VistaConnect

    VistaConnect Non-Disclosure Agreement

    Version: 2.0 Effective from: 2026-04-22 Last reviewed: 2026-04-22

    About this agreement

    This Agreement governs the confidentiality of the information you share with Data HQ Limited when you use the VistaConnect platform. Because Data HQ handles personal data that you upload, this Agreement also contains the contractual clauses required by Article 28 of the UK GDPR (the "DPA Clauses" in section 17 below), so that Data HQ may lawfully act as a data processor on your behalf. Our Privacy Notice covers Data HQ's own data-handling practices as a controller and sits alongside this Agreement.

    You accept this Agreement when you create a VistaConnect account and tick the acceptance box. No signatures are required on either side — your affirmative acceptance (a recorded click-through with full display of the Agreement text) and Data HQ's offer of the platform together form a binding agreement. We keep an immutable record of the version you accepted, the date, the time and the IP address from which acceptance was recorded.

    Current and past versions are available at vista.datahq.co.uk/legal/nda and a PDF copy is available from your account dashboard.

    1. Parties

    This Agreement is between:

    • Data HQ Limited (company number 03751685), registered at Saxon House, 27 Duke Street, Chelmsford, Essex CM1 1HT ("Data HQ" or "the Recipient"); and
    • the person or organisation accepting these terms through the VistaConnect platform ("you" or "the Client"). Your identifying details are those recorded on your VistaConnect account at the time of acceptance and any subsequent verified update.

    2. Subject matter

    You have chosen to use Data HQ's VistaConnect platform for one or more of the following purposes (the "Project"):

    • uploading data for matching and enrichment against Data HQ's B2B database (the "Data Audit" feature);
    • building targeted company and contact lists (the "List Builder" feature);
    • uploading your existing customer list to generate look-alike selections (the "Find Look-alikes" / ICP Builder feature);
    • accessing Data HQ data via API; and
    • any other functionality Data HQ makes generally available on the platform from time to time.

    To use the Project, it may be necessary for you to disclose confidential information to Data HQ. This Agreement sets out how Data HQ will protect that information.

    3. Confidential Information

    "Confidential Information" means all information you disclose to Data HQ through the VistaConnect platform, or that Data HQ observes while providing the Project, including but not limited to:

    • files you upload (customer lists, prospect lists, CRM exports) and the rows, columns, identifiers and field contents within those files;
    • filter selections and search parameters that reveal commercial intent;
    • saved and purchased lists and their contents;
    • configuration, copy, brand voice and content you enter into any AI-assisted feature;
    • your billing, contact and account-admin information;
    • any other information that you, or someone acting on your behalf, submit to the platform.

    "Confidential Information" also includes analyses, compilations or notes derived from any of the above.

    "Affiliates" has the meaning given in sections 1159 and 1162 of the Companies Act 2006.

    Aggregated data carve-out. Data that has been irreversibly aggregated or anonymised such that it cannot reasonably identify you, an Affiliate, or any natural person, is not Confidential Information. Data HQ may use such aggregated data for platform improvement, benchmarking and internal analytics.

    No client-specific derived outputs. For the avoidance of doubt, Data HQ will not use your Confidential Information — including uploaded records, list filters, saved ICPs, enrichment preferences and query patterns — to derive models, lookalike datasets, targeting logic or other outputs that are specific to you and that are then made available to any other customer. This restriction is independent of, and survives, the aggregated-data carve-out above.

    General learnings. Nothing in this Agreement restricts Data HQ from using the general learnings, statistical patterns, operational metrics and product-improvement insights arising from its provision of the Services (including capacity planning, UX improvements, platform reliability, internal model tuning for non-customer-specific features such as CSV field-mapping heuristics), provided such use does not: (a) identify you or any Affiliate; (b) disclose Confidential Information to any third party; or (c) produce an output that falls within the "No client-specific derived outputs" paragraph above.

    4. Data HQ's obligations

    All Confidential Information received by Data HQ from you:

    • (a) will be held in confidence and not disclosed to any third party without your prior written consent, except to Data HQ sub-processors listed in the Privacy Notice as necessary to provide the Project;
    • (b) will not be used for any purpose other than providing the Project to you;
    • (c) will be retained for no longer than set out in the VistaConnect Data Retention Schedule, published at vista.datahq.co.uk/legal/retention and updated from time to time;
    • (d) will be deleted within 24 hours of receipt of a written request from you (for example emailed to legal@datahq.co.uk), subject to the statutory exceptions set out in the Retention Schedule and to the backup retention period described in section 17.9 below.

    5. Exceptions

    The obligations in section 4 do not apply to any information which:

    • (a) is already in the public domain, or becomes available to the public through no breach of this Agreement by Data HQ;
    • (b) was in Data HQ's possession before you disclosed it, provided Data HQ can demonstrate that prior possession;
    • (c) is received by Data HQ from an independent third party who is not bound by an obligation of confidentiality to you; or
    • (d) is independently developed by Data HQ without using your Confidential Information.

    6. Legal or regulatory disclosure

    If Data HQ is compelled by law, a court order, a regulator or a government agency to disclose any of your Confidential Information, Data HQ will notify you in writing as soon as reasonably practicable (unless notifying you is itself unlawful) so that you can either waive the obligation or seek a protective remedy. Data HQ will disclose only the portion of Confidential Information that it is legally required to disclose and will cooperate with reasonable steps you take to limit disclosure.

    7. Access by Data HQ personnel

    Data HQ will only allow its Confidential Information to be accessed by those employees, contractors and sub-processors who need access in order to provide the Project. All such personnel are bound by contractual confidentiality obligations consistent with this Agreement.

    8. Return or deletion on request or account closure

    On written request from you, or when you close your VistaConnect account, Data HQ will delete your Confidential Information in accordance with the Retention Schedule, except for records it is legally required to keep (such as VAT invoices and payment history, retained under UK tax law for up to seven years).

    9. No licence or partnership

    Nothing in this Agreement grants you or Data HQ any licence over the other party's intellectual property, trademarks, patents or copyrights. Nothing in this Agreement creates a partnership, agency, joint venture or employment relationship between the parties.

    10. No obligation to transact

    Nothing in this Agreement obliges either party to enter into any further commercial arrangement. Your subscription and any paid use of VistaConnect are governed by the separate VistaConnect Terms of Service and the published pricing.

    11. No warranty

    Data HQ makes no representation or warranty, express or implied, as to the accuracy or completeness of any information you disclose under this Agreement, and has no liability under this Agreement for the content of the information itself.

    12. Remedies for breach

    Without limiting section 13 (Limitation of liability), you may seek an injunction to restrain a threatened or actual breach of this Agreement by Data HQ, in addition to any other remedy available to you at law or in equity. The existence of injunctive relief does not exclude any other remedy.

    13. Limitation of liability

    13.1 Standard cap

    Subject to sections 13.2 and 13.3, Data HQ's total aggregate liability to you under or in connection with this Agreement is limited to the greater of:

    • (a) the fees paid to Data HQ by you for the VistaConnect platform in the 12 months immediately preceding the event giving rise to the claim; and
    • (b) £10,000.

    13.2 Liability that remains uncapped

    Nothing in this Agreement limits or excludes Data HQ's liability for:

    • fraud or fraudulent misrepresentation;
    • death or personal injury caused by Data HQ's negligence; or
    • any other liability that cannot lawfully be excluded or limited under English law.

    13.3 Enhanced cap for serious breach

    The standard cap in section 13.1 does not apply to Data HQ's liability for: (a) wilful misconduct; (b) gross negligence; or (c) deliberate breach of section 4 (Data HQ's obligations in respect of Confidential Information) or section 7 (Access by Data HQ personnel). For such claims, Data HQ's total aggregate liability is instead limited to the greater of:

    • (i) the fees paid to Data HQ by you for the VistaConnect platform in the 24 months immediately preceding the event giving rise to the claim; and
    • (ii) £250,000.

    13.4 Exclusions

    In no event, whether under the standard cap or the enhanced cap, is Data HQ liable for: loss of profits; loss of business opportunity; loss of goodwill; or any indirect, consequential or punitive damages, in each case howsoever arising.

    13.5 One cap across all VistaConnect documents

    The caps in sections 13.1 and 13.3 apply to Data HQ's total liability arising out of or in connection with this Agreement, the Terms of Service and the VistaConnect Services, taken together and in aggregate. If a claim could be framed both under this Agreement and under the Terms of Service, the caps are not cumulative and you may recover only once, up to the applicable cap above.

    14. Changes to this Agreement

    Data HQ may update this Agreement from time to time. A change is material if it:

    • (a) reduces or limits any right or remedy you have under this Agreement;
    • (b) expands the permitted purposes for which Data HQ may use your Confidential Information;
    • (c) weakens any obligation of confidentiality or security; or
    • (d) adds a new category of sub-processor or changes the location of primary processing.

    For material changes, Data HQ will notify you by email at least 14 days before the change takes effect and you will be prompted to explicitly re-accept on next login. Continued use after the effective date of a material change, following a prompt and opportunity to re-accept, constitutes acceptance.

    Non-material changes (such as typographical corrections, clarifications, or updates to public-facing links) may be made without re-acceptance, but the changelog published at vista.datahq.co.uk/legal/nda/changelog records each update.

    15. Governing law, jurisdiction and third-party rights

    This Agreement is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the English courts in respect of any dispute arising out of or in connection with this Agreement. No term of this Agreement is enforceable under the Contracts (Rights of Third Parties) Act 1999 by a person who is not a party to it.

    16. General

    • Notices. Written notices under this Agreement may be given: to Data HQ, by email to legal@datahq.co.uk with postal copy to Saxon House, 27 Duke Street, Chelmsford, Essex CM1 1HT; to you, by email to the address associated with your VistaConnect account.
    • Force majeure. Neither party is liable for any failure or delay in performance caused by events beyond its reasonable control, including acts of God, industrial action, telecommunications or utility failures, acts of government, or pandemic, provided the affected party takes reasonable steps to mitigate and keeps the other informed.
    • Severability. If any provision of this Agreement is held invalid or unenforceable, the remaining provisions continue in full force.
    • Waiver. No failure or delay in exercising any right under this Agreement is a waiver of that right, and no single or partial exercise of a right prevents its further exercise.
    • Survival. Sections 4, 5, 6, 8, 9, 11, 12, 13, 15, 16 and 17 survive termination of this Agreement.
    • Entire agreement. This Agreement, the Privacy Notice, the Retention Schedule and the Terms of Service constitute the entire agreement between you and Data HQ in respect of the VistaConnect platform and supersede any previous understandings relating to the same subject matter, except for any manually signed bilateral agreement that expressly overrides these terms.

    17. Data processing (Article 28 UK GDPR)

    This section sets out the terms on which Data HQ processes personal data on your behalf as a data processor, where you are the data controller in respect of data you upload to the platform. This section applies in addition to, and does not displace, the preceding sections of this Agreement.

    17.1 Subject-matter, duration, nature and purpose

    Data HQ processes personal data you submit through the VistaConnect platform for the duration of your account, strictly for the purpose of providing the Project features described in section 2.

    17.2 Categories of personal data

    The personal data processed may include: names, job titles, work email addresses, work telephone numbers, business postal addresses, company identifiers, and any other personal data contained in the files you upload. You agree not to upload special-category personal data (UK GDPR Article 9) to the platform.

    17.3 Categories of data subjects

    Typically: your employees, prospects, customers, contacts at companies in your business network, and individuals referenced in lists you upload for matching.

    17.4 Instructions

    Data HQ processes personal data only on your documented instructions. Acceptance of this Agreement and normal use of the platform constitute those instructions. You may issue additional instructions via legal@datahq.co.uk; Data HQ will confirm feasibility before acting on them.

    17.5 Confidentiality

    Data HQ ensures that personnel authorised to process personal data are bound by enforceable confidentiality obligations.

    17.6 Security (Article 32)

    Data HQ implements appropriate technical and organisational measures to protect personal data, including (without limitation): TLS encryption in transit; encryption at rest for databases and backups; role-based access control with mandatory multi-factor authentication for production systems; network segmentation; regular security patching; and incident-response procedures.

    17.7 Sub-processors

    Data HQ engages sub-processors to deliver the platform. A current list is published in the Privacy Notice. Data HQ will give you at least 30 days' notice of any proposed addition or change of sub-processor and you may object within that period on reasonable grounds. Data HQ and you will discuss the objection in good faith. If the parties cannot agree on a mutually acceptable outcome, your sole and exclusive remedy is to discontinue use of the feature that depends on the objected-to sub-processor (or, where no lesser remedy is feasible, to terminate use of the Project in accordance with section 8); no other remedy, damages or right to withhold fees arises from the change.

    17.8 Assistance with data subject rights

    Data HQ assists you in responding to requests from data subjects exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection). Data HQ will inform you of any request it receives directly from one of your data subjects and will not respond without your instructions, unless legally compelled.

    17.9 Deletion and return

    Deletion of personal data from Data HQ's live systems ordinarily occurs within 24 hours of a valid written request or of the retention periods in the Retention Schedule expiring, whichever is sooner. On termination of your use of the Project, or on your written instruction, Data HQ will complete deletion or return of all personal data it processes on your behalf (including any derived or cached copies outside the primary data stores) within 30 days. Residual data on time-limited system backups persists for up to 7 additional days while the backup window rolls forward; this residual data is not accessible for operational use and will be automatically aged out. Data that Data HQ is required to retain under applicable law (for example, financial records under UK tax law) may be retained for as long as required.

    17.10 Audit

    Data HQ will make available to you information reasonably necessary to demonstrate compliance with this section 17, including summary descriptions of its information-security programme. For on-site audits, Data HQ reserves the right to request reasonable notice, scope limitation and a mutually agreed cost contribution.

    17.11 International transfers

    Primary processing takes place in the United Kingdom (Microsoft Azure UK South). Where personal data is transferred to a country without a UK adequacy decision, Data HQ relies on the UK International Data Transfer Agreement, or on EU Standard Contractual Clauses with the UK Addendum, together with supplementary measures as appropriate.

    17.12 Breach

    Data HQ will notify you of any personal-data breach affecting data it processes on your behalf without undue delay, and in any event within 72 hours of Data HQ becoming aware, providing the information reasonably required for you to meet your own obligations under UK GDPR Article 33.

    17.13 Client warranties on uploaded data

    You warrant and represent that, for any personal data you upload, submit, or otherwise cause Data HQ to process through the Project:

    • (a) you have a lawful basis under UK GDPR for the processing you instruct Data HQ to carry out;
    • (b) the data was collected lawfully, fairly and transparently, and individuals have received any notice required under Articles 13 or 14 UK GDPR;
    • (c) you have not breached any contractual, licensing or other restriction placed on you by the source of the data;
    • (d) the data does not include special-category data (Article 9) or criminal-offence data (Article 10) unless you have explicitly notified Data HQ and obtained written confirmation that the Project may lawfully process that category; and
    • (e) you will notify Data HQ without undue delay if you become aware that any of the above has ceased to be true.

    If a data-subject complaint, regulator enquiry or third-party claim arises from a breach of this section, you will indemnify Data HQ against the reasonable costs Data HQ incurs in responding, to the extent those costs are attributable to your breach. This indemnity is without prejudice to Data HQ's own obligations as processor.

    Acceptance

    By ticking the acceptance box and clicking Create account (or equivalent action) on the VistaConnect signup or terms-update page, you confirm that:

    • you have read, understood and agree to be bound by this Agreement;
    • you are at least 18 years old; and
    • where you are accepting on behalf of an organisation, you have the authority to bind that organisation, and references to "you" in this Agreement are to that organisation.

    Questions about this document? Email legal@datahq.co.uk.