Privacy Policy

Information provided pursuant to Articles 12–14 of the EU General Data Protection Regulation (GDPR / DSGVO) and §§ 24, 25 Austrian Data Protection Act (DSG), and §165 Telekommunikationsgesetz (TKG 2021).

Last updated: 2026-04-20


1. Who is responsible for your data

The controller under Article 4(7) GDPR is:

Ibrahim Ölmez (nouz — Einzelunternehmen)
Markhofgasse 12–18, 1030 Wien, Austria
Email: support@nouz.co
Phone: +43 660 741 42 47

We have not appointed a Data Protection Officer. For any privacy-related matter, contact us at the email address above.

2. What we collect and why

2.1 Account data

When you sign up we collect and store:

  • Email address — for authentication, password reset, and transactional notifications.
  • Password — stored only as a salted hash by our authentication provider (Supabase). We never see your plaintext password.
  • Business name, location name(s), currency, country — entered by you to configure the service.

Legal basis: Art. 6(1)(b) GDPR — necessary to perform the contract.

2.2 Business data you enter

The app records revenue, expenses, products, categories, fixed costs and any other operational figures you choose to enter. This data is stored under your account and is never shared, sold, or used for training machine-learning models.

Legal basis: Art. 6(1)(b) GDPR — necessary to perform the contract.

2.3 Billing data

When you start a subscription we collect and store:

  • Stripe customer ID and subscription ID
  • Plan, status, trial end date, cancellation flag
  • Invoice metadata (amounts, VAT rate, VAT country, customer country, reverse-charge flag, payment method fingerprint)

Card numbers, CVV and full card details are collected and stored by Stripe directly — they never touch our servers. We only ever see the last four digits for display.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal obligation — invoice retention under §132 Bundesabgabenordnung).

2.4 Logs and technical data

  • Server access logs (IP address, user agent, timestamp, requested URL) — retained up to 30 days for security and abuse prevention.
  • Application error reports (sent to Sentry) — scrubbed of user identifiers where technically possible.
  • Rate-limit counters (in-memory at Upstash, typically expire within an hour).

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in keeping the service secure.

2.5 Cookies

We use only strictly necessary cookies at launch:

  • nouz-active-location — remembers which of your business locations you last viewed.
  • Supabase authentication cookies — keep you signed in.

No advertising, tracking, or analytics cookies are set at launch. When we introduce product analytics or traffic analytics in the future, we will request your consent via a cookie banner before setting any non-essential cookie, in line with §165 TKG.

3. Who we share your data with (sub-processors)

We use the following sub-processors to operate the service. All are bound by contract to protect your data under Art. 28 GDPR.

Sub-processor                     | Purpose                            | Location / Region
----------------------------------|------------------------------------|-------------------
Supabase                          | Database, authentication           | EU region
Stripe Payments Europe Ltd.       | Payment processing, invoicing      | Ireland (EU)
Resend (Drip, Inc.)               | Transactional email delivery       | Frankfurt (EU)
Vercel Inc.                       | Web hosting, CDN                   | Frankfurt (fra1, EU)
Sentry (Functional Software GmbH) | Error monitoring                   | EU region
Upstash Inc.                      | Rate-limit counters                | Frankfurt (EU)

We do not sell or rent your data to any third party. We do not transfer personal data outside the EU/EEA, except where a sub-processor's corporate parent is based outside the EU and relies on EU Standard Contractual Clauses for internal data flows. Details available on request.

4. How long we keep your data

  • Account and business data: for as long as your account is active.
  • After account deletion: we soft-delete your account for 30 days (so you can change your mind and restore). After 30 days your account and all business data are permanently deleted.
  • Invoices and billing events: retained for 7 years as required by §132 Bundesabgabenordnung (BAO) — Austrian tax law. We cannot delete these earlier.
  • Server access logs: up to 30 days.
  • Support emails: up to 2 years after the last correspondence, then deleted.

5. Your rights

Under the GDPR you have the right to:

  • Access (Art. 15) — request a copy of your personal data.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure (Art. 17) — have your data deleted (subject to the retention obligations above).
  • Restriction (Art. 18) — restrict processing of your data.
  • Portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interest.
  • Withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, email support@nouz.co. We respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. The Austrian authority is:

Datenschutzbehörde
Barichgasse 40–42, 1030 Wien
https://www.dsb.gv.at

6. Children

The service is aimed at business owners. We do not knowingly collect data from anyone under 16. If you believe a minor has created an account, contact us and we will delete it.

7. Changes to this policy

When we make material changes, we notify you by email and update the "Last updated" date at the top of this page. Continued use of the service after a change constitutes acceptance of the updated policy.