1. Who We Are and What This Policy Covers
NIRE HQ Limited ("NIRE", "we", "us", "our") is a company registered in England and Wales (Company No. 17241292), with its registered office at 10 Cornflower Close, Wootton, Northampton, NN4 6NG.
We are the data controller for personal data processed through:
- app.nirehq.com – the Investability Assessment (Founder side) and Portfolio Tracker (Investor side)
- nirehq.com – our marketing website
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have.
We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1a. Data Protection Contact
NIRE HQ Limited is not required to designate a Data Protection Officer (DPO) under UK GDPR Article 37 at our current scale. We have designated a Data Protection Contact for privacy-related enquiries, data subject requests, and concerns:
Data Protection Contact: James Clark
Email: privacy@nirehq.com
Response time: We will respond to all data subject requests within one calendar month.
2. Data We Collect
2.1 Founders Using the Investability Assessment
When you complete an Assessment, we collect:
| Data | Why we collect it |
|---|---|
| Your full name | To personalise your report |
| Your email address | To deliver your report link and (if opted in) transactional emails |
| Your company name | To include in your report |
| Your Assessment answers | To calculate your investability score and generate recommendations |
| Your payment details | Processed by Stripe; we receive only a payment reference, not your card details |
| Your report access token | To allow you to return to your report without an account |
| Your opt-in to VC Discoverability | To control whether your summary data is visible to Fund Managers |
Assessment answers are sensitive commercial information. We treat them accordingly and do not use them for any purpose other than generating your report and (if you opt in) presenting a summary to Fund Managers.
2.2 Fund Managers and Invited Users on the Portfolio Tracker
When you use the Portfolio Tracker, we collect:
| Data | Why we collect it |
|---|---|
| Your name and email address | To create and manage your account |
| Your role within your organisation | To apply the correct access permissions |
| Your login activity and session data | For security and to maintain your authenticated session |
| Portfolio company data you enter (KPIs, OKRs, financials, notes) | To provide the Portfolio Tracker service |
| Multi-factor authentication credentials | To secure your account; stored as hashed values only |
Portfolio company financial data (ARR, burn rate, runway, etc.) may relate to identifiable companies and individuals. You are the data controller for that data as between you and your portfolio companies. NIRE processes it as a data processor acting on your instruction. A data processing agreement is available on request.
2.3 All Visitors (nirehq.com and app.nirehq.com)
We collect standard server-side access logs (IP address, browser type, pages visited, timestamps). These are used for security monitoring and are not used for profiling.
We use Vercel Analytics to understand how visitors use our service. Vercel Analytics is cookieless: it collects aggregate, anonymised page-view metrics using server-side signals. No personal identifiers are stored, no cookie is placed on your device, and you are not tracked across sessions or sites. The data collected cannot be used to identify you as an individual.
3. How We Use Your Data
We use your data only for the purposes listed below, each with a lawful basis under UK GDPR.
| Purpose | Lawful basis |
|---|---|
| Delivering the Assessment report (Free and Full) | Performance of a contract (Art. 6(1)(b)) |
| Processing your £49 payment via Stripe | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (report ready, payment confirmed) | Performance of a contract (Art. 6(1)(b)) |
| Authenticating and securing Fund Manager accounts | Performance of a contract (Art. 6(1)(b)) |
| Providing the Portfolio Tracker service | Performance of a contract (Art. 6(1)(b)) |
| Making your summary visible to Fund Managers (VC Discoverability) | Your explicit consent (Art. 6(1)(a)), opt-in only |
| Cookieless analytics via Vercel Analytics (aggregate page views, no personal data) | Legitimate interests (Art. 6(1)(f)) |
| Improving the accuracy of our scoring models (aggregated, anonymised) | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Investigating abuse, fraud, or security incidents | Legitimate interests (Art. 6(1)(f)) |
We do not use your Assessment answers to train AI models without your separate consent.
4. VC Discoverability, Consent and Withdrawal
If you opt in to VC Discoverability in your report, we process your Assessment summary data (company name, overall score, dimension breakdown, key strengths) for the purpose of presenting it to authenticated Fund Managers as potential deal flow.
- Your consent is required. We will not share your data with Fund Managers unless you explicitly opt in.
- You can withdraw consent at any time from your report page. On withdrawal, your data is removed from Fund Manager search results within 24 hours.
