Privacy policy

We are noll.to – Yash Khare & Nicolai Schmid GbR and offer a cloud-based translation service for companies. Our application helps translate documents (e.g. PDF, Word, PowerPoint) securely and efficiently, including integrations with tools such as Microsoft 365, Google Drive or Slack.

In doing so, we necessarily process personal data, from simple contact data to usage data to document content. On this page we explain to you:

  • what data we process,
  • for what purposes we do this,
  • which service providers we work with,
  • and what rights you have under the GDPR.

We have deliberately formulated this privacy policy in a clear and practical way. If you have any questions, please contact us at any time: team@noll.to.


1. Data protection at a glance

General information

The following notes give a simple overview of what happens to your personal data when you visit this website and use our translation service. Personal data is any data with which you can be personally identified. Detailed information on the topic of data protection can be found in the following sections of this privacy policy.

Data collection on this website and in our application

Who is responsible for data collection?

Data processing on this website and within our application is carried out by the website and service provider:

noll.to – Yash Khare & Nicolai Schmid GbR
Viertelkamp 44
23611 Bad Schwartau
Germany

E-mail: team@noll.to

How do we collect your information?

On the one hand, your data is collected when you provide it to us. This can be, for example, data that you enter into a contact form, provide during registration, or provide through our integrations.

Other data is automatically processed by our IT systems when you visit the website or use our services. This is mainly technical data (e.g. internet browser, operating system or time of page access) as well as usage data in the application. This data is collected automatically when you enter this website or use our services.

What do we use your data for?

Part of the data is collected in order to ensure the error-free provision of the website and our application. Other data is used to provide contractual services (translations, billing), to respond to your enquiries, to improve our products, or to monitor your user behaviour in anonymised or pseudonymised form (e.g. with PostHog or HubSpot).

As part of our translation service, the data transmitted is used for the purpose of fulfilment of the contractual service, for the provision of translations and for billing purposes.

What rights do you have regarding your data?

You have the right at any time to obtain information free of charge about the origin, recipient and purpose of your stored personal data. You also have a right to request the rectification or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data in certain circumstances. Furthermore, you have a right to lodge a complaint with the competent supervisory authority.

For this and other questions on the subject of data protection, you can contact us at any time.

Analytics and third-party tools

When visiting this website and using our application, your usage behaviour can be statistically evaluated. This is mainly done with so-called analysis programs (e.g. PostHog) as well as via our CRM (HubSpot).

Detailed information about these analysis programs and other service providers can be found in the following sections of this Privacy policy.


2. Personal data – categories at a glance

The following table gives a brief overview of the most important categories of personal data that we process in accordance with this Privacy Policy.

| Category of personal data | Examples of the data we process | Categories of third parties/processors with whom we share this data |
| --- | --- | --- |
| Profile / Contact Details | First and last name, email address, company name, mailing address, role, phone number (if provided) | Hosting & infrastructure providers (e.g., Vercel, Azure), CRM & marketing (HubSpot), email service (Resend), payment service (Polar), internal tools (Google Workspace, Linear), cloud integrations (e.g., Microsoft, Google, Slack) |
| Account & Authentication Data | Login email, password hash, authentication logs (logins, failed logins), session IDs | Hosting & infrastructure providers (Vercel, Azure), internal tools (Linear), security / logging tools if applicable |
| Communication | Content of contact forms, support requests, e-mail correspondence, newsletter preferences | Email service (Resend), CRM & marketing (HubSpot), internal tools (Google Workspace, Linear) |
| Document & Translation Data | Uploaded documents (PDF, Word, PPTX, text), file names, file types, source and target languages | Translation infrastructure (Azure), hosting & storage (Vercel), internal tools for error analysis in exceptional cases (Linear) |
| Usage & Service Data | Feature usage, number of translations, job IDs, timestamps, language pairs, file types, usage per plan | Analytics (PostHog), hosting & infrastructure (Vercel, Azure), internal tools (Linear), CRM (HubSpot) |
| Device / technical data | Browser type and version, operating system, referrer URL, hostname, time of server request (no IP in logs) | Hosting & infrastructure (Vercel), analytics (PostHog) |
| Web Analytics Data | In-app events, clicks, session flows, anonymized IPs, technical metadata (browser, OS) | Analytics (PostHog) |
| Payment & Billing Information | Name, email, company, billing address, tax details, payment details (e.g. card type, IBAN via Polar), billing and transaction data | Payment service / merchant of record (Polar), accounting / tax service provider if applicable |
| Marketing & CRM Data | Lead and customer data, interaction history, campaign data, newsletter subscriptions and unsubscriptions | CRM & marketing (HubSpot), email service (Resend), analytics (PostHog) |
| Integration & Platform Data | Data from connected services (e.g., SharePoint, OneDrive, Google Drive, Teams, Outlook, Slack), such as file references and required access tokens | Cloud integration providers (Microsoft, Google, Slack), hosting & infrastructure (Azure, Vercel) |

