Terms & Privacy

Terms of Service

NOWWORX Ltd — registered in England and Wales (company no. ⚠️ FILL).

Version 1.0 — Last updated: ⚠️ FILL

Not legal advice. Draft pending review by a qualified UK solicitor; all ⚠️ FILL items must be completed before reliance.

Contents

1. Definitions and parties
2. The service
3. Account and eligibility
4. Subscription, fees and billing
5. Licence grant and restrictions
6. Acceptable use
7. AI and messaging terms
8. Third-party services
9. Data protection
10. Intellectual property
11. Confidentiality
12. Warranties and disclaimers
13. Limitation of liability
14. Your indemnity to us
15. Suspension and termination
16. Changes to the service and features (v1, no SLA)
17. Business use and consumer rights
18. General
19. Governing law and jurisdiction

1. Definitions and parties

1.1 These Terms of Service ("Terms") are a contract between NOWWORX Ltd, a company registered in England and Wales (company no. ⚠️ FILL), whose registered office is at ⚠️ FILL ("NOWWORX", "we", "us", "our"), and the trades business that subscribes to the service ("you", "your", the "Tenant").

1.2 In these Terms:

• "Service" or "Platform" means the NOWWORX software-as-a-service platform, websites, apps and APIs, including the Lead Inbox, AI conversations, quotes, invoices, review requests and (on the Premium tier) the NOWWORX-built website.
• "Tenant Content" means all data you, your Users or your end-customers submit to or generate in the Service, including contact details, message and SMS content, voicemail audio and transcripts, job details, quotes and invoices.
• "End-Customer" means a customer or prospective customer of your trades business who contacts you or whom you contact through the Service.
• "User" means an individual you authorise to access the Service under your account (with a role of owner, member or view-only).
• "Tier" means your subscription plan (Sole Trader, Pro or Premium).
• "Privacy Policy", "Data Processing Addendum" (or "DPA"), "Acceptable Use Policy", "Refund & Cancellation Policy" and the "Subprocessors list" mean those NOWWORX documents as updated from time to time. Each forms part of these Terms by reference.

1.3 By creating an account, clicking to accept, or using the Service, you agree to these Terms. If you do not agree, do not use the Service.

2. The service

2.1 NOWWORX is a SaaS platform for UK trades businesses to handle incoming leads, run AI-assisted SMS conversations, manage quotes and invoices, and request Google reviews. The Service includes:

• Lead Inbox — inbound SMS, voicemail and web-form contacts in one view, captured on a Twilio-managed phone number issued or ported for your account.
• AI conversations — automated classification of inbound messages and AI-generated reply drafting and sending under your configured business identity (see clause 7).
• Quotes and invoices — creation, sending and tracking of branded quote and invoice PDFs to your End-Customers.
• Review requests — automated Google Business Profile review requests after a job is completed.
• Premium website (Premium tier only) — a NOWWORX-built templated website with a bundled domain.

2.2 The Service is provided in version 1 ("v1"). Features may change, be added or be withdrawn (see clause 16). NOWWORX does not offer an uptime or availability service-level agreement in v1.

3. Account and eligibility

3.1 To use the Service you must:

(a) be a business operating in the United Kingdom;

(b) be at least 18 years old; and

(c) have authority to enter into these Terms and bind the business you represent.

3.2 You are responsible for all activity under your account, for keeping login credentials secure, and for the acts and omissions of your Users. You must not exceed the User count for your Tier (see clause 5.3).

3.3 You are responsible for your own equipment, internet connectivity and for the accuracy of the information in your account and business profile (including any certifications you declare, such as Gas Safe, NICEIC or NAPIT — see clause 7.5).

4. Subscription, fees and billing

4.1 Tiers and prices. Subscription prices are in GBP and exclusive of VAT unless stated:

• Sole Trader — £149/mo (1 User).
• Pro — £249/mo (up to 5 Users).
• Premium — £399/mo (up to 10 Users; includes the NOWWORX-built website and bundled domain).
• Optional custom-website add-on — £499 one-off.

4.2 30-day money-back guarantee. Your subscription starts and your chosen payment method is charged when you subscribe; there is no free trial. If NOWWORX is not right for you, email support@nowworx.com within 30 days of your first subscription payment and we will refund that payment in full. The guarantee applies once per account, to the first subscription payment only, and does not cover the optional custom-website add-on (see the Refund & Cancellation Policy) or later monthly renewals.

4.3 Billing. Subscriptions are billed monthly in advance via Stripe and auto-renew monthly until cancelled. You authorise us (through Stripe) to charge your payment method for each renewal.

4.4 Cancellation. Cancellation is self-service via the Stripe Customer Portal and is effective at the end of the current paid month; access continues until then.

4.5 No partial refunds. There is no pro-rata refund for partial months once a paid period has begun, except where required by law. Full cancellation and refund mechanics are in the Refund & Cancellation Policy, which forms part of these Terms.

4.6 Price changes. NOWWORX may change prices on at least 30 days' notice before the next renewal. Your continued use after the change takes effect is acceptance of the new price.

4.7 Late or failed payment. If a payment fails or is overdue we may suspend or terminate the Service under clause 15. Taxes (including VAT) are your responsibility where applicable.

5. Licence grant and restrictions

5.1 Subject to these Terms and payment of fees, NOWWORX grants you a non-exclusive, non-transferable, non-sublicensable right to access and use the Service for your own internal trades business during your subscription.

5.2 You must not, and must not permit any User or third party to:

(a) resell, rent, lease, sublicense or commercially exploit the Service or make it available to any third party except your own End-Customers in the ordinary course of your business;

(b) reverse engineer, decompile or disassemble the Service, or attempt to derive source code, except to the extent this restriction is prohibited by law;

(c) copy, modify or create derivative works of the Service;

(d) remove or obscure any proprietary notices; or

(e) use the Service to build a competing product.

5.3 User-count limits. Your Tier sets the maximum number of Users (Sole Trader 1; Pro up to 5; Premium up to 10). You must not circumvent these limits.

6. Acceptable use

6.1 Your use of the Service is subject to the Acceptable Use Policy, which is incorporated into these Terms by reference. A breach of the Acceptable Use Policy is a breach of these Terms.

7. AI and messaging terms

7.1 Assistive automation, not advice. The AI features are assistive automation generated under your configuration and control. AI output is not professional, legal, safety or trade advice. You are responsible for reviewing AI output and for all messages sent under your business identity.

7.2 Business identity. The AI presents as your business, never in the first person as the owner, and never identifies itself as "AI", a "bot" or an "automated assistant". Inbound messages are classified (work / personal / pending) before any automated reply, and personal messages are never auto-answered.

7.3 Your compliance responsibility. You are responsible for compliance with the Privacy and Electronic Communications Regulations 2003 (PECR), Ofcom rules, and consumer law toward your own End-Customers, and you warrant that you have a lawful basis to message your contacts. NOWWORX is not responsible for the content or lawfulness of the communications you send through the Service.

7.4 Opt-out handling. NOWWORX automatically handles a reply of STOP, UNSUBSCRIBE, END, QUIT, CANCEL, REMOVE or OPT OUT (in any case or whitespace) by suppressing all automated replies, follow-ups, quote/invoice automation and review requests to that number. Automation never resumes without explicit re-engagement from the recipient. You remain responsible for honouring opt-outs beyond NOWWORX's automated handling, including any manual messaging you send.

7.5 AI safety limits. The AI never quotes a price unless you enable it, never confirms a date, time or availability, and never claims certifications you have not declared in your profile. Final responsibility for content sent under your business identity is yours.

7.6 Voicemail. Callers hear that messages may be recorded for service quality. Voicemail audio is deleted after 90 days; the transcript is retained subject to the conversation retention schedule (see clause 15.5 and the Privacy Policy).

8. Third-party services

8.1 The Service relies on third-party providers including Twilio (SMS, voice and voicemail), Anthropic Claude (AI), OpenAI Whisper (transcription), Supabase (database, storage and auth), Stripe (billing and Connect payments), Resend (email), Google Business Profile (reviews), Cloudflare (DNS and domains), Sentry (errors), PostHog (analytics), Vercel (hosting) and Hetzner (worker VPS). The Subprocessors list and the Data Processing Addendum hold the full details.

8.2 Your use of these third-party services through the Service is also subject to their terms, including Twilio's Acceptable Use Policy, Stripe's terms, and Google's terms. You are responsible for complying with them.

8.3 NOWWORX is not liable for outages, changes, suspension or discontinuation of third-party services outside our reasonable control.

9. Data protection

9.1 NOWWORX is the data controller for tenant account data (your own account and login, business profile, billing, usage analytics and support), as described in the Privacy Policy.

9.2 NOWWORX is a data processor acting on your instructions in respect of End-Customer data (your customers' contacts, message and SMS content, voicemail audio and transcripts, and job details). You are the controller of that data and warrant that you have a lawful basis to message your contacts.

9.3 Our processing of End-Customer data is governed by the Data Processing Addendum, which is incorporated into these Terms. To the extent of any conflict on data-processing matters, the DPA prevails.

10. Intellectual property

10.1 NOWWORX and its licensors own all intellectual property rights in the Platform, including software, designs, templates and documentation. No rights are granted except as expressly set out in clause 5.

10.2 You own your Tenant Content. You grant NOWWORX a non-exclusive, worldwide licence to host, store, process and transmit Tenant Content solely to provide, maintain, secure and support the Service, and as instructed by you (including via the Service's configuration).

10.3 You warrant that you have all rights necessary to submit Tenant Content and to grant the licence in clause 10.2.

11. Confidentiality

11.1 Each party may receive confidential information of the other. Each party will use the other's confidential information only to perform these Terms and will protect it with reasonable care, except where disclosure is required by law or to professional advisers under confidentiality.

11.2 This clause does not apply to information that is public through no breach, independently developed, or lawfully received from a third party without restriction.

12. Warranties and disclaimers

12.1 The Service is provided "as is" and "as available". To the maximum extent permitted by law, NOWWORX excludes all implied warranties, conditions and terms.

12.2 NOWWORX does not warrant that the Service will be uninterrupted or error-free, and there is no uptime or availability service-level agreement in v1.

12.3 NOWWORX does not warrant that AI output is accurate, complete or fit for any purpose. AI output is assistive automation generated under your configuration and control; you must review it before it is relied on or sent.

12.4 This clause is subject to clause 13.4 (non-excludable carve-outs) and clause 17 (business use and consumer rights).

13. Limitation of liability

13.1 Cap. NOWWORX's total aggregate liability arising out of or in connection with these Terms or the Service, whether in contract, tort (including negligence), breach of statutory duty or otherwise, is limited to the total subscription fees paid by the Tenant to NOWWORX in the 12 months immediately before the event giving rise to the claim.

13.2 Excluded loss. NOWWORX is not liable for indirect, consequential, special or incidental loss, or for loss of profit, revenue, business, anticipated savings, data or goodwill, however arising.

13.3 As is / as available. The Service is provided "as is" and "as available", with no warranty of uninterrupted or error-free operation and no uptime or availability service-level agreement in v1.

13.4 Non-excludable carve-outs. Nothing in these Terms excludes or limits liability for:

(a) death or personal injury caused by negligence;

(b) fraud or fraudulent misrepresentation;

(c) liability under section 2(1) of the Unfair Contract Terms Act 1977; or

(d) anything else that cannot lawfully be excluded or limited.

13.5 AI output. AI output is assistive automation generated under your configuration and control and is not professional, legal, safety or trade advice. You are responsible for all messages sent under your business identity.

13.6 The limitations and exclusions in this clause are intended to be reasonable under section 11 of the Unfair Contract Terms Act 1977 and are severable; if any is held unenforceable, the remainder continue to apply to the maximum extent permitted by law.

14. Your indemnity to us

14.1 You will indemnify NOWWORX against all losses, damages, liabilities, costs and expenses (including reasonable legal fees) arising from claims relating to:

(a) your use of the Service;

(b) your Tenant Content;

(c) your End-Customers; and

(d) your breach of these Terms or of any applicable law.

15. Suspension and termination

15.1 NOWWORX may suspend or terminate the Service, in whole or in part, for material breach of these Terms or the Acceptable Use Policy, non-payment, or unlawful use, on notice that is reasonable in the circumstances (or immediately where the breach is serious or harmful).

15.2 You may cancel as set out in clause 4.4 and in the Refund & Cancellation Policy.

15.3 On termination, your right to use the Service ends. Outstanding fees remain payable. There is no pro-rata refund for partial months once a paid period has begun, except where required by law.

15.4 Data on termination. You should export your data before access ends. After termination, data is handled in accordance with the retention schedule below and the Data Processing Addendum.

15.5 Retention schedule. Conversation messages (SMS/web-form text and voicemail transcripts) are kept 24 months active, then archived 36 months, then permanently deleted from primary and backups. Voicemail audio is kept 90 days then permanently deleted (the transcript is retained subject to the conversation schedule). Quotes and invoices/PDFs are kept 7 years (UK HMRC statutory). A "Forget this contact" erasure is an immediate soft-delete with a 30-day reversal window, then a permanent hard-delete from primary and backups. Tenant account data is kept for the life of the account plus a reasonable post-closure period for legal, tax and dispute purposes, then deleted.

15.6 Clauses that by their nature should survive termination (including clauses 10–14, 17 and 19) survive.

16. Changes to the service and features (v1, no SLA)

16.1 The Service is in v1. Features may be added, changed, placed in beta, or withdrawn. We will give reasonable notice of material adverse changes where practicable.