- Withdrawal of consent does not affect any processing that occurred before withdrawal.
5. Who We Share Your Data With
We do not sell your personal data. We share data only with the following categories of recipients:
5.1 Subprocessors
We use the following subprocessors to deliver the service. All are subject to data processing agreements and appropriate safeguards.
| Subprocessor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database and authentication | AWS, US/EU | Standard Contractual Clauses (SCCs); UK IDTA addendum available |
| Stripe | Payment processing | EU/US | Stripe is itself PCI-DSS compliant; SCCs apply for UK-US transfers |
| Resend | Transactional email delivery | US | SCCs apply |
| Vercel | Application hosting, CDN, and cookieless analytics (Vercel Analytics) | US/EU | SCCs apply |
5.2 Fund Managers (Founders Who Opt In Only)
If you opt in to VC Discoverability, your Assessment summary is visible to authenticated Fund Managers on the Portfolio Tracker. This is not a disclosure to a third party acting independently; it is a presentation of your data within our platform at your request.
5.3 Legal and Regulatory Requirements
We may disclose your data where required by law, court order, or to protect the rights, property, or safety of NIRE, our users, or the public.
6. International Transfers
Some of our subprocessors (Supabase, Stripe, Resend, Vercel) process data outside the UK. Where they do, we ensure appropriate safeguards are in place, typically Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office, or reliance on the UK's adequacy regulations where applicable.
7. Cookies and Tracking
We use cookies and similar technologies. For full details, see our Cookie Policy.
8. How Long We Keep Your Data
| Data | Retention period |
|---|---|
| Assessment answers and report | 3 years from the date of completion, then deleted or anonymised |
| Founder email and name | 3 years from the date of completion, or until you request deletion |
| Fund Manager account data | For the duration of your account, plus 12 months after account closure |
| Portfolio company KPI/OKR data | For the duration of the Fund Manager's account, plus 12 months |
| Payment records | 7 years (required by UK tax law) |
| Server access logs | 90 days |
If you request deletion of your data, we will delete it within 30 days, except where retention is required by law (e.g. payment records).
9. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Ask us to correct inaccurate or incomplete data |
| Erasure | Ask us to delete your data ("right to be forgotten") |
| Restriction | Ask us to restrict how we process your data in certain circumstances |
| Portability | Receive your data in a machine-readable format (where processing is consent- or contract-based) |
| Objection | Object to processing based on legitimate interests |
| Withdraw consent | Withdraw consent at any time where processing is consent-based (e.g. VC Discoverability) |
| Automated decisions | Not to be subject to solely automated decisions with significant effects; our scoring is advisory and does not constitute such a decision |
To exercise any of these rights, email us at privacy@nirehq.com. We will respond within one month. If a request is complex or numerous, we may extend this to three months and will notify you.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
9.1 Exercising Your Right to Erasure
Under UK GDPR Article 17, you have the right to request deletion of your personal data. To request deletion:
- Email privacy@nirehq.com from the email address associated with your account or assessment
- We will verify your identity (we may ask for additional confirmation if needed)
- We will respond within 30 days
- Once verified, we will delete your assessment data, account data, and any derived data within our control. Payment records may be retained for 7 years as required by HMRC.
- Some data may be retained where we have a legal obligation or legitimate interest (e.g. fraud prevention, ongoing legal proceedings); we will inform you in writing if any data is retained on those bases.
10. Security
We take reasonable technical and organisational measures to protect your data, including:
- Encryption of data at rest and in transit (TLS)
- Row-level security policies in the database ensuring users can only access their own organisation's data
- Multi-factor authentication available for all accounts
- Access restricted to minimum necessary roles
No system is perfectly secure. If you believe your data has been compromised, contact us immediately at privacy@nirehq.com.
If we suffer a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO as required by UK GDPR.
11. Children
Our services are not directed at persons under 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify authenticated users by email and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
13. Contact
For privacy enquiries, data subject requests, or complaints:
NIRE HQ Limited
Email: privacy@nirehq.com
Website: nirehq.com
10 Cornflower Close, Wootton, Northampton, NN4 6NG
Company No. 17241292
Registered with the UK Information Commissioner's Office (ICO), registration number: [ICO_TIER_AND_NUMBER]
If your enquiry is urgent or concerns a suspected data breach, use the subject line: URGENT: DATA PROTECTION.