Privacy Notice

Last updated on 26 September 2025.

This notice details how we handle personal data through Nuix Discovery (the “technology”) and informs you about your rights regarding personal data. To ensure our practices are transparent, we will update this notice regularly; the latest version will be accessible here and effective from its publication date.

For clarity, in this notice, “PwC”, “us”, and “we” refer to the PwC firm responsible for controlling your personal data, as specified below. We define any information about you or that identifies you as “personal data”. Throughout this document, terms such as handling, collecting, or storing your personal data are collectively referred to as “processing”. When referring to “you”, this means you as an individual client or you acting on behalf of your organisation, which is a client of PwC.

Note that this privacy notice applies only for services in which PwC is acting as a data controller as defined in the contract or engagement letter between PwC and our client or you if you are an individual client.

What does this technology do?

Nuix Discovery is an eDiscovery and investigation platform which focuses on searching, reviewing, analysing and producing electronically stored information during legal or compliance matters.

Providing the technology

The personal data processed includes your email address, name, IP address, user actions, device information, and country of residence. We process this data to:

• ensure the provision, operation, maintenance, and security of the technology;
• manage user authentication and authorisation; and
• enhance the technology’s functionality.

These activities typically involve using small text files known as “cookies”, which we place on your device. For more details on the cookies we use, please refer to our cookie notice linked here.

This is based on our legitimate interest to provide the technology as part of our professional services or to comply with legal obligations such as implementing technical security measures. For non-essential cookies, processing is based on your consent and for the duration outlined in our cookie notice.

Provision of professional services

The client or you will provide us with a comprehensive set of data which it deems required for us to provide our professional services (each a “dataset”). This may contain both structured data and unstructured data (such as extracted emails, attachments and files in various formats (e.g. photo, video, audio, text). The dataset may also contain sensitive personal data, which includes race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and criminal records. This data should not be provided, unless it is required for the engagement. In such cases, we ensure processing is based on a relevant public interest condition or on individual consent, especially when dealing with personal clients. We process this data to:

• deliver professional services and work deliverables effectively.

This processing is essential for our legitimate interest in providing professional services to you. In certain situations, we are legally obligated to deliver services in a specific manner—such as statutory audit services—which determine how we process data.

You have access to the technology as you or the organisation you work for are clients of a PwC firm who delivers professional services. This firm is called the “controller” of your data and as each PwC firm is a separate legal entity, they are also separate controllers. If you are unsure which PwC firm this is, you can find this detailed in the engagement letter in place with you. Alternatively, you can consult our list of PwC firms linked here.

PwC firms

We may share personal data with other PwC firms when this is necessary to delivering professional services to you.

Third-party providers

We rely on third-party providers to efficiently manage the technology and share your data with them for providing the technology. This includes providers specialising in identity management, cloud storage services or application security. The providers we use run secure data centres globally and we require them to uphold security and confidentiality obligations, process data based on PwC’s instructions, and to impose equivalent obligations on their sub-processors.

Other recipients

Additionally, we may disclose personal data under specific circumstances:

• to professional advisers (e.g., auditors or law firms) as required to establish, exercise, or defend our legal rights and to seek legal counsel in running our business;
• upon your explicit request; or
• to law enforcement or other government/regulatory agencies, or other third parties as mandated by applicable laws and regulations.

Occasionally, third parties authorised by law may request personal data disclosures, such as verifying compliance with legal regulations, investigating alleged crimes, or establishing, exercising, or defending legal rights. We will only fulfil these requests when required by applicable laws and regulations.

We will only keep your personal data for as long as necessary to fulfil the purposes for which we collected it and to comply with any applicable legal, regulatory, accounting or reporting requirements.

When permissible, we may anonymise your personal data instead of deleting it. In such cases, all identifying information is removed, making it impossible to associate the data with you or your identity.

If you would like to know more about a specific retention period, please contact us using one of the ways described in the “How to contact us” section below.

While processing your personal data, it may be transferred beyond the borders of your current location. This includes transfers to countries outside the European Economic Area (“EEA”) and to regions that may not have established laws specifically protecting personal data. When your personal data is collected within the EEA, we ensure transfers occur under the following conditions:

• to recipients in countries recognised for providing an adequate level of protection for your personal data; or
• pursuant to an agreement meeting EU requirements for transferring personal data to processors or controllers outside the EEA, such as the Standard Contractual Clauses approved by the European Commission.

We follow internationally recognised standards for technology and operational security to safeguard personal data against loss, misuse, alteration, and destruction. The data centres we use are aligned with ISO 27001 security standards, and only authorised personnel have access to personal data, all of whom are bound to maintaining confidentiality. We have established a comprehensive framework of policies and procedures addressing data protection, confidentiality, and security, and we continuously review and enhance our security measures to ensure your data remains secure.

Depending on local laws, you may have certain rights concerning your data. Note that not all these rights are absolute and we will assess whether we can meet your request on a case by case basis. These rights may include:

Right to information: You can ask for details from us at any time about the personal data we process about you.

Right to rectification: If the personal data we hold about you is incorrect or incomplete, you can ask us to correct it. You can also ask that the processing is limited while we are dealing with your request.

Right to erasure: You can ask for your data to be deleted if it is no longer required for our processing or if you consider our processing is unlawful. This may result in us not being able to provide you with services.

Right to restriction: You can ask us to limit how we process your personal data.

Right to data portability: You may have the right to receive your personal data in a common data format, and you can also request that this data be transferred directly to another controller if processing is based on your consent.

Right to object: If we process your data based on legitimate interests, you have the right to object to the processing. This may result in us not being able to provide you with services.

Right to withdraw consent: If we process your data based on your consent, you can withdraw your consent for data processing at any time. However, this does not affect the lawfulness of any processing conducted prior to withdrawal.

Right to lodge a complaint: If you believe that the processing of your personal data violates applicable laws, you may have the right to file a complaint with the data protection supervisory authority in your area of residence, workplace, or where the alleged infringement occurred.

Should you have any questions on how we process personal data, want to exercise your rights or to find out who is processing your data, please reach out to your usual PwC contact or by submitting a request using the form linked here.

By using the technology, you confirm that you have read and understood this privacy notice. Where applicable law requires your consent, you consent to the processing of your personal data by us as detailed in this privacy notice.