Privacy Policy

Thank you for choosing Nasch. Nasch values your privacy and is committed to protecting your personal information. This Privacy Policy outlines how Nasch collects, uses, discloses, and protects the information you provide when you use our website (nasch.io) and related services. By using Nasch, you consent to the practices outlined in this Privacy Policy.

1. Information Collection and Use

1.1 Personal Information
When you visit Nasch or interact with our services, we may collect certain personally identifiable information, including but not limited to your name, email address, phone number, billing address, and payment information. We collect this information when you register for an account, subscribe to our newsletter, make a purchase, or contact us for support.

1.2 Usage Data
We also collect non-personal information about how you interact with our website and services. This may include your IP address, browser type, device information, pages visited, and the date and time of your visit. We use this information to analyze trends, administer the website, improve our services, and customize your experience.

2. Cookies and Tracking Technologies

Nasch is an online platform that enables organizations to measure, improve, and manage employee engagement through various tools and features, including surveys, feedback mechanisms, analytics, and communication tools.

3. Data Security

Nasch employs industry-standard security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction. However, please be aware that no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

3.1 Purpose

This Information Security Policy aims to establish guidelines and procedures to protect the confidentiality, integrity, and availability of data associated with Nasch Employee Engagement Software. The policy ensures compliance with applicable laws, regulations, and standards while safeguarding the interests of employees, clients, and stakeholders.

3.2 Scope

This policy applies to all Nasch employees, contractors, vendors, and partners who have access to the company's information systems and data. It covers all information assets, including but not limited to software, hardware, data, networks, and intellectual property.

3.3 Responsibilities

Executive Management: Responsible for approving and overseeing the implementation of the Information Security Policy.
Third Parties: Must adhere to contractual obligations regarding data protection and information security.

3.4 Information Classification

Confidential: Sensitive information that could cause significant harm if disclosed. Access is restricted to authorized personnel only.
Internal Use: Information that is not publicly available but is less sensitive than confidential information. Access is limited to Nasch employees and authorized contractors.
Public: Information that is intended for public disclosure. No specific access restrictions apply.

3.5 Access Control

User Authentication: Strong authentication methods, such as multi-factor authentication (MFA), are required for accessing Nasch systems.
Role-Based Access Control (RBAC): Access to information and systems is granted based on the principle of least privilege, ensuring that users only have access to the data necessary for their job functions.
Password Management: We recommend that passwords be changed regularly. Password sharing is strictly prohibited.

3.6 Data Protection

Data Encryption: All sensitive data must be encrypted both at rest and in transit using industry-standard encryption protocols.
Data Backup: Regular backups of critical data must be performed and stored securely. Backup data must be encrypted and tested regularly for integrity.
Data Retention: Data must be retained according to legal, regulatory, and business requirements. Data that is no longer needed must be securely deleted.

3.7 Network Security

Firewalls and Intrusion Detection: Firewalls must be implemented to protect the network from unauthorized access. Intrusion detection and prevention systems (IDPS) must be in place to monitor and respond to security incidents.
Network Segmentation: Critical systems and data must be isolated in separate network segments to minimize the risk of unauthorized access.

3.8 Third-Party Risk Management

Vendor Assessment: Third-party vendors must undergo a security assessment before being granted access to Nasch.io systems or data. Contracts must include security requirements and obligations.
Third-Party Monitoring: Continuous monitoring of third-party compliance with security standards is required. Regular audits should be conducted to ensure adherence to security practices.

3.9 Compliance

Audit and Monitoring: Regular audits of the information security program must be conducted to ensure compliance with this policy. Continuous monitoring of systems and processes must be implemented to detect and respond to security issues.

3.10 Policy Review and Updates

This policy must be reviewed and updated annually or as needed to address new threats, vulnerabilities, or changes in regulatory requirements. All updates must be approved by executive management.

3.11 Disciplinary Action

Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or contract. Legal action may be taken in cases of severe violations.

3.12 Policy Exceptions

Any exceptions to this policy must be approved by the Information Security Officer (ISO) and documented, including the justification for the exception and the duration for which it is granted.

4. Information Sharing

We may share your personal information with third-party service providers who assist us in providing, maintaining, and improving our services. These service providers are contractually obligated to protect your information and use it only for the purposes specified by Nasch.
We may also disclose your information in response to legal requirements, enforce our policies, respond to claims that content violates the rights of others, or protect the rights, property, or safety of Nasch, its users, or the public.

5. Third-Party Links

Nasch may contain links to third-party websites or services that are not owned or controlled by Nasch. This Privacy Policy applies only to information collected by Nasch. We are not responsible for the privacy practices or content of third-party websites or services. We encourage you to review the privacy policies of those third parties before providing any personal information.

6. Children's Privacy

Nasch does not knowingly collect personal information from children under the age of 13. If you are under 13, please do not provide any information on Nasch or use our services. If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information.

7. Changes to this Privacy Policy

Nasch reserves the right to update or change this Privacy Policy at any time. We will notify you of any changes by posting the new Privacy Policy on this page with a revised "last updated" date. Your continued use of Nasch after any modifications to the Privacy Policy constitutes acceptance of those changes.

8. Data Disposal After Retention Period or Contract Expiration

The purpose of this section is to outline the procedures for securely disposing of data once the retention period has expired or upon the termination of a contract. The goal is to ensure that data is irretrievably destroyed to prevent unauthorized access, disclosure, or misuse.

8.1 Data Disposal Methods

Data Deletion: All digital data must be securely deleted using methods that prevent recovery. This includes overwriting data with random patterns (e.g., using a secure deletion tool) or using built-in data sanitization features of storage devices.
Cryptographic Erasure: If the data was encrypted, cryptographic erasure may be used, where the encryption keys are securely deleted, rendering the data unrecoverable.
Physical Destruction: For storage media that can no longer be used, physical destruction (e.g., shredding, degaussing, or crushing) must be performed to ensure that the data cannot be recovered.
Paper Records: All paper records containing sensitive or confidential information must be shredded or incinerated to ensure that the information cannot be reconstructed.
Optical Media: CDs, DVDs, and other optical media must be physically destroyed, such as by shredding or pulverizing.

8.2 Data Disposal Procedures

Retention Period Review: Before data disposal, a review of the data retention period must be conducted to ensure that the data is no longer needed for legal, regulatory, or business purposes.
Authorization: Data disposal must be authorized by the Information Security Officer (ISO) or an appointed designee from the client end.
Verification: After data disposal, verification must be conducted to ensure that all copies of the data have been securely disposed of and cannot be recovered. This may include checking for residual data on backup systems or other storage locations.

8.3 Documentation and Audit

Record Keeping: Detailed records of the data disposal process must be maintained, including the date of disposal, method used, the person responsible, and any third-party involvement.
Audit Trail: An audit trail of data disposal activities must be maintained to provide evidence of compliance with this policy and to support any legal or regulatory inquiries.
Annual Review: The data disposal procedures must be reviewed annually to ensure they remain effective and compliant with current laws, regulations, and industry standards.

8.4 Contract Expiration

Client Data: Upon contract expiration, all client data must be securely disposed of according to the terms specified in the contract, 3 months after the date of expiry. This may involve returning the data to the client, securely deleting it, or a combination of both.

8.5 Exceptions and Extensions

Legal Holds: In cases where data is subject to a legal hold or ongoing investigation, the disposal process may be delayed. The data must be securely retained until the hold is lifted, after which the disposal process must proceed as outlined.
Client Requests: If a client requests an extension of data retention beyond the standard period, this must be documented, and the disposal process adjusted accordingly.

8.6 Non-Compliance

Failure to comply with the data disposal policy may result in disciplinary action and potential legal consequences. All incidents of non-compliance must be reported to the ISO and investigated thoroughly.

9. Contact Us

If you have any questions or concerns about this Privacy Policy, please contact us at nina@nasch.io. We are committed to resolving any issues regarding your privacy and will respond to inquiries in a timely manner.
By using Nasch, you acknowledge that you have read and understood this Privacy Policy and agree to abide by its terms and conditions. Thank you for choosing Nasch.