The other sections of this Privacy Policy explain in detail how we specifically use these categories of data, on what legal basis and with what protective measures.


3. Hosting

We host the content of our website and our application with the following provider:

Vercel (EU region)

This website and the backend services are hosted by Vercel. The personal data collected on this website is processed on servers of the hoster in EU regions. This can include, in particular: request metadata (no IP addresses), contact requests, meta and communication data, contract data, contact data, names, website accesses and other data generated through a website.

The hosting is carried out for the purpose of fulfilling the contract vis-à-vis our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a safe, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR).

Our hoster will only process your data to the extent that this is necessary for the fulfilment of its performance obligations, and will follow our instructions with regard to these data.

Provider:

Vercel Inc.
440 N Barranca Ave #4133
Covina, CA 91723
USA

Order processing

We have concluded a data processing agreement (DPA) with Vercel. This is a contract prescribed by data protection law which ensures that Vercel processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.


4. General information and mandatory information

Privacy

The operators of these sites take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations as well as this privacy policy.

When you use this website or use our services, various personal data is collected. Personal data is data with which you can be personally identified. This Privacy Policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.

We would like to point out that data transmission on the Internet (e.g. communication by e-mail) can have security gaps. Complete protection of the data from access by third parties is not possible.

Note on the responsible body

The person responsible for data processing on this website is:

noll.to – Yash Khare & Nicolai Schmid GbR
Viertelkamp 44
23611 Bad Schwartau
Germany

E-mail: team@noll.to

The controller is the natural or legal person who alone or jointly with others decides on the purposes and means of the processing of personal data (e.g. names, e-mail addresses, etc.).

A data protection officer has not been appointed. For all enquiries, please use the contact details given above.

Storage period

Unless a more specific storage period is stated within this privacy policy, your personal data will remain with us until the purpose of the data processing no longer applies. If you make a legitimate deletion request or revoke consent to data processing, your data will be deleted, unless we have other legally permissible reasons for storing your personal data (e.g. tax or retention periods under commercial law); in the latter case, the deletion takes place after these reasons cease to apply.

General information on the legal basis for data processing

If you have consented to the data processing, we will process your personal data on the basis of Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR, provided that special categories of data pursuant to Art. 9 (1) GDPR are processed.

If your data is necessary for the performance of the contract or for the execution of pre-contractual measures, we process your data on the basis of Art. 6 (1) (b) GDPR.

Furthermore, we process your data insofar as it is necessary for the fulfilment of a legal obligation, on the basis of Art. 6 (1) (c) GDPR.

The data processing may also be carried out on the basis of our legitimate interest in accordance with Art. 6 (1) (f) GDPR (e.g. hosting, IT security, internal administrative purposes).

The relevant legal bases in each individual case are discussed in the following paragraphs of this Privacy Policy.

Recipients of personal data

As part of our business activities, we work together with various external entities. In some cases, it is also necessary to transmit personal data to these external entities.

We will only share personal data with external entities:

  • if this is necessary in the context of the performance of a contract,
  • where we are required to do so by law (e.g. disclosure of data to tax authorities),
  • if we have a legitimate interest in passing it on, or
  • if there is another legal basis that allows the data to be passed on.

When using processors, we pass on our customers' personal data only on the basis of a valid contract for order processing. In the case of joint processing, a contract for joint processing is concluded.

Withdrawal of your consent to data processing

Many data processing operations are only possible with your explicit consent. You can revoke your consent at any time. The legality of the data processing remains unaffected by the revocation.

