Legal

Privacy Policy

Effective Date: May 14, 2026
Version: 1.0
Last Updated: May 14, 2026

1. Who We Are

This Privacy Policy applies to personal data processed by Nevant Global, a trading division of Anduin Enterprises LLC, a limited liability company registered in the State of Georgia, USA (collectively, "Nevant Global", "we", "us", or "our").

For purposes of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), Anduin Enterprises LLC is the Data Controller of personal data collected through this website and through the engagements it conducts.

Contact details:

2. Scope of This Policy

This Privacy Policy describes how we collect, use, disclose, and protect personal data:

  • when you visit nevantglobal.com or any subdomain
  • when you submit information through the Free Gap Report request form
  • when you subscribe to receive updates from Nevant Global
  • when you engage Nevant Global as a client under a Statement of Work, in which case the Data Processing Addendum to that engagement governs in addition to this policy

This policy does not apply to information you provide to third parties — including your own clients, candidates, employees, or counterparties — even where Nevant Global subsequently processes that information at your direction. In those circumstances, you act as Data Controller and Nevant Global acts as Data Processor under your instructions.

3. Personal Data We Collect

You provide directly:

  • Name, professional title, employer name, and business contact details (email, phone, postal address) you submit through web forms or correspondence
  • Information about your organisation and its AI systems, where you provide it in the course of evaluating or commencing an engagement
  • Communications content (emails, meeting recordings if you consent, written notes from interviews)
  • Payment and billing information for paid engagements (collected and processed by our payment processor; we do not store full card numbers)

We collect automatically through the website:

  • Standard server log data: IP address, browser type, device identifiers, referring page, timestamp of access
  • Limited cookie data (see Section 10 below)
  • Analytics data sufficient to measure aggregate website performance (page views, navigation paths, bounce rates)

We do not collect:

  • Special categories of personal data under Article 9 GDPR (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation), unless you affirmatively choose to provide such information in the course of an engagement and consent in writing to its processing
  • Data of children under 16

4. Purposes and Legal Bases for Processing

We process personal data for the following purposes, each grounded in a specific legal basis under Article 6 GDPR:

PurposeLegal Basis
To respond to your inquiries and prepare a Free Gap Report on requestLegitimate interests (Article 6(1)(f)) — providing the information you have requested
To deliver paid engagements (Tier 1–3 assessments, the Self-Assessment Portal)Performance of a contract (Article 6(1)(b))
To send you operational communications related to active engagements or requestsPerformance of a contract (Article 6(1)(b)) or legitimate interests (Article 6(1)(f))
To send you marketing communications, where you have opted inConsent (Article 6(1)(a)) — withdrawable at any time
To meet our legal, regulatory, accounting, and tax obligationsCompliance with a legal obligation (Article 6(1)(c))
To protect our rights, prevent fraud, and ensure platform securityLegitimate interests (Article 6(1)(f))
To process your data subject requestsCompliance with a legal obligation (Article 6(1)(c))

Where we rely on legitimate interests, we have conducted a balancing test and concluded that our processing does not override your fundamental rights and freedoms. You may request a summary of the balancing analysis at any time.

5. Sub-Processors and Disclosure

To deliver our services, we engage a limited number of trusted third parties as sub-processors. Sub-processors fall into the following categories:

  • Infrastructure and data storage — primary storage of files and operational data
  • Email and document collaboration — business communications, file delivery
  • Payment processing — collection of engagement fees
  • Generative AI analytical tooling — analytical workflow supporting Nevant Global's compliance assessment methodology, under formal Data Processing Agreement with the provider

The current sub-processor list, with named providers and their roles, is available on request through the contact details in Section 13 and is disclosed in the Data Processing Addendum to any client engagement.

Each sub-processor is bound by a written Data Processing Agreement that imposes obligations no less protective than those in this Privacy Policy. Where any sub-processor processes data outside the European Economic Area, the transfer is governed by Standard Contractual Clauses or another mechanism approved under Articles 44–50 GDPR.

We do not sell, rent, or otherwise commercially license your personal data to third parties.

We may disclose personal data to law enforcement or regulatory authorities where required by law, where compelled by valid legal process, or where we determine in good faith that disclosure is necessary to prevent imminent harm.

