Data Processing Information

Last updated: 30 June 2026

ForgeAI Studio, trading as NovaStacks ("we", "us", "our"), is committed to processing personal data lawfully, fairly and securely. This page explains how we handle personal data in our own business operations and in the software we design, build and operate for our clients.

It should be read alongside our Privacy Policy. Where a separate written agreement (including a Data Processing Agreement) applies to a specific engagement, that agreement takes precedence over this page in the event of any conflict.


1. Who we are

ForgeAI Studio is a software company registered in England & Wales under company number 17175307. We design and build custom SaaS platforms, AI-powered business software, bespoke web applications, internal business systems, workflow automation, portals, dashboards and customer platforms. We also launch and continue to support software after release.

The only channel for data protection enquiries is email: support@novastacks.co.uk.


2. The two capacities in which we process personal data

We process personal data in two distinct roles, and the responsibilities attached to each differ.

2.1 As a controller

We act as a controller when we decide why and how personal data is processed. This applies to our own business activities, including:

  • enquiries, correspondence and support requests sent to us;
  • managing relationships with clients, prospective clients and suppliers;
  • account administration, billing and contractual records;
  • operating and securing our website;
  • meeting our legal, regulatory and accounting obligations.

In this capacity we determine the purposes and means of processing and are directly responsible for the personal data concerned.

2.2 As a processor

We act as a processor when we build, host or operate software on behalf of a client and process personal data contained within that software on the client's behalf. In these engagements:

  • the client is the controller and decides the purposes and means of processing;
  • we process personal data only on the client's documented instructions, as set out in our agreement with them;
  • we do not use client data for our own purposes, and we do not sell client data.

Where we process personal data as a processor, the relevant individuals (for example, the client's own customers, staff or end users) should direct data protection requests to the client as controller. We will support our clients in responding to such requests in accordance with our agreements with them.


3. Processing on documented instructions

When acting as a processor, we follow the principle of processing only on documented instructions. In practice this means we:

  • process personal data only as needed to deliver the agreed software and services;
  • act on the controller's written instructions regarding the scope, nature and purpose of processing;
  • assist the controller, where appropriate, with data subject requests and with the controller's own compliance obligations;
  • inform the controller if, in our opinion, an instruction appears to conflict with applicable data protection law;
  • return or delete personal data at the end of an engagement in line with the controller's instructions, subject to any retention required by law.

The specific categories of personal data, categories of data subjects, processing activities, duration and security obligations for each engagement are recorded in the applicable contract or Data Processing Agreement.


4. Sub-processors

To deliver our software and services reliably and securely, we engage trusted third-party providers ("sub-processors") that may process personal data on our behalf. We use sub-processors in the following generic categories:

  • Cloud hosting and infrastructure — to host applications, databases and supporting services.
  • Email and communications — to send and receive transactional and operational email and to manage support correspondence.
  • Analytics — to understand how our software and websites are used and to maintain performance, reliability and security.
  • AI and model providers — to deliver AI-powered features within our platforms, such as content generation, processing and automation.

When engaging sub-processors, we take the following measures:

  • we select providers that offer appropriate technical and organisational safeguards;
  • we put written terms in place that impose data protection obligations consistent with our own;
  • sub-processors are permitted to process personal data only to provide the services we have engaged them for.

For client engagements where we act as a processor, we will identify the sub-processors relevant to that engagement and address authorisation of, and changes to, sub-processors through the applicable Data Processing Agreement. Clients can request current sub-processor information for their engagement by emailing support@novastacks.co.uk.


5. Security measures

We maintain technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures are kept under review and include, as appropriate:

  • Encryption in transit for data moving between users, applications and services.
  • Access controls that restrict access to personal data on a least-privilege, need-to-know basis.
  • Authentication safeguards for systems and administrative interfaces.
  • Tenant separation in multi-tenant platforms so that one client's data is logically isolated from another's.
  • Secure development practices applied across the software we design and build.
  • Logging and monitoring to help detect and respond to security events.
  • Backups and recovery measures appropriate to the systems concerned.
  • Confidentiality obligations binding those who process personal data on our behalf.

No method of transmission or storage can be guaranteed to be completely secure; however, we work to ensure our measures remain appropriate to the nature of the data and the risks involved.


6. Data location

We use cloud infrastructure and service providers to host and process personal data. Depending on the provider and the engagement, personal data may be processed within the United Kingdom, the European Economic Area or other locations.

Where personal data is transferred outside the United Kingdom or the European Economic Area, we take steps to ensure that appropriate safeguards are in place in accordance with applicable data protection law, such as recognised transfer mechanisms and contractual protections.

For client engagements, data location and any specific hosting requirements can be agreed and documented as part of the applicable Data Processing Agreement.


7. Records of processing

We maintain internal records of our processing activities as required under applicable data protection law. These records support our accountability obligations and help us:

  • document the purposes of processing and the role in which we act;
  • describe the categories of personal data and data subjects involved;
  • record the categories of recipients and sub-processors;
  • describe, in general terms, the security measures applied;
  • track applicable retention periods.

For engagements in which we act as a processor, we keep records of the categories of processing carried out on behalf of each controller, consistent with our contractual and legal obligations.


8. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required to meet legal, regulatory, accounting or contractual obligations. When acting as a processor, retention and deletion are governed by the controller's instructions and the applicable agreement.


9. Data Processing Agreements for client engagements

For client engagements where we build or operate software that processes personal data on the client's behalf, we offer bespoke Data Processing Agreements (DPAs). A DPA sets out, among other things:

  • the subject matter, nature, purpose and duration of processing;
  • the categories of personal data and data subjects;
  • the obligations and rights of the controller;
  • our obligations as processor, including confidentiality and security;
  • arrangements for sub-processors;
  • provisions for assisting with data subject requests and compliance obligations;
  • arrangements for return or deletion of personal data at the end of the engagement.

To request a Data Processing Agreement or to discuss data processing arrangements for an engagement, please contact us at support@novastacks.co.uk.


10. Changes to this page

We may update this page from time to time to reflect changes in our practices, our services or applicable law. The "Last updated" date at the top of this page indicates when it was most recently revised.


11. Contact us

If you have any questions about how we process personal data, or if you wish to discuss a Data Processing Agreement, please contact us by email:

Email: support@novastacks.co.uk
Website: https://novastacks.co.uk

ForgeAI Studio (trading as NovaStacks) — registered in England & Wales, company number 17175307.