Privacy Policy

Home > Privacy Policy

NIMBLE - PRIVACY POLICY

Last updated: MAY 27, 2026

The Data Company Technologies Inc. (D/B/A Nimble) (“Nimble”, “Company”, “we” or “us”) respects your right to privacy and is committed to protecting it. This privacy policy (“Privacy Policy”) explains how Nimble processes Personal Data when it acts as a Data Controller. For Personal Data that Nimble processes as a Data Processor on behalf of its Customers or Partners (including data processed through Nimble's Infrastructure, Web APIs, and other SaaS products and services), please see Section 1.2 below; such processing is governed by the Data Processing Agreement ('DPA') between Nimble and the applicable Customer or Partner, available at https://www.nimbleway.com/data-processing-agreement , which is incorporated into this Privacy Policy by reference.

1. Scope and applicability

1.1. What is covered by this Privacy Policy?

This Privacy Policy applies to data processing activities for which Nimble acts as a Data Controller under the EU General Data Protection Regulation (Regulation (EU) 2016/679, 'EU GDPR'), the UK General Data Protection Regulation and the Data Protection Act 2018 ('UK GDPR'), the Israel Privacy Protection Law, 5741-1981 ('PPL'), the California Consumer Privacy Act as amended by the California Privacy Rights Act ('CCPA/CPRA'), and other US state comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, and Oregon), as defined under applicable data protection regulations. This means the following data subjects: (1) Visitors to our websites that link to this Privacy Policy (“Visitor” and “Website”, respectively). This category may include candidates that submitted their job application via the Website; (2) and/or a business customer, a business partner that has a contractual relationship with us, or a prospective customer that is yet to be engaged in a contract with us (“Customer”); and/or (3) Customers using our software, application, API and related Services (“User”); (4) and/or Members of our network that are engaged in a business collaboration with us (“Partners”); and/or Unless explicitly mentioned otherwise, the information in this Privacy Policy refers to all the above data subject types (“you” or “your”).

1.2. What is not covered by this Privacy Policy?

This Privacy Policy does not cover any Personal Data that is collected or otherwise processed by our Customers or Partners, i.e., any data processing activities with regard to which we serve as a Data Processor. Where Nimble acts as a Data Processor (or 'service provider' / 'contractor' under US state laws), the processing is governed exclusively by the Data Processing Agreement ('DPA') executed between Nimble and the relevant Customer or Partner (the Data Controller / 'business'), available at https://www.nimbleway.com/dpa, which is incorporated into this Privacy Policy by reference. For the avoidance of doubt, this Privacy Policy does not constitute notice to Web Users or end-users whose data is processed through the Services on behalf of a Customer or Partner; such notice is the responsibility of the Customer or Partner as Data Controller. If you are an end-user or Web User whose data has been processed by Nimble on behalf of one of our Customers or Partners, please direct any privacy requests to that Customer or Partner. Nimble will support its Customers and Partners in responding to such requests in accordance with the DPA.

1.3. Is Nimble a Controller or Processor?

Nimble's role depends on the data processing activity. As a general matter: (a) Nimble acts as a Data Controller in relation to Personal Data of Website Visitors, job applicants/candidates, business contacts of Customers and Partners (including prospective Customers and Partners), and User account holders (sign-up, billing, account administration, and security), as well as for marketing, business operations, and corporate management; (b) Nimble acts as a Data Processor (or 'service provider' / 'contractor' under US state laws) in relation to Personal Data that is transmitted, accessed, or otherwise processed through the Services on behalf of a Customer or Partner. In its Processor capacity, Nimble processes Personal Data only on documented instructions from the Customer or Partner under the DPA. The Controller in those scenarios is the Customer or Partner; the DPA, and not this Privacy Policy, governs that processing. For the purpose of this policy, the “Service(s)” shall include any software licensed by us, application, API, SDK, platforms, or related services provided through such software or by utilizing it. This should include updates, enhancements, new features, support or communication.

1.4. Special jurisdictions and data protection regulations

The Privacy Policy was designed with global standards and principles of transparency and choice in mind and is meant to include the main requirements established by the prominent global regulations, such as the EU and the UK GDPR and the CCPA and CPRA, as well as the Israel Privacy Protection Law, 5741-1981 (the 'PPL') and the Privacy Protection Regulations (Data Security), 5777-2017, and the comprehensive US state privacy laws of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and Oregon (OCPA). If you are a resident of California, please refer to our CCPA Statement, in addition to this Privacy Policy. Residents of Virginia, Colorado, Connecticut, Utah, Texas, or Oregon should refer to the 'US State Privacy Notice (Multi-State)' section below. Residents of Israel may exercise the rights set out in the 'Data Subjects Rights' section, including the rights afforded under the PPL.

1.5. Data Protection Officer and Contact Options

1. If you have any requests regarding the data collected under this Privacy Policy, including but not limited to requests to remove, delete, amend, modify or transfer personal data processed about you, please contact us at: privacy@nimbleway.com. Please include sufficient details about your inquiry or request, in order to allow us to verify your request and address it.

2. If you have questions, comments or complaints regarding the Privacy Policy or data practices, please contact us directly at: privacy@nimbleway.com. Nimble has appointed a Data Protection Officer ('DPO'), who can be reached at dpo@nimbleway.com. For matters relating to the EU and the UK, Nimble's EU Representative (Article 27 EU GDPR) and UK Representative (Article 27 UK GDPR) details are available on request via privacy@nimbleway.com.

2. Changes, updates and modifications

We are obliged, and reserve the right to modify this Privacy Policy at any time, to reflect updates to the Services, API Application, Websites or to reflect an applicable regulatory requirement. Such changes will be effective immediately upon the display of the revised Privacy Policy, or its delivery to you by email if that is a form of agreed communication between us. The last revision date will be reflected in the “Last Updated” heading. If we make material changes to this Privacy Policy, we will make our best efforts to notify you, by email or by means of a notice on our Website.

3. Personal Data we process

3.1. Type of data. Depending on your interaction with us, meaning, if you are a Visitor who just browsing our Website, or if you are a User who maintains an account with our Services, a business Partner or Customer, we may collect one of two types of information about you, your device or your chosen activities with us:

Note: This Section 3 describes only Personal Data processed by Nimble as a Data Controller. Personal Data processed by Nimble as a Data Processor through the Services on behalf of a Customer or Partner is governed by the DPA, not by this Privacy Policy.

  • Non-Personal Information/Data: The first type of information is non-personal and non-identifiable information that cannot personally identify or lead to identifying a natural person. For example, statistics or aggregated information, or any other type of data that can no longer be attributed to you.
  • Personal Information/Data: The second type of information is information that identifies you as a natural person, or that may be used, either alone or in combination with other information, to personally identify you as a natural person. In some jurisdictions (such as the EU, UK, and Israel), an IP address, device ID and cookies are considered Personal Information as well (“Personal Information”).

You are not obliged by law to provide us with any information. You can always avoid providing us with certain Personal Information, and if you gave your consent to process certain Personal Information, you may withdraw such consent. However, you acknowledge that it may prevent us from providing certain Services.

3.2. Personal Data of Visitors of the Website

When you visit our Website, contact us, subscribe to our communications, or apply for a role, Nimble (as Data Controller) processes the following categories of Personal Data:

Category Examples When collected Purpose
Identifiers and business contact details Name, business email, phone, company, website URL, country, subject of inquiry When you submit a contact form, request a demo, or otherwise reach out to us Respond to your inquiry; pre-contractual steps with prospective Customers and Partners; CRM
Marketing and subscription data Email address and communication preferences When you subscribe to a newsletter, beta program, blog, or event Send the requested communications; you may unsubscribe at any time
Online identifiers and device data IP address, cookie IDs, pixel tags, user agent (browser type, version, language, country), device type (mobile / desktop) Automatically when you visit the Website Website functionality (necessary cookies); analytics and, with your consent, marketing or retargeting
Website activity data Pages viewed, clicks, session duration, referring URL, timestamps Automatically as you interact with the Website Operate and improve the Website; detect fraud or abuse; produce aggregate analytics
Recruiting data Name, email, phone, CV, links to LinkedIn or personal website, application responses When you submit a job application via the Website or via one of our recruiting partners (Comeet, HiBob) Evaluate your application; communicate with you; if you are hired, onboard you

Nimble does not knowingly request sensitive personal data (including special category data under Articles 9 to 10 of the EU/UK GDPR, "sensitive personal information" under US state privacy laws, or "sensitive data" under the Israel Privacy Protection Law). Where such data is voluntarily provided in connection with recruiting, it is processed only for the recruiting purpose and in accordance with the lawful bases set out in Section 5.

3.3. Personal Data of Customers, Users and Partners

If you are a Customer, an authorized User of a Customer, or a Partner, Nimble (as Data Controller) processes the following additional categories of Personal Data:

Category Examples Purpose
Business contact details Full name, work email, phone, job title, company, country Account administration, contract preparation and management, customer support, relationship management
Authentication and access credentials First and Last name, Username (work email), hashed password, SSO / OAuth tokens (e.g., Google), MFA factors Verify identity, protect your account, and grant authorised access to the Services. Authentication is handled by Auth0 (an Okta company) as our identity sub-processor
Account and profile information Full name, email, business address, billing address, profile preferences Open and maintain your account, render invoices, and provide support
Billing and payment data Billing name, email, address, VAT or tax ID, payment-method tokens (Nimble does not store full card numbers directly) Process payments and comply with tax and accounting obligations. Payment processing is handled by our third party payment processor
Analytics and dashboard data Aggregated activity statistics derived from your use of the Services Present account analytics to you, monitor service quality, and improve the Services
Usage data and operational metadata API call metadata (timestamps, origin and target IP addresses, root domain, geolocation, segment, country, packet length and size); activity logs Deliver, secure, and improve the Services; detect abuse, fraud, or violations of the Acceptable Use Policy; bill metered usage

important - data processed through the Services. Personal Data that is transmitted, queried, or otherwise processed through the Services on behalf of a Customer or Partner (for example, Personal Data that may be contained in publicly available web content) is processed by Nimble as a Data Processor under the DPA, not under this Privacy Policy. See Sections 1.2 and 1.3.

4. How we collect or process Personal Data

Depending on the nature of your interaction with us and the Services, we may collect information automatically (via Cookies, tags and log files), directly from you (via forms, registration, contact and authentication), or from publicly available sources or third-party service providers. All such collection is performed in our capacity as a Data Controller and on a lawful basis (see Section 5). Where Nimble obtains Personal Data from a third-party source, Nimble takes reasonable steps to verify that the third party had a lawful basis to share that data and, where required, has provided appropriate notice to the data subject.

5. Lawful basis for processing

In addition to the lawful basis explained respectively to each data processing activity above, we rely on the following general lawful bases under the EU GDPR, UK GDPR, PPL, and applicable US state laws:

  • Consent (Article 6(1)(a) EU GDPR; Section 1 PPL), for cookies and marketing communications;
  • Contract (Article 6(1)(b) EU GDPR), for performing services for Customers and Users;
  • Legitimate interests (Article 6(1)(f) EU GDPR), for business operations, security, fraud prevention, and direct marketing of similar services;
  • Legal obligation (Article 6(1)(c) EU GDPR), for tax, audit and regulatory compliance.

Under Israel's PPL, processing is lawful where the data subject has consented or where the processing is necessary for a legitimate purpose, including the performance of a contract, the protection of legitimate interests, or compliance with law. Under the CCPA/CPRA and other US state comprehensive privacy laws, Nimble processes Personal Information for the business and commercial purposes disclosed in this Privacy Policy and the CCPA Statement.

6. Cookies and web technologies

Nimble uses cookies and similar technologies on the Website as described in our Cookie Notice, available from the cookie consent banner that woill be displayed in the applicable jurisdictions requiring such policy. Where required by law (e.g., in the EEA, UK, and Israel), non-essential cookies are set only after the Visitor has provided consent through the cookie banner. Visitors can manage preferences via the Cookie Settings link.

7. Retention of Data

Retention principles as detailed in the existing policy. Retention periods applicable to Personal Data processed by Nimble as a Data Processor are governed by the DPA and by the instructions of the relevant Customer or Partner as Data Controller. Nimble's internal data retention controls are described in its Data Retention Policy, available to enterprise customers on request and confidentiality agreement.

8. Third-Parties

1. Where Nimble acts as a Data Processor, the third parties that Nimble engages to deliver the Services ('Sub-processors') are listed at a dedicated log that is made available to buissiness customers (controllers) and are subject to the DPA between Nimble and the Customer or Partner. Sub-processors are bound by written agreements that impose data protection obligations.

