Privacy Policy

Last updated: April 19, 2026


1. Controller

Nopex GmbH
Karlstraße 89, 76137 Karlsruhe, Germany
Commercial register: Amtsgericht Mannheim, HRB 757462
Managing Director (Geschäftsführer): Philip Blatter
Phone: +49 721 603218-0
Email: privacy@nopex.cloud

A Data Protection Officer has not been appointed at this time.

2. Scope

This Privacy Policy applies to the use of the SaaS platform "nopex console" at https://console.nopex.cloud. It does not apply to self-hosted instances of the software.

3.1 Account Data

When you create and manage an account, we process your email address, your password (stored in encrypted form), and the verification status of your email address. This data is required for account creation, login, and communication with you. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

You may optionally provide your first name, last name, a profile picture, and your preferred language setting. This information is used to personalize your account. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in a user-friendly platform experience).

3.2 Session Data

Each time you use the platform, your IP address, browser identifier (user agent), and session timestamps are collected. This data is used for authentication, security, and abuse prevention. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in platform security).

3.3 Organization and Usage Data

To provide platform functionality, we process your organization name, memberships, project assignments, and roles. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

We also process billing reference data such as your subscription ID and credit balance for billing and account management purposes. The legal basis is likewise Art. 6(1)(b) GDPR (performance of a contract).

Payment details (e.g., credit card numbers) are not stored directly by us but are processed by our payment service provider (see Section 6).

3.4 AI Usage Data

We process data on token consumption and cost per AI call for billing purposes. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

We also store AI task history, which includes task descriptions, AI summaries, duration, and costs. This data is used for usage analytics and billing. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in usage analytics).

Raw token consumption data is aggregated after 2 days; the raw data is then deleted. Aggregated data is retained for billing purposes.

3.5 Data Transmitted to AI Providers

When you use AI features of the platform (e.g., Swarm, Chat), the following data is transmitted to external AI providers (see Section 6):

  • User prompts (chat messages, task descriptions)
  • Project source code (files in the Git repository)
  • Project documents (uploaded files)
  • Conversation history (previous messages in the session)
  • File attachments

Important notice: Please be aware that inputs to AI features are transmitted to external providers without automatic filtering. Please do not enter special categories of personal data within the meaning of Art. 9 GDPR into AI features.

Nopex contractually ensures that the AI providers used do not use your data for training or improving their AI models.

Some AI providers are based in the United States. Transfers are made on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR (see Section 6 for details).

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — provision of AI features as part of the contractual service).

3.6 Error Data

For troubleshooting and operational reliability, we process technical error messages, stack traces, request URLs, HTTP headers, IP addresses, and browser identifiers. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in stable and secure operations).

3.7 Transactional Emails

Your email address is used to send verification, password reset, invitation, and notification emails. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

4. Cookies and Tracking

The platform uses the following cookies, all strictly necessary:

  • "authjs.session-token" — authentication and session management, stored for 7 days.
  • "nopex_link_intent" — OAuth account linking, expires after 10 minutes.

Your consent choices are stored locally in your browser (localStorage entry "nopex_consent_local") and on your account record once you register. They are not transmitted as a cookie.

Analytics and Marketing Tools

We use the following tools to understand product usage and measure marketing effectiveness. You can change your consent at any time under Account Settings → Analytics & marketing.

  • Umami (always active) — a self-hosted, cookie-free analytics tool. Visitor identification uses a daily hash of IP, user-agent, and a server-side salt; no persistent identifier is stored. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in understanding product usage). No consent is required because no personal data within the meaning of GDPR is stored on your device.
  • Google Analytics 4 (consent-gated, server-side only) — events are sent server-side via the GA4 Measurement Protocol; no Google Analytics script or cookie runs in your browser. Used to measure signup, onboarding, and order conversion funnels. Recipient: Google Ireland Limited; data may be transferred to the United States under Standard Contractual Clauses. Legal basis: Art. 6(1)(a) GDPR (consent). Active only when you have opted in to the "Analytics" category.
  • Meta Conversions API (consent-gated, server-side only) — signup and order events are transmitted server-side to Meta with hashed email and IP/user-agent for attribution of Meta ad campaigns. No Meta Pixel script runs in your browser. Recipient: Meta Platforms Ireland Limited; data may be transferred to the United States under Standard Contractual Clauses. Legal basis: Art. 6(1)(a) GDPR (consent). Active only when you have opted in to the "Marketing" category.
  • LinkedIn Conversions API (consent-gated, server-side only) — signup events are transmitted server-side to LinkedIn with hashed email for attribution of LinkedIn ad campaigns. No LinkedIn Insight Tag runs in your browser. Recipient: LinkedIn Ireland Unlimited Company; data may be transferred to the United States under Standard Contractual Clauses. Legal basis: Art. 6(1)(a) GDPR (consent). Active only when you have opted in to the "Marketing" category.

5. Retention Periods

Retention periods depend on the respective data category:

  • Account data — We retain your account data until you delete your account. After deletion, we retain it only to the extent required by statutory retention obligations (e.g., §§ 147 AO, 257 HGB).
  • Session data — Session data is automatically deleted after 7 days.
  • Organization and usage data — Organization and usage data is retained until the organization account is deleted, then removed within 30 days unless statutory retention periods apply.
  • AI task history — AI task history is retained until the user account or the associated project is deleted.
  • AI usage data (raw) — Raw data is aggregated after 2 days and then deleted.
  • AI usage data (aggregates) — Aggregated AI usage data is retained for billing purposes for the duration of the contractual relationship.
  • Error data — We have configured Sentry to automatically delete error data after 90 days.
  • Email delivery data — Transactional email log data is stored by Brevo for a maximum of 30 days.

6. Recipients and Processors

We use the following service providers to deliver our services. Data processing agreements pursuant to Art. 28 GDPR have been concluded with each provider:

  • DigitalOcean (represented by DigitalOcean Netherlands B.V.) — Server infrastructure, Frankfurt FRA1 region (Germany). No third-country transfer. Processing based on a DPA pursuant to Art. 28 GDPR.

  • Hetzner Online GmbH, Gunzenhausen, Germany — Server infrastructure, Nuremberg NBG1 data center. No third-country transfer. Processing based on a DPA pursuant to Art. 28 GDPR.

  • Brevo (Sendinblue) — Transactional emails. Data location: EU (France). No third-country transfer.

  • Sentry (Sentry.io) — Error tracking. We use Sentry's EU data residency; all data is processed exclusively on EU servers. No third-country transfer.

  • OpenAI, Inc. — AI language model. Data location: USA. Safeguard: Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

  • Anthropic, PBC — AI language model. Data location: USA. Safeguard: Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

  • Google LLC — AI language model (Gemini / Vertex AI). Data location: USA / EU. Safeguard: Standard Contractual Clauses (SCCs) / adequacy decision.

  • Stripe Payments Europe, Ltd. — Payment processing. The contracting entity is Stripe Payments Europe, Ltd., Dublin, Ireland. For certain operations, data may be forwarded to Stripe, Inc. (USA); Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework apply.

The AI providers (OpenAI, