Privacy Notice

This privacy notice tells you what to expect us to do with your personal information. It outlines how Nomos Research (the "Data Controller," "we," "us," or "our") collects, uses, stores, and protects your personal data when you use our website, products, and services.

We collect and use personal information for various purposes, relying on different lawful bases under UK data protection law. The types of information we collect and how we use them are detailed below:

Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO's website. Which lawful basis we rely on may affect your data protection rights which are set out in brief below.

You can find out more about your data protection rights and the exemptions which may apply on the ICO's website:

• Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for.
• Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
• Your right to erasure – You have the right to ask us to delete your personal information. (Note: This right is not absolute and may not apply if we have a legal obligation to retain the data).
• Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information.
• Your right to object to processing – You have the right to object to the processing of your personal data where we are relying on legitimate interests as our lawful basis.
• Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. (Note: This right typically applies only to data processed by automated means where the lawful bases are consent or contract).
• Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.

If you make a request, we must respond to you without undue delay and in any event within one month. To make a data protection rights request, please contact us using the contact details provided in this privacy notice.

We collect personal information from:

• Directly from you: When you register for an account, use the Platform, provide feedback, or contact us.
• Suppliers and service providers: For example, authentication services (like Google sign-in if used) or analytics providers.

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Here's a suggested retention schedule tailored to your operations:

• User Account Information: Retain for the duration of the user's active account and for up to 12 months after account closure to address any residual queries or legal obligations.
• Usage Data (e.g., interaction logs): Retain for up to 24 months to analyze trends and improve service functionality.
• Support Correspondence (e.g., emails, chat logs): Retain for 6 years to comply with legal requirements and for potential dispute resolution.
• Anonymized Data: May be retained indefinitely, as it no longer constitutes personal data under UK GDPR.

We may share your personal information with the following categories of recipients:

• Data Processors and Service Providers:
  • Cloud Infrastructure and AI Service Providers: (e.g., Google LLC for cloud infrastructure and large language model inference). These providers perform activities such as hosting and running the Nomos Research platform, including storage of user account information, logging user queries, and delivering AI-generated legal research outputs. They act only under our instructions and are bound by data processing agreements that comply with UK GDPR.
  • Identity and Access Management Service Provider: (e.g., Clerk, Inc.). Clerk provides identity and access management services, including user authentication, session handling, and account recovery for Nomos Research. They process login credentials, manage sign-in flows (including via third-party providers like Google), and ensure secure access to user accounts. This helps us maintain a secure platform and comply with user access control best practices.
• Other organisations we're legally obliged to share personal information with: Such as regulators, law enforcement agencies, or other public authorities, when required by law.
• Professional Advisors: Such as lawyers, auditors, and insurers, where necessary for their professional services.

Where necessary, our data processors will share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place. For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

We implement appropriate technical and organisational measures designed to protect your personal data from accidental loss, unauthorised access, use, alteration, or disclosure. These measures include encryption of data in transit and at rest, access controls, regular security audits, employee training, data minimisation. While we strive to protect your personal data, we cannot guarantee its absolute security.

We do not use automated decision-making processes that produce legal or similarly significant effects on you. We also do not engage in profiling for purposes such as targeting or segmentation for marketing purposes.

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we've used your data after raising a complaint with us, you can also complain to the ICO.