16.2 There is no uptime or availability service-level agreement in v1. Beta or experimental features are provided without warranty.

17. Business use and consumer rights

17.1 The Service is supplied for business use. You contract as a business and not as a consumer.

17.2 Where you nonetheless qualify as a "consumer" under the Consumer Rights Act 2015, your non-excludable statutory rights are unaffected and prevail over anything in these Terms that would otherwise conflict with them.

18. General

18.1 Entire agreement. These Terms, together with the Privacy Policy, the Data Processing Addendum, the Acceptable Use Policy, the Refund & Cancellation Policy and the Subprocessors list, are the entire agreement between the parties and supersede prior discussions.

18.2 Variation. NOWWORX may vary these Terms on reasonable notice (and on at least 30 days' notice for price changes per clause 4.6). Continued use after the change takes effect is acceptance.

18.3 Assignment. NOWWORX may assign or transfer these Terms (for example on a sale of the business). You may not assign or transfer your rights or obligations without our prior written consent.

18.4 Force majeure. Neither party is liable for failure or delay caused by events beyond its reasonable control, including third-party provider outages.

18.5 Severability. If any provision is held unenforceable, the rest continue in force and the provision is modified to the minimum extent necessary.

18.6 No waiver. A failure to enforce a provision is not a waiver of it.

18.7 Notices. Legal notices to NOWWORX must be sent to support@nowworx.com. We may give you notices via the Service or to your account email.

18.8 Third-party rights. A person who is not a party has no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce these Terms, except as expressly stated.

19. Governing law and jurisdiction

19.1 These Terms and any dispute or claim arising out of or in connection with them (including non-contractual disputes) are governed by the laws of England and Wales.

19.2 The courts of England and Wales have exclusive jurisdiction.

This is an AI-drafted document and is not legal advice. It must be reviewed by a qualified UK solicitor and all ⚠️ FILL items completed before reliance.

Refund & Cancellation Policy

NOWWORX Ltd — registered in England and Wales (company no. ⚠️ FILL).

Version 1.0 — Last updated: ⚠️ FILL

Not legal advice. Draft pending review by a qualified UK solicitor; all ⚠️ FILL items must be completed before reliance.

Contents

1. About this policy
2. The 30-day money-back guarantee
3. How billing works
4. How to cancel
5. Refunds
6. The £499 custom-website add-on
7. Your statutory and consumer rights
8. What happens to your data after cancellation
9. Getting help

1. About this policy

1.1 This Refund & Cancellation Policy explains how the 30-day money-back guarantee, billing, cancellation and refunds work for the NOWWORX service. It forms part of, and is consistent with, the Terms of Service. Capitalised terms have the meanings in the Terms of Service.

1.2 The Service is supplied for business use (see clause 7 below and the Terms of Service).

2. The 30-day money-back guarantee

2.1 Your subscription starts when you subscribe and your payment method is charged at that point. There is no free trial.

2.2 If NOWWORX is not right for you, email support@nowworx.com within 30 days of your first subscription payment and we will refund that payment in full. The guarantee applies once per account, to the first subscription payment only, and does not apply to the optional custom-website add-on (see clause 6) or to later monthly renewals (see clause 5).

3. How billing works

3.1 Subscription prices are in GBP and exclusive of VAT unless stated:

• Sole Trader — £149/mo (1 User).
• Pro — £249/mo (up to 5 Users).
• Premium — £399/mo (up to 10 Users; includes the NOWWORX-built website and bundled domain).
• Optional custom-website add-on — £499 one-off.

3.2 Subscriptions are billed monthly in advance via Stripe and auto-renew monthly until cancelled.

3.3 NOWWORX may change prices on at least 30 days' notice before the next renewal. Continued use after the change takes effect is acceptance of the new price.

4. How to cancel

4.1 Cancellation is self-service via the Stripe Customer Portal.

4.2 Cancellation is effective at the end of the current paid month. Your access continues until then, so you keep the Service for the period you have already paid for.

4.3 Cancelling stops the next renewal; it does not trigger a refund of the current paid month (see clause 5).

5. Refunds

5.1 Subscriptions are billed monthly in advance. There is no pro-rata refund for partial months once a paid period has begun, except where required by law or under the 30-day money-back guarantee in clause 2.

5.2 We do not provide refunds for a paid month simply because the Service was used less than expected during that month.

5.3 Nothing in this policy removes a refund that is required by law (see clause 7).

6. The £499 custom-website add-on

6.1 The optional custom-website add-on is a £499 one-off charge for bespoke build work.

6.2 Because this add-on involves bespoke work performed for you, no refund is available for the custom-website add-on once work on it has begun, except where required by law. We consider this reasonable given the bespoke, made-to-order nature of the work.

6.3 If you cancel before work on the custom-website add-on has begun, contact support@nowworx.com and we will discuss the position with you.

7. Your statutory and consumer rights

7.1 The Service is supplied for business use. You contract as a business and not as a consumer.

7.2 Where you nonetheless qualify as a "consumer" under the Consumer Rights Act 2015, your non-excludable statutory rights are unaffected and prevail over anything in this policy that would otherwise conflict with them. Nothing in this policy limits any liability or right that cannot lawfully be limited.

8. What happens to your data after cancellation

8.1 You should export your data before your access ends. After cancellation, data is handled in accordance with the retention schedule below and the Data Processing Addendum.

8.2 Retention schedule. Conversation messages (SMS/web-form text and voicemail transcripts) are kept 24 months active, then archived 36 months, then permanently deleted from primary and backups. Voicemail audio is kept 90 days then permanently deleted (the transcript is retained subject to the conversation schedule). Quotes and invoices/PDFs are kept 7 years (UK HMRC statutory). A "Forget this contact" erasure is an immediate soft-delete with a 30-day reversal window, then a permanent hard-delete from primary and backups. Tenant account data is kept for the life of the account plus a reasonable post-closure period for legal, tax and dispute purposes, then deleted.

8.3 End-customer data. You are the controller of your End-Customer data and NOWWORX is the processor. You can use the in-product "Forget this contact" flow to erase a specific contact, subject to the 30-day reversal window above. Data-subject requests from your End-Customers are routed to you as the controller; NOWWORX assists as processor. See the Data Processing Addendum for full detail.

8.4 Retention periods that exist for legal or tax reasons (for example the 7-year retention of quotes and invoices for UK HMRC) continue to apply after cancellation.

9. Getting help

9.1 For any question about the money-back guarantee, billing, cancellation, refunds or your data, contact us at support@nowworx.com.

This is an AI-drafted document and is not legal advice. It must be reviewed by a qualified UK solicitor and all ⚠️ FILL items completed before reliance.

Privacy Policy

NOWWORX Ltd — registered in England and Wales (company no. ⚠️ FILL).

Version 1.0 — Last updated: ⚠️ FILL

Not legal advice. Draft pending review by a qualified UK solicitor; all ⚠️ FILL items must be completed before reliance.

Contents

1. Who we are and how to contact us
2. Our two roles: controller and processor
3. What account data we collect and why
4. Lawful bases
5. How long we keep data (retention)
6. Your data-subject rights and the ICO
7. Subprocessors
8. International transfers
9. Cookies
10. Security
11. Changes to this policy
12. Effective date

1. Who we are and how to contact us

NOWWORX Ltd ("NOWWORX", "we", "us") provides the NOWWORX service for UK trades businesses — a lead inbox, AI-assisted SMS and voicemail handling, quotes, invoices and Google review requests.

• Entity: NOWWORX Ltd, registered in England and Wales, company no. ⚠️ FILL, registered office ⚠️ FILL.
• All privacy and data-rights contact: support@nowworx.com.
• ICO registration number: ⚠️ FILL.
• DPO-equivalent / privacy contact: ⚠️ FILL (interim: support@nowworx.com).

This policy is the controller-side privacy notice for tenant account data. How we handle your customers' data as your processor is governed by the Data Processing Addendum, not this policy — see section 2.

2. Our two roles: controller and processor

NOWWORX has two distinct data-protection roles, and it matters which applies:

• We are the data controller for your business account data — your account and login, business profile, billing information, usage analytics and support correspondence. This policy explains that processing.
• We are your data processor for your customers' data — your customers' and leads' contact details, the content of their SMS and web-form messages, their voicemail audio and transcripts, and job details. For that data you are the controller and we act only on your documented instructions. You warrant that you have a lawful basis to message your contacts. That processing is governed by the Data Processing Addendum, which forms part of the Terms of Service. We never become controller of your customers' message content.

In plain English: we control your business account data; for your customers' data, you are in charge and we act on your instructions. See the Data Processing Addendum for full processor terms, the categories of customer data, security measures and the "Forget this contact" erasure flow.

3. What account data we collect and why

As controller of tenant account data, we collect and process:

Data	Source	Why we process it
Sign-up and business profile (name, business name, contact email, phone, trade, service area, persona/branding settings)	You, at onboarding and in Settings	To create and operate your account and configure the service
Billing identity and subscription/payment data (and, for tenant payment collection, payout/bank details and transaction history via Stripe Connect)	You and Stripe	To take subscription payment and enable you to collect customer payments
Usage analytics (usage events, pseudonymous identifiers, cohort assignment) via PostHog	Generated as you use the app	To understand usage, run feature flags and improve the service
Error and performance data via Sentry (may incidentally include limited identifiers)	Generated automatically on errors	To detect, diagnose and fix faults and keep the service secure
Support correspondence	You, when you contact support@nowworx.com	To answer your questions and provide support

Billing is processed by Stripe (PCI-DSS); we do not store full card numbers. Subprocessors are listed in section 7.

4. Lawful bases

For account data, where NOWWORX is the controller, our lawful bases under UK GDPR Article 6 are:

• Performance of a contract (Article 6(1)(b)) — to provide, bill and support the NOWWORX subscription you have entered into.
• Legitimate interests (Article 6(1)(f)) — operating, securing, supporting and improving the service, including service analytics (PostHog), error monitoring (Sentry) and fraud/abuse prevention. We have balanced these interests against your rights and consider them not overridden; you may object as described in section 6.

We do not intend to process special-category personal data as controller of account data. We comply with UK GDPR, the Data Protection Act 2018, PECR 2003 and applicable Ofcom numbering rules; the PECR/marketing lawful basis for messaging end-customers rests with you as controller of that data.

5. How long we keep data (retention)

The following retention schedule applies and is identical across this policy, the Data Processing Addendum and the Subprocessors-related documentation:

Data category	Retention rule
Conversation messages (SMS / web-form text + voicemail transcripts)	24 months active, then archived a further 36 months, then permanently deleted from primary storage and backups
Voicemail audio	90 days then permanently deleted (transcript retained, subject to the conversation schedule)
Quotes & invoices / PDFs	7 years (UK HMRC statutory tax records)
"Forget this contact" erasure	Immediate soft-delete, 30-day reversal window, then permanent hard-delete from primary + backups
Tenant account data	Retained for the life of the account and a reasonable period after closure for legal/tax/dispute purposes, then deleted

6. Your data-subject rights and the ICO

You have the rights of access, rectification, erasure, restriction, portability and objection under UK GDPR, and the right not to be subject to solely automated decisions with legal or similarly significant effect.

• Account data (NOWWORX as controller): exercise your rights directly with us at support@nowworx.com.
• Your customers' data (you as controller, NOWWORX as processor): your customers exercise their rights with you; we assist you as your processor, including via the in-product "Forget this contact" erasure flow. See the Data Processing Addendum.

You also have the right to complain to the Information Commissioner's Office (ICO): ⚠️ FILL ICO contact details, online at ico.org.uk. We would appreciate the chance to address your concern first via support@nowworx.com.

7. Subprocessors

We use the third-party subprocessors below to deliver the service. The full, maintained list — with purposes, data categories and transfer details — is the Subprocessors list (subprocessors.md), which the Data Processing Addendum also references. See the Subprocessors subsection within Data Processing below for the full table.

• Twilio — SMS, voice and voicemail capture and delivery.
• Anthropic (Claude API) — AI message classification, reply generation, urgency scoring.
• OpenAI (Whisper) — voicemail audio to text transcription.
• Supabase — primary database (Postgres + Row-Level Security), file storage, authentication.
• Stripe — subscription billing and tenant payment collection (Stripe Connect).
• Resend — transactional email (quote/invoice delivery, account email).
• Google (Business Profile API) — automated Google review requests and Place ID resolution.
• Cloudflare — DNS, CDN, Premium-tier domain registration, email routing.
• Sentry — error and performance monitoring.
• PostHog — product analytics and feature flags.
• Vercel — hosting of the owner app and Premium customer websites.
• Hetzner — VPS hosting the background-processing worker.

We review this list at least annually, give tenants prior notice of new or replacement subprocessors, and tenants may object on reasonable data-protection grounds.

8. International transfers

Some subprocessors process personal data outside the UK (for example, Anthropic, OpenAI and Google in the US). Where data is transferred outside the UK we rely on UK GDPR Article 46 safeguards — the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum ⚠️ FILL — together with a transfer impact assessment. The executed instruments are ⚠️ FILL and must be completed before launch; nothing here represents that any particular mechanism is currently executed. Core data storage runs on UK/EU-resident infrastructure where stated in the Subprocessors list (for example, Supabase data region ⚠️ FILL (EU/UK) and the Hetzner worker in Germany (EU)).

9. Cookies

The app and our sites use a limited set of cookies and similar technologies for authentication, security and product analytics (PostHog). Full details, categories and how to manage your choices are in the Cookie Policy.

