Platform privacy policy

1. Definitions

“Agreement” is the Order of Work or Contract Form or any such instruction from the Customer for Wordnerds to undertake consultancy or related work (“Data Analysis Services”).

“Customer” is the organisation that has entered into an Order of Work/Agreement with Wordnerds.

“Company” or “Wordnerds” refers to Nerds with Words Ltd.

“Controller” and “Processor” have the meaning set forth in the UK Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR”) within, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Content Authors” are anyone responsible for generating text being analysed by Wordnerds. These could be unknown people writing on Twitter, Customers’ customers filling out surveys, authors of forum posts managed by the Customer, who have agreed to the terms and conditions of the Customer, consumers who have filled out third party online reviews etc.

“Data Analysis Services” refers to the whole process of using the Wordnerds platform to gather insights, from the moment data comes into our remit.

“Data Subject” refers to an individual person who can be identified via an identifier such as name or unique ID etc.

“Platform” refers to the Wordnerds SaaS platform.

The “Policy” is this document in its entirety, including Appendix A.

“PII” means Personally Identifiable Information as set out in the UK GDPR.

“Users” are anyone authorised by the Customer to access and administer the Wordnerds software platform on behalf of the Customer. These could be employees of the Customer, contractors, an organisation or person pre-agreed by both the Customer and/or Wordnerds, etc.

“Wordnerds Affiliates” means any person carrying out Data Analysis Services for the Wordnerds organisation.

2. The Purpose of this Policy

This Policy sets out the rights and obligations that apply to Wordnerds’ handling of personal data on behalf of the Customer as part of their access to the Platform and the Company’s provision of data analysis services (“Data Analysis Services”).

Appendix A of this Policy contains details about the security measures implemented to comply with the UK General Data Protection Regulation (UK GDPR).

3. Data Protection Principles

Wordnerds is committed to processing data in accordance with its responsibilities under the UK Data Protection Act and the UK GDPR within.

This legislation requires data to be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that any inaccurate personal data, having regard to the purposes for which it is processed, is erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods so long as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the legislation in order to safeguard the rights and freedoms of individuals; and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

4. Types of Data and Data Subjects

This Policy covers all data, including Personally Identifiable Information (PII), processed and/or stored by Wordnerds, including:

  • Customer data
  • User data
  • Data processed by the Platform and/or Wordnerds for the purpose of carrying out Data Analysis Services
  • New data (i.e. insights) created from the process of Data Analysis Services

Customer Data

The data processed/stored by Wordnerds relating to the Customer is only for the purposes of doing business and being able to meet the requirements of the Agreement. Examples of such data are as follows:

  • Company name and name(s) of contacts within the company
  • Company address(es)
  • Company and contact telephone numbers
  • Contact email addresses
  • Information revealed under a Non-disclosure Agreement

User Data

The data processed/stored pertaining to Users, including Personally Identifiable Information, is as follows:

  • Name
  • Company
  • Email
  • Password (encrypted version only)
  • IP Address

User activity on the Platform

We automatically collect metrics and information about how Users interact with and use the Service. We use this information to develop and improve our services, and to inform our sales and marketing strategies. We may share or publish this service data with third parties in an aggregate anonymous manner, but we will not include any customer data or identify Users.

We use customer data in an anonymised manner for machine learning that supports certain product features and functionality within the Wordnerds platform.

When you use the Platform, we automatically collect log files. These log files contain certain information about a User’s IT system, a User’s IP address, browser type, domain names, internet service provider (ISP), the files viewed on site (e.g. HTML pages, graphics, etc.), operating system, clickstream data, access times, and referring website addresses. We use this information to ensure the optimum operation of the Platform and for security purposes. We may link log files to personal data, such as name, email address, address, and phone number for these purposes.

Content Authors

Where Wordnerds sources data on the Customer’s behalf, all data processed by Wordnerds for the purpose of customer insight has been published by the Content Author on a public or private forum that we have legitimate access to. Where this is the case, Wordnerds will only process data when it is within the terms and conditions of the public or private forum to do so.  

The data processed/stored pertaining to Content Authors is fairly consistent in type when accessed from a publicly accessible source but can vary when data is sourced by the Customer. Examples of data types are as follows:

  • Content of post, which may or may not contain Personally Identifiable Information
  • Date of post
  • Something specific to the Author, such as username, name, unique ID, email.
  • Location, where volunteered by the User or discernible from IP/location tracking

New Data

The data created from the Data Analysis Services will be visualised and accessible by the Customer and Wordnerds via the Platform.

5. Customer’s Instructions

Wordnerds are solely permitted to process data when instructed to do so by the Customer. For the avoidance of doubt, the Policy constitutes such instruction as sending us data to analyse, agreeing to an Order of Work and/or any other communication that implies a request for Data Analysis Services. 

All Customer instructions pass through a Data Protection Impact Assessment (DPIA) phase where we analyse the specific use case and need for the Data Analysis Services and identify any potential risks in relation to legislation compliance (to which Wordnerds is subject) and data source provider compliance. Wordnerds shall inform the Customer if an instruction, in the opinion of Wordnerds, infringes any relevant data protection laws and/or the terms of our data source providers.

Where the Customer has specific processing requirements that go beyond or are not specified in this Policy, the Customer may provide them in writing to Wordnerds. Wordnerds will comply with all such instructions without additional charge to the extent necessary for Wordnerds to comply with its obligations as a Processor under the Regulation in the performance of the Data Analysis Services. The parties will negotiate in good faith with respect to any other change in the Data Analysis Services and/or fees resulting from any additional instructions.

6. Confidentiality

Wordnerds shall ensure that persons authorised to process personal data on behalf of the Customer have committed themselves to confidentiality or are subject to appropriate statutory obligation of confidentiality.

Wordnerds ensures that only those persons who are currently authorised are able to access the personal data being processed on behalf of the Controller.

7. Controller and Processor of Personal Data and purpose of the Personal Data Processing

The Customer will at all times remain the Controller for the purposes of the Data Analysis Services, the Agreement, and this Policy. The Customer is responsible for compliance with its obligations as a Controller under data protection laws, in particular for justification of any transmission of Personal Data to Wordnerds (including providing any required notices and obtaining any required consents and authorisations), and for its decisions and actions concerning the processing and use of the Personal Data.

The Customer will also act as a Processor on behalf of the Content Authors as defined in this Policy. Wordnerds is a Processor for the purposes of the Data Analysis Services, the Agreement, and this Policy. Wordnerds will Process data solely for the provision of the Data Analysis Services, and will not otherwise:

(i) Process or use data for purposes other than those set forth in this Policy or as instructed by the Customer in accordance with the above, or 

(ii) disclose such data to third parties other than Wordnerds Affiliates or third party Sub-Processors for the aforementioned purposes or as required by law. Wordnerds will comply with all applicable data protection laws to the extent that such laws by their terms impose obligations directly upon Wordnerds as a Processor in connection with the services specified in this Policy.

8. Assistance to the Customer

Wordnerds, taking into account the nature of the processing, shall, as far as possible, assist the Customer by appropriate technical and organisational measures, in the fulfilment of the Customer’s obligations to respond to requests for the exercise of the Data Subjects’ rights pursuant to relevant legislation.

Wordnerds will pass on to the Customer any requests of an individual Data Subject to access, delete, correct or block Personal Data processed under this Policy. Wordnerds will not be responsible for responding directly to the request, unless otherwise required by Law.

Wordnerds shall assist the Customer in ensuring compliance with the Customer’s obligations pursuant to UK GDPR, taking into account Wordnerds’ role and the nature of the processing and the information made available to Wordnerds. The Customer agrees to pay Wordnerds reasonable fees that may be associated with Wordnerds’ performance of any such assistance to the Customer.

9. Transfer of data to EEA, outside of EEA, or to international organisations

Wordnerds may transfer Personal Data to the EEA, outside of EEA, or international organisations on documented instructions from the Customer, or where a UK GDPR compliant Sub-Processor does so as part of its service.

10. Use of Sub-Processors

The Customer accepts that some or all of Wordnerds’ obligations under this Policy are performed by third party Sub-Processors. Wordnerds maintains a list of Wordnerds Sub-Processors that may process data.

Wordnerds uses the following Sub-Processors:

  • Rackspace Limited
  • Amazon Web Services (AWS)
  • Google 
  • Bugsnag
  • MailGun
  • Pusher

Wordnerds will provide reasonable notice to the Customer of any planned changes with regard to additions to or replacement of other data processors.

Wordnerds shall ensure that Sub-Processors are subject to the same data protection obligations as those specified in this Policy on the basis of a contract or other legal document under relevant legislation, in particular providing the sufficient guarantees that the Sub-Processors will implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the governing laws.

11. Security

Wordnerds take all the measures required pursuant to the UK GDPR which stipulates that - with consideration for the state of the art, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons - the Customer and Wordnerds shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Wordnerds shall ensure that Personal Data is stored securely using modern software that is kept up-to-date.

Access to Personal Data shall be limited to those who need access for the purposes of Data Analysis Services.

When data is deleted it is done safely such that the data is irrecoverable.

Appropriate back-up and disaster-recovery solutions are in place.

Additional measures, and information concerning such measures, including the specific security measures and practices for the Platform and particular Data Analysis Services ordered by the Customer, may be specified in the Agreement. 

Appendix A of this Policy specifies the level of security and the measures implemented by Wordnerds to ensure the above.

12. Audit Rights

Wordnerds shall make available to the Customer all information necessary to demonstrate compliance with the outlined duties of a Data Processor and this Policy, and allow for and contribute to audits, including inspections performed by the Controller or another auditor mandated by the Controller.

Any audits are at the Customer's expense. Any request for Wordnerds to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required for access to the Platform or the provision of Data Analysis Services. Wordnerds will seek the Customer's written approval and agreement to pay any related fees before performing such audit assistance.

13. Penetration testing

Wordnerds commission penetration tests at the Customer’s request. Unless otherwise agreed, the Customer will pay for an external pen test.

14. Breach Notification

Wordnerds will notify the Customer without undue delay after becoming aware of a personal data breach, which may lead to accidental or unlawful destruction, alteration, unauthorised disclosure of or access to the Customer’s data.

Wordnerds will, taking into account the nature of the processing and information available, assist the Customer in notifying the personal data breach to the supervisory authority and the data subjects.

15. Return and Deletion of Personal Data upon End of Data Analysis Services

On termination of the processing services, Wordnerds shall be under obligation, at the Customer’s discretion, to delete or return all of the personal data to the Customer and to delete existing copies unless governing legislation requires storage of the personal data. All Customer data will be removed from Wordnerds systems upon termination of the contract.

16. Wordnerds staff

As part of our employee induction process, all staff are familiarised with our policies on data protection, email and internet usage, remote working and employee information security.

Wordnerds’ password policy requires all passwords for applications to be managed by the LastPass service. Upon an employee leaving the company or changing role, their LastPass authorisation will be changed or removed accordingly. For staff requiring access to the servers via SSH, SSH keys are required for access and will be removed when necessary. 

17. Legally Required Disclosures

Except as otherwise required by law, Wordnerds will promptly notify the Customer of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority (“Demand”) that it receives and which relates to the processing of Personal Data.

At the Customer’s request, Wordnerds will provide the Customer with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for the Customer to respond to the Demand in a timely manner. The Customer acknowledges that Wordnerds has no responsibility to interact directly with the entity making the Demand, unless required by law.

18. Service Analyses

Wordnerds may:

(i) compile statistical and other information related to the performance, operation and use of the Data Analysis Services, and 

(ii) use data from the Data Analysis Services environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (collectively “Service Analyses”), 

if no Personal Data is used for the purposes mentioned in (i) or (ii).

19. Processing location

Processing of the personal data under this Policy cannot be performed at other locations than the following without the Customer’s prior written consent:

  • Wordnerds: Processing is limited to the UK
  • Rackspace: Processing is limited to the UK
  • Google: EEA and US (Standard Contract Clauses)
  • Bugsnag: EEA and US (Standard Contract Clauses)
  • MailGun: EEA and US (Standard Contract Clauses)
  • Pusher: EEA and US (Standard Contract Clauses)
  • Amazon Web Services (AWS): Processing is limited to the UK

20. Data Protection Impact Assessment

As part of our ongoing commitment to data protection, all Customer instructions pass through a Data Protection Impact Assessment (DPIA) phase where we analyse the specific use case and need for the Data Analysis Services and identify any potential risks in relation to legislation compliance (to which Wordnerds is subject) and data source provider compliance.

In looking into the need for the data analysis, Wordnerds looks at the proposed data set to be processed and may highlight items that don’t require processing and/or need anonymising at source before being uploaded to and processed by the Platform.

Appendix A

Security of Processing (Level of Security and Measures)

Physical Access Control

Wordnerds employs measures designed to prevent unauthorised persons from gaining access to data processing systems in which Personal Data is Processed. Data is stored, processed and backed up at Rackspace and Amazon Web Services (AWS) data centres; both AWS and Rackspace are compliant with ISO 27001.

System Access Control

All access to Data Analysis Services is managed with authentication via password and access logs are maintained.

Data Access Control

Personal Data is accessible and manageable only by properly authorised staff, direct database access is restricted, and application access rights are established and enforced.

Transmission Control

Except as otherwise specified for the Data Analysis Services, transmissions of confidential data or special categories of data outside the Data Analysis Service environment are encrypted.

Input Control

The Personal Data source is under the control of the Customer, and Personal Data integration into the system is managed by secured transfer (i.e. via encrypted database connection or entered into the application) from the Customer.

Data Backup

For Data Analysis Services hosted at Rackspace: back-ups are taken on a regular basis; backups are secured using a combination of technical and physical controls.

Data Segregation

Customer data being processed under the Agreement is segregated from the Company’s other Customers into their own database. These different databases may be on the same physical hardware or different hardware. This is to provide an extra layer of protection against data leakage between customers’ databases. User credentials for different Customers (which include PII) are kept centrally in order to resolve which platform the User is allowed to access.