Right to object to data collection in special cases as well as to direct marketing (Art. 21 GDPR)

IF THE DATA PROCESSING IS CARRIED OUT ON THE BASIS OF ART. 6 PARA. 1 LIT. E OR F GDPR, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME, FOR REASONS ARISING FROM YOUR SPECIAL SITUATION, TO THE PROCESSING OF YOUR PERSONAL DATA; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. FOR THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED, PLEASE REFER TO THIS PRIVACY POLICY. IF YOU LODGE AN OBJECTION, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA UNLESS WE ARE ABLE TO DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ASSERTION, EXERCISE OR DEFENCE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21 PARA. 1 GDPR).

IF YOUR PERSONAL DATA IS PROCESSED FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSES OF SUCH ADVERTISING; THIS ALSO APPLIES TO PROFILING, INSOFAR AS IT IS ASSOCIATED WITH SUCH DIRECT ADVERTISING. IF YOU OBJECT, YOUR PERSONAL DATA WILL NO LONGER BE USED FOR THE PURPOSE OF DIRECT MARKETING (OBJECTION ACCORDING TO ART. 21 PARA. 2 GDPR).

Right to lodge a complaint with the competent supervisory authority

In the event of violations of the GDPR, the data subjects have a right of appeal to a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the presumed violation. The right of appeal exists without prejudice to other administrative or judicial remedies.

Right to data portability

You have the right to have data that we process in an automated manner on the basis of your consent or in performance of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this is only done to the extent that it is technically feasible.

Information, correction and deletion

You have the right at any time, within the framework of the applicable legal provisions, to receive information free of charge about your stored personal data, its origin and recipients and the purpose of the data processing and, if applicable, a right to rectification or deletion of this data. For this and other questions about personal data, you can contact us at any time.

Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. You can contact us at any time for this. The right to restriction of processing exists in the following cases:

  • If you dispute the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of the review, you have the right to request the restriction of processing of your personal data.
  • Where the processing of your personal data happened/happens unlawfully, you can request the restriction of data processing.
  • If we no longer need your personal data, but you need it to exercise, defend or assert legal claims, you have the right to request the restriction of the processing of your personal data.
  • If you have filed an objection pursuant to Art. 21 (1) GDPR, a balancing of your interests and ours must be carried out. As long as it is not yet clear whose interests prevail, you have the right to demand the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, this data may, apart from its storage, only be used with your consent or to assert, exercise or defend legal rights or to protect the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State.


5. Data collection on this website and in the application

Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are in particular:

  • Browser type and version
  • operating system used
  • Referrer URL
  • Hostname of the accessing computer
  • Time of the server request

IP addresses are not stored in our log files.

This data will not be merged with other data sources.

This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and the optimization of its website.

Contact

If you send us inquiries via the contact form, your information from the enquiry form, including the contact details you provide there (name, e-mail, company, message), will be stored by us for the purpose of processing the request and in case of follow-up questions. We do not disclose this data without your consent.

The processing of this data is carried out on the basis of Art. 6 para. 1 lit. b GDPR, if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR), provided that this was requested.

Enquiry by e-mail

If you contact us by e-mail, your enquiry, including all of the personal data it contains (name, e-mail address, enquiry), will be stored and processed by us for the purpose of processing your request. We do not pass on this data without your consent.

The processing of this data is carried out on the basis of Art. 6 para. 1 lit. b GDPR, if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR), provided that this was requested.

Registration / User Account

You can register on our website to use our translation service. As part of registration and use, we process in particular:

  • Full name
  • E-mail address
  • Access data / authentication data (password hash)
  • Authentication and security logs (e.g. logins, failed login attempts)
  • Usage data (e.g. number of translations, functions used)
  • Billing-relevant data (e.g. usage per tariff, target languages, file types)

Data processing is carried out on the basis of Art. 6 (1) (b) GDPR (performance of the contract).

Data in the user account remains stored as long as the account is active. You can delete your user account yourself at any time. Statutory retention obligations (especially for invoice data) remain unaffected.


6. Our translation service

Type and purpose of data processing

We offer a cloud-based document translation service. As part of this service, we process in particular:

  • Uploaded documents (PDF, Word, PPTX, text)
  • Metadata of the documents (file name, file extension)
  • Language pairs (source and target language)
  • User and Account Information
  • Usage and billing data

The processing is carried out in order to provide the contractually owed translation service, for the provision of results and for accounting (Art. 6 para. 1 lit. b GDPR).