10. Security

We apply appropriate technical and organisational measures, including: per-tenant Row-Level Security so tenants' data is strictly isolated; TLS 1.3 for data in transit; AES-256 encryption for data at rest; role-based access controls and least-privilege service credentials; audit logging of access and changes; and UK/EU-resident core infrastructure where stated in the Subprocessors list. No system is perfectly secure; we will notify affected tenants without undue delay on becoming aware of a personal-data breach and assist with the tenant's Article 33/34 duties, including the 72-hour ICO timeline, as set out in the Data Processing Addendum.

11. Changes to this policy

We may update this policy to reflect changes to the service, our subprocessors or the law. We will revise the version and "Last updated" date above and, for material changes, give tenants reasonable prior notice. Continued use of the service after the effective date constitutes acceptance of the updated policy. See also the Terms of Service and the Acceptable Use Policy.

12. Effective date

This Privacy Policy is effective from ⚠️ FILL. Questions: support@nowworx.com. Governed by the law of England and Wales, with the exclusive jurisdiction of the courts of England and Wales.

Cookie Policy

NOWWORX Ltd — registered in England and Wales (company no. ⚠️ FILL).

Version 1.0 — Last updated: ⚠️ FILL

Not legal advice. Draft pending review by a qualified UK solicitor; all ⚠️ FILL items must be completed before reliance.

1. About this policy

This Cookie Policy explains how NOWWORX Ltd ("NOWWORX", "we", "us") uses cookies and similar storage technologies across:

• the NOWWORX marketing website — a static site (internally nowworx-landing); and
• the NOWWORX owner app — a Next.js application hosted on Vercel and used by paying tenants to sign in and manage their account.

It should be read together with our Privacy Policy (see privacy-policy.md), which explains, more broadly, how we handle personal data. This policy covers cookies and equivalent technologies; it does not by itself describe all of our processing.

This policy concerns NOWWORX's own sites and app. It does not govern the websites of the trades businesses that use NOWWORX, nor does it govern the SMS, voicemail or web-form messaging handled on a trades business's behalf (see sms-messaging-terms.md).

2. What cookies and similar technologies are

A cookie is a small text file placed on your device by a website you visit. Similar technologies include browser localStorage/sessionStorage, and identifiers used for diagnostics. We use the term "cookies" loosely below to cover all of these.

Cookies are broadly either:

• Strictly necessary — required to provide a service you have actively asked for (for example, keeping you logged in). Under the Privacy and Electronic Communications Regulations 2003 (PECR), these do not require consent.
• Non-essential — everything else (for example, product analytics). Under PECR these require your consent before they are set, and you must be able to withdraw that consent.

3. Cookies and storage we actually use

We do not use any third-party advertising or cross-site tracking cookies. The categories actually used are:

Category	Purpose	Examples	Strictly necessary?	Consent required?
Essential — authentication & session	Keeps a signed-in tenant user logged in to the owner app and maintains the session securely	Supabase Auth session and refresh cookies (owner app login)	Yes	No
Essential — onboarding	Maintains state safely through the signup/onboarding flow	Signed signup-flow cookie (set during onboarding only)	Yes	No
Essential — payments & fraud prevention	Enables Stripe-hosted Checkout and the Customer Portal to work and to prevent payment fraud	Cookies set by Stripe on its hosted Checkout / Customer Portal and for fraud prevention	Yes	No
Analytics & feature flags	Product analytics and feature-flag delivery on the app and marketing site, to understand and improve usage	PostHog product-analytics and feature-flag cookies/storage	No	Yes
Error & security monitoring	Detects, diagnoses and fixes faults and keeps the service secure and reliable	Sentry diagnostic identifiers/storage	Yes	No — relied on as strictly necessary for service security and integrity (UK GDPR legitimate interests; see the Privacy Policy). Final strictly-necessary vs. consent classification to be confirmed on solicitor review ⚠️ FILL

⚠️ FILL: the exact cookie names, expiry/durations and domains for each item above (Supabase Auth, signup cookie, Stripe, PostHog, Sentry) once finalised at launch.

4. Our consent posture (UK / PECR)

Essential cookies (authentication, onboarding, Stripe payments and fraud prevention, and Sentry error & security monitoring) are set without consent because they are strictly necessary to deliver the owner app and the payment service you have asked for and to keep the service secure. They cannot be switched off without breaking or degrading the service. Sentry error & security monitoring is relied on as strictly necessary for service security and integrity, consistent with the legitimate-interests basis in the Privacy Policy (final classification to be confirmed on solicitor review ⚠️ FILL).

Non-essential cookies — PostHog product analytics and feature flags — are subject to consent under PECR. Our UK posture is that these are consent-gated: they should not be set until a UK visitor has accepted them, and the visitor must be able to accept, reject and later withdraw.

A UK visitor can:

• Accept or reject non-essential cookies via the consent mechanism presented on the site/app ⚠️ FILL (confirm whether a consent banner / preference centre is deployed and live at launch, and the precise accept/reject UX);
• Withdraw previously given consent at any time, as easily as it was given, via the same consent mechanism ⚠️ FILL (link/location of the preference control); and
• Additionally control or delete cookies through their browser settings (see section 5).

If a consent mechanism is not live at launch, non-essential analytics/monitoring must remain disabled by default until consent can be collected. ⚠️ FILL (confirm launch state).

Rejecting or withdrawing consent for non-essential cookies does not affect your ability to use the core service; only analytics/monitoring is affected.

5. Managing and controlling cookies

You can control cookies in several ways:

• Consent mechanism — accept, reject or withdraw consent for non-essential cookies via the on-site control ⚠️ FILL (location/link).
• Browser settings — most browsers let you block or delete cookies and clear local storage. Blocking essential cookies will prevent you from logging in to or using the owner app. Help pages: Chrome, Safari, Edge and Firefox each publish instructions in their support documentation ⚠️ FILL (add direct links if these are to be cited).
• Third-party controls — for cookies set by our providers:
  • Stripe — see Stripe's cookie/privacy documentation ⚠️ FILL (link).
  • PostHog — see PostHog's privacy documentation and opt-out guidance ⚠️ FILL (link).
  • Sentry — see Sentry's privacy documentation ⚠️ FILL (link).

6. Changes to this policy

We may update this Cookie Policy from time to time, for example if we add or remove a provider or change our consent approach. The "Last updated" date above shows when it last changed. Material changes will be reflected by a version bump. Please check back periodically.

7. Contact

Questions about this Cookie Policy, or about cookies and tracking on our site or app, can be sent to support@nowworx.com.

For how we handle personal data more generally — including your data-protection rights and the right to complain to the Information Commissioner's Office (ICO) — see our Privacy Policy (privacy-policy.md).

Acceptable Use Policy

NOWWORX Ltd — registered in England and Wales (company no. ⚠️ FILL).

Version 1.0 — Last updated: ⚠️ FILL

Not legal advice. Draft pending review by a qualified UK solicitor; all ⚠️ FILL items must be completed before reliance.

Contents

1. About this policy
2. Lawful and honest messaging
3. Opt-outs and PECR
4. Use of the AI business-identity model
5. Content you must not send
6. Platform integrity and multi-tenant isolation
7. Third-party rules (Twilio and others)
8. Prohibited industries and uses
9. Consequences of breach
10. Reporting abuse

1. About this policy

1.1 This Acceptable Use Policy ("AUP") is binding on every Tenant and User and is incorporated into the Terms of Service. A breach of this AUP is a breach of the Terms of Service. Capitalised terms have the meanings in the Terms of Service.

1.2 You are responsible for the acts and omissions of your Users and for all activity under your account, including all messages sent under your business identity.

2. Lawful and honest messaging

2.1 You must not use the Service for any unlawful, fraudulent, harassing, abusive, threatening or deceptive messaging.

2.2 You must not send spam, and you must not message any person without a lawful basis to do so under the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR. You warrant that you have a lawful basis to message every contact you load into or message through the Service.

2.3 You are responsible for compliance with PECR, Ofcom rules and consumer law toward your own End-Customers. NOWWORX provides the platform; the lawful basis and the content of your communications are yours.

3. Opt-outs and PECR

3.1 NOWWORX automatically handles a reply of STOP, UNSUBSCRIBE, END, QUIT, CANCEL, REMOVE or OPT OUT (in any case or whitespace) by suppressing all automated replies, follow-ups, quote/invoice automation and review requests to that number. Automation never resumes without explicit re-engagement from the recipient.

3.2 You remain responsible for honouring opt-outs beyond NOWWORX's automated handling, including any manual messaging you send and any opt-out request made by other means. You must not attempt to circumvent, disable or work around the opt-out handling.

4. Use of the AI business-identity model

4.1 The AI presents as your business, never in the first person as the owner, and never identifies itself as "AI", a "bot" or an "automated assistant". The AI business-identity model may be used only for your own genuine business communications.

4.2 You must not:

(a) impersonate any third party or any business other than your own;

(b) deceive recipients about who they are dealing with, beyond the configured business persona;

(c) instruct or configure the AI to make false claims, including false certifications (such as Gas Safe, NICEIC or NAPIT), false prices, or false dates, times or availability; or

(d) use the AI to misrepresent the nature of your services.

4.3 The AI never quotes a price unless you enable it, never confirms a date, time or availability, and never claims certifications you have not declared. You are responsible for reviewing and for the final content of everything sent under your business identity. AI output is assistive automation under your configuration and control and is not professional, legal, safety or trade advice.

5. Content you must not send

5.1 You must not use the Service to send or process content that is unlawful, defamatory, obscene, discriminatory, harassing or that infringes another person's rights.

5.2 You must not message special-category or other high-risk personal data through the Service unnecessarily or unlawfully, or use the Service for high-risk communications for which it is not designed.

6. Platform integrity and multi-tenant isolation

6.1 You must not scrape, resell, sublicense, rent or otherwise make the Service available to any third party except your own End-Customers in the ordinary course of your business.

6.2 You must not circumvent or attempt to circumvent any security, authentication, rate-limiting or access controls, probe or penetration-test the Service without authorisation, or introduce malicious code.

6.3 You must not abuse system load, send automated traffic that degrades the Service, or interfere with or attempt to access another tenant's data or environment. The Service is multi-tenant with per-tenant isolation; any attempt to defeat that isolation is a serious breach.

6.4 You must not exceed the User count for your Tier or otherwise circumvent licensing limits.

7. Third-party rules (Twilio and others)

7.1 SMS, voice and voicemail are delivered through Twilio. Your messaging must comply with Twilio's Acceptable Use Policy and Twilio's SMS and messaging rules and policies, which mirror and supplement this AUP.

7.2 Your use of other third-party services through the Service (including Stripe and Google) is also subject to their terms. You are responsible for compliance with all of them.

8. Prohibited industries and uses

8.1 The Service must not be used for any industry or use prohibited by Twilio's Acceptable Use Policy, by any other applicable third-party provider policy, or by law.

8.2 Additional NOWWORX-specific prohibited industries or uses: ⚠️ FILL.

9. Consequences of breach

9.1 If you breach this AUP, NOWWORX may, at its discretion and in proportion to the breach: issue a warning; restrict, suspend or terminate the Service in whole or in part; remove or disable offending content; and take any step required to protect the Service, other tenants or third parties.

9.2 NOWWORX may cooperate with regulators, law enforcement, Twilio and other providers in relation to suspected misuse, and may disclose information where required or permitted by law.

9.3 Suspension or termination for breach of this AUP does not entitle you to a refund (see the Refund & Cancellation Policy), and outstanding fees remain payable.

10. Reporting abuse

10.1 To report suspected abuse or misuse of the Service, contact support@nowworx.com.

This is an AI-drafted document and is not legal advice. It must be reviewed by a qualified UK solicitor and all ⚠️ FILL items completed before reliance.

Data Processing Addendum

NOWWORX Ltd — registered in England and Wales (company no. ⚠️ FILL).

Version 1.0 — Last updated: ⚠️ FILL

Not legal advice. Draft pending review by a qualified UK solicitor; all ⚠️ FILL items must be completed before reliance.

Contents

1. Parties, roles and precedence
2. Subject-matter, duration, nature and purpose of processing
3. Categories of personal data and data subjects
4. Processor obligations
5. Subprocessors
6. International transfers
7. Personal-data breach
8. Audit
9. Return and deletion on termination
10. Retention schedule
11. General

1. Parties, roles and precedence

This Data Processing Addendum ("DPA") forms part of, and is governed by, the Terms of Service between NOWWORX Ltd ("NOWWORX", "we", "the processor") and the tenant (the trades business that subscribes to the NOWWORX service) ("you", "the tenant", "the controller").

For the personal data of the tenant's own customers and leads ("end-customer data") processed through the NOWWORX service — contact details, SMS and web-form message content, voicemail audio and transcripts, and job details — the tenant is the data controller and NOWWORX is the data processor, acting only on the tenant's documented instructions. The tenant warrants that it has a lawful basis to message its contacts and to instruct the processing described here.

For tenant account data (account/login, business profile, billing, usage analytics, support correspondence) NOWWORX is the data controller in its own right; that processing is governed by the Privacy Policy, not this DPA.

This DPA is the parties' agreement under Article 28 UK GDPR. Where there is any conflict on data-protection matters, this DPA prevails over the rest of the Terms of Service. Defined terms not defined here have the meaning given in the UK GDPR and the Data Protection Act 2018.