2. Where Nimble acts as a Data Controller (Categories of Recipients). In our role as a Data Controller, Nimble shares Personal Data only as necessary for the purposes described in this Privacy Policy and only with the categories of recipients listed below. Each recipient is engaged under a written contract that includes (where the recipient acts as a processor on Nimble's behalf) a data processing addendum that satisfies Article 28 of the EU/UK GDPR and applicable Israeli and US state law requirements (including the "service provider" and "contractor" restrictions under the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, and OCPA). Where a transfer involves a recipient in a country that is not the subject of an adequacy decision, the safeguards described in Section 10 (Data Transfers) apply.

a. Cloud hosting and infrastructure providers. For example, WebFlow (Website hosting), Amazon Web Services (AWS), Oracle Cloud Infrastructure (OCI), DigitalOcean, and Snowflake host the Website, the Services, and Nimble's internal systems, and provide compute, storage, backup, and data-warehouse capabilities. Purpose: operating and securing the Website and Services. Safeguards: written agreements containing data-protection and confidentiality obligations; EU SCCs and UK Addendum where applicable.

b. Identity, authentication and authorization providers. Authentication services such as Cognito (AWS) and, where users elect single sign-on, Google. Purpose: secure user authentication, MFA, and account access management. Safeguards: written agreements with data-protection terms; SCCs where applicable.

c. Analytics and product telemetry. Web and product analytics providers, including Google Analytics. Purpose: understanding Website and product use, debugging, and improving user experience. Safeguards: cookie-consent gating in the EEA, UK, and Israel; IP truncation and other privacy-enhancing configurations where available; SCCs where applicable.

d. Customer relationship management and sales operations. Salesforce and DealHub. Purpose: managing prospects, customer accounts, opportunities, and contract operations. Safeguards: written agreements with data-protection terms; SCCs where applicable.

e. Marketing, email, and lead generation. Marketing email and automation platforms, the website host (Webflow), and lead-generation service providers such as Sopro and Belkins. Purpose: delivering marketing communications, hosting marketing pages, and B2B prospect outreach. Safeguards: written agreements with data-protection terms; consent or legitimate interests as the lawful basis; an opt-out is included in every marketing email.

f. Advertising and retargeting. B2B advertising platforms such as LinkedIn Ads and Google Ads, used to promote Nimble's services to other businesses. Purpose: business-to-business advertising. Safeguards: cookie consent in the EEA, the UK, and Israel; opt-out mechanisms (including Global Privacy Control) recognised where required by US state law. Nimble does not engage in "cross-context behavioral advertising" as defined under the CCPA/CPRA, nor "targeted advertising" to consumers as defined under VCDPA, CPA, CTDPA, OCPA, or TDPSA.

g. Recruitment and HR platforms. Such as Comeet (applicant tracking) and HiBob (HR information system). Purpose: managing candidate applications and the employment lifecycle. Safeguards: written agreements with data-protection terms; SCCs where applicable.

h. Payment processing. Such as Paddle, Card and bank-payment processors used to bill Customers and process refunds. Purpose: processing payments for the Services. Safeguards: PCI-DSS compliance by the processor; the processor may act as an independent controller for fraud prevention and regulatory reporting purposes.

i. Customer support and ticketing. Customer-support and ticketing platforms used to handle support requests. Purpose: responding to support, billing, and account inquiries. Safeguards: written agreements with data-protection terms.

j. Professional advisors and auditors. External legal counsel, accountants, tax advisors, and independent auditors. Purpose: legal advice, audit, accounting, and regulatory compliance. Safeguards: professional duties of confidentiality and engagement-letter terms.

k. Affiliated companies. Entities under common control with Nimble. Purpose: shared internal operations and delivery of the Services. Safeguards: intra-group data-sharing arrangements consistent with this Privacy Policy and with the EU SCCs / UK Addendum where applicable.

l. Business transitions. Counterparties to a merger, acquisition, financing, or sale of all or substantially all of Nimble's assets, and their professional advisers. Purpose: due diligence and completion of the transaction. Safeguards: written confidentiality undertakings; where required, notice to data subjects via email or a prominent notice on the Website.

m. Legal, regulatory, and safety disclosures. Courts, law-enforcement authorities, regulators (including data-protection authorities), and other competent public authorities. Purpose: complying with a legal obligation (e.g., court order, subpoena, lawful request), establishing or defending legal claims, preventing fraud, and protecting the rights, property, or safety of Nimble, its Customers and Partners, its personnel, or the public. Safeguards: disclosures are limited to what is strictly required by the relevant Legal Requirement.