Transmission channels for documents

You can submit documents in the following ways:

  • Web upload via our website
  • Email attachments
  • API
  • Integrations:
    • Microsoft SharePoint
    • Microsoft OneDrive
    • Google Drive
    • Microsoft Teams
    • Outlook
    • Slack

The same security and privacy measures apply to all transmission channels.

Sensitive and special categories of personal data

Documents can contain personal data, business-critical information or special categories of personal data within the meaning of Article 9(1) GDPR (e.g. health data, data on criminal proceedings). We advise against using highly sensitive documents without additional safeguards.

We reserve the right to suspend the processing of certain documents or use cases if this poses an increased risk to the rights and freedoms of the data subjects.

Technical Processing (Azure)

For the actual translation, we only use Azure Translation Services (Microsoft). Processing takes place exclusively in data centers in the EU (e.g. West Europe, North Europe).

Processed data:

  • Complete document content
  • Metadata (file name, language pairs, file extension)

The data is transmitted to Azure in encrypted form (TLS), and the storage is encrypted at rest (e.g. AES-256).

Customer data is not used for training purposes or for the quality improvement of models. The translations are carried out fully automatically without human intervention.

Legal basis: Art. 6 para. 1 lit. b GDPR (performance of contract).

Azure Subprocessor Standard Formulations

For Azure, in terms of its processor role:

  • Name: Microsoft Corporation
    Address: One Microsoft Way, Redmond, WA 98052, USA

  • EU entity / DPA party:
    Microsoft Ireland Operations Limited
    One Microsoft Place, South County Business Park, Leopardstown,
    Dublin 18, D18 P521, Ireland

  • Role: Processor for document/text content in the context of the Azure Translation Services; Microsoft Ireland Operations Limited acts as a data exporter and EU representative according to the Microsoft Data Protection Addendum (Microsoft Product and Services DPA).

Processing is carried out on the basis of the Microsoft Data Protection Addendum ("Microsoft Products and Services DPA"). Microsoft ensures compliance with the EU Standard Contractual Clauses (SCCs) as well as supplementary security measures.

Storage and deletion of documents

  • Source documents and translation results are saved by default for 48 hours to enable re-downloads and to facilitate the use of the service.
  • The storage period can be configured by the customer.
  • After the configured period has expired, documents are automatically deleted.

Users have the following options:

  • Independent deletion of documents via the user account
  • Deletion request by e-mail to team@noll.to
  • Deletion of the entire customer account

Regardless, we retain certain log and billing data long-term (without document content) in accordance with statutory retention periods.

Logs and billing data

For billing and the operation of the service, we store:

  • Job IDs and timestamps
  • Language pairs
  • File types (e.g. pdf, docx, pptx, txt)
  • Usage metrics (e.g., number of characters, number of documents)
  • Customer and account references

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR (performance of contract) and Art. 6 (1) (c) GDPR (tax and retention obligations under commercial law).

Access and confidentiality

Only selected roles in our company have access (e.g. founders, engineering / support in individual cases). In principle, such access only takes place if it is strictly necessary for error analysis, to handle support requests or to defend against abuse.

The document content will not be passed on to third parties who are not acting as processors in the context of this service (in particular Azure and Vercel as technical infrastructure).


7. Payment Processing

Polar.sh (Merchant of Record)

We use Polar.sh for payment processing and invoicing. The provider is:

POLAR SOFTWARE INC.
548 Market St PMB 61301
San Francisco, CA 94104-5401
USA

Polar acts as a Merchant of Record (MoR) and is therefore the reseller of our digital services. Polar operates local business units (e.g. in Germany) and in particular handles:

  • Payment processing (credit card, SEPA, etc.)
  • Invoicing
  • Tax treatment (e.g. VAT)

At Polar you will find a clear table of the processed data and the respective purposes directly at the beginning of the privacy policy: https://polar.sh/legal/privacy

As part of the payment processing, the following data is processed, among others:

  • First and last name
  • E-mail address
  • Company name
  • Billing address
  • Payment data (e.g. credit card details, SEPA information)
  • Transaction and billing data

Legal bases:

  • Art. 6 (1) (b) GDPR (performance of a contract)
  • Art. 6 (1) (c) GDPR (statutory retention obligations under tax and commercial law)

Billing and payment data are generally stored for 10 years in accordance with the requirements of § 147 AO and § 257 HGB.

