Who We Are & What This Policy Covers
NOMASTAY ("we", "us", or "our") is a certified Digital Twin platform partner, delivering the Meta-dology platform to property developers, architects, governments, and investors. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, submit an enquiry, or engage with any of our services.
This policy is issued in compliance with Articles 13 and 14 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), as amended by the Data (Use and Access) Act 2025 (DUAA). We are committed to handling your personal data transparently, fairly, and in accordance with all applicable UK data protection law.
By accessing our website or submitting your information through any form on this site, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not submit your personal data.
Data Controller Identity & Contact Details
NOMASTAY is the data controller for all personal data collected through this website and associated communications. As data controller, we determine the purposes and means of processing your personal data and are responsible for compliance with UK data protection law.
- Controller name: NOMASTAY Ltd
- Registered address: Onyx House, 12 Phoenix Business Park, Avenue Close, Birmingham, West Midlands, England, B7 4NU
- Companies House number: 14069533
- ICO registration number: ZB554893
- Privacy & data enquiries: [email protected]
If you have questions about how we process your personal data, or wish to exercise any of your data rights, please contact us at the email address above. We aim to acknowledge all privacy-related requests within 5 business days and to respond substantively within the statutory timeframes.
Personal Data We Collect
We collect personal data in two ways: directly from you when you interact with our website, and automatically when you browse it.
Data you provide directly:
- Full name and contact details including email address and phone number
- Company or organisation name, job title, and professional role
- Project type, development scale, investment interest, or property enquiry details
- Any additional information you voluntarily include in form submissions or email correspondence
Data collected automatically when you browse:
- IP address and approximate geographic location derived from it
- Browser type, version, operating system, and device type
- Pages visited, time spent on each page, referral URL, and links clicked
- Cookie identifiers and session data (see Section 06 for full details)
We do not collect special category data (such as health, ethnicity, or biometric data) through this website, and we ask that you do not submit any such data through our forms.
Purposes & Legal Basis for Processing
Under UK GDPR, we must have a valid legal basis for each purpose for which we process your personal data. The table below sets out our processing purposes and the corresponding legal basis for each.
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Responding to your enquiry and arranging demonstrations | Legitimate interests (Article 6(1)(f)) — our interest in responding to business enquiries |
| Follow-up communications related to your enquiry | Legitimate interests (Article 6(1)(f)) — subject to your right to object |
| Sending marketing communications where you have opted in | Consent (Article 6(1)(a)) — withdrawable at any time |
| Fulfilling any formal service agreement | Contract performance (Article 6(1)(b)) |
| Compliance with legal and regulatory obligations | Legal obligation (Article 6(1)(c)) |
| Improving our website and services through analytics | Legitimate interests (Article 6(1)(f)) |
Where we rely on legitimate interests as our legal basis, we have carried out a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of this assessment by contacting us at [email protected].
Cookies, PECR & the DUAA 2025
Our website uses cookies and similar tracking technologies. Our use of cookies is governed by the Privacy and Electronic Communications Regulations 2003 (PECR), as amended by the Data (Use and Access) Act 2025 (DUAA), which came into force on 5 February 2026.
Under the updated PECR rules, certain cookies are now exempt from the requirement for prior consent. The table below explains each category we use, whether consent is required, and how you can manage your preferences.
| Category | Purpose | Consent Required? |
|---|---|---|
| Strictly necessary | Essential for the website to function. Cannot be switched off. | Exempt |
| First-party analytics | Statistical information about how visitors use our site, used solely to improve our service. No cross-site tracking or profiling. DUAA 2025 exempts these provided users have an opt-out mechanism. | Opt-out |
| Functionality / preference | Remembers your settings and adapts how the site appears on your device. DUAA 2025 exempts these from consent. | Exempt |
| Marketing & third-party tracking | Track enquiry sources, campaign performance, and support personalised advertising across sites. | Consent required |
You may manage or withdraw consent for non-essential cookies at any time through your browser settings or our cookie preference tool. Withdrawing consent will not affect the lawfulness of any prior processing. Note that disabling strictly necessary cookies may impair website functionality.
How Long We Keep Your Data
We retain personal data only for as long as is necessary to fulfil the purpose for which it was collected, to comply with legal obligations, or to resolve disputes and enforce agreements. We regularly review the personal data we hold and delete it securely when it is no longer needed.
| Data Type | Retention Period | Reason |
|---|---|---|
| Enquiry and contact data | 3 years from last meaningful contact | Legitimate interest in managing business relationships; limitation period for contract claims |
| Marketing opt-in records | Until consent is withdrawn, then deleted promptly | Proof of consent under PECR |
| Contractual / service records | 6 years from contract end | Limitation Act 1980; statutory and financial record-keeping obligations |
| Website analytics data | 26 months (then aggregated / anonymised) | ICO recommended maximum for analytics retention |
| Legal / compliance records | As required by applicable law | Statutory obligation |
Your Data Protection Rights
Under UK GDPR and the DPA 2018, you have the following rights. To exercise any of these rights, please contact us at [email protected]. We will respond within one calendar month. For complex or multiple requests, we may extend this by up to two additional months and will notify you if this is necessary.