9. Security

Nimble implements organizational and technical measures to protect Personal Data, including encryption in transit and at rest, role-based access control, multi-factor authentication, and regular security testing. Nimble's security program is aligned to the SOC 2 Trust Services Criteria (Security, Confidentiality, Availability), the GDPR Article 32 'appropriate technical and organisational measures' standard, and the Israel Privacy Protection Regulations (Data Security), 5777-2017.

Nimble has successfully completed a SOC 2 Type 2 audit. The SOC 2 attestation letter is available to enterprise customers under NDA via security@nimbleway.com.

10. Data Transfers

Nimble may store or process Personal Information in cloud infrastructure based in the United States, Canada, Israel, or other countries, as the operation of the Services may require. International transfers are subject to the safeguards described below.

Where Personal Data is transferred from the European Economic Area ('EEA'), the United Kingdom, or Switzerland to a country that is not the subject of an adequacy decision, Nimble relies on the European Commission's 2021 Standard Contractual Clauses ('EU SCCs'), and, for transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs (the 'UK Addendum') or the UK International Data Transfer Agreement ('UK IDTA') issued by the Information Commissioner's Office, together with any supplementary required measures.

11. Data Subjects Rights

Important: The rights set out below relate to Personal Data for which Nimble is the Data Controller. If you are a Web User or other end-user whose data has been processed by Nimble as a Data Processor on behalf of a Customer or Partner, please direct your request to that Customer or Partner (the Data Controller). Nimble will support its Customers and Partners in responding to such requests in accordance with the DPA.

If you are a resident of California (or another US state with a comprehensive privacy law), the relevant section below applies to you.

11.1. EU / EEA and UK residents

Where the EU GDPR or UK GDPR applies, you have the rights of access, rectification, erasure, restriction, objection, data portability, and the right to withdraw consent. 

To exercise any of these rights, please reach out to us at privacy@nimbleway.com. Our Data Protection Officer would always prefer to address your concerns directly, and we will work with you in good faith to resolve any matter relating to your Personal Data.

If, after contacting us, you remain dissatisfied with how we have handled your request or your Personal Data, you also have the right to lodge a complaint with your local supervisory authority.

11.2. Israel residents

Under the Israel Privacy Protection Law, 5741-1981, you have the right to review the Personal Data we hold about you (PPL Section 13), the right to correct or delete inaccurate, incomplete, unclear or outdated Personal Data (PPL Section 14), and the right to opt out of direct marketing under Section 17F. To exercise these rights, please contact privacy@nimbleway.com. You also have the right to lodge a complaint with the Israeli Privacy Protection Authority (PPA).

11.3. Exercising your rights

Please reach out to privacy@nimbleway.com to exercise any of the rights described in this Section 11. We will respond within the timeframes required by applicable law (generally, 30 days under GDPR/UK GDPR, with a possible 60-day extension; 45 days under CCPA/CPRA and other US state laws, with a possible 45-day extension).

12. Children

Nimble does not direct the Website or Services to children under 16, and does not knowingly process Personal Data of children under 16 as a Data Controller. Under the US Children's Online Privacy Protection Act ('COPPA'), Nimble does not knowingly collect Personal Data from children under 13. If you believe a child's Personal Data has been provided to Nimble, please contact privacy@nimbleway.com.

13. Contact

For questions and inquiries: info@nimbleway.com (general), privacy@nimbleway.com (privacy and data subject rights), dpo@nimbleway.com (Data Protection Officer), security@nimbleway.com (security).

*** Additional Jurisdictions ***

A. US State Privacy Notice (Multi-State)

Last Updated: May 27, 2026

This section supplements the CCPA Statement available below, and applies to residents of US states (other than California) with comprehensive privacy laws in effect as of the Last Updated date, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and Oregon (OCPA).