Data transfer to Polar and, if applicable, integrated payment service providers is based on EU Standard Contractual Clauses (SCCs) and additional technical and organisational measures (e.g. encryption).

Further information: https://polar.sh/legal/privacy

Order processing

We have concluded a data processing agreement (DPA) with Polar that ensures GDPR-compliant processing.


8. E-mail communication and newsletters

Resend (transactional emails and newsletter dispatch)

For sending e-mails (transactional e-mails and newsletters) we use Resend. The legal entity is:

Name: PLUS FIVE FIVE, INC.
Address: 2261 Market Street #5039, San Francisco, CA 94114, USA
Contact (data protection): Resend Security – privacy@resend.com

Resend is used to send:

  • Transactional emails (e.g., account creation, password reset, notifications, translation results, invoices)
  • Newsletters (if you have explicitly consented to receive them)

Processed data:

  • E-mail address
  • Name (if provided)
  • Email content
  • Delivery and open rates (delivery and open tracking, without IP addresses)

Resend hosts data in Dublin (EU). The use is based on Art. 6 para. 1 lit. b GDPR (performance of contract in the case of transactional e-mails) and Art. 6 (1) (a) GDPR (consent when sending newsletters).

You can revoke your consent to receive newsletters at any time (e.g. via the unsubscribe link in the newsletter).

Resend's Data Processing Agreement (DPA): https://resend.com/legal/dpa

Further information: https://resend.com/legal/privacy-policy

Order processing

We have entered into a DPA with Resend that ensures GDPR-compliant processing.

Newsletter and marketing emails (Resend & HubSpot)

If you would like to subscribe to our newsletter or receive marketing emails, we use Resend and HubSpot for this:

  • Processing only after explicit consent (Art. 6 para. 1 lit. a GDPR)
  • You can unsubscribe at any time via the unsubscribe link or by contacting us

We do not use unsolicited e-mail advertising to private individuals. For B2B contacts an approach can be made within the framework of the legitimate interest, provided that this is legally permissible (e.g. § 7 UWG).


9. Analysis tools

PostHog

We use PostHog to analyze user and product behavior. The provider is:

PostHog Inc.
2261 Market St PMB 4008
San Francisco, CA 94114
USA

PostHog is operated by us in an EU region.

Processed data:

  • Events within the application (e.g. use of certain functions, clicks)
  • Timestamps
  • Anonymized IP addresses
  • Technical metadata (e.g. browser, operating system)

The processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR (legitimate interest in product improvement and usage analysis).

We use PostHog without creating personal user profiles with consequences. The IP addresses are processed anonymously.

Order processing

We have concluded a DPA with PostHog. The processing is carried out exclusively according to our instructions and in EU regions.


10. CRM and Sales

HubSpot CRM & Marketing

We use HubSpot as a CRM and marketing platform. The provider is:

HubSpot Inc.
25 First Street
Cambridge, MA 02141
USA

HubSpot is used by us to manage:

  • Leads and Customers (Contact Management)
  • Email communication (partial)
  • Marketing measures (e.g. newsletters, campaigns)
  • Forms and landing pages (e.g. contact forms)
  • Integration of certain tracking functions on marketing pages

Processed data may include:

  • Name
  • E-mail address
  • Enterprise
  • Telephone number
  • Website
  • Interaction history (e.g., email history, notes)
  • Marketing and campaign data

The processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient sales and marketing) and, to the extent necessary, on the basis of your consent (Art. 6 para. 1 lit. a GDPR), especially for the newsletter.

HubSpot may use tracking technologies (e.g., pixels, cookies) to track visits to our marketing pages. We use HubSpot tracking without a separate cookie banner, but we rely on our legitimate interest (Art. 6 para. 1 lit. f GDPR) and implement the tracking functionality in a data-saving way.

Information about data processing by HubSpot: https://legal.hubspot.com/de/product-privacy-policy

The transfer to the USA is based on Standard Contractual Clauses (SCC) and additional safeguards.

