1. Introduction

We are committed to protecting your privacy and handling your data transparently, fairly, and lawfully in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy applies to:

• Visitors to our website (nollie.ai)
• Business Subscribers (venues) and their authorised users
• End Customers (diners/guests at our venue partners)
• Marketing contacts and leads
• Job applicants
• Business partners and suppliers

2. Our Role as Data Controller

At Nollie, we act in different roles depending on our relationship with you. Understanding these distinctions is crucial.

2.1 For Venue Partners (Business Subscribers)

When you subscribe to and use the Nollie platform, we act as the Data Controller for personal data we process about you and your staff (e.g., account information, billing details, contact information). We are solely responsible for how this data is collected and used for providing our services to you.

2.2 For Diners (End Customers of Venues)

When you make a booking, place an order, or interact with a venue through Nollie, both Nollie and the venue act as Joint Controllers for your personal data.

This means:

• Both Nollie and the venue are jointly responsible for protecting your data
• We have formal Joint Controller Agreements with venues outlining respective responsibilities
• The Venue is primarily responsible for direct service interactions (bookings, in-person service)
• Nollie is primarily responsible for platform operations, security, analytics, and personalisation
• You can exercise your data protection rights against either Nollie or the venue

3. Introduction

Company: Nollie Limited Company Number: 16151514 Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ Data Protection Officer: Jordan Foord Email: privacy@nollie.ai DPO Contact: dpo@nollie.ai

4. What Data We Collect

4.1 Website Visitors

• Technical Data: IP address, browser type, device information, cookies
• Usage Data: Pages visited, time spent, referral source
• Location Data: Country/region (derived from IP address)

4.2 Business Subscribers (Account Data)

• Identity: Name, job title, company name
• Contact: Business email, phone number
• Account: Username, password (encrypted), preferences
• Billing: Company address, VAT number, payment method (via Stripe)
• Usage: Feature usage, login history, support tickets

4.3 End Customers (Diner Data)

• Identity: Name, title
• Contact: Email, phone number
• Profile: Dining preferences, booking history, visit frequency
• Dietary: Allergies, dietary requirements, preferences (Special Category Data)
• Behavioural: Menu choices, spend patterns, venue preferences
• Feedback: Reviews, ratings, complaints
• Marketing: Communication preferences, engagement history

4.4 Marketing Contacts

• Identity: Name, company, role
• Contact: Email, phone, LinkedIn profile
• Preferences: Communication preferences, interests
• Engagement: Email opens, link clicks, content downloads

4.5 Job Applicants

• Identity: Name, address
• Contact: Email, phone
• Professional: CV, cover letter, portfolio
• Assessment: Interview notes, references

5. Special Category Data (Dietary and Health Information)

We collect information about dietary requirements, allergies, or health-related preferences. This is 'special category data' under data protection law and receives enhanced protection.

5.1 Purpose of Collection

• Enable venues to provide safe and suitable dining experiences
• Prevent allergic reactions and accommodate dietary needs
• Personalise menu recommendations appropriately

5.2 Legal Basis

By providing this information, you give us your explicit consent to process it for these specific purposes.

5.3 Safeguards

• Shared only with the specific venue(s) you interact with
• Strict access controls and encryption
• Regular security audits
• Staff training on handling sensitive data
• You can withdraw consent and request deletion at any time via privacy@nollie.ai or your profile settings.

You can withdraw consent and request deletion at any time via privacy@nollie.ai or your profile settings. Note this may affect our ability to accommodate your dietary needs.

6. How We Use AI and Automated Processing

To enhance experiences and provide insights, we use artificial intelligence (AI) and automated systems transparently:

6.1 Personalisation and Profiling

We analyse your interactions including:

• Booking history and dining frequency
• Menu choices and stated preferences
• Dietary requirements and restrictions
• Feedback and ratings

Our AI creates profiles to enable:

• Personalised recommendations for dishes and venues
• Relevant promotions and special offers
• Customised experiences on the platform
• Predictive booking suggestions

6.2 Business Insights for Venues

• Dining trends and patterns
• Peak hours and capacity planning
• Menu performance and optimisation
• Customer sentiment analysis

6.3 Your Rights Regarding AI Processing

• Our AI processing is based on legitimate interests
• Automated decisions don’t have legal or similarly significant effects
• You can object to profiling at any time
• You can request human intervention and contest decisions
• You can access the logic behind automated processing

Contact privacy@nollie.ai to exercise these rights.

