Version 1.0 · Issued 24 May 2026 · Self-authored draft adapted from the SEQ Legal / ICO sample. Solicitor review scheduled for first quarter post-launch.
Privacy Policy
1. Who we are
This privacy policy applies to the NureComp service operated by Nure Group Limited (“Nure Group”, “we”, “us”, “our”), a private limited company registered in England and Wales. Our registered office and ICO registration number will appear here once registered.
For most purposes we are the data controller. Where we process personal data on behalf of a customer organisation (training records, learner pseudonyms, etc.) we are the data processor and the customer organisation is the controller.
Contact: privacy@nuregroup.com. Designated Data Protection Officer function: the founder; same address.
2. What information we collect
2.1 From visitors to our marketing site
- Standard server logs (IP address, user agent, requested URL, timestamp)
- Limited cookie-based analytics (see our Cookie Policy)
- Form submissions (lead capture, contact form, free compliance check)
2.2 From buyers (admins / account holders)
- Full name, work email address, company name, country
- Password hash (scrypt) — never the plaintext password
- Authentication timestamps (last login, IP at last login)
- Payment and billing metadata held by Stripe — we receive only references and the last four digits of the card
2.3 From learners — SSO mode (Pro / Business / Enterprise tiers)
A pseudonymous identifier only, derived as HMAC-SHA256 of your IdP subject claim, your organisation's identifier, and a server-held secret. Your name and email are received from the IdP for the duration of each session, are used at runtime to display certificates and personalise the UI, and are never written to our database.
2.4 From learners — email mode (Starter tier)
Name (provided by your admin at invite time), email address, training progress, quiz responses, certificates earned.
2.5 From all learners — training records
- Module assignments and completion timestamps
- Quiz attempts (questions presented, answers chosen, score)
- Certificate metadata (verification code, issued/expiry dates, score)
- Optional learner reflections (visible only to the learner who wrote them; never to admins)
3. Lawful basis
| Processing | Lawful basis |
|---|---|
| Operating your account and the service | Performance of contract (UK GDPR Art. 6(1)(b)) |
| Processing your staff's training data on your behalf | Performance of the DPA between us (Art. 6(1)(b)) |
| Security logging and abuse prevention | Our legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Your consent — opt-in only, freely withdrawable (Art. 6(1)(a)) |
| Tax and accounting records | Compliance with legal obligation (Art. 6(1)(c)) |
4. How we share your information
We share personal data only with the sub-processors required to deliver the service.
See our Sub-processor list for current names, locations, functions, and transfer mechanisms.
We do not sell personal data. We do not share with advertisers.
5. International transfers
All processing is in the EU/UK jurisdiction by default. Where a sub-processor sits outside the UK or EU (e.g. Anthropic for optional AI features available on Pro tier and above), transfers are governed by EU Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Addendum (IDTA). The relevant transfer mechanism is identified per sub-processor on the sub-processor list.
6. Retention
- Training records: six years from completion (UK Limitation Act 1980 alignment)
- Audit logs: six years
- Evidence pack ZIPs (temporary): 7 days, then auto-deleted; regenerable on demand
- Account data: until you delete your account, plus a 90-day grace period
- Marketing email subscribers: until you unsubscribe
- Tax records: 7 years (HMRC requirement)
7. Your rights (UK GDPR Articles 15–22)
You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. To exercise any right, email privacy@nuregroup.com. We respond within one month.
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
8. Security
We hold your data with industry-standard safeguards: encryption in transit (TLS 1.3) and at rest (AES-256 on managed Postgres), per-environment secrets in a managed vault, role-based access for production, hardware-key 2FA on production accounts, and immutable hash-chained audit logs. Full detail in our Information Security Policy.
9. Cookies
See our Cookie Policy.
10. Changes to this policy
We will tell you about material changes by email (account holders) and by banner on the marketing site. Minor changes will be reflected in the version number and date at the top of this page.
11. Contact
privacy@nuregroup.com — privacy enquiries
security@nuregroup.com — security reports
legal@nuregroup.com — legal correspondence
Adapted from a SEQ Legal / ICO baseline template. Will be re-issued under solicitor review.