// Legal

Privacy Policy

Last updated: 14 May 2026 · Effective: 8 May 2026 · GDPR Compliant · Data Controller: Netherlands

◈ Summary We collect your email, hashed password, and usage analytics to operate the platform. Subscription payments are processed by Stripe — we never store card details. We do not sell your data. You have full rights under GDPR (and CCPA for California residents) to access, delete, or export your data at any time. Contact us at support@noetara.ai.

1. Who We Are

Noetara ("we", "us", "our") is an AI-powered crypto market intelligence platform. We operate from the Netherlands and are subject to the General Data Protection Regulation (GDPR) and Dutch implementing legislation (UAVG).

Data Controller:
Noetara
Amsterdam, the Netherlands
KVK: [Registration pending] · BTW-id: [Registration pending]
Email: support@noetara.ai

2. Data We Collect

Data	How Collected	Purpose	Legal Basis
Email address	Waitlist signup or registration	Account creation, early access notification, product updates, transactional emails	Consent (Art. 6(1)(a)) / Contract (Art. 6(1)(b) GDPR)
Password (bcrypt hash)	Registration form	Account authentication. We store a one-way hash only — the plaintext password is never stored or accessible.	Contract performance (Art. 6(1)(b) GDPR)
Usage analytics	Analytics beacon / pixel	Understanding page visits, feature usage, performance monitoring	Legitimate interest (Art. 6(1)(f) GDPR)
IP address / request logs	Web server logs (stored as hashed value in analytics)	Security, fraud prevention, server diagnostics	Legitimate interest (Art. 6(1)(f) GDPR)
Payment information	Stripe checkout (not stored by us)	Subscription billing. Payment card data is collected and stored exclusively by Stripe, Inc. We receive only subscription status and a tokenised customer ID.	Contract performance (Art. 6(1)(b) GDPR)
Session cookie (JWT)	Issued on login	Maintaining your authenticated session. HttpOnly flag prevents JavaScript access. Required for platform access.	Contract performance / strictly necessary (Art. 6(1)(b) GDPR)
UTM / referral parameters	URL query string on landing	Attributing traffic to marketing campaigns; conversion funnel analysis	Legitimate interest (Art. 6(1)(f) GDPR)

We do not collect payment card data directly — all payment processing is handled by Stripe, Inc. (PCI-DSS compliant). We do not sell any personal data to third parties.

3. How We Use Your Data

To contact you when Noetara launches or to provide early access
To send product updates, intelligence briefings, and platform announcements
To understand how the platform is used and improve features
To maintain security and prevent abuse
To comply with legal obligations

We will never sell, rent, or trade your personal data to third parties for marketing purposes.

4. Waitlist — Consent

When you submit your email address via our waitlist form, you are providing explicit consent for Noetara to:

Store your email address on our secure servers
Contact you with information about early access and platform updates
Send occasional product announcements related to Noetara

You may withdraw this consent at any time by emailing support@noetara.ai with the subject "Unsubscribe". Withdrawal does not affect the lawfulness of processing prior to withdrawal.

5. Analytics and Cookies

We use a lightweight analytics tool to measure page visits and understand user behaviour in aggregate. This may use cookies or similar tracking technologies.

Cookies we use:

Cookie	Type	Purpose	Expires
`session` (JWT)	Strictly necessary	Maintains your authenticated session. HttpOnly and Secure flags are set — this cookie is not accessible via JavaScript. Required for all subscriber-only features.	30 days (rolling)
Analytics beacon	Analytics (functional)	Aggregate page view and referral tracking. IP addresses are hashed before storage — no cross-site tracking.	Session / 12 months

What our analytics track:

Page views and navigation patterns
Geographic region (country level only)
Device/browser type
Referral source and UTM campaign parameters

What we do not track:

Individual identities linked to analytics data
Cross-site tracking or behavioural advertising profiles
Precise location (city, street, coordinates)

You may opt out of non-essential analytics cookies via your browser settings. The session JWT cookie cannot be disabled as it is strictly necessary for the authenticated service to function.

6. Data Retention

Data Type	Retention Period	Reason
Waitlist emails	Until launch + 12 months, or until you unsubscribe	Waitlist management; deleted after product launch window
Account data	Duration of account + 30 days after deletion request	Service delivery; 30-day window for recovery requests
Server/access logs	90 days	Security and diagnostics
Analytics data	24 months (aggregated only after 12 months)	Product improvement
Payment records	7 years	Dutch tax law (Belastingdienst) requirement

7. Your Rights (GDPR)

As a data subject under the GDPR, you have the following rights:

Right of access — Request a copy of the personal data we hold about you
Right to rectification — Request correction of inaccurate or incomplete data
Right to erasure ("right to be forgotten") — Request deletion of your personal data
Right to restriction — Request that we restrict processing of your data
Right to portability — Receive your data in a machine-readable format (JSON or CSV)
Right to object — Object to processing based on legitimate interest
Right to withdraw consent — Withdraw consent at any time for consent-based processing

To exercise any of these rights, email support@noetara.ai. We will respond within 30 days (or 3 months for complex requests). We may need to verify your identity before processing certain requests.

