Privacy Policy
Last updated: March 2026
1. Who we are
Nuso is operated by Nuso Ltd, a company registered in England & Wales (Company No. 12018815). Our registered website is nuso.co.uk and our application is hosted at app.nuso.co.uk.
For any questions about this policy or your personal data, you can contact us at hello@nuso.co.uk.
2. What data we collect
We collect the following personal data when you create an account and use our service:
- Account information: your name, email address and password (stored securely using one-way hashing — we never store plain-text passwords).
- Organisation details: your organisation name, logo and billing information.
- Shopify store data: when you connect your Shopify store, we retrieve order data, product data and store metadata via the Shopify API. This data is used to power your analytics dashboards.
- Payment information: payment processing is handled entirely by Stripe. We do not store your full card number or bank details on our servers. Stripe may collect card details, billing address and transaction history in accordance with their own privacy policy.
- Usage data: we collect basic information about how you use the platform to improve our service, including pages visited and features used.
3. How we use your data
We use your personal data for the following purposes:
- Providing the service: authenticating your account, syncing your Shopify data, generating analytics dashboards and running AI-powered features.
- AI features: certain features (such as AI Studio and Toby AI) send product or store data to Google Gemini for processing. This data is sent only when you explicitly use an AI feature and is not used by Google to train their models.
- Transactional emails: we use Resend to send essential emails such as password resets, invite links and account notifications. Your email address is shared with Resend solely for this purpose.
- Payments: we use Stripe to process subscription payments and manage billing.
- Improving the service: understanding usage patterns to fix issues and develop new features.
4. Legal basis for processing (UK GDPR)
We process your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our legal bases are:
- Contract: processing is necessary to provide you with the service you have signed up for (Article 6(1)(b)).
- Legitimate interests: we have a legitimate interest in improving our service and ensuring its security (Article 6(1)(f)).
- Consent: where required, such as for non-essential cookies, we will ask for your explicit consent (Article 6(1)(a)).
5. Cookies
We use a limited number of cookies:
- Session authentication cookie: an essential cookie that keeps you logged in. This is strictly necessary for the service to function and does not require consent.
- Cookie consent preference: a cookie that remembers whether you have accepted or declined our cookie banner. This is also strictly necessary.
We do not use advertising cookies, tracking pixels or third-party analytics cookies.
6. Third-party services
We share data with the following third-party services, only to the extent necessary to operate the platform:
- Shopify: we connect to the Shopify API to retrieve your store, order and product data. Data flows are governed by your Shopify API credentials and Shopify’s own privacy policy.
- Stripe: processes payments on our behalf. Stripe acts as an independent data controller for payment data. See Stripe’s privacy policy.
- Google Gemini: powers AI features within the platform. Data is sent only when you initiate an AI action and is processed under Google’s API terms. See Google’s API terms.
- Resend: delivers transactional emails on our behalf. Your email address is shared with Resend for this purpose only. See Resend’s privacy policy.
- DigitalOcean: our databases are hosted on DigitalOcean’s managed database service. All data is stored on infrastructure located within DigitalOcean’s data centres. See DigitalOcean’s privacy policy.
7. Data sharing and selling
We do not sell, rent or trade your personal data to any third party. We only share data with the third-party services listed above, and only to the extent necessary to deliver our service to you.
8. Data storage and security
Your data is stored on DigitalOcean managed PostgreSQL databases with encryption at rest and in transit. We use secure, hashed password storage (bcrypt) and session-based authentication with server-side tokens.
Access to production databases is restricted to authorised personnel only. We regularly review our security practices to ensure your data remains protected.
9. Data retention
We retain your account data and associated Shopify store data for as long as your account remains active. If you close your account or request deletion, we will delete your personal data within 30 days, except where we are required by law to retain it for longer (for example, financial records for tax purposes).
Aggregated, anonymised data that cannot identify you may be retained indefinitely for analytical purposes.
10. Your rights
Under the UK GDPR and Data Protection Act 2018, you have the following rights:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request that we correct any inaccurate or incomplete data.
- Right to erasure: request that we delete your personal data.
- Right to restrict processing: request that we limit how we use your data.
- Right to data portability: request your data in a structured, machine-readable format.
- Right to object: object to our processing of your data where we rely on legitimate interests.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, please contact us at hello@nuso.co.uk or use the in-app support feature. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
11. Children’s privacy
Our service is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
12. Changes to this policy
We may update this privacy policy from time to time. When we make material changes, we will notify you by email or by placing a notice on our website. We encourage you to review this page periodically.
13. Contact us
If you have any questions, concerns or requests regarding this privacy policy or your personal data, please contact us: