Nutan · Compliance Attestation
NUT-GDPR-001
GDPR Compliance Statement
How Nutan meets EU General Data Protection Regulation obligations for processors and controllers.
AI-generated attestation. This report is produced automatically by Nutan's AI from our codebase, deployment state, and operational runbooks — the primary source of truth about what Nutan does. Nutan is not yet externally certified by an AICPA-licensed firm; formal certification is on our roadmap. This document serves as an internal attestation suitable for procurement review, vendor risk assessment, and internal security review.
Document Record
- Document ID: NUT-GDPR-001
- Version: 2026.04.20-r1
- Framework: GDPR
- Report type: Statement
- Reporting period: Effective April 20, 2026
- Classification: Public
- Generated: April 20, 2026
- Source commit: d842878
- Prepared by: Nutan AI (Internal statement)
- Verification: Hashes of source-of-truth embedded in document ID
1.0 · Executive Summary
Nutan processes personal data as both a processor (on behalf of customers) and a controller (for account data). Meeting data is processed on-device, minimizing Nutan's footprint as a processor. This statement addresses each material GDPR obligation, maps it to Nutan's implementation, and states any residual risk.
2.0 · Findings & Controls
2.1 Scope
This statement covers processing of personal data of individuals in the EU and EEA by Nutan. It addresses Articles 5 (Principles), 6 (Lawful Basis), 7 (Consent), 12–22 (Data Subject Rights), 25 (Privacy by Design), 28 (Processor Obligations), 30 (Records of Processing), 32 (Security), 33–34 (Breach Notification), 35 (DPIA), 44–49 (International Transfers).
2.2 Roles
Nutan acts as a data processor when handling data on behalf of a customer (meeting transcripts, deal data, intelligence) and as a data controller for account and marketing data.
2.3 Article 5 · Principles of Processing
Processing is lawful, fair, and transparent; purpose-limited; minimised; accurate; storage-limited; and confidential. Accountability is demonstrated by this document and the accompanying attestations.
- Lawfulness: Every processing activity has a documented lawful basis (see Article 6).
- Purpose limitation: Data is used only for the product's stated purposes.
- Minimisation: Meeting content is processed on-device; Nutan never receives it absent explicit sync.
- Accuracy: Users may correct their own data in-product at any time.
- Storage limitation: Audio is deleted immediately after transcription; retained data is deleted on request.
- Integrity and confidentiality: See Article 32.
- Accountability: Attestation documents are published at nutan.ai/trust-center.
2.4 Article 6 · Lawful Basis
Each processing activity is grounded in a specific lawful basis:
- Contract performance: account creation, authentication, product operation
- Legitimate interest: security monitoring, product analytics, spam prevention
- Consent: optional cloud sync, optional CRM integration, marketing communications
- Legal obligation: audit logs retained per Article 17(3)(e)
2.5 Article 7 · Consent
Where consent is the lawful basis, it is freely given, specific, informed, and unambiguous. Consent records are logged at first activation with a timestamp and the exact text shown to the user. Consent can be withdrawn at any time in-product.
2.6 Articles 12–14 · Transparency
Users are informed of data practices through the privacy policy at nutan.ai/privacy, through in-product disclosures before first capture, and through this attestation. Information is provided in concise, plain English.
2.7 Article 15 · Right of Access
Users can view all personal data held about them directly in-product. Written requests are fulfilled within 30 days.
2.8 Article 16 · Right to Rectification
Users can correct personal data in-product at any time. For data held only in the audit log, correction requests are honoured within 30 days.
2.9 Article 17 · Right to Erasure
Granular deletion controls let users remove profile, deals, meetings, chats, knowledge, or all data. Full account erasure runs as a single atomic operation. Audit logs are retained per Article 17(3)(e) for demonstration of lawful processing.
2.10 Article 18 · Right to Restriction
Users may request processing restriction pending verification of erasure, rectification, or objection requests. Restriction is implemented by marking the record and suspending processing operations on it.
2.11 Article 20 · Right to Portability
Users can export their data in a structured, commonly used, machine-readable format (JSON) directly from the product.
2.12 Article 21 · Right to Object
Users may object to processing based on legitimate interest at any time. Objection triggers a review by the legal agent and either cessation of processing or a documented override where the interest is demonstrably compelling.
2.13 Article 22 · Automated Decision-making
Nutan's AI outputs are advisory, not decisional. No automated decision produces a legal or similarly significant effect on a data subject.
2.14 Article 25 · Privacy by Design and by Default
The on-device architecture is the highest-order implementation of privacy by design in Nutan's environment. Default settings favour minimisation: cloud sync is off, CRM sync is off, marketing consent is off.
2.15 Article 28 · Processor Obligations
As a processor, Nutan:
- (a) processes personal data only on documented instructions from the controller
- (b) ensures that persons authorised to process personal data have committed to confidentiality
- (c) applies appropriate technical and organisational measures (see Article 32)
- (d) engages sub-processors only with authorisation
- (e) assists the controller with data subject requests
- (f) assists with compliance for security and breach notification
- (g) deletes or returns personal data at end of processing
- (h) makes available information necessary to demonstrate compliance
2.16 Article 30 · Records of Processing
A record of processing activities is maintained automatically by the attestor. The record covers categories of data subjects, categories of data, purposes, recipients, transfers, retention periods, and security measures.
2.17 Article 32 · Security of Processing
Security measures follow the current state of the art and the risks of processing. Specifically:
- Pseudonymisation and encryption of personal data: industry-standard strong encryption at rest; modern TLS in transit; field-level encryption of contact PII
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience: immutable audit logging, automated rollback, local-first architecture
- Ability to restore the availability and access to personal data in the event of an incident: user-device primary plus optional encrypted sync
- Process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures: this attestation, regenerated on each release
2.18 Articles 33–34 · Breach Notification
Nutan notifies the supervisory authority within 72 hours and affected data subjects without undue delay for breaches likely to result in a high risk to rights and freedoms. The incident response agent (see SOC 2 CC7.3) executes this workflow automatically.
2.19 Article 35 · Data Protection Impact Assessment
A DPIA is maintained for Nutan's data processing. The current version is published at /trust-center/reports/pia.
2.20 Articles 44–49 · International Transfers
Cross-border transfers are covered by Standard Contractual Clauses (SCCs, 2021 edition). Where SCCs are not sufficient, supplementary measures are applied, including industry-standard strong encryption in transit and at rest and contractual commitments from sub-processors. Regional data residency options are on the roadmap.
2.21 Supervisory Authority
For EU data subjects, the competent supervisory authority is that of the data subject's habitual residence. Nutan does not claim main establishment in the EU under Article 56.
2.22 Data Protection Officer
Nutan is not required to designate a DPO under Article 37. A dedicated privacy agent operates the DPO function (monitoring compliance, advising on DPIAs, cooperating with supervisory authorities). Contact: privacy@nutan.ai.
2.23 Summary
Each material GDPR obligation maps to an implemented control. Nutan's local-first architecture reduces processor footprint and simplifies downstream compliance for controllers. No residual risk is assessed as material as of the effective date.
Attestation
This document was prepared by Nutan AI (Internal statement) on April 20, 2026 from the operational state of Nutan at source commit d842878. The contents reflect the control environment in place as of the reporting period.
Prepared by: Autonomous operations
Dated: April 20, 2026
Authorised under thesis of: Nutan
Dated: April 20, 2026