eCommerce Privacy Policy
Nitro Online Purchases
1. Introduction
Nitro Ecomm is an affiliate of, and authorised reseller for, Nitro Software, Inc. ("Nitro"). Nitro Ecomm is the merchant of record for purchases made through the Ecommerce Site, meaning we are the entity you contract with for your purchase, and we appear on your invoice and payment-card statement. The underlying Services (including Nitro PDF, Nitro Sign, and related products) are provided and operated by Nitro under separate terms.
2. Data Controller
3. Personal Data We Collect
3.1 Data You Provide
- First name
- Last name
- Company name (if you are purchasing as a business)
- Email address
- Billing address
- Country
- Card brand
- Last four digits of the card
- Expiration month and year
- Billing postal code
- Payment confirmation status
3.2 Transaction Data
- Order ID
- Transaction ID
- Unique customer identifier
- Products or licences purchased
- Subscription plan and term
- Licence quantity
- Purchase amount and currency
- Applicable taxes
- Order timestamp
3.3 Automatically Collected Data
- IP address and approximate location
- Browser type and version
- Operating system
- Device identifiers
- Deliver checkout pages
- Calculate applicable taxes
- Determine currency and region
- Detect and prevent fraud
3.4 Cookies and Similar Technologies
We use cookies and similar technologies to support the checkout process.
These may include:
- Strictly necessary cookies required for checkout functionality
- Analytics cookies used to analyse checkout performance
- Marketing cookies used for advertising measurement and conversion attribution
Analytics and marketing cookies are used only where you have provided consent through our cookie consent banner when you first visit the Ecommerce Site.
Further information is available in our Cookie Policy.
4. Purposes and Legal Bases for Processing
| Purpose | Categories of Data | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Processing and fulfilling your order, including provisioning of licences | Identity, contact, payment, transaction | Performance of a contract (Art. 6(1)(b)) |
| Managing subscriptions, auto-renewal, and recurring billing | Identity, contact, payment, transaction | Performance of a contract (Art. 6(1)(b)) |
| Calculating, collecting, and remitting applicable taxes (VAT, sales tax, GST/HST) | Identity, contact, tax-related, transaction | Legal obligation (Art. 6(1)(c)) |
| Sharing order and account information with Nitro Software, Inc. to provision and administer the Services (see Section 5.1) | Identity, contact, transaction | Performance of a contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)) |
| Customer support related to your order, billing, or refund | Identity, contact, transaction | Performance of a contract (Art. 6(1)(b)) |
| Customer support quality monitoring, training, and service improvement | Identity, contact, transaction (aggregated/pseudonymised where feasible) | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal, regulatory, accounting, and tax obligations | All categories as required | Legal obligation (Art. 6(1)(c)) |
| Measuring advertising and marketing campaign performance, including conversion attribution (see Section 5.5) | Contact (hashed email), device/technical | Consent (Art. 6(1)(a)) |
| Marketing communications about Nitro products (only where you have opted in) | Identity, contact | Consent (Art. 6(1)(a)) |
Explanation of Legal Bases
Contract performance
Processing necessary to complete your purchase and provide the licences you ordered.
Legal obligation
Processing required to comply with tax, accounting, and regulatory requirements.
Legitimate interests
Processing necessary to protect our services, prevent fraud, improve checkout performance, and operate our business where these interests do not override your rights.
Consent
Processing based on your explicit permission, such as marketing communications or optional cookies.
5. Recipients and Data Sharing
We share your personal data only to the extent necessary for the purposes described above and with the following categories of recipients:
5.1 Nitro Software, Inc.
As set out in Section 3(a) of our Ecommerce Terms, we provide order and account information to Nitro Software, Inc. so that Nitro can provision, activate, and administer the Services you have purchased. Once Nitro receives this data, Nitro acts as an independent data controller and processes your personal data in accordance with its own Terms of Service and Privacy Policy.
- Nitro Software, Inc., 447 Sutter St, STE 405 #1015, San Francisco, CA 94108, United States
- Role: Independent Data Controller (for service provisioning, account administration, product delivery, customer support, analytics, and the ongoing customer relationship)
- Nitro's Privacy Policy: https://www.gonitro.com/legal/privacy-policy
Data shared may include:
- Identity data
- Contact data
- Billing address
- Order details
- Subscription information
Nitro Software, Inc. is certified under the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce. Nitro is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). To view Nitro's certification, visit https://www.dataprivacyframework.gov/.
5.2 Stripe Payments Europe, Limited
Payment processing is provided by Stripe Payments Europe, Limited and its affiliates (“Stripe”).
Stripe acts primarily as a data processor when processing payments on our behalf.
Stripe may also act as an independent data controller where it processes data for its own regulatory compliance, fraud prevention, and service improvement purposes. To learn more, see Stripe's Privacy Policy: https://stripe.com/privacy
5.3 Service Providers
We may share personal data with service providers acting as data processors, including:
- Tax compliance providers
- Hosting and infrastructure providers
- Analytics providers
- Customer support platforms
These providers process data under contractual obligations and only on our instructions.
5.4 Nitro Group Entities
Data collected through the checkout may be shared with other entities within the Nitro group of companies to support ancillary functions such as performance monitoring, technical support, marketing, and improvements to our services. Such sharing is consistent with the practices described in Nitro’s Privacy Policy and is governed by intra-group data transfer agreements that include appropriate safeguards.
5.5 Advertising and Analytics Partners
Where you consent to marketing cookies, we may share a hashed version of your email address with Google for Google Ads Enhanced Conversions.
The hashed data is used solely to measure advertising effectiveness and is deleted by Google after the matching process.
