25+ Years of Experience

Fixed Service Pricing

24/7 Monitoring

2500+ Fully Managed Users

25+ Years of Experience

Fixed Service Pricing

24/7 Monitoring

1000+ Fully Managed Users

hello@nexusos.co.uk

01392 205095

Customer Portal

nexus logo light

5-star-gold

50+ Reviews

Privacy Notice

This is our general notice to website visitors, prospects and contacts, and customers. Some of these notices may be superseded by our customer data processing agreement.

Last updated: May 2026

WHO WE ARE

We are a provider of IT services to businesses only (our clients).

We are Nexus Open Systems, based at Vale House, Pynes Hill, Exeter EX2 5AZ. For enquiries relating to data protection in our business, email our compliance manager on dataprotection@nexusos.co.uk, call 01392 205095, or discuss with your account manager.

Our company number is 3603046 and we are registered with the ICO as a data controller, number Z5891047.

THE TYPES OF PERSONAL DATA WE PROCESS

  • Related to website visitors and mailing list members
    • IP address
    • Name, email and job role
    • Interaction/activity data and IP/location (clicks and views on emails and on our website, and where you are)
    • Website interaction profiling 
 
  • Related to the staff of our clients
    • Name, contact and company information
    • Role
    • Correspondence, feedback and complaint data
    • Links to quotes, invoices, tickets, projects and IT devices
    • CCTV images
 
  • We also process, directly or incidentally, the data on our clients’ systems.

We provide data processing agreements in respect of our clients’ data and our clients’ customers’ data.

Where we process personal data about the staff or customers of our clients, this information is provided to us by our clients in the course of delivering contracted IT services.
 
Signage is displayed at our premises to inform visitors of CCTV operation.

MONITORING COMMUNICATIONS

All written correspondence with Nexus is likely to be stored. This is principally to retain a record of what has been said, for the fulfilment of a contract, training, quality assurance, monitoring and also in our legitimate interest to defend ourselves against a future claim.

We may record voice calls for the same reasons. Some calls may be handled by our AI call agent, which uses speech recognition to understand your enquiry, make routing decisions, and capture support ticket information. Speech snippets and ticket data from AI-handled calls are processed by OpenAI and Twilio in the US under Standard Contractual Clauses (UK IDTA). The legal basis for AI call handling is our legitimate interests in delivering efficient service and maintaining accurate support records (and, where applicable, the performance of our contract with the relevant client). AI call snippets are only held with our subprocessors long enough to manage the call in hand. You have the right to request that your call be handled by a human agent at any time, you can do this by calling back or sending us an email.

LEGAL BASIS AND PURPOSES

We use cookies and similar tracking technologies on our website. Analytics and functional cookies that pose a low privacy risk may be set without consent, in accordance with the Privacy and Electronic Communications Regulations (as amended). For all other cookies, we obtain your consent via our cookie banner. For full details, see our cookie policy.

We will process personal data:

  1. For the performance of a contract with our clients, to deliver a contract or service:
    • To establish the credit-worthiness of the client
    • To manage and perform that contract
    • To process payments and recover debt
  2. As necessary for our own legitimate interest or those of other persons and organisations, e.g.:
    • To follow up on expressions of interest from potential clients, visitors to trade shows etc.
    • To market our services to existing clients via email, telephone, post, social media and other direct methods
    • To run and host events (based on which, we assume you have an interest in our products and services)
    • To market our services to contacts at potential new business clients via email, telephone, post, social media and other direct methods
    • To optimise our marketing, based on a profile of your use of our emails and website
    • For the good governance of our business, accounting, operational review and internal audit
    • For statistics and analytics on our sales and market
    • For anti-spam, security and crime prevention purposes
  3. As necessary to comply with a legal obligation, e.g.:
    • To comply with data subject requests under data protection law
    • To keep adequate records mandated by law or regulation, such as tax and financial transactional data
    • To detect and prevent fraud or unauthorised use
    • For activities related to the prevention, detection and investigation of crime
  4. Based on consent, e.g.:
    • Marketing communication where we’ve asked for consent, such as for people who sign up for email via our website
 
You can withdraw your consent at any time by contacting us at dataprotection@nexusos.co.uk or by using the unsubscribe link in any marketing email. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.

