the relationship, in line with section 5 of the Limitation Act 1980.
- Tax and accounting records: 6 years plus the current financial year, as required by HMRC.
- Marketing preferences and suppression lists: indefinitely, to ensure we continue to honour your opt-out.
- Website analytics (only if introduced in the future): up to 14 months at session level.
- Support correspondence: 24 months from the date of the last message.
- CCTV, recordings, and call notes: 30 days unless required for a specific dispute or investigation.
Where the retention period above conflicts with a longer period required by law, the longer period applies.
13. Security
We take appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. Our measures include:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest for systems holding personal data.
- Role-based access controls with the principle of least privilege.
- Multi-factor authentication on all administrative accounts.
- Documented vendor due diligence and ongoing review of our processors.
- Logging, monitoring, and regular review of access to client systems.
- An incident response procedure that includes notification to the ICO within 72 hours where required by Article 33 of the UK GDPR.
- Staff training on data protection and information security.
14. Your rights
Under the UK GDPR you have the following rights, free of charge, in respect of your personal data:
- Right of access (Article 15): to be told whether we hold personal data about you and to receive a copy.
- Right to rectification (Article 16): to have inaccurate or incomplete data corrected.
- Right to erasure (Article 17): to have your data deleted in certain circumstances.
- Right to restrict processing (Article 18): to limit how we use your data while a dispute is resolved.
- Right to data portability (Article 20): to receive certain data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): to object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent (Article 7): where we rely on consent, you can withdraw it at any time.
- Right to complain: to lodge a complaint with the ICO. See section 20.
To exercise any right, please email hello@noxvik.com. We will respond within one calendar month under Article 12(3) of the UK GDPR, with a possible extension of two further months for complex requests, which we will tell you about within the first month. We may need to verify your identity before acting on your request.
15. Automated decision-making and profiling
We do not make decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you under Article 22 of the UK GDPR. We do use software tools to assist with monitoring reviews and drafting responses, but every response published is reviewed by a person at Noxvik before going live. The specific role of automated and AI-assisted tools in delivering our services is described in section 16.
16. Use of technology and automated tools
We may use automated tools, including artificial intelligence and large language model technologies, to assist us in delivering the Services. Typical uses include monitoring review platforms, drafting candidate responses for human review, summarising review trends, and analysing rating data for inclusion in your reports.
All outputs that are generated or assisted by automated tools are reviewed and approved by a person at Noxvik before they are published to any platform on your behalf or sent to you. No review response, public-facing communication, or client report leaves Noxvik in a form that has not passed human review.
While we take reasonable steps to verify the accuracy of outputs produced with these tools, automated systems can occasionally produce inaccurate, incomplete, biased, or otherwise unexpected results. Please let us know promptly if you become aware of any such issue so that we can correct it. Our liability for automated or AI-assisted outputs is governed by the limitation of liability provisions in our Terms of service, and we accept no liability beyond what is set out there.
17. DMCC Act 2024 considerations
The Digital Markets, Competition and Consumers Act 2024 (DMCC Act) introduced new consumer-protection rules concerning online reviews, including the prohibition of fake reviews, paid reviews that are not clearly disclosed, and the suppression of genuine reviews. Although the DMCC Act primarily creates consumer-protection obligations rather than data-protection obligations, it shapes how we handle review-related personal data in important ways:
- We never write, commission, or publish a review that has not been left by a genuine customer of our client.
- We do not anonymise or rebrand reviewer identities to disguise their source.
- We do not offer rewards in exchange for positive reviews.
- We do not selectively suppress or hide genuine negative reviews on a client’s behalf, and we will not assist a client to do so.
- Where reviews are gathered through an invitation we have sent on a client’s behalf, we comply with any applicable disclosure requirements under the DMCC Act and CMA guidance.
- Where a client is found to be in breach of the DMCC Act, we may suspend or terminate services in line with our Terms of service.
We monitor guidance from the Competition and Markets Authority and update our practices accordingly.
18. Children’s data
Our services are aimed at businesses and the professionals who work in them. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we hold personal data of someone under 18 without an appropriate basis, we will delete it.
19. Changes to this policy
We review this policy at least annually and update it when our practices, our suppliers, or the law change. The “Last updated” date at the top of the page shows when the current version came into force. Where the changes are material we will notify affected clients and prospective clients by email or by a prominent notice on our website. Previous versions are available on request.
20. Complaints and contact
If you have any questions about this policy, would like to exercise a right, or are concerned about how we have handled your personal data, please contact us first so we can try to resolve it:
Noxvik Ltd, Privacy
Office 18553, 182-184 High Street North, East Ham, London, E6 2JA
Email: hello@noxvik.com
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data-protection regulator:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
You may also have concerns under the DMCC Act 2024 that fall within the remit of the Competition and Markets Authority. Information on raising those concerns is available on the CMA’s website.