// GDPR / AVG
Sub-Processor List
◈ What This Page Is
Under the GDPR (and Dutch AVG), Noetara as data controller must maintain a list of sub-processors — third parties who process personal data on our behalf. This page is our public register. Every processor listed here is bound by a Data Processing Agreement (DPA) or equivalent contractual safeguard. We review and update this list whenever our processing arrangements change.
Data Controller
Noetara
Amsterdam, the Netherlands
Email: support@noetara.ai
Privacy policy: noetara.ai/privacy
Sub-Processors
Render Services, Inc. / Neon (PostgreSQL)
Hosting & Database
Hosts the Noetara application server (Node.js / Express) and the PostgreSQL database (Neon serverless). All user account data, subscription status, alert preferences, and platform activity records are stored on Render infrastructure. Data in transit is protected by TLS 1.2+. Data at rest is encrypted by the hosting layer.
↗ render.com/privacy — DPA & SCCs available on request
Stripe, Inc.
Payment Processing
Processes subscription payments (plans from $29.99/mo). Stripe receives: billing email address, payment card details (stored exclusively by Stripe — never by Noetara), billing address, and subscription status. Noetara receives only a tokenised Stripe customer ID and subscription state. Stripe is PCI-DSS Level 1 certified and handles VAT/BTW calculation and collection via Stripe Tax.
↗ stripe.com/privacy — Stripe's Data Processing Agreement
Polsia (email proxy) → Postmark (ActiveCampaign / Wildbit)
Transactional Email
Delivers transactional emails on behalf of Noetara, including: whale movement alert emails, password reset emails, subscription confirmation and welcome emails, weekly intelligence digest (opted-in subscribers only), and drip marketing sequence for lead nurturing. Personal data processed: recipient email address, first name (when available), alert content. Email addresses are not used for profiling or cross-platform advertising.
↗ postmarkapp.com/privacy-policy — Postmark DPA
Functional Software, Inc. (Sentry)
Error Monitoring
Application error monitoring and performance tracing. Sentry may receive: anonymised stack traces, browser type, operating system, page URL at the point of error, and a hashed (FNV-32) user identifier derived from a logged-in user's email address. No raw email addresses, passwords, or payment data are sent to Sentry. User email is hashed server-side before any Sentry context is set.
↗ sentry.io/privacy — Sentry's Privacy Policy & DPA
Polsia Analytics
Analytics
Privacy-preserving website analytics. Tracks page views, navigation patterns, referral sources, and UTM campaign parameters. IP addresses are SHA-256 hashed server-side before storage — no raw IP is ever written to disk. No cross-site tracking, no advertising profiles, no individual identity linked to analytics data. Geographic resolution is country-level only.
Discord, Inc. (user-configured)
Optional / User-Controlled
Discord webhook delivery is an optional, user-initiated feature. When enabled, Noetara sends whale movement alert notifications to a Discord webhook URL you provide. The webhook URL is your own Discord server endpoint — Noetara does not have access to your Discord account, messages, or server. Data sent to Discord: alert content (coin, amount, chain, transaction hash). No account credentials or personal identifiers are transmitted. Discord is not a Noetara sub-processor in the traditional sense; you are the controller of your own Discord destination. Discord's privacy policy governs processing at their end.
↗ discord.com/privacy — Discord Privacy Policy
What We Do Not Do
- We do not sell personal data to any third party
- We do not share personal data with advertising networks or data brokers
- We do not use personal data for cross-context behavioural advertising
- We do not grant sub-processors the right to further sub-process without our approval
Third-Party Data Sources (No Personal Data)
Noetara also integrates with many external APIs for market data purposes. These integrations do not involve the transfer of any personal data:
| Service | Purpose | Personal Data Transferred |
|---|---|---|
| CoinGecko | Price data, market cap, token unlock enrichment | None |
| CryptoCompare | News articles | None |
| Snapshot GraphQL | DAO governance proposals | None |
| Coinalyze | Liquidation data | None |
| Mempool.space | BTC mempool / on-chain data | None |
| Reddit (public API) | Social sentiment (public posts) | None |
| Etherscan-compatible APIs (Snowtrace, Arbiscan, Optimism, Basescan) | On-chain whale movement detection | None |
These are read-only public data feeds. No user data is transmitted to any of these services.
Changes to This List
We will update this page whenever we add, remove, or materially change a sub-processor. Where a new sub-processor involves a significant change to how personal data is processed, we will notify registered users by email at least 30 days in advance (or as required by our DPA obligations).
The "Last updated" date at the top of this page reflects when this list was last revised.
Questions & DPA Requests
If you are a business customer and require a copy of our Data Processing Agreement or any sub-processor DPA, contact us at support@noetara.ai with subject "DPA Request". We aim to respond within 5 business days.
Noetara — Data Protection
Amsterdam, the Netherlands
Email: support@noetara.ai