SHARING OF PERSONAL DATA

We have a register of sub-processors to whom we share data, dependent upon circumstances.

In addition, we may have to share personal data:

  • With courts, to comply with legal requirements, or for the administration of justice
  • In an emergency or to otherwise protect the interests of data subject(s)
  • If we restructure or sell our business or its assets, or merge with another business
  • With business consultants or other reputable advisers who may be appointed from time to time
  • If a client arranges with us to pass specific data to a specific third party, provided the client has the legal right to authorise the transfer
Where we act as joint data controllers with a third party (such as GoCardless for direct debit payments), we have arrangements in place that set out our respective responsibilities for complying with data protection law. Details are available on request.
 
 CCTV footage is restricted to authorised personnel.

INTERNATIONAL TRANSFERS

We prefer to keep and process personal data within the UK or countries covered by UK adequacy regulations.
Where our service providers process data outside the UK (see our list of sub-processors), we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V (as amended by the Data (Use and Access) Act 2025). These safeguards include the UK International Data Transfer Agreement (UK IDTA), the UK Addendum to EU Standard Contractual Clauses, and the UK Extension to the EU-U.S. Data Privacy Framework, as applicable to each transfer.

RETENTION PERIODS

Legal and regulatory requirements normally take precedence to determine the retention periods for data. For example, financial records such as invoices are kept by us for 7 years to honour HMRC requirements.

We keep email correspondence as a reference to support sales, projects and to defend ourselves against claims. Our default retention period for email correspondence is 5 years and 3 months, but may be more or less on a case-by-case basis.

We keep ticket correspondence for similar reasons, but anonymise the name attached to the ticket 5 years after activity ceases.

Retention periods for other data are based on a combination of factors:

  • Legal/regulatory stipulations
  • The basis of the processing, implying a timeframe of need for the data
  • Risks and benefits associated with storing and processing the data
 
Our standard retention periods for specific categories of data include:
  • Website analytics data (IP addresses, browsing activity): retained in anonymised/pseudonymised form for up to 14 months
  • Ticketing system: contacts are anonymised 5-6 years after last activity.
  • CCTV footage: retained for up to 30 days unless required for an investigation or legal proceedings
  • Marketing CRM data (HubSpot): retained for the duration of the business relationship and for up to 5-6 years after last contact

AUTOMATED DECISION-MAKING AND PROFILING

We use limited automated processing in the following ways:
 
Our mailing system and website profile your activity (clicks, pages visited). This is used by our sales and marketing team to assess your interest in our services and to tailor marketing activity. This profiling does not produce legal or similarly significant effects.
 
Our AI call agent may handle initial telephone enquiries, including making call-routing decisions and capturing support ticket information. If the AI makes a decision that significantly affects you, you have the right to request human intervention, to make representations, and to challenge the decision. You can request to speak with a human agent at any time during an AI-handled call.

MARKETING PREFERENCES

You have an absolute right to object to us using your personal data for direct marketing at any time. To exercise this right, email dataprotection@nexusos.co.uk or use the unsubscribe link in any marketing email. In each marketing email, we include a link to update your preferences. The options we offer may change over time, and we may periodically ask you to confirm your details and preferences.
 

YOUR PERSONAL RIGHTS

To exercise these rights, please contact us using the details at the top of the page. Please note that these rights don’t apply in all circumstances.

  • You have the right to access personal data we hold about you. In the first instance, please contact us with a brief description of what you are seeking.
  • You have the right to have data corrected or updated, if it’s inaccurate or incomplete.
  • You have the right to have your personal data erased (the right to be forgotten).
  • You have the right to restrict processing of your personal data.
  • You can object to the processing of your personal data where we rely on legitimate interests as the legal basis for that processing
 
You have the right to receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible (data portability).
You have rights to object to, or query, automated decision-making and profiling.

HOW TO MAKE A DATA PROTECTION COMPLAINT

If you wish to make a complaint about how we have handled your personal data, please contact us first at dataprotection@nexusos.co.uk or call 01392 205095. We will acknowledge your complaint within 30 days and investigate it without undue delay. We will keep you informed of our progress and tell you the outcome of our investigation.
 
If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office. Visit www.ico.org.uk.