There is no charge for exercising your rights in most circumstances. If a request is manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee or decline to act, and will inform you accordingly.
Automated Decision-Making & Profiling
We do not currently make any decisions about you solely by automated means that produce legal or similarly significant effects on you. Your enquiry data is reviewed by members of our team before any response or follow-up action is taken.
We may use automated tools (such as CRM scoring or email open-rate tracking) to understand engagement levels, but these are used only to inform how our team communicates with you — not to make binding decisions about you.
If our practices change and we introduce automated decision-making with significant effects, we will update this policy and provide you with the appropriate information and rights as required under UK GDPR.
How We Protect Your Data & What Happens If There Is a Breach
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, alteration, or disclosure. These include:
- Encrypted data transmission using SSL/TLS protocols across all pages
- Access controls ensuring personal data is accessible only to authorised personnel with a legitimate need
- Written data processing agreements with all third-party service providers
- Regular review and testing of our security measures and those of our processors
- Staff awareness of data protection responsibilities
Personal data breaches: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we are required under UK GDPR Article 33 to notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay under Article 34, explaining the nature of the breach and the steps we have taken to address it.
While we take all reasonable steps to protect your data, no method of internet transmission is entirely secure. If you suspect your data has been compromised, please contact us immediately at [email protected].
Transfers Outside the UK
When you submit an enquiry through this website, your personal data will be transferred to Meta-dology, LLC, which is incorporated and operates in the United States (governed by the laws of the State of Illinois). The United States does not currently hold a UK adequacy decision. This transfer therefore takes place under one of the following appropriate safeguards:
- UK International Data Transfer Agreement (IDTA): The UK's post-Brexit standard contractual mechanism, approved by the ICO, which we seek to put in place with Meta-dology, LLC as recipient
- UK Addendum to EU Standard Contractual Clauses: Where applicable as an alternative transfer mechanism
- Article 49 derogation: Where the transfer is necessary for the performance of pre-contractual steps taken at your request — i.e. arranging the demonstration you have requested
Meta-dology, LLC processes your data in the US under its own Privacy Policy (available at meta-dology.com/privacy-policy), which incorporates US data protection standards including CCPA/CPRA compliance. By submitting your enquiry, you are informed of and acknowledge this international transfer.
NOMASTAY Ltd also works with service providers who may be located outside the UK. In all such cases we ensure appropriate safeguards are in place in compliance with UK GDPR. You may request details of the specific transfer safeguards applicable to your data by contacting us at [email protected].
Children's Privacy
Our services are intended exclusively for business and investment professionals. We do not knowingly collect, process, or retain personal data from anyone under the age of 18. Our website is not directed at children, and we do not market to them.
If you believe we have inadvertently received personal data relating to a child under 18, please contact us immediately at [email protected] and we will take prompt steps to delete that data.
How to Raise a Complaint
We take data protection seriously and are committed to handling all privacy concerns promptly and fairly. If you have a complaint about how we have handled your personal data, we ask that you first raise it with us directly so we have the opportunity to resolve it.
Step 1 — Contact us internally:
- Email: [email protected]
- Subject line: "Data Protection Complaint"
- Please describe your concern clearly and include your contact details
- We will acknowledge your complaint within 5 business days and aim to resolve it within 30 calendar days
Step 2 — Escalate to the ICO: If you are not satisfied with our response, or if we fail to respond within the required timeframe, you may raise your concern with the Information Commissioner's Office (ICO), the UK's independent data protection supervisory authority.
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Under the Data (Use and Access) Act 2025, you retain the ability to raise concerns with the ICO. The ICO continues to facilitate complaints under s.165 of the DPA 2018. We encourage you to contact us first, as we can often resolve concerns more quickly directly.
Changes to This Privacy Policy
We review and update this Privacy Policy periodically to reflect changes in our practices, technology, or applicable law — including guidance issued by the ICO following the Data (Use and Access) Act 2025 implementation. When we make material changes, we will update the version number and "Last Updated" date at the top of this page.
Where changes are material and affect how we process your personal data, we will notify you by email (where we hold your contact details) before the changes take effect, giving you the opportunity to review the updated policy and, where relevant, withdraw consent for any new processing.
Your continued use of our website and services after the effective date of any changes will constitute your acknowledgement of the updated policy.