Last Updated: 23 September 2025

Effective Date: Upon UK Launch

Overview

This page lists third-party subprocessors that Nollie engages to assist in providing our Service. These subprocessors may process End-Customer Data on behalf of our Business Subscribers (venues).

We conduct due diligence on all subprocessors and ensure they maintain appropriate security measures and comply with applicable data protection laws through contractual agreements.

Notification of Changes

We will update this list when adding or removing subprocessors. Business Subscribers will be notified of material changes via:

  • Email notification to account administrators (14 days' advance notice)
  • Updates to this webpage
  • In-app notifications where applicable

Business Subscribers may object to new subprocessors within 7 days of notification by contacting: support@nollie.ai

Current Subprocessors

Core Infrastructure

| Subprocessor | Purpose | Data Processed | Location | Entity |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | All Service data including End-Customer Data | UK (primary), with failover to Ireland | Amazon Web Services EMEA SARL |
| Cloudflare | Content delivery network and DDoS protection | Cached content, IP addresses for security | Global (data processed at edge locations) | Cloudflare, Inc. |

AI and Analytics

| Subprocessor | Purpose | Data Processed | Location | Entity |
|---|---|---|---|---|
| OpenAI | AI-powered insights and recommendations | Masked/tokenized End-Customer Data (PII removed) | United States | OpenAI, LLC |
| Mixpanel | Product analytics | Usage data, feature adoption metrics | EU (data residency) | Mixpanel, Inc. |
| Google Analytics | Product Analytics | Usage data | United States | Google, Inc. |
| Microsoft Clarity | Product Analytics | Usage data, behavioural data | United States | Microsoft, Inc |

Communications

| Subprocessor | Purpose | Data Processed | Location | Entity |
|---|---|---|---|---|
| Twilio (SendGrid) | Email communications | Email addresses, email content | EU/United States | Twilio Ireland Limited |
| Twilio | SMS communications | Phone numbers, message content | EU/United States | Twilio Ireland Limited |
| WhatsApp Business | Messaging platform | Phone numbers, message content | Ireland/United States | Meta Platforms Ireland Limited |

Payment Processing

| Subprocessor | Purpose | Data Processed | Location | Entity |
|---|---|---|---|---|
| Stripe | Payment processing for subscriptions | Venue billing information (no End-Customer payment data) | Ireland/United States | Stripe Payments Europe, Limited |
| Square | POS integration support | Transaction references only (no payment data) | United Kingdom | Square International Ltd. |

Business Operations

| Subprocessor | Purpose | Data Processed | Location | Entity |
|---|---|---|---|---|
| HubSpot | CRM and marketing automation | Venue contact information, usage data | Ireland/United States | HubSpot Ireland Limited |

Integration Partners

| Subprocessor | Purpose | Data Processed | Location | Entity |
|---|---|---|---|---|
| ResDiary | Reservation system integration | Booking data, customer details | United Kingdom | ResDiary Ltd |
| Various POS Providers | Point-of-sale integrations | Transaction data, customer identifiers | Varies by provider | Per integration agreement |

Subprocessor Security Standards

All subprocessors are required to:

  • Implement appropriate technical and organizational security measures
  • Comply with applicable data protection laws
  • Maintain confidentiality of all data
  • Only process data according to our documented instructions
  • Assist with data subject rights and regulatory compliance
  • Delete or return data upon termination
  • Allow for audits and inspections as required

Data Processing Agreements

We maintain executed Data Processing Agreements (DPAs) with all subprocessors that include:

  • Standard Contractual Clauses for international transfers
  • Security requirements and breach notification procedures
  • Limitations on data use and retention
  • Audit and compliance provisions
  • Sub-subprocessor restrictions

Special Categories

AI Model Providers

For AI processing, we implement additional safeguards:

  • PII Masking: Personal identifiers are replaced with tokens before processing
  • Purpose Limitation: AI providers cannot use data for model training without explicit consent
  • Data Minimization: Only necessary data attributes are shared
  • Retention Limits: Processed data is not retained beyond immediate processing needs

High-Risk Processors

For processors handling sensitive operations, we conduct:

  • Enhanced due diligence
  • Annual security reviews
  • Regular compliance audits
  • Incident response testing

International Data Transfers

Where data is transferred outside the UK/EEA, we ensure appropriate safeguards through:

  • Standard Contractual Clauses (UK/EU versions as applicable)
  • Adequacy decisions where available
  • Supplementary measures based on transfer risk assessments
  • Technical safeguards including encryption and pseudonymization

Objection Process

Business Subscribers may object to the appointment of new subprocessors by:

  1. Sending a written objection to privacy@nollie.ai within 7 days
  2. Providing specific concerns about the subprocessor
  3. Working with us to address concerns or find alternatives

If we cannot resolve objections and the subprocessor is essential to Service delivery, Business Subscribers may terminate their subscription without penalty.

Audit Information

Business Subscribers may request:

  • Copies of relevant DPA excerpts (confidential terms redacted)
  • Security certifications (ISO 27001, SOC 2, etc.)
  • Summary audit reports
  • Additional information about specific subprocessors

Requests should be sent to: privacy@nollie.ai

Updates and Version History

| Date | Change | Notification |
|---|---|---|
| 22 Sep 2025 | Initial publication | N/A |
| [Future] | Updates logged here | Email + 14 days notice |

Contact

For questions about our subprocessors or data processing practices:

Email: privacy@nollie.ai
Data Protection Officer: Jordan Foord
Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ


This list is incorporated by reference into our Data Processing Agreement and forms part of our contractual commitments to Business Subscribers.