Data Privacy & Processing Agreement for Nada 

Between:
NADA ARCHITECTS LTD (Company No. 09148789), registered in the United Kingdom and having its principal place of business at 169 Kingsway, Manchester, England, M19 2ND (“Data Controller”)

and

HMI RETAIL LIMITED, registered in the United Kingdom and having its principal place of business at First Floor, 1 Mounthooly Way, Aberdeen, Scotland, AB24 3ER (“Data Processor”).

Effective Date: 23rd October 2025

1. Purpose

This Agreement outlines the terms under which the Data Processor will process personal data on behalf of the Data Controller for the purpose of managing and optimising digital marketing campaigns, including Google Ads, Google Analytics, and conversion tracking.

2. Roles of the Parties

• Data Controller: NADA ARCHITECTS LTD determines the purposes and means of processing personal data.
  
• Data Processor: HMI RETAIL LIMITED processes data solely on behalf of and in accordance with the written instructions of NADA ARCHITECTS LTD.
  

3. Nature and Scope of Processing

The Data Processor may process the following types of personal data:

• Website usage data and analytics (via Google Ads, Analytics, Tag Manager, or other tracking tools)
  
• Conversion and event data (e.g., contact form submissions, page interactions, ad click identifiers)
  
• Cookie and device information
  

The processing shall be limited to the purposes of performance tracking, advertising optimisation, and reporting.

4. Data Processor Obligations

The Data Processor agrees to:

1. Process personal data only on documented instructions from the Data Controller.
   
2. Maintain confidentiality and ensure all personnel with access to data are bound by confidentiality agreements.
   
3. Implement appropriate technical and organisational measures to protect data against unauthorised access, alteration, or loss.
   
4. Not share or subcontract processing to third parties without prior written consent from the Data Controller.
   
5. Promptly assist the Data Controller in fulfilling obligations relating to data subject rights and data breach notifications.
   
6. Delete or return all personal data to the Data Controller upon termination of this Agreement.
   

5. Subprocessors

The Data Processor may use subprocessors solely for enabling campaign tracking (e.g., Google LLC and other standard marketing platforms). The Data Processor remains responsible for ensuring subprocessors comply with equivalent data protection obligations.

6. International Transfers

Where personal data is transferred outside the UK or EEA, the Data Processor shall ensure adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) or equivalent protection mechanisms.

7. Data Retention

The Data Processor shall not retain personal data longer than necessary for the fulfilment of the marketing services and shall ensure secure deletion upon completion of the services or upon written request from the Data Controller.

8. Term & Termination

This Agreement shall remain in effect for the duration of the marketing services engagement. Upon termination, all personal data processed on behalf of the Data Controller shall be securely deleted or returned.

9. Governing Law

This Agreement is governed by and construed in accordance with the laws of England and Wales.