7. Legal Basis for Processing

We process your data based on:

8. Data Security and Breach Notification

8.1 We implement comprehensive security including:

• Encryption: AES-256 at rest, TLS 1.3 in transit
• Access controls: Role-based access, multi-factor authentication
• Security testing: Regular penetration testing and vulnerability assessments
• Monitoring: 24/7 security monitoring and threat detection
• Training: Regular security awareness training for all staff
• Incident response: Documented procedures tested quarterly

8.2 Data Breach Response

Our Commitments:

1. Regulatory Notification: We notify the ICO within 72 hours of awareness for breaches likely to result in risk to rights and freedoms

2. Individual Notification: For high-risk breaches, we notify affected individuals without undue delay, providing:

• Nature of the breach

• Categories and number of records affected

• Likely consequences

• Measures taken to address and mitigate

• Contact details for more information

3. Support: We provide dedicated support channels and resources to assist affected individuals

8.3 Third-Party Incidents

If a breach occurs at one of our processors:

• We ensure prompt notification under our Data Processing Agreements
• We assess impact and notification requirements
• We coordinate response with the processor
• We notify affected parties as required

9. Data Sharing

9.1 Service Providers (Processors)

See our Subprocessor List for current details.

Key processors include:

• Stripe: Payment processing (PCI DSS compliant)
• AWS: Infrastructure (ISO 27001 certified)
• OpenAI: AI processing (with appropriate safeguards)
• HubSpot: CRM and marketing
• Twilio/SendGrid: Communications
• Square: Point of Sale integration

9.2 Venue Partners (Joint Controllers)

We share relevant diner data with venues for service delivery under Joint Controller Agreements.

9.3 Professional Advisers

• Legal counsel (under confidentiality)
• Accountants and auditors
• Insurance providers
• Regulatory bodies

9.4 Legal Requirements

We may disclose data to:

• Comply with legal obligations
• Respond to lawful requests from authorities
• Protect rights, property, or safety
• Investigate fraud or security issues

9.5 Business Transfers

In case of merger, acquisition, or sale, data may transfer to the new entity with appropriate safeguards.

10. International Transfers

Your data may be transferred outside the UK to:

We ensure all transfers comply with UK GDPR through:

• Transfer Impact Assessments
• Standard Contractual Clauses (SCCs)
• Technical and organisational measures
• Regular reviews of transfer mechanisms

11. Data Retention

12. Your Data Protection Rights

Under UK GDPR, you have the following rights:

12.1 Core Rights

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion (“right to be forgotten”)
• Restriction: Limit processing in certain circumstances
• Portability: Receive data in a structured, machine-readable format
• Object: Object to processing, especially for marketing or profiling
• Automated Decision-Making: Request human review of automated decisions
• Withdraw Consent: Where processing relies on consent

12.2 Exercising Your Rights

To exercise any right:

1. Email: privacy@nollie.ai
2. Include proof of identity
3. Specify which right(s) you’re exercising
4. We respond within 30 days (may extend by 60 days for complex requests)

12.3 Joint Controller Rights

For diner data, you can exercise rights against either nollie or the venue. We coordinate to ensure consistent responses.

13. Marketing and Communications

13.1 Marketing Preferences

You control marketing communications:

• Opt-out: Via unsubscribe links in emails
• Preference Centre: Manage via your account
• Contact: Email: privacy@nollie.ai

12.2 Types of Communications

• Service Communications: Essential updates (always sent)
• Marketing: Promotions, offers, newsletters (with consent/legitimate interest)
• Personalised Recommendations: Based on your profile (can object)

12.3 B2B Marketing

For business contacts, we rely on legitimate interests. You can object at any time, though service communications continue.

14. Cookies and Tracking Technologies

14.1 Cookie Categories

14.2 Managing Cookies

• Via our cookie banner
• Browser settings
• [Cookie Settings] link in footer

14.3 Do Not Track

We respect Do Not Track signals for non-essential cookies.