  1. Categories of personal data collected, sources, purposes, and recipients: As described in Sections 3, 4 and 8 of this Privacy Policy and in the CCPA Statement. Nimble does not sell your personal data for monetary consideration and does not engage in cross-context behavioral advertising or targeted advertising as defined under these laws. Nimble does not process personal data for profiling that produces legal or similarly significant effects.
  2. Sensitive data: Where Nimble processes 'sensitive data' (as defined under VCDPA, CPA, CTDPA, OCPA) or 'sensitive personal information' (CPRA), it does so only where required for a disclosed business purpose, where you have consented, or where otherwise permitted by law. Nimble does not knowingly process sensitive data of a known child (under 13).
  3. Your rights: Subject to the conditions and exceptions of the applicable state law, you have the right to: (a) confirm whether Nimble is processing your personal data and access that data; (b) correct inaccurate personal data; (c) delete personal data; (d) obtain a portable copy; (e) opt out of the sale of personal data, targeted advertising, and certain profiling activities; (f) limit the use of sensitive data (in some states), if applicable. You also have the right to appeal a denial of a rights request.
  4. Universal opt-out / Global Privacy Control: Where required by Colorado, Connecticut, Oregon, or Texas law, Nimble recognizes valid universal opt-out mechanisms (including the Global Privacy Control browser signal) for opting out of sale and targeted advertising.
  5. How to exercise your rights: Submit a verifiable request to privacy@nimbleway.com. We will respond within 45 days (subject to a 45-day extension where reasonably necessary). You may designate an authorized agent to make a request on your behalf, subject to verification. If we deny your request, you may appeal by replying to our response within 45 days; if your appeal is denied, you may contact your state Attorney General.
  6. Non-discrimination: Nimble will not discriminate against you for exercising any of your rights under these laws.

B. California Notice (CCPA and CPRA)

Last Updated: May 27, 2026

This privacy notice for California residents supplements the information contained in the Privacy Policy (the "Policy") of The Data Company Technologies Inc. (D/B/A Nimble) ("Nimble", "we" or the "Company") and applies to our Visitors, Users, Customers and Partners residing in the State of California ("you").

We adopt this notice to comply with the California Consumer Privacy Act of 2018 ("CCPA"), as amended by the California Privacy Rights Act of 2020 ("CPRA"), and other applicable California privacy laws. Any terms defined in the CCPA or CPRA have the same meaning when used in this notice.

Notice at Collection. This California notice serves as Nimble's notice at collection under CCPA Section 1798.100(a). It identifies the categories of Personal Information and Sensitive Personal Information Nimble collects, the purposes for which each category is collected, whether the information is sold or shared, the length of time Nimble retains each category, and a link to this notice. By interacting with the Website or Services, you acknowledge that you have received this notice.

1. Categories of Personal Information collected about you

As described in our general Privacy Policy.In the preceding 12 months, Nimble has collected the following categories of Personal Information about California residents, as those categories are enumerated in CCPA Section 1798.140(v):

Category Status
Identifiers (e.g., name, email address, IP address, account identifier, online identifier) Collected
Personal information under Cal. Civ. Code Section 1798.80(e) (e.g., business contact details, signature) Collected, to the extent provided by Customers and business contacts
Protected classification characteristics (e.g., age, gender, race, national origin) Not collected
Commercial information (e.g., records of products or services purchased, considered, or billed) Collected
Biometric information Not collected
Internet or other electronic network activity (e.g., browsing, search, and Website interaction) Collected
Geolocation data (approximate, country / region level only) Collected
Audio, electronic, visual, thermal, olfactory, or similar information Not collected, except customer-support recordings where you consent
Professional or employment-related information (e.g., job title, employer, work history for candidates) Collected from candidates and business contacts
Non-public education information Not collected
Inferences drawn from any of the above to create a profile Not collected in the consumer context
Sensitive Personal Information (CCPA Section 1798.140(ae)) See Section 1A below

1A. Sensitive Personal Information. Nimble does not collect or use Sensitive Personal Information for the purpose of inferring characteristics about California residents. To the extent Nimble processes any data that qualifies as Sensitive Personal Information under CCPA Section 1798.140(ae) (for example, account log-in credentials, or precise geolocation if ever collected), Nimble uses and discloses it only for the business purposes permitted by CCPA Section 1798.121 and the implementing regulations (Cal. Code Regs. tit. 11, Section 7027), namely: providing the Services you requested, ensuring security and integrity, detecting and responding to security incidents, short-term transient use, performing services on behalf of the business, and verifying or maintaining the quality of the Services. Because Nimble does not use Sensitive Personal Information for purposes beyond those permitted uses, the Right to Limit the Use and Disclosure of Sensitive Personal Information has no practical application. If our practices change, we will provide a clear mechanism to exercise that right.