5.6 Business Transfer
In the event of a restructuring, business transfer or merger and acquisition activity, your personal data may be transferred to the third parties involved in this process.
5.7 Other Third Parties
We may disclose personal data where required to:
- Comply with legal obligations
- Respond to lawful requests by authorities
- Protect legal rights
- Support audits or regulatory compliance
We do not sell personal data.
6. International Transfers
Your personal data may be transferred to, stored, and processed in countries outside your country of residence. Personal data is also transferred to Nitro Software, Inc. in the United States for service provisioning and account administration.
Where personal data originating in the European Economic Area ("EEA"), the United Kingdom, or Switzerland is transferred to a country that has not been recognised as providing an adequate level of data protection, we ensure appropriate safeguards are in place, including:
- EU-U.S. Data Privacy Framework (DPF): Nitro Software, Inc. is a certified participant in the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- UK International Data Transfer Addendum.
- Adequacy decisions where available.
- Supplementary measures where appropriate, as determined by transfer impact assessments.
7. Data Retention
We retain personal data collected during checkout for as long as necessary to fulfil the purposes described in this policy and to comply with our legal obligations:
- Transaction, order, and billing records: retained for the period required by applicable tax, accounting, and commercial law (typically 7–10 years, depending on jurisdiction).
- Subscription and renewal records: retained for the duration of the subscription plus the applicable legal retention period.
- Payment card and bank account data: we do not store full payment credentials. Stripe retains payment data for the term of its agreement with us and any period required to perform post-termination obligations, and in accordance with its own data retention policies and PCI DSS requirements. Upon termination of the agreement, Stripe will (at our choice) delete or return personal data, except to the extent storage is required to exercise its rights under the agreement or is required or authorised by applicable law.
- Marketing consent records: retained for as long as your consent remains active, plus a reasonable period thereafter to evidence compliance.
- Hashed email data (conversion attribution): deleted by Google after the conversion-matching process is completed.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:
- Encryption of data in transit (TLS/HTTPS);
- Access controls and role-based permissions;
- Regular security assessments;
- Contractual security obligations imposed on our processors and sub-processors.
For further information on Nitro's security practices, please refer to the Technical and Organisational Measures.
9. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding the personal data we process during checkout:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations.
- Restriction of processing — request that we limit how we use your data in certain circumstances.
- Data portability — receive your data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on our legitimate interests or to direct marketing.
- Withdrawal of consent — where processing is based on consent (including cookies and conversion attribution), withdraw that consent at any time without affecting the lawfulness of processing before withdrawal. You can withdraw cookie consent via our Cookie Policy and marketing consent via the unsubscribe link in our communications.
- Right not to be subject to automated decision-making — where applicable.
9.1 How to Exercise Your Rights (Checkout and Billing Data)
To exercise rights in relation to checkout, billing, and payment data held by Nitro Ecomm, please contact us using the details in Section 13 or submit a request via our Data Subject Access Request form.
We will respond within the timeframes required by applicable law.
10. Additional Rights for California and U.S. Residents
If you are a California resident or a resident of another U.S. state with comprehensive privacy legislation (such as the CCPA/CPRA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, or similar laws), you may have additional rights, including:
- Right to know — the categories and specific pieces of personal information we have collected, the sources of collection, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
- Right to delete — request deletion of your personal information, subject to legal exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of "sale" or "sharing" — we do not sell your personal information, and we do not "share" it (as defined under the CCPA) for cross-context behavioural advertising without your consent.
- Right to non-discrimination — we will not discriminate against you for exercising any of your privacy rights.
To exercise these rights, contact us using the details in Section 13.
11. Cookies and Similar Technologies
The Ecommerce Site checkout pages use the following types of cookies:
- Strictly necessary cookies: required for the checkout to function (e.g., session management, shopping cart, CSRF protection). These do not require your consent.
- Analytics cookies: used to understand how visitors interact with the checkout flow, so we can improve the experience. Deployed only with your consent.
- Marketing/advertising cookies: used to deliver relevant advertising and to support conversion attribution (including Google Ads Enhanced Conversions). Deployed only with your consent.
You can manage your cookie preferences at any time through our cookie banner or by adjusting your browser settings. For full details, including a list of specific cookies, please see our Cookie Policy.
12. Children's Privacy
Our products and checkout process are not directed at individuals under the age of 18 (or the older of 18 and the applicable age of digital consent in your jurisdiction, consistent with our Ecommerce Terms). We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us so we can take appropriate action.
13. Contact Us
If you have questions, concerns, or wish to exercise your data protection rights in connection with the checkout process, please contact:
Nitro's Data Protection Office:
- Contact form: https://www.gonitro.com/contact-dpo
- Email: privacy@gonitro.com
- Address: Nitro Software, Inc., 447 Sutter St, STE 405 #1015, San Francisco, CA 94108, USA
14. Supervisory Authority and Dispute Resolution
If you believe your data protection rights have been infringed, you have the right to lodge a complaint with a supervisory authority:
- Ireland (lead authority for Nitro Ecomm): Data Protection Commission (DPC) — 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland — https://www.dataprotection.ie
- Other EEA residents: your local Data Protection Authority (a list is available at https://edpb.europa.eu).
- UK residents: the Information Commissioner's Office (ICO) — https://ico.org.uk.
For complaints relating to personal data transferred to Nitro Software, Inc. under the EU-U.S. Data Privacy Framework, Nitro has committed to cooperate with the panel established by EU DPAs, the UK ICO, and the Swiss FDPIC. Under certain conditions, you may also have the right to invoke binding arbitration as set forth in Annex 1 of the DPF Principles. You can learn more at https://www.dataprivacyframework.gov/.