15. Children’s Privacy

Our Service is not directed to individuals under 16. We don’t knowingly collect children’s data without parental consent. If we discover we’ve collected a child’s data inappropriately, we delete it immediately. Contact privacy@nollie.ai to report concerns.

16. Accountability and Governance

16.1 Our Accountability Measures

• Privacy by Design: Data protection built into all new projects
• Data Protection Impact Assessments (DPIAs): For high-risk processing
• Regular Audits: Annual privacy audits and reviews
• Training: Mandatory data protection training for all staff
• Documentation: Comprehensive records of processing activities
• Vendor Management: Due diligence on all processors

16.2 Privacy Governance

• Data Protection Officer oversees compliance
• Privacy Committee meets quarterly
• Regular reviews of policies and procedures
• Continuous improvement based on incidents and audits

17. Changes to This Policy

We may update this policy to reflect:

• Changes in our services or processing
• Legal or regulatory requirements
• Industry best practices
• User feedback

17.1 Notification of Changes

• Material Changes: 30 days’ notice via email (registered users)
• Minor Changes: Updated on website with revision date
• Archive: Previous versions available on request

18. Complaints and Enforcement

18.1 Our Complaint Process

1. Contact us first: privacy@nollie.ai
2. Acknowledgement: Within 3 business days
3. Investigation: Thorough review of your concern
4. Resolution: Aim to resolve within 30 days
5. Escalation: Senior management review if needed

18.2 Supervisory Authority

You have the right to lodge a complaint with:

Information Commissioner’s Office (ICO) Wycliffe House, Water Lane Wilmslow, Cheshire, SK9 5AF Tel: 0303 123 1113 Website: ico.org.uk Report a concern: ico.org.uk/make-a-complaint

18.3 Legal Remedies

You may also seek remedies through the courts if you believe your rights have been infringed.

19. Contact Us

For all privacy queries:

Email: privacy@nollie.ai Data Protection Officer: dpo@nollie.ai Postal Address: Data Protection Officer Nollie Limited 71-75 Shelton Street Covent Garden London WC2H 9JQ

• General queries: 5 business days
• Rights requests: 30 days
• Urgent security matters: 24 hours

20. Additional Provisions

20.1 California Residents (CCPA)

If you’re a California resident, you may have additional rights. Contact privacy@nollie.ai for our CCPA Privacy Notice.

20.2 Accessibility

This policy is available in alternative formats on request.

20.3 Language

This policy may be translated for convenience, but the English version prevails in case of conflict.

Appendix A: Legitimate Interests Assessments (LIAs)

We’ve conducted LIAs for:

A.1 B2B Marketing

• Purpose: Promote services to businesses
• Necessity: Essential for growth
• Balancing: B2B context, easy opt-out, no sensitive data
• Safeguards: Suppression lists, preference management
• Outcome: Justified

A.2 AI Personalisation

• Purpose: Enhance user experience
• Necessity: Competitive service delivery
• Balancing: Necessity: Competitive service delivery
• Safeguards: No discriminatory outcomes, human oversight
• Outcome: Justified

A.3 Security Monitoring

• Purpose: Protect systems and data
• Necessity: Prevent breaches and fraud
• Balancing: Protects all users, proportionate
• Safeguards: Limited retention, access controls
• Outcome: Justified

A.4 Analytics

• Purpose: Improve services
• Necessity: Understand usage patterns
• Balancing: Aggregated insights, no individual tracking
• Safeguards: Anonymisation, data minimisation
• Outcome: Justified

Appendix B: Glossary

• Data Controller: Entity determining purposes and means of processing
• Data Processor: Entity processing data on controller’s behalf
• Joint Controllers: Two or more controllers jointly determining processing
• Personal Data: Information relating to an identified/identifiable person
• Special Category Data: Sensitive data requiring extra protection
• Processing: Any operation performed on personal data
• Data Subject: Individual whose personal data is processed
• Profiling: Automated processing to evaluate personal aspects
• GDPR: General Data Protection Regulation
• ICO: Information Commissioner’s Office
• DPA: Data Processing Agreement
• DPIA: Data Protection Impact Assessment
• LIA: Legitimate Interests Assessment

END OF POLICY

This policy is effective from the date stated above and supersedes all previous versions.

© 2025 Nollie Limited. All rights reserved.