GDPR & AI Act compliance

We're based in the EU and built noll to comply with European privacy regulations from day one. Here's what that means in practice.

GDPR compliance

The General Data Protection Regulation sets strict rules for how companies handle personal data. Here's how we comply:

Data minimization

We only collect data that's necessary to provide the service. No "collect everything, figure it out later" approach.

Purpose limitation

Data we collect is used only for its stated purpose. Account emails are for account management — not marketing lists.

Storage limitation

Documents are deleted automatically after 30 minutes. We don't keep data longer than necessary.

Right to erasure

You can delete your account at any time. When you do, we delete all associated data.

Data processor agreements

Azure (Microsoft) acts as our data processor for translation. They're bound by GDPR-compliant data processing agreements.

EU data residency

All document processing happens in Azure's European data centers. Your files never leave the EU.

EU AI Act compliance

The AI Act is the EU's new framework for regulating artificial intelligence. It's particularly relevant for translation services because many competitors use customer data to train AI models.

We don't train AI on your data

This is the big one. Under the AI Act, using personal data to train AI systems requires explicit consent and transparency. We sidestep this entirely by not training on customer data at all.

  • We use Azure's translation API, which is a pre-trained model
  • Your documents are not used to improve or fine-tune any AI system
  • We have no machine learning pipeline that touches customer content

Transparency

The AI Act requires transparency about how AI systems work. Here's ours: we send your document to Azure's Document Translation API, it comes back translated, and we delete both copies. That's it.

What we don't have (yet)

We're a small company, so we don't have enterprise certifications like:

  • SOC 2 Type II
  • ISO 27001
  • HIPAA BAA

If your organization requires these certifications, we may not be the right fit today. We're working on it, but we'd rather be honest than overpromise.

Data Processing Agreement

If your organization needs a formal DPA, email privacy@noll.to. We'll get you one within a few business days.

