O
ONX
← Back

Privacy Policy

Last updated: 18 June 2026

1. Who we are

Optimal Nexus Ltd ("we", "us", "our") operates ONX — an operating system for people businesses spanning Revenue, Talent, Operations and Finance. This policy explains how we handle personal data for which we are the data controller: visitors to our website, ONX account holders, and the B2B contact data we source for the Revenue module. For personal data you process within ONX — such as candidate records in Talent, or client and workforce data in Operations and Finance — you are the controller and we act as your processor under a Data Processing Agreement; that processing is governed by your own privacy notices and our DPA, not this policy. For questions about this policy, contact us at compliance@optimalnexus.com.

2. Data we collect

Account data

Name, email address, company name, and billing information collected when you sign up.

Usage data

Log data, feature interactions, and session information to operate and improve the Service.

B2B contact data (Revenue)

Within the Revenue module, ONX sources business contact information (names, job titles, company email addresses, LinkedIn profiles) from publicly available information and third-party enrichment providers. This data relates to individuals in their professional capacity and is processed for legitimate B2B purposes such as account research and prospecting.

Customer data (Talent, Operations, Finance)

Personal data you upload to or generate within the platform — for example candidate records in Talent, or client, programme and workforce data in Operations and Finance — is processed on your behalf as your processor and is covered by our Data Processing Agreement, not the controller activities described in this policy.

3. How we use your data

  • Providing the Service — account management, billing, and feature delivery.
  • Legitimate interests — improving the platform, preventing fraud, and ensuring security.
  • Legal obligation — compliance with UK GDPR, PECR, and other applicable laws.
  • Consent — marketing communications, where you have opted in.

4. B2B data and GDPR

Within ONX Revenue, contact enrichment data is processed under the lawful basis of legitimate interests for B2B marketing purposes, consistent with Recital 47 of the GDPR. We apply strict data minimisation: only professional contact details relevant to a business context are stored, and all contact records expire automatically (default 12 months).

We maintain a suppression list. Any contact who opts out of communication is immediately suppressed and will not appear in future discovery results.

5. Data retention

  • Account data — retained while your account is active, then 30 days after deletion request.
  • B2B contact records — 12 months from discovery date, then automatically deleted.
  • Billing records — 7 years (legal requirement).
  • Audit logs — 24 months.

6. Who we share data with

We do not sell personal data. We share data only with:

  • Supabase — database and authentication infrastructure (EU region).
  • Stripe — payment processing.
  • Vercel — hosting and edge delivery.
  • n8n — workflow automation for discovery pipelines.
  • Sentry — error monitoring (anonymised where possible).

All processors are GDPR-compliant and operate under Data Processing Agreements.

7. International transfers

Some of our processors operate outside the UK/EEA. Where data is transferred, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).

8. Your rights

Under UK GDPR and EU GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your personal data ("right to be forgotten").
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Restriction — restrict how we use your data in certain circumstances.

To exercise any right, email compliance@optimalnexus.com or use the Data & Privacy controls in your account settings. We respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

9. Cookies

We use essential session cookies required for authentication. We do not use third-party advertising or tracking cookies.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email or an in-app notice at least 14 days before taking effect.

11. Contact

Data protection enquiries: compliance@optimalnexus.com