Privacy Policy

Effective Date: 29 May 2026

Nowt On (trading as "Nowt On") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, disclose, transfer, and safeguard your personal information when you access and use the Nowt On platform, including our website, mobile applications, and integrations with third-party services such as Meta (Facebook and Instagram) and WhatsApp.

By accessing or using our platform, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your personal information as described in this policy.

1. Data Controller

The Data Controller responsible for your personal information is:

Nowt On

Freddie Ryan trading as Nowt On

Kendal, Cumbria, England

Email: info@nowton.events

ICO Registered

If you have any questions about how we handle your personal data, please contact us at the email address above.

2. Information We Collect

2.1. Visitors

When you browse our website without creating an account, we may collect:

  • Technical and usage information (e.g., IP address, browser type, pages visited, session duration)
  • Cookies and similar tracking technologies (see Section 7)

This information helps us improve our platform's performance and user experience.

2.2. Registered Users and Customers

When you create a profile or use our services, we collect:

  • Name
  • Email address
  • Authentication tokens (e.g., magic link tokens, Meta access tokens)

2.3. Business Accounts

For businesses that create and manage events on our platform, we collect:

  • Business name
  • Contact name(s)
  • Mobile number
  • Business email address
  • Event content (titles, URLs, images, descriptions)

2.4. Integrations and Linked Accounts

If you choose to integrate or connect your account with third-party services (such as Meta or WhatsApp):

  • We collect information you explicitly authorise through those services (e.g., profile name, Page identifiers, event posts)
  • We do not access additional information beyond what you authorise

3. How We Use Your Information

We use your personal information to:

  • Provide and operate the Nowt On platform and its features
  • Authenticate and secure your account
  • Allow you to create, manage, save, and share events
  • Enable integrations with third-party platforms (e.g., Meta, WhatsApp)
  • Communicate with you via channels you opt into (e.g., email, WhatsApp)
  • Improve our services and troubleshoot issues
  • Comply with legal obligations

We do not use your personal information for marketing outside the platform without your explicit consent.

4. Legal Basis for Processing

Where applicable under data protection law (UK GDPR / Data Protection Act 2018):

  • Contract performance — to provide the services you request (e.g., account management, event listings)
  • Consent — when linking third-party accounts or opting into messaging (e.g., WhatsApp notifications). You may withdraw consent at any time by contacting info@nowton.events or adjusting your account settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Legitimate interests — to improve services and ensure platform security, where those interests do not override your rights and freedoms
  • Legal obligation — where we are required to process data to comply with applicable law

5. Data Sharing and Third Parties

5.1. Data Processors and Service Providers

We share personal information with trusted third-party service providers that help us operate the platform. These include:

  • Vercel (application hosting and deployment) — United States
  • Supabase (backend database and storage) — European Union / United States
  • Railway (infrastructure for workflow automation) — United States
  • n8n (automated workflows and event processing)
  • Meta Platform / WhatsApp Business API (social media integration and messaging) — United States
  • Zernio (operated by ARBICHAT, S.L. — Instagram messaging provider; receives and sends Instagram Direct Messages on our behalf; see Section 5.3) — Spain (European Union)
  • Mailjet (email delivery) — European Union
  • Google Gemini API (AI-assisted processing of post text to detect event information) — United States

Each processor is engaged under appropriate contractual terms and is only permitted to process your data on our instructions and for the stated purpose.

5.2. Third-Party Platforms

When you choose to connect your Meta (Facebook/Instagram) account:

  • We receive only the data you authorise through Meta's permissions
  • Your use of Meta services is also governed by Meta's Privacy Policy and your settings with Meta
  • We do not sell personal data to third parties

5.3. Instagram Direct Messages

Consent. Our automated assistant stays silent until you explicitly activate it by sending the keyword “startnowton”. At that point we reply once with a message linking to this privacy policy and ask you to reply “YES” to consent to data processing under this section. We will not extract event details or send further automated messages until you have consented. Until you activate it, you can message our account normally and a human will respond — the assistant does not process or auto-reply to ordinary messages. You may opt out at any time by replying “STOP”, after which we will stop sending automated replies and will not retain new messages. Your consent is recorded with a version stamp; if this policy materially changes, we may re-prompt you.

When you DM our Instagram business account (@nowtonevents), the message content — including any shared post or story caption and media URL — is relayed to our servers through Zernio, our Instagram messaging provider (acting as our data processor), via a secure webhook so we can help you submit an event listing.

Review before publication. After you share an event post or story, we extract the event details and send you a private link to a short review page where you confirm or correct each event before anything is published. Nothing is listed on Nowt On until you have reviewed it via that link. The link expires after 24 hours.

Submission and attribution. After you consent, any event post or story you share is processed and returned to you as a private review link (see above) before anything is published. If you have a Nowt On business account, you can link your Instagram account — generate a one-time code in your Nowt On dashboard and DM it to @nowtonevents to verify ownership — so that events you submit are attributed to your business and manageable from your dashboard. You may unlink at any time. Without a linked account, your submissions are still reviewed by you via the link and may be listed subject to our manual review, but you cannot later edit the published listing yourself — see the responsibility note below.

Automated processing. Messages you send to @nowtonevents are processed by an automated assistant that uses large language models (LLMs) to extract event details. The assistant cannot make legally binding decisions about you. Every event listing is reviewed by a human before publication, and you can pause the assistant and request a real person at any time by replying “HUMAN” (this puts the assistant on hold for 24 hours so we can follow up directly), or opt out entirely by replying “STOP”.

Purpose limitation. We only access Instagram messages directed to our business account, and only to provide the event listing service you have requested. We do not retain, share, or use this data for advertising, profiling, training AI models, or any other purpose.

How this integration works. Our Facebook Page integration (Section 5.2) requires you to authenticate with Facebook and explicitly grant permissions. Our Instagram DM integration works differently: Instagram Direct Messages are handled through Zernio, a third-party messaging provider acting as our data processor. The owner of @nowtonevents has authorised Zernio (once, via Meta) to receive and send messages for the account. When you DM @nowtonevents, Zernio relays your message securely to our servers; we extract the event details and send our reply back to you through Zernio. End users who DM @nowtonevents do not log in to our app or grant permissions to it — you interact with us only by sending an Instagram message, in the same way you would message any other Instagram business account. By messaging us, you consent to the data processing described in this section (subject to the YES consent gate above).

We collect and store:

  • Your Instagram Scoped User ID (a platform-specific identifier assigned by Meta)
  • Your Instagram username (handle), retrieved via the Instagram Graph API (instagram_basic permission) and displayed on the resulting event listing as attribution
  • The message ID and timestamp
  • The caption and media URL of any post you share with us
  • Our assistant's replies to you

This data is retained for up to 90 days, after which the raw message payload is automatically purged. Conversation metadata (message ID, timestamps) may be retained for audit and compliance purposes.

We use this data solely to extract event details and help you list an event on Nowt On. We do not use it for advertising or profiling, and we do not share it with third parties outside the processors listed above.

Your responsibility for unlinked submissions. Events submitted via Instagram by users without a Nowt On business account become public listings on nowton.events. The submitter is solely responsible for the accuracy of the information they provide. If event details change, dates move, or an event is cancelled, you must contact info@nowton.events to request an update or removal — without a linked account you cannot edit listings yourself. Nowt On accepts no liability for out-of-date or inaccurate listings sourced from unlinked Instagram submissions, but we will action reasonable removal or update requests within 7 days. To gain self-service control over your listings, sign up at nowton.events and link your Instagram account from the Integrations panel.

You can request deletion of your Instagram messaging data at any time by emailing info@nowton.events. We will action deletion requests within 30 days. Meta may also submit deletion requests on your behalf via our Data Deletion Callback, which we process automatically.

If you delete or unsend a message in Instagram, Meta sends us a deletion notification and we automatically remove the corresponding message from our records.

The Meta permissions involved are:

  • Instagram messaging (via Zernio): the ability to read incoming DMs to @nowtonevents and reply to them is held by Zernio (our messaging provider) on its own Meta application, authorised once by the owner of @nowtonevents. Our own Meta app uses instagram_basic to identify our Instagram Business Account and resolve sender @handles for attribution.
  • Facebook Pages (user-granted via OAuth when connecting your Page): pages_show_list, pages_read_engagement, pages_manage_metadata

5.4. Legal Obligations

We may disclose personal information if required to:

  • Comply with a legal obligation or court order
  • Protect and defend our rights or property
  • Respond to lawful requests by public authorities

6. International Data Transfers

Some of our third-party processors are based outside the United Kingdom and the European Economic Area (EEA), including in the United States (Vercel, Railway, Google, Meta). When we transfer your personal data to these processors, we ensure appropriate safeguards are in place, which may include:

  • UK International Data Transfer Agreements (IDTAs) or the UK Addendum to Standard Contractual Clauses (SCCs)
  • UK adequacy regulations (where the destination country has been deemed adequate by the UK Secretary of State)
  • Processor-maintained certifications or binding corporate rules

You may request details of the specific transfer safeguards we rely on by contacting info@nowton.events.