Order processing

We've signed a DPA with HubSpot.

LinkedIn Sales Navigator

We use LinkedIn Sales Navigator exclusively internally as part of our B2B sales activities. No LinkedIn pixels or plugins appear on our website.

In LinkedIn Sales Navigator, we can research company and contact information and align it with our CRM (HubSpot). The use is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in effective sales in the B2B sector).


11. Internal Tools and Product Improvement

Google Workspace

We use Google Workspace (Gmail, Docs, Sheets, Drive) exclusively for internal communication and documentation.

Processed data:

  • Email communication with customers and partners (Gmail)
  • Internal documents on contracts, offers, roadmaps, etc. (Docs, Sheets)
  • Internal files (Drive), no storage of customer documents from translation

Google Workspace is configured for EU data regions. Processing is carried out on the basis of Art. 6 (1) (b) GDPR (performance of the contract in customer communication) and Art. 6 (1) (f) GDPR (legitimate interest in efficient internal collaboration).

Order processing

We have concluded a DPA with Google in accordance with Art. 28 GDPR.

Linear (product management and support)

We use Linear to manage product development, roadmaps, and support. The legal entity is:

Linear Orbit, Inc.
a Delaware corporation
Address: 2261 Market St STE 10632, San Francisco, CA 94114, USA

In Linear, the following are typically processed:

  • Customer names and email addresses as part of support tickets
  • Debugging information (e.g. error logs, error descriptions)
  • Product feedback and feature requests

Linear hosts data in EU regions and is SOC 2 Type II and SOC 2 GDPR compliant (see DPA: https://linear.app/dpa).

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in effective product management, troubleshooting and support).

Order processing

We have concluded a DPA with Linear that ensures GDPR-compliant processing.


12. Cookies

Our website only uses technically necessary cookies, e.g. for session management (session cookies). These cookies are necessary to improve the functions of the website.

Technically necessary cookies are stored on the basis of Art. 6 para. 1 lit. f GDPR (legitimate interest in an error-free and secure provision of our services).

We do not use a separate cookie banner because we do not use cookies that require consent (e.g. for third-party tracking, advertising purposes).


13. International Data Transfers

We configure our services in such a way that processing takes place, as far as possible and available, in EU regions. This applies in particular to:

  • Vercel (Hosting, EU region)
  • Azure (Translation Service, EU data centers)
  • PostHog (Analytics, EU region)
  • Resend (E-mail, Dublin)
  • Google Workspace (EU data region)
  • Linear (EU region)

For services where providers are based outside the EU/EEA (e.g. Polar, HubSpot, PostHog, Vercel, Linear, Resend, Microsoft), we ensure that there is an adequate level of data protection, in particular by:

  • Conclusion of EU Standard Contractual Clauses (SCC)
  • Encryption of data in transit and at rest
  • Minimization of personal data processed
  • Role-based access control and 2-factor authentication

Access from third countries (e.g. from the USA) cannot be completely excluded in individual cases (e.g. for maintenance purposes), but takes place only in compliance with the relevant data protection regulations.


14. Security

We take appropriate technical and organisational measures to protect your data from loss, misuse, unauthorized access, or disclosure. These include, in particular:

  • Encryption of data transmission via TLS
  • Encryption of data at rest (e.g., AES-256)
  • Role-based access control (need-to-know principle)
  • 2-factor authentication for internal accounts
  • Regular security updates and patches
  • Restrictive assignment of rights for production systems

15. No automated decision-making

We do not use automated decision-making, including profiling within the meaning of Art. 22 GDPR, which has legal effect on you or similarly significantly affects you.


16. Your rights as a data subject

You have the following rights vis-à-vis us in relation to the personal data concerning you:

  • Right to information (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure ("right to be forgotten", Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to revoke consent given (Art. 7 para. 3 GDPR)

To exercise your rights, please contact:

E-mail: team@noll.to

In addition, you have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data by us.


17. Changes to this Privacy Policy

We reserve the right to amend this privacy policy so that it always complies with current legal requirements or to reflect changes to our services in the privacy policy (e.g. when introducing new services, tools, or integrations).

The current version will then apply to your return visit.

Last updated: 24 November 2025