If you believe your rights have been violated, you may lodge a complaint with the Dutch Data Protection Authority: Autoriteit Persoonsgegevens (AP) at autoriteitpersoonsgegevens.nl.

8. Data Transfers Outside the EEA

Some of our processors are based in the United States. Specifically:

Render (hosting) — our application and database are hosted on Render Services, Inc. (US). Data processing is governed by Render's Data Processing Agreement with Standard Contractual Clauses (SCCs).
Stripe (payments) — subscription billing is handled by Stripe, Inc. (US). Stripe is certified under the EU-US Data Privacy Framework and operates under SCCs.

Where processors are located outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission, adequacy decisions, or equivalent mechanisms. You may request a copy of applicable safeguards by contacting us.

9. Third-Party Processors (Sub-Processors)

We share data with the following processors. Each is bound by a Data Processing Agreement (DPA) or equivalent contractual safeguard. A full, detailed sub-processor register — including registered addresses, processing locations, and direct links to each provider's DPA — is available at noetara.ai/sub-processors.

Processor	Purpose	Location	Safeguard
Render / Neon (Render Services, Inc.)	Application hosting and PostgreSQL database storage	United States	DPA + SCCs
Stripe, Inc.	Subscription payment processing; VAT/BTW calculation and collection via Stripe Tax	United States	EU-US DPF + SCCs
Polsia / Postmark (email proxy → Wildbit LLC / ActiveCampaign)	Transactional email delivery (alerts, receipts, password resets, digest)	Netherlands / United States	DPA + SCCs
Sentry (Functional Software, Inc.)	Error monitoring and performance tracing; anonymised stack traces only	United States	DPA + SCCs
Polsia Analytics	Privacy-preserving page view analytics; hashed IPs, no cross-site tracking	European Union	EU controller-processor DPA
Discord, Inc. (optional, user-configured)	Alert webhook delivery — only when user provides their own Discord webhook URL	United States	User consent; user-controlled endpoint
CoinGecko / CryptoCompare / others	Market data APIs — no personal data shared; public market data only	N/A	No personal data transferred

We do not sell personal data, nor do we share it with advertising networks or data brokers. The complete sub-processor register with full addresses and DPA links is maintained at noetara.ai/sub-processors.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption of data in transit (HTTPS/TLS)
Encryption of sensitive data at rest
Access controls limiting who can access personal data
Regular security reviews

In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and affected users without undue delay, as required under Article 33–34 GDPR.

11. Children

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to waitlist and registered users at least 30 days before taking effect. The "Effective" date at the top of this page indicates when the policy was last updated. Continued use of the Service after an update constitutes acceptance of the revised policy.

13. VAT / BTW Disclosure

Our subscription price is displayed exclusive of Value Added Tax (VAT / Dutch btw) unless explicitly stated otherwise. The applicable VAT rate depends on your country of residence or tax jurisdiction. Stripe Tax calculates and collects the correct VAT or equivalent tax at checkout based on your billing address.

EU business customers with a valid VAT ID may be eligible for zero-rated VAT under the reverse-charge mechanism. Please provide your VAT number at checkout. Stripe will handle the validation. For non-EU customers, local taxes may apply in accordance with your jurisdiction's rules.

VAT invoices are issued by Stripe on behalf of Noetara and are available in your Stripe billing portal after each payment.

14. California Residents — CCPA Disclosure

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights regarding your personal information.

Categories of personal information we collect:

Identifiers (email address, IP address hash)
Account credentials (password hash — plaintext never stored or accessible)
Commercial information (subscription status and billing history via Stripe)
Internet or other electronic network activity (page views, feature usage, referral source)

We do not sell or share your personal information with third parties for cross-context behavioural advertising. We do not sell personal information to data brokers.

Your California rights:

Right to know — Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the third parties we share it with.
Right to delete — Request deletion of personal information we have collected, subject to certain exceptions.
Right to correct — Request correction of inaccurate personal information.
Right to opt out of sale/sharing — We do not sell or share personal information, so this right is satisfied by our existing practices.
Right to non-discrimination — We will not discriminate against you for exercising your CCPA rights.

To exercise your California rights, email support@noetara.ai with subject "California Privacy Request". We will respond within 45 days (extendable by a further 45 days with notice). We may need to verify your identity before processing the request.

15. Contact

For privacy-related questions, data subject rights requests, or concerns:

Noetara — Privacy
Amsterdam, the Netherlands
KVK: [Registration pending] · BTW-id: [Registration pending]
Email: support@noetara.ai

We aim to respond to all privacy requests within 5 business days.