Nichetel
Legal

Privacy Policy

Last updated 2026-05-27

We collect the minimum we need to deliver reports and invoices, store it in the EU, don't sell it, and let you delete it on request. This page explains all of that in detail.

1. Who we are

Nichetel is published by ATLAS LEARNING HOLDINGS LIMITED, registered in United Kingdom. Company registration: 17274155. Registered address: 172 Stafford Street, Wolverhampton, England, WV1 1NA. We're the data controller for any personal data we process about you. Privacy questions: privacy@nichetel.com.

2. What data we collect

Account data: name, email, password (stored as a salted hash, never in plaintext), preferred currency, optional billing country.

Transactional data: orders you place, items in your library, invoice details (including company name and VAT number if you provide them).

Technical data: IP address (anonymised after 7 days), user-agent string, session cookie. We do not run third-party analytics, advertising pixels, or social-network embeds at launch.

Support correspondence: the contents of messages you send via the contact form or by email.

3. Why we collect it

  • To deliver the reports you bought.
  • To process payment and meet tax record-keeping obligations.
  • To respond to your messages.
  • To detect fraud and abuse.
  • To improve the Service based on aggregate (non-identifying) patterns.

4. Legal basis (GDPR / UK GDPR)

  • Contract (Art. 6(1)(b)): to deliver the reports you bought.
  • Legal obligation (Art. 6(1)(c)): to keep tax records.
  • Legitimate interest (Art. 6(1)(f)): to prevent fraud and improve the Service. You may object; see §8.
  • Consent (Art. 6(1)(a)): when you opt in to any future marketing emails (none at launch).

5. Where we store data and for how long

Data is hosted on EU-region infrastructure. Retention:

  • Account data: until you delete your account, or 24 months of inactivity.
  • Invoice and transactional records: 6 years (tax law requirement).
  • Support tickets and contact-form messages: 24 months.
  • Technical logs: 12 months (IP anonymised after 7 days).

6. Who we share data with

We share the minimum necessary data with the following processors, all of whom have a DPA in place:

  • Payment processor: Stripe (or equivalent, TBD at launch). They see your name, email, and the amount charged; we don't see your full card number.
  • Email provider: for sending invoices and account emails. provider TBD until esp_provider is selected.
  • Database/auth provider: Supabase EU region. Stores your account and order data under our control.
  • PDF storage: Cloudflare R2. Stores your library PDFs.

We do not sell, rent, or trade your data. We only share with law enforcement when legally compelled, and we'll tell you unless the order forbids it.

7. Cookies

We use only essential cookies at launch: a session cookie to keep you logged in, a CSRF token cookie for form security, and a currency-preference cookie. No analytics cookies. No tracking pixels. If we add analytics later, we'll ask for consent before setting any non-essential cookie.

8. Your rights

Under GDPR, UK GDPR, and similar laws (including the California Consumer Privacy Act for California residents), you can:

  • Ask for a copy of the data we hold about you (right of access).
  • Correct inaccurate data (rectification).
  • Delete your account and associated data (erasure / "right to be forgotten").
  • Receive your data in a portable format (portability).
  • Object to processing based on legitimate interest.
  • Restrict processing while a dispute is resolved.
  • For California residents: opt-out of any sale of personal information (we don't sell), and we won't discriminate against you for exercising your rights.

Email privacy@nichetel.com to exercise any of these. We respond within 30 days. You can also delete your account directly from workspace settings.

9. International transfers

If we transfer your data outside the European Economic Area (e.g. to a US-based sub-processor), we rely on Standard Contractual Clauses or an equivalent adequacy mechanism. The list of sub-processors in §6 reflects our current setup.

10. Children's data

We don't knowingly collect personal data from anyone under 18. If you believe a minor has created an account, email privacy@nichetel.com and we'll remove it.

11. Changes to this policy

We'll notify registered users by email at least 14 days before any material change takes effect, and post the new policy here with an updated "Last updated" date.

12. Supervisory authority

If you believe we've mishandled your data, you can complain to the supervisory authority in your country of residence. For United Kingdom, the supervisory authority is data-protection authority TBD per holdco_country.

13. Contact

For anything privacy-related: privacy@nichetel.com. We aim to reply within 5 business days, and always within 30 calendar days.