Who we are
This website is owned by Nehloo Interactive LLC (Nehloo), a Domestic Limited Liability Company (LLC) registered in the U.S. with the State of Indiana and certified by the Office of the Secretary of State. We are a private company offering technology products and services to private companies, public companies, and state or federal government agencies. Nehloo Interactive (‘we’ or ‘us’) are a ‘data controller’ for the purposes of the applicable U.S. Legislation and Data Protection Act 1998 and as of 25 May 2018, the General Data Protection Regulation (‘GDPR’) (as applicable the “Legislation”) where we control the purposes for which we process your personal information. We are the data processor where we are processing your or your end users’ personal information in order to provide the Nehloo Service to our clients. We will take all appropriate steps to ensure compliance with the Legislation. Any questions about our data protection policy or how we handle your personal data should be addressed to firstname.lastname@example.org (See ‘How to contact us’ below.)
What information do we collect?
We collect personal information about you (such as your name, phone number, email address, credit card address details and contact details), when you make an enquiry, subscribe to our email lists, register with us or purchase the Nehloo Service from us. We also collect personal information when you contact us via the online form. We may send information about you to other parties other companies within our agents, associates and service providers and law enforcement agencies in connection with any investigation to help prevent unlawful activity.
Personal information about end users
We also collect personal information about your end-users when providing the Nehloo Service. If you give us personal information on behalf of someone else such as your end-users, you confirm that either:
- the other person has a contractual relationship with you and knows that you will be transferring their personal data to us for specific purposes and/or
- s/he has appointed you to act on his/her behalf and has provided consent to the processing of his/her personal data.
Sensitive/special category personal information
We may process sensitive personal information in certain situations, for example when carrying out recruitment checks if you apply for a job with us. If we request such information, we will explain why we are requesting it and how we intend to use it. Sensitive personal information includes information relating to:
- ethnic origin
- political opinions
- religious beliefs
- trade union membership
- physical or mental health or condition
- sexual life
We will only process your sensitive personal information with your explicit consent.
How will we use the information about you?
We process information about you so that we can:
- identify you and manage any accounts you hold with us
- provide the Nehloo Service to you and your end-users
- if you agree, let you know about other products or services that may be of interest to you (see ‘Marketing’ section below)
- detect and prevent fraud
- customize our website and its content to your particular preferences
- notify you of any changes to our website or to our services that may affect you
- improve our services
We may use the personal information you have submitted to us on this website (or otherwise) to provide you with further information by email about the products and services we offer which you have requested and/or which may be of interest to you, provided that you give us your explicit consent. You can choose to unsubscribe at any point by clicking on the link at the bottom of the email. Email marketing campaigns published by us may contain tracking facilities within the actual email. Subscriber activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include: the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity.
Keeping your data secure
Our staff and associates are also bound by obligations of confidentiality and trained in the protection of personal data. We will take all reasonable steps to comply with the Legislation and use the appropriate technical and organizational measures necessary to safeguard your personal data. All Nehloo production services and database servers are hosted in the AWS US-Ohio region, which is located in Ohio, USA. We are committed to using industry standard network security procedures. These include but are not limited to the following:
- Regular system updates and security patches are applied to the Nehloo Services.
- To maximize availability, production systems are hosted across a minimum of 2 availability zones within an AWS region.
- Production systems are designed to tolerate the failure of any individual machine and restore the desired redundancy levels without human intervention.
- In the event of normal spikes in usage, scale up / down of server instances is designed to happen without human intervention. Failover to another availability zone in the event of widespread issues in a single availability zone should happen without human intervention.
- Encrypted connections are used in all cases that sensitive data is transferred between Nehloo systems, and between the client systems and the Nehloo Service.
- All API connections between the client and the Nehloo Service, and internal data transfers are encrypted with industry standard techniques.
- No unencrypted connections are allowed to our web server, except those needed to redirect insecure requests to a secure resource.
- Security groups and firewall rules are configured to permit access only from the specific machines / networks and using only the network ports that are required to operate the Service.
- Two-factor authentication is used wherever practical by Nehloo employees to help prevent unauthorized access to email and other internal systems.
Our database services are configured to create continuous rolling backups. Additional off-site backups are automatically taken at least hourly. For disaster recovery, backups are stored in a different AWS region from production systems, generally in US regions.
Nehloo’s credit card payment processor is Stripe, who are certified to PCI Service Provider Level 1 standards. All payment card related data is sent direct from the client’s browser to Stripe’s API over encrypted connections. Nehloo’s servers may store non-PCI payment data such as the last 4 digits of the card number to help the client manage their payment card.
Nehloo’s development team use industry-standard policies to maintain a high quality codebase. These policies include:
- Access to Nehloo’s code is only granted to employees who have signed the IP assignment, confidentiality contracts and supplied references.
- Application code libraries are regularly reviewed by developers for updates, and security-related updates are applied as soon as practical.
- Passwords and API keys are not committed to the code repository.
- Access to the code repository is protected by two-factor authentication.
- Static code analysis and automatic unit tests are run automatically on every check-in.
- Developers peer-review any security-sensitive code.
- A short release cycle allows bugs and issues to be fixed quickly.
Account Access Policy
On occasion it may be necessary for Nehloo employees to have access to personal data. This is generally restricted to 1) the client success team assisting clients with support and 2) the development team investigating issues specific to a client.
The only Nehloo employees with the ability to access customer accounts are senior developers and client success managers who have signed the confidentiality agreement and supplied references.
Data Breach Response Policy
As soon as a theft, data breach or exposure containing personal data is identified:
- The process of removing all access to that resource will begin.
- The CEO will be notified of the theft, breach or exposure.
- The CEO will chair and form an incident response team to handle the breach or exposure. IT, along with the designated forensic team, will analyze the breach or exposure to determine the root cause.
- The CEO will work with Nehloo’s communications, legal and human resource departments to decide how to communicate the breach to: internal employees, customers, those directly affected.
While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that is transferred from you or to you via the internet. If you have any particular concerns about your information, please contact us (see ‘How can you contact us?’ below).
Unless the law requires us to store the data for a longer period, we retain your personal data on secure servers for a period of:
- 90 days from the date on which you cease to be a customer of ours.
- or until you ask us to destroy it.
The U.S. Legislation and GDPR provide the following rights for individuals whose personal data is processed:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to processing
Right to access – i.e., to request a copy of your information
You can request a copy of your information which we hold (this is known as a subject access request). If you would like a copy of some or all of it, please:
- email or write to us (see ‘How can you contact us?’ below);
- let us have proof of your identity (a copy of your driving license or passport); and
- let us know what information you want.
Right to correct any mistakes in your information
You can require us to correct any mistakes in your information which we hold free of charge. If you would like to do this, please:
- email or write to us (see ‘How can you contact us?’ below)
- let us have enough information to identify you
- let us know the information that is incorrect and what it should be replaced with.
Right to remove your details from our records or restrict how we use your information
You can ask us to stop contacting you for particular purposes or remove your information completely from our records. There may be a legal reason why we need to keep your personal data and in that circumstance we will destroy your personal information as soon as we are legally entitled to do so. If you would like us to stop contacting you with information about our services, please email or write to us (see ‘How can you contact us?’ below). You can also click on the ‘unsubscribe’ button at the bottom of the email and/or newsletter.
Right to lodge a complaint with the Supervising Authority
If you have any concerns or complaints about how we use your personal data we hope you will alert us to these directly (see the Contact information below). Furthermore, you may alert the local Supervising Authority.
How to contact us