6. International Data Transfers

Anduin Enterprises LLC is established in the United States, and certain of our sub-processors process data outside the European Economic Area. Where personal data of EU residents is transferred outside the EEA, we rely on the following transfer mechanisms:

  • 2021 Standard Contractual Clauses (Module 2: controller-to-processor; Module 3: processor-to-processor) executed with each sub-processor that processes data outside the EEA
  • Supplementary technical and organisational measures including encryption in transit and at rest, access controls, and where supported by the sub-processor, EU data residency for inference and storage at rest

A copy of the relevant transfer mechanism is available on request through the contact details in Section 13.

7. Your Data Subject Rights

Under GDPR Articles 15–22, you have the following rights with respect to your personal data:

  • Right of access (Article 15) — to receive confirmation of whether we process your data, and a copy of the data we hold
  • Right to rectification (Article 16) — to have inaccurate or incomplete data corrected
  • Right to erasure (Article 17) — to have your data deleted in defined circumstances
  • Right to restriction of processing (Article 18) — to limit how we use your data in defined circumstances
  • Right to data portability (Article 20) — to receive your data in a structured, machine-readable format
  • Right to object (Article 21) — to processing based on legitimate interests, including for direct marketing
  • Right to withdraw consent (Article 7) — for any processing based on consent, at any time, without retroactive effect
  • Right not to be subject to automated decision-making (Article 22) — Nevant Global does not make decisions about you that produce legal effects on the basis of automated processing alone

To exercise any right, contact us through the details in Section 13. We will respond within one calendar month of receipt and may extend this by two further months for complex requests, in which case we will notify you within the first month.

You also have the right to lodge a complaint with a supervisory authority. The relevant authority for the Netherlands is the Autoriteit Persoonsgegevens: autoriteitpersoonsgegevens.nl.

8. Data Retention

CategoryRetention period
Website inquiry data (no engagement followed)12 months from last contact
Engagement working files (active engagement)Duration of engagement
Engagement working files (post-completion)7 years for professional liability and regulatory inquiry purposes
Marketing subscriber dataUntil withdrawal of consent, then deleted within 30 days
Financial and tax records7 years (Dutch tax law) or longer if required by US tax law
Server logs90 days

After the applicable retention period expires, data is securely deleted or fully anonymised.

9. Security Measures

We implement appropriate technical and organisational measures (Article 32 GDPR) to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest for all primary storage
  • Strong access controls with multi-factor authentication
  • Principle of least privilege for sub-processor access
  • Logging and monitoring of access to personal data
  • Periodic review of sub-processor security posture
  • Incident response procedures supporting GDPR Article 33 breach notification within 72 hours of awareness

10. Cookies and Tracking

The Nevant Global website uses:

  • Strictly necessary cookies — required for the website to function (e.g., session cookies, security tokens). These are set by default and cannot be disabled.
  • Analytics cookies — to measure aggregate website performance. These are set only with your consent.
  • No advertising cookies — we do not use third-party advertising networks or behavioural retargeting.

You can manage cookie preferences through the cookie banner displayed on first visit and through your browser settings.

11. Automated Decision-Making

We do not engage in automated decision-making that produces legal effects on you or significantly affects you within the meaning of Article 22 GDPR. The compliance assessments we deliver are diagnostic professional opinions reviewed and signed by the Engagement Principal — they are not automated decisions.

12. Children

Our services are directed to professionals and organisations, not to individuals under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, please contact us immediately and we will delete the information.

13. Contact and Complaints

Data Controller:

Supervisory Authority (Netherlands):

14. Changes to This Policy

We may update this Privacy Policy from time to time. The "Effective Date" at the top of this page indicates when it was last revised. Material changes will be notified by email to active subscribers and clients, and will be posted on the website at least 30 days before they take effect. Continued use of the website after the Effective Date of a revised policy constitutes acceptance of that revision.

This policy is governed by Dutch law for matters relating to data subjects in the Netherlands and the European Union. For all other matters, the governing law is the law of the State of Georgia, USA, without prejudice to mandatory provisions of EU and Member State law that apply by operation of law.