7. Cookies and Tracking

We use cookies and similar technologies to operate and improve the platform:

  • Essential cookies — required for authentication, session management, and core platform functionality. These cannot be disabled without affecting platform use. No consent is required for these cookies.
  • Google Analytics 4 — we use Google Analytics to understand how visitors discover and interact with the platform. GA4 may set cookies (_ga, _gid) to help distinguish users and sessions. Data collected is anonymised and used only for aggregate reporting (page views, traffic sources, device types). No personally identifiable information is sent to Google. You can opt out via your Account Settings or by using the Google Analytics opt-out browser add-on.
  • Interaction tracking — when you view or click on events, anonymised interaction records (event views, outbound link clicks, saves) are stored in our own database (Supabase). These records are linked to events, not to individual users, unless you are logged in, in which case your user ID is stored alongside the interaction to enable personalised features such as saved events.

You can manage or disable essential cookies through your browser settings, though this will affect platform functionality. Analytics tracking can be disabled at any time via Account Settings → Privacy.

8. AI-Assisted Processing

We use AI/LLM services in two places on the platform:

  • Connected social media accounts — when you connect a Facebook Page, we use the Google Gemini API to analyse the text of your public posts to detect potential event information.
  • Instagram and WhatsApp messaging assistants — when you message @nowtonevents on Instagram or our WhatsApp business number, your messages are processed by large language models (currently provided via OpenRouter) to understand your intent and extract event details. See Section 5.3 for the Instagram-specific terms.

In both cases this processing:

  • Is used solely to generate draft event suggestions for your review
  • Is always subject to human review — no draft is published without explicit approval
  • Does not involve any solely automated decisions with legal or similarly significant effects on you (as defined under UK GDPR Article 22)
  • Is not used to train any third-party AI models — your messages and post content are not made available to LLM providers for training

9. Data Security

We implement commercially reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or alteration. These include encryption of personal information at rest and in transit, secure storage practices, and access controls.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours as required by law, and will notify affected users without undue delay where the breach is likely to result in high risk to those individuals.

10. Data Retention

We retain personal information only as long as necessary. Our retention periods are as follows:

  • Active account data — retained while your account remains active
  • Account data after deletion — permanently erased from active systems within 30 days of account deletion or a verified deletion request
  • Event content — erased with your account (or sooner on request)
  • Server and access logs — retained for up to 12 months for security and performance purposes
  • Financial or legal records (if applicable) — retained for up to 7 years in accordance with HMRC record-keeping requirements

For detailed instructions on data deletion, see nowton.events/data-deletion.

11. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:

  • Access — request a copy of the personal information we hold about you
  • Correction — update or correct inaccurate personal data
  • Erasure — request deletion of your account and personal information ("right to be forgotten")
  • Restriction — ask us to restrict processing of your data in certain circumstances
  • Portability — receive your personal data in a structured, machine-readable format and transfer it to another controller
  • Object — object to processing based on legitimate interests or for direct marketing
  • Withdraw consent — withdraw consent at any time for processing based on consent (e.g., WhatsApp notifications, or Instagram DM event submissions — reply “STOP” to our Instagram account), without affecting prior lawful processing
  • Automated decision-making — not be subject to solely automated decisions that produce legal or similarly significant effects

To exercise any of these rights, contact us at info@nowton.events. We will respond within one calendar month as required by law.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your personal data in accordance with the law:

12. Children's Privacy

Nowt On is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us at info@nowton.events and we will delete it promptly.

13. Changes to This Privacy Policy

We may update this policy from time to time. Significant changes will be reflected with an updated effective date on this page, and where appropriate we will notify you by email or in-platform notice. Your continued use of our services after changes take effect indicates your acceptance of the updated policy.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy, or wish to exercise your data rights, contact:

Nowt On

Email: info@nowton.events

Website: www.nowton.events