1B. Categories of sources. Nimble obtains Personal Information from the following sources: (a) directly from you, including through Website forms, account registration, support requests, and job applications; (b) automatically from your device when you interact with the Website or Services, including via cookies and similar technologies; (c) from service providers acting on Nimble's behalf (e.g., analytics, authentication, lead-generation providers); and (d) from publicly available sources (e.g., business directories, professional networks).

1C. Business or commercial purposes for collection. Nimble collects Personal Information for the following business and commercial purposes (as defined in CCPA Section 1798.140(e)): (a) providing, operating, securing, and improving the Website and Services; (b) managing Customer accounts and processing transactions; (c) responding to inquiries and providing customer support; (d) recruiting and managing candidates; (e) marketing and B2B prospecting; (f) detecting and preventing fraud and abuse; (g) complying with legal obligations and enforcing our agreements; and (h) corporate governance and internal operations.

2. Sharing Information

a. We do not sell your Personal Information or share it for monetary gain. We also do not share your Personal Information for cross-context behavioral advertising, as defined under the CPRA. We may disclose your Personal Information to a third party for legitimate business purposes. When we do so, we enter into contracts that describe the purpose and require the recipient to both keep that personal information confidential and not use it for any purpose except for performing the contract.

Nimble does not "sell" your Personal Information for monetary or other valuable consideration, and does not "share" Personal Information for cross-context behavioral advertising, in each case as those terms are defined by the CCPA / CPRA. Nimble has not engaged in such sales or sharing in the preceding 12 months. Nimble does not knowingly sell or share Personal Information of consumers under 16 years of age. Nimble discloses Personal Information to third parties only for the business purposes described in this notice, and under written contracts that limit the recipient's use of that Personal Information to the purposes set out in the contract and require the recipient to maintain its confidentiality.

b. In the preceding twelve (12) months, we have shared disclosed the following categories of Personal Information for a business purpose:

Category of Personal Information Categories of Third Parties and Business Purpose
All categories collected Cloud hosting and infrastructure providers (AWS, Oracle Cloud Infrastructure, DigitalOcean, Snowflake), for hosting, compute, storage, and backup
Identifiers; Internet activity Identity and authentication providers (e.g., Cognito (AWS), Google SSO), for user authentication and MFA
Identifiers; Internet activity Analytics and product telemetry providers (e.g., Google Analytics), for understanding Website and product use
Identifiers; commercial information; professional information CRM and sales operations platforms (Salesforce, DealHub), for managing prospects, customers, and opportunities
Identifiers; professional information Marketing, email, and lead-generation providers (e.g., Webflow)
Identifiers; Internet activity B2B advertising platforms (e.g., LinkedIn Ads, Google Ads), for business-to-business advertising
Identifiers; professional information; employment-related information Recruitment and HR platforms (Comeet, HiBob), for candidate and employment management
Identifiers; commercial information; financial account identifiers Payment processors, for billing and refunds
Identifiers; commercial information Customer support and ticketing platforms
All categories as relevant Professional advisors and auditors (external counsel, accountants, SOC 2 Type 2 auditor)
All categories as relevant Affiliated companies under common control with Nimble
All categories as relevant Counterparties to a merger, acquisition, financing, or asset sale, and their advisers
All categories as relevant Courts, law enforcement, regulators, and other competent public authorities

3. Your Rights

The California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), provides California residents with specific rights regarding their personal information. Below we describe your privacy rights under California law and explain how to exercise them.

3.1. Access to Certain Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and verify your request, we will disclose: the categories of personal information we collected about you; the categories of sources for the personal information; the business or commercial purpose for collecting or sharing that personal information; the categories of third parties with whom we disclose that personal information; the specific pieces of personal information we collected about you (also called a data portability request); and the categories of personal information we disclosed for a business purpose.

3.1A. Right to Correct. You have the right to request that we correct inaccurate Personal Information we maintain about you, taking into account the nature of the Personal Information and the purposes of the processing. We will use commercially reasonable efforts to correct the information, and will direct our service providers and contractors to do the same. We may deny a correction request if we determine that the contested information is more likely than not accurate based on the totality of the circumstances; if we do, we will explain why.