2. Subject-matter, duration, nature and purpose of processing

• Subject-matter: processing of end-customer data necessary to provide the NOWWORX service to the tenant.
• Duration: for the term of the Terms of Service plus the post-termination periods in the retention schedule at section 10.
• Nature of processing: receipt, capture, storage, transcription, AI classification and reply generation, automated and manual messaging, organisation, hosting, backup, archival and deletion.
• Purpose: operating the tenant's lead inbox and conversations — capturing inbound SMS, web-form and voicemail contacts via Twilio; transcribing voicemail audio via OpenAI (Whisper); classifying each inbound message and generating draft or automated replies via Anthropic (Claude API) under the AI rules below; storing data in Supabase under per-tenant Row-Level Security; and delivering quotes, invoices and review requests on the tenant's behalf.

AI and automated-messaging processing characteristics (processor acts on the tenant's instructions and configuration): the AI presents as the tenant's business and never as the owner in the first person and never identifies itself as AI or a bot; every inbound message is classified before any automated reply; messages classified as personal are never auto-answered; automated opt-out is honoured on STOP / UNSUBSCRIBE / END / QUIT / CANCEL / REMOVE / OPT OUT; voicemail callers hear that "messages may be recorded for service quality"; AI conversation memory is bounded to the last 20 messages or the last 6 months. End-customer messaging is the tenant's processing as controller; NOWWORX provides the tools and acts on the tenant's documented instructions.

3. Categories of personal data and data subjects

Categories of data subjects: the tenant's customers, prospective customers and leads who contact the tenant's NOWWORX number or web form.

Categories of personal data:

• contact details (name, phone number, email address, postal/site address);
• message content (inbound and outbound SMS and web-form text);
• voicemail audio recordings and their transcripts;
• job details (description of the work, urgency, site access notes and similar information the customer provides);
• quote and invoice data relating to the customer.

No special-category personal data is intended or solicited. The tenant must not instruct NOWWORX to process special-category data through free-text fields; if a customer volunteers such data in a message, it is processed only incidentally as part of the conversation record.

4. Processor obligations

NOWWORX shall:

1. Documented instructions. Process end-customer data only on the tenant's documented instructions (including the configuration the tenant selects in the product and the instructions contained in the Terms of Service and this DPA), including for international transfers, unless required to do otherwise by UK or EU law, in which case NOWWORX will inform the tenant unless that law prohibits it. NOWWORX will inform the tenant if, in its opinion, an instruction infringes data-protection law.
2. Confidentiality. Ensure that persons authorised to process end-customer data are bound by an appropriate duty of confidentiality and process the data only as instructed.
3. Article 32 security. Implement appropriate technical and organisational measures including: per-tenant Row-Level Security in the database; TLS 1.3 for data in transit; AES-256 encryption for data at rest; role-based access controls and least-privilege service credentials; audit logging of access and changes; and UK/EU-resident core infrastructure where stated in the Subprocessors list.
4. Assistance with data-subject rights. Taking into account the nature of the processing, assist the tenant by appropriate technical and organisational measures, insofar as possible, to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection). The tenant, as controller, leads on these requests; NOWWORX assists as processor, including via the in-product "Forget this contact" erasure flow (immediate soft-delete, a 30-day reversal window, then permanent hard-delete from primary storage and backups).
5. Assistance with Articles 32–36. Assist the tenant in ensuring compliance with the obligations in Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessment and prior consultation), taking into account the nature of processing and the information available to NOWWORX.
6. Records. Maintain records of processing carried out on the tenant's behalf and make available to the tenant the information necessary to demonstrate compliance with Article 28, subject to section 8 (Audit).

5. Subprocessors

The tenant grants NOWWORX general written authorisation to engage subprocessors. The authorised subprocessors are listed in the maintained Subprocessors list (subprocessors.md), reproduced below as at the version date of this DPA. See the Subprocessors subsection below for the maintained table.

Subprocessor	Purpose	Data categories	Location / transfer
Twilio	SMS, voice & voicemail capture and delivery	end-customer phone numbers, message text, voicemail audio	UK/EU processing; DPA in place
Anthropic (Claude API)	AI message classification, reply generation, urgency scoring	conversation/message content	US — UK GDPR Art. 46 safeguards (UK IDTA / EU SCCs + UK Addendum) ⚠️ FILL executed instrument
OpenAI (Whisper)	voicemail audio → text transcription	voicemail audio	US — UK GDPR Art. 46 safeguards ⚠️ FILL
Supabase	primary database (Postgres + Row-Level Security), file storage, authentication	all tenant + end-customer data; voicemail audio at rest	data region ⚠️ FILL (EU/UK); DPA in place; AES-256 at rest, TLS 1.3 in transit
Stripe	subscription billing (NOWWORX platform) + tenant payment collection (Stripe Connect)	tenant business + billing identity, payout/bank details, transaction history	UK/EU; DPA in place; PCI-DSS
Resend	transactional email (quote/invoice delivery, account email)	recipient email addresses, quote/invoice PDFs	location/transfer ⚠️ FILL
Google (Business Profile API)	automated Google review requests; business Place ID resolution	tenant business name/address, review-request metadata	US — UK GDPR Art. 46 safeguards ⚠️ FILL
Cloudflare	DNS, CDN, Premium-tier domain registration, email routing	tenant domain/DNS config, email-forwarding rules	global edge; DPA in place; transfer ⚠️ FILL
Sentry	error & performance monitoring	diagnostic/error data (may incidentally include limited identifiers)	location/transfer ⚠️ FILL
PostHog	product analytics & feature flags	usage events, pseudonymous identifiers, cohort assignment	location/transfer ⚠️ FILL
Vercel	hosting of the owner app and Premium customer websites	app session data, hosted static assets	location/transfer ⚠️ FILL
Hetzner	virtual private server hosting the background-processing worker	data transiently processed by the worker (messages in flight)	Germany (EU)

NOWWORX maintains this list, reviews it at least annually, gives tenants prior notice of new/replacement subprocessors, and tenants may object on reasonable data-protection grounds. If the tenant objects on reasonable grounds and the parties cannot resolve the objection, the tenant may, as its sole remedy, terminate the affected service in accordance with the Terms of Service. NOWWORX imposes on each subprocessor data-protection obligations that are in substance no less protective than this DPA (back-to-back terms) and remains liable to the tenant for the acts and omissions of its subprocessors as if they were its own.

The Subprocessors list (subprocessors.md) is the maintained source; if it diverges from the table above, the maintained list governs as at its own version date.

6. International transfers

Some subprocessors process personal data outside the UK. Where personal data is transferred outside the UK, NOWWORX relies on UK GDPR Article 46 safeguards — the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses together with the UK Addendum ⚠️ FILL — supported by a transfer impact assessment. NOWWORX commits to completing and executing the relevant Article 46 instruments and transfer impact assessment for each cross-border subprocessor ⚠️ FILL before such transfers are relied upon in production. Nothing in this DPA should be read as a representation that any particular transfer mechanism is currently executed; the status is tracked in the Subprocessors list.

