Policy

Privacy Policy

This Privacy Policy explains how PayLoad processes personal data when you use our services, including the dashboard, API, storage, sharing, email jobs, billing, and support. PayLoad is operated by Nugent Brothers Enterprises LTD (company number NI719078) trading as “PayLoad.” PayLoad is the controller for account data and the processor for customer-uploaded content where applicable. We comply with GDPR, UK GDPR, CCPA/CPRA, and similar laws.

Data we collect

  • Account & identity — Email address, hashed password, verification tokens, session identifiers, API keys, TOTP secrets (stored securely), roles, and audit trails for sign-in and security changes.
  • Service usage — File metadata (name, size, storage plan, retention), share tokens, invite tokens, permissions, credit balances, credit caps, payment intents, and email job metadata (to/subject/timestamps; email bodies and attachments are processed for delivery only).
  • Device & telemetry — IP address, user agent, timestamps, request IDs, and limited event logs to secure the service, prevent abuse, and troubleshoot.
  • Payments — Stripe processes payment details. We receive tokens, last4, brand, status, and amounts; we do not store full card numbers.
  • Support — Messages you send to support or security, plus related metadata.

Purposes and lawful bases

  • Contract — Provide and maintain the service; authenticate users; deliver uploads, shares, invites, email jobs; apply credits and caps; send transactional messages (verification, security alerts, receipts).
  • Legitimate interests — Prevent fraud/abuse, secure accounts, improve reliability, measure performance, and defend legal claims. We balance these interests against your rights.
  • Legal obligations — Comply with accounting, tax, KYC/AML (if applicable), law enforcement requests, and regulatory reporting.
  • Consent — Optional marketing (only if you opt in). You may withdraw consent at any time.

Sharing and disclosures

  • Subprocessors — Hosting, storage, email delivery, monitoring, analytics, and payments (e.g., Stripe). These providers act on our instructions and are bound by confidentiality and security obligations.
  • Business operations — Professional advisers (legal, accounting), auditors, and insurers under appropriate NDAs and protections.
  • Legal — Disclosures required by law, court order, or to protect rights, safety, and the integrity of the service.
  • Mergers — If we undergo a merger, acquisition, or sale of assets, data may transfer subject to this Policy and applicable law.

International transfers

Where data moves outside your region (e.g., EU/UK to US), we rely on Standard Contractual Clauses and comparable safeguards. We monitor legal developments and will implement additional measures if required.

Retention

  • Account data — Kept while your account is active. Backups roll off per retention schedules.
  • Content and shares — Stored per your settings (main/temp retention, share expiry). Deleted content is removed from active storage promptly and from backups on their normal schedule.
  • Invites and email jobs — Retained for auditability and abuse prevention; expired or revoked items are flagged but may persist in logs.
  • Billing records — Retained as required by law (e.g., tax/audit obligations).
  • Logs — Security and access logs retained for a limited period necessary to detect and investigate issues.

Security

  • TLS in transit; encryption at rest for files and secrets.
  • Scoped API keys, TOTP, session protections, and audit logging for sensitive events.
  • Access controls for staff and subprocessors; least-privilege enforced.
  • Incident response with notification without undue delay where legally required.

Your rights

Subject to law, you may request access, correction, erasure, restriction, portability, or objection to processing. You may withdraw consent for marketing at any time. File requests at NBE@nugentweb.online. We may verify identity before fulfilling requests.

Cookies and tracking

We use strictly necessary cookies for sessions and security. We do not use third-party advertising cookies. Optional analytics, if enabled, will be disclosed with choice mechanisms.

Children

The service is for users 13+ (or higher where law requires). We do not knowingly collect data from children under the applicable minimum age. If you believe we have such data, contact us for deletion.

Data subject requests

Email NBE@nugentweb.online with the email associated to your account. We respond within statutory timelines. For unresolved EU/UK complaints, you may contact your supervisory authority; for U.S. state privacy rights, you may exercise applicable rights via the same channel.

Changes

We may update this Policy to reflect legal, technical, or business changes. We will post the new version with an updated effective date and, where required, notify you in advance.

Contact

All privacy, security, and DPO correspondence: NBE@nugentweb.online.