Privacy Policy

Information provided pursuant to Articles 12–14 of the EU General Data Protection Regulation (GDPR / DSGVO) and §§ 24, 25 Austrian Data Protection Act (DSG), and §165 Telekommunikationsgesetz (TKG 2021).

Last updated: 2026-05-02


1. Who is responsible for your data

The controller under Article 4(7) GDPR is:

Ibrahim Ölmez (nouz — Einzelunternehmen)
Markhofgasse 12–18, 1030 Wien, Austria
Email: support@nouz.co
Phone: +43 660 741 42 47

We have not appointed a Data Protection Officer. For any privacy-related matter, contact us at the email address above.

2. What we collect and why

2.1 Account data

When you sign up we collect and store:

  • Email address — for authentication, password reset, and transactional notifications.
  • Password — stored only as a salted hash by our authentication provider (Supabase). We never see your plaintext password.
  • Business name, location name(s), currency, country — entered by you to configure the service.

Legal basis: Art. 6(1)(b) GDPR — necessary to perform the contract.

2.2 Business data you enter

The app records revenue, expenses, products, categories, fixed costs and any other operational figures you choose to enter. This data is stored under your account and is never shared, sold, or used for training machine-learning models.

Legal basis: Art. 6(1)(b) GDPR — necessary to perform the contract.

2.3 Billing data

When you start a subscription we collect and store:

  • Stripe customer ID and subscription ID
  • Plan, status, trial end date, cancellation flag
  • Invoice metadata (amounts, VAT rate, VAT country, customer country, reverse-charge flag, payment method fingerprint)

Card numbers, CVV and full card details are collected and stored by Stripe directly — they never touch our servers. We only ever see the last four digits for display.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal obligation — invoice retention under §132 Bundesabgabenordnung).

2.4 Logs and technical data

  • Server access logs (IP address, user agent, timestamp, requested URL) — retained up to 30 days for security and abuse prevention.
  • Application error reports (sent to Sentry) — scrubbed of user identifiers where technically possible.
  • Rate-limit counters (in-memory at Upstash, typically expire within an hour).

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in keeping the service secure.

2.5 Cookies and analytics

We use the following cookies and similar storage technologies:

Strictly necessary (set without consent, required for the service to work):

  • nouz-active-location — remembers which of your business locations you last viewed.
  • nouz-consent-v1 — stores your cookie choice so we do not ask again.
  • Supabase authentication cookies — keep you signed in.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and §165(3) TKG (strictly necessary).

Analytics — only with your consent:

  • Google Analytics 4 (_ga, _ga_*) — aggregate traffic measurement. We see which pages are visited, from where, and on which device class. We do not use Google Analytics for advertising and do not run any ad-tech products.
  • PostHog (ph_*, __ph_opt_in_out_*) — product analytics, funnels, feature usage, and session replay. PostHog records your interactions on the app — clicks, navigation, scrolls — so we can see how the dashboard is actually used and fix friction points. Form input values (revenue figures, business names, email, password) are masked at the recorder level and never reach PostHog. Cross-origin iframes (e.g. Stripe Checkout) are not recorded. Data is stored in PostHog's EU region (Frankfurt). Default retention: 30 days for session recordings, 1 year for events. You may request deletion of your recorded sessions at any time at support@nouz.co.

You will see a cookie banner on your first visit. Until you click "Accept", no analytics scripts capture data and no analytics cookies are set. Your single Accept covers both Google Analytics and PostHog (including session replay) — by accepting you consent to both. If you would prefer one without the other, decline and email support@nouz.co; we can also disable session replay for individual users on request. You can change your choice at any time via the Cookies link in the footer.

Legal basis: Art. 6(1)(a) GDPR and §165(3) TKG — consent.

3. Who we share your data with (sub-processors)

We use the following sub-processors to operate the service. All are bound by contract to protect your data under Art. 28 GDPR.

Sub-processor | Purpose | Location / Region
Supabase | Database, authentication | EU region
Stripe Payments Europe Ltd. | Payment processing, invoicing | Ireland (EU)
Resend (Drip, Inc.) | Transactional email delivery | Frankfurt (EU)
Vercel Inc. | Web hosting, CDN | Frankfurt (fra1, EU)
Sentry (Functional Software GmbH) | Error monitoring | EU region
Upstash Inc. | Rate-limit counters | Frankfurt (EU)
Google Ireland Ltd. (Google Analytics 4) | Aggregate site analytics — only after your consent | Ireland (EU); onward processing in the US is covered by the EU–US Data Privacy Framework (Google LLC is certified)
PostHog Inc. | Product analytics, funnel measurement, session replay — only after your consent | EU region (Frankfurt); contracting entity is US-based and we rely on EU Standard Contractual Clauses (Art. 46 GDPR) for that flow

We do not sell or rent your data to any third party. Where a sub-processor (e.g. Google) processes data outside the EU/EEA, transfers rely on Art. 45 GDPR (DPF adequacy decision) or EU Standard Contractual Clauses under Art. 46 GDPR. Details available on request.

4. How long we keep your data

  • Account and business data: for as long as your account is active.
  • After account deletion: we soft-delete your account for 30 days (so you can change your mind and restore). After 30 days your account and all business data are permanently deleted.
  • Invoices and billing events: retained for 7 years as required by §132 Bundesabgabenordnung (BAO) — Austrian tax law. We cannot delete these earlier.
  • Server access logs: up to 30 days.
  • Support emails: up to 2 years after the last correspondence, then deleted.

5. Your rights

Under the GDPR you have the right to:

  • Access (Art. 15) — request a copy of your personal data.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure (Art. 17) — have your data deleted (subject to the retention obligations above).
  • Restriction (Art. 18) — restrict processing of your data.
  • Portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interest.
  • Withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, email support@nouz.co. We respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. The Austrian authority is:

Datenschutzbehörde
Barichgasse 40–42, 1030 Wien
https://www.dsb.gv.at

6. Children

The service is aimed at business owners. We do not knowingly collect data from anyone under 16. If you believe a minor has created an account, contact us and we will delete it.

7. Changes to this policy

When we make material changes, we notify you by email and update the "Last updated" date at the top of this page. Continued use of the service after a change constitutes acceptance of the updated policy.