7. Personal-data breach

NOWWORX shall notify the tenant without undue delay after becoming aware of a personal-data breach affecting end-customer data. The notification shall, to the extent known and as it becomes available, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. NOWWORX shall provide reasonable assistance to the tenant in meeting the tenant's own obligations under Articles 33 and 34 UK GDPR, including the controller's 72-hour notification timeline to the ICO where applicable. NOWWORX's notification is not an acknowledgement of fault or liability.

8. Audit

NOWWORX shall make available to the tenant the information necessary to demonstrate compliance with Article 28 UK GDPR. The tenant's audit and inspection right is satisfied primarily by NOWWORX providing relevant documentation, written responses to reasonable data-protection questionnaires, and available third-party certifications and reports. Any on-site or more detailed audit may be conducted on reasonable prior written notice, during business hours, in a manner that does not disrupt NOWWORX's operations or compromise other tenants' data, subject to confidentiality, and not more than once per year — save where required by a supervisory authority or reasonably necessary following a confirmed personal-data breach.

9. Return and deletion on termination

On termination of the Terms of Service, and at the tenant's choice, NOWWORX shall return or delete end-customer data in accordance with the retention schedule in section 10 and otherwise on the tenant's documented request, unless UK or EU law requires continued storage (for example, the 7-year statutory retention of quotes and invoices for HMRC tax records). Deletion is from primary storage and backups in accordance with the schedule. The in-product "Forget this contact" flow remains available until termination.

10. Retention schedule

The following retention schedule applies and is identical across the Privacy Policy, this DPA and the Subprocessors-related documentation:

Data category	Retention rule
Conversation messages (SMS / web-form text + voicemail transcripts)	24 months active, then archived a further 36 months, then permanently deleted from primary storage and backups
Voicemail audio	90 days then permanently deleted (transcript retained, subject to the conversation schedule)
Quotes & invoices / PDFs	7 years (UK HMRC statutory tax records)
"Forget this contact" erasure	Immediate soft-delete, 30-day reversal window, then permanent hard-delete from primary + backups
Tenant account data	Retained for the life of the account and a reasonable period after closure for legal/tax/dispute purposes, then deleted

11. General

• Liability. The parties' liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service, except where the law does not permit such limitation.
• Order of precedence. This DPA prevails over any conflicting term of the Terms of Service on data-protection matters. The Subprocessors list governs the current subprocessor roster as at its own version date.
• Cross-references. See also the Privacy Policy, the Subprocessors list, the Terms of Service, the Cookie Policy and the Acceptable Use Policy.
• Contact. All data-protection matters under this DPA: support@nowworx.com.
• Governing law. This DPA is governed by the law of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

Subprocessors

NOWWORX Ltd — registered in England and Wales (company no. ⚠️ FILL).

Version 1.0 — Last updated: ⚠️ FILL

Not legal advice. Draft pending review by a qualified UK solicitor; all ⚠️ FILL items must be completed before reliance.

This subprocessor list belongs to the Data Processing Addendum above and is its maintained source.

Contents

1. About this list
2. Subprocessors
3. Change governance
4. Status of transfer instruments

1. About this list

The third parties below ("subprocessors") process personal data on NOWWORX Ltd's behalf to deliver the NOWWORX service — including capturing and delivering SMS, voice and voicemail, transcribing voicemail audio, classifying and generating AI replies, hosting and storing data, billing, transactional email, review requests, DNS/CDN, monitoring and analytics. This list is the single canonical source referenced by the Privacy Policy and the Data Processing Addendum. NOWWORX maintains this list and notifies tenants of changes as set out in section 3.

For end-customer personal data, the tenant is the data controller and NOWWORX is the data processor; these subprocessors are engaged by NOWWORX under the tenant's general written authorisation in the Data Processing Addendum.

2. Subprocessors

Subprocessor	Purpose	Data categories	Location / transfer
Twilio	SMS, voice & voicemail capture and delivery	end-customer phone numbers, message text, voicemail audio	UK/EU processing; DPA in place
Anthropic (Claude API)	AI message classification, reply generation, urgency scoring	conversation/message content	US — UK GDPR Art. 46 safeguards (UK IDTA / EU SCCs + UK Addendum) ⚠️ FILL executed instrument
OpenAI (Whisper)	voicemail audio → text transcription	voicemail audio	US — UK GDPR Art. 46 safeguards ⚠️ FILL
Supabase	primary database (Postgres + Row-Level Security), file storage, authentication	all tenant + end-customer data; voicemail audio at rest	data region ⚠️ FILL (EU/UK); DPA in place; AES-256 at rest, TLS 1.3 in transit
Stripe	subscription billing (NOWWORX platform) + tenant payment collection (Stripe Connect)	tenant business + billing identity, payout/bank details, transaction history	UK/EU; DPA in place; PCI-DSS
Resend	transactional email (quote/invoice delivery, account email)	recipient email addresses, quote/invoice PDFs	location/transfer ⚠️ FILL
Google (Business Profile API)	automated Google review requests; business Place ID resolution	tenant business name/address, review-request metadata	US — UK GDPR Art. 46 safeguards ⚠️ FILL
Cloudflare	DNS, CDN, Premium-tier domain registration, email routing	tenant domain/DNS config, email-forwarding rules	global edge; DPA in place; transfer ⚠️ FILL
Sentry	error & performance monitoring	diagnostic/error data (may incidentally include limited identifiers)	location/transfer ⚠️ FILL
PostHog	product analytics & feature flags	usage events, pseudonymous identifiers, cohort assignment	location/transfer ⚠️ FILL
Vercel	hosting of the owner app and Premium customer websites	app session data, hosted static assets	location/transfer ⚠️ FILL
Hetzner	virtual private server hosting the background-processing worker	data transiently processed by the worker (messages in flight)	Germany (EU)

3. Change governance

NOWWORX maintains this list, reviews it at least annually, gives tenants prior notice of new/replacement subprocessors, and tenants may object on reasonable data-protection grounds. The objection process and consequences are set out in the Data Processing Addendum. NOWWORX remains liable for the acts and omissions of its subprocessors as if they were its own.

Questions about this list, or objections to a subprocessor, should be sent to support@nowworx.com.

4. Status of transfer instruments

Several subprocessors process personal data outside the UK. Where a transfer relies on UK GDPR Article 46 safeguards (UK IDTA, or EU SCCs with the UK Addendum), the executed instruments and the associated transfer impact assessment are marked ⚠️ FILL above and must be completed and executed before launch. Until completed, no document in this cluster should be read as a representation that any specific transfer mechanism is currently in force.

Last updated: ⚠️ FILL

Cross-references: the Privacy Policy, the Data Processing Addendum, the Terms of Service, the Cookie Policy, the Acceptable Use Policy.