3.1B. Retention. Nimble retains each category of Personal Information for no longer than is reasonably necessary for the disclosed business purpose. Specifically: account and contract data are retained for the duration of the customer relationship plus seven (7) years for tax, audit, and limitation-of-actions purposes; candidate data is retained for six (6) months following a non-hire decision unless you consent to a longer period; marketing contact data is retained until you opt out or after a reasonable period of inactivity; Website analytics data is retained for the period configured with our analytics provider (currently no more than 26 months); and system and security logs are retained for up to 12 months. Retention of data processed by Nimble as a Data Processor is governed by the applicable Data Processing Agreement.

3.2. Deletion Request Rights

You have the right to request that we delete Personal Information we collected and retained about you, subject to certain exceptions. When applicable, once we receive and verify your request, we will delete (and direct our service providers and contractors to delete) your Personal Information from our records, unless an exception under CCPA Section 1798.105(d) applies.

3.3. Right to Opt Out of Sale or Sharing of Personal Information

You have the right to opt out of the sale or sharing of your Personal Information with third parties for cross-context behavioral advertising. We do not sell or share your Personal Information as defined under California law. If that changes in the future, we will provide you with notice and the ability to opt out.

3.4. Exercising your rights and choices

To exercise your access, correction, data portability, deletion, or other rights described above, please submit a verifiable request to privacy@nimbleway.com, or via your account if you are a business customer. Only you or someone legally authorized to act on your behalf may make a verifiable request. You may also submit a request on behalf of your minor child. You may make a request up to twice within a 12-month period. The request must include sufficient information to verify your identity and describe your request in detail. We will only use the information in the request to verify your identity or authority and process the request.

3.5. Response Timing and Format

We aim to respond within 45 days of receiving a verifiable request. If more time is needed (up to 90 days), we will notify you of the reason and extension.We respond within 45 days of receipt of a verifiable consumer request. We may extend the response period by an additional 45 days where reasonably necessary and where we have notified you of the extension and the reason for it within the initial 45-day period. If we cannot verify your request, we will inform you.

If you do not have an account, we will respond via email. Our response will cover the 12-month period preceding your request. For data portability requests, we will provide your data in a readily usable format. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded, in which case we will inform you of the cost or refuse to act on the request and explain why.

4. Non-Discrimination

We will not discriminate against you for exercising any of your rights under the CCPA or CPRA. Unless permitted by law, we will not: deny you goods or services; charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; provide you with a different level or quality of goods or services; or suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

5. Opt-Out Preference Signals

Do Not Track (DNT) is a privacy preference that can be configured in certain web browsers. When enabled, it signals websites that you do not want your online activity tracked. We do not currently respond to DNT signals. However, California law requires us to disclose whether we honor opt-out preference signals (such as a browser-based Global Privacy Control (GPC)). We currently do not recognize GPC signals but provide other mechanisms to exercise your rights as described in this notice.Nimble does not currently sell or share Personal Information as those terms are defined by the CCPA / CPRA, and therefore there is no active sale or sharing for an opt-out preference signal to act on. 

To the extent that any processing in the future would constitute a sale or sharing, Nimble will treat a valid opt-out preference signal, including the Global Privacy Control (GPC) browser signal, as a request to opt out of the sale and sharing of Personal Information from the browser that transmits the signal, in accordance with Cal. Code Regs. tit. 11, Section 7025. 

Where you are logged into your Nimble account when the signal is detected, we will use commercially reasonable efforts to apply the signal to your account. Nimble does not currently respond to legacy Do Not Track (DNT) browser headers, which do not have a uniform standard.

6. Changes to this Privacy Notice

We reserve the right to amend this privacy notice at our discretion and at any time. When we make changes, we will update the effective date at the top of the notice and, where required by law, provide you with appropriate notice or obtain your consent. This may include email notifications, in-product messages, or website banners, in accordance with the mechanism described in our general Privacy Policy.

7. Contact Information

If you have any questions or comments about this privacy notice or Policy, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at: privacy@nimbleway.com.

You can contact Nimble about this notice or to exercise your rights by email at privacy@nimbleway.com. If you wish to designate an authorized agent to make a request on your behalf, please email privacy@nimbleway.com so we can provide our agent verification instructions.

8. California "Shine the Light"

California Civil Code Section 1798.83 permits California residents who have an established business relationship with us to request information about the categories of Personal Information (if any) we have shared with third parties for those third parties' own direct marketing purposes during the prior calendar year. Nimble does not share Personal Information with third parties for their own direct marketing purposes.