Your privacy matters. This policy explains what data we collect, how we use it, and the rights you have under GDPR (EU), CCPA (California), and PDPA (Thailand). For questions, contact our Data Protection Officer at dpo@nicework.io.
1. Information We Collect
1.1 Information You Provide
- Account Data: full name, email address, company name, phone number, password (hashed).
- Project Data: business requirements, jurisdiction preferences, technical specifications you submit through our portal.
- Payment Data: bank transfer slips, cryptocurrency transaction hashes, billing addresses. We do not store credit card numbers.
- Identity Verification (KYC): when required, government-issued ID, proof of address, beneficial ownership documents — handled via third-party verification providers.
- Communications: messages, support tickets, and emails exchanged with our team.
1.2 Information Collected Automatically
- Technical Data: IP address, browser type, operating system, device identifiers.
- Usage Data: pages visited, features used, time spent, click patterns (only with your consent for analytics cookies).
- Cookies: see Section 4 for details.
2. How We Use Your Data
We use your information for the following purposes:
- Service Delivery: creating and managing your account, providing client portal access, executing your service requests.
- Communication: responding to inquiries, sending service updates, transactional emails (invoices, receipts, project status).
- Payment Processing: verifying transactions, generating receipts, handling refunds.
- Compliance: meeting legal obligations including AML/CTF requirements, tax reporting, regulatory inquiries.
- Security: detecting and preventing fraud, abuse, unauthorized access, and security threats.
- Improvement: analyzing usage patterns to improve our services (only with analytics consent).
- Marketing: sending promotional communications about new services — only with your consent, and you may unsubscribe at any time.
3. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Contract: processing necessary to perform our services for you.
- Consent: for marketing emails, optional analytics, and non-essential cookies — withdrawable at any time.
- Legal Obligation: tax records, AML compliance, regulatory reporting.
- Legitimate Interest: security monitoring, fraud prevention, service improvement — balanced against your privacy rights.
4. Cookies & Tracking Technologies
Our cookie banner lets you control non-essential cookies. We use the following categories:
- Strictly Necessary: session management, login state, CSRF tokens, security. Cannot be disabled — the site won't work without them.
- Analytics: aggregated usage stats (e.g., page views, traffic sources). Only loaded if you opt in.
- Marketing: ad personalization across third-party platforms. Only loaded if you opt in.
- Preferences: remember theme (light/dark), language, region. Only loaded if you opt in.
You can change your cookie preferences at any time using the floating button at the bottom-left of every page.
5. Sharing & Third Parties
We do not sell your personal data. We share data only as necessary:
- Service Providers: hosting, email delivery, payment processors, KYC verification — under data processing agreements that bind them to our privacy standards.
- Legal Authorities: when required by law, court order, or to protect our legal rights.
- Regulatory Bodies: for AML reporting, license applications, and broker compliance — only with your knowledge or as legally required.
- Business Transfers: in the event of a merger, acquisition, or asset sale, your data may be transferred — you will be notified.
- Blockchain Verification: for crypto payments, we query public blockchain data and exchange APIs (e.g., BscScan, Binance) using only the transaction hash you provide. We do not share other personal data.
6. International Data Transfers
Our servers and service providers may be located outside your country of residence. When we transfer personal data internationally, we use safeguards required by applicable law:
- EU Standard Contractual Clauses (SCCs) for transfers from the European Economic Area.
- Adequacy decisions where applicable.
- Contractual confidentiality obligations with all sub-processors.
7. Data Security
We implement industry-standard security measures, including:
- HTTPS/TLS encryption for data in transit.
- Database encryption and hashed passwords (Werkzeug PBKDF2 SHA-256).
- Role-based access controls — only authorized personnel can access client data.
- Regular security audits and dependency updates.
- Network firewalls and intrusion detection.
However, no system is 100% secure. You agree to use strong, unique passwords and to notify us immediately of any suspected compromise.
8. Data Retention
We retain your data only as long as necessary:
- Active accounts: for as long as you maintain your account.
- Closed accounts: we keep records for 5 years after closure for tax, AML, and regulatory compliance.
- Marketing data: until you withdraw consent or unsubscribe.
- Backups: automatic backups are rotated and deleted on a 90-day cycle.
9. Your Rights
Depending on your jurisdiction, you have the following rights:
- Access: request a copy of the personal data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("Right to be Forgotten"): request deletion of your data, subject to legal retention obligations.
- Restriction: request that we limit processing in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests or for direct marketing.
- Withdraw Consent: at any time, where consent is the legal basis. This won't affect prior lawful processing.
- Lodge a Complaint: with your local data protection authority (e.g., your country's privacy regulator).
To exercise these rights, email dpo@nicework.io. We respond within 30 days.
10. Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected such data, we will delete it promptly. Parents who believe their child has provided us with personal information may contact us at dpo@nicework.io.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or prominent notice on our website at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact Us & Data Protection Officer
EU Representative: if you are in the EEA and require an EU-based contact under GDPR Article 27, please reach out to our DPO and we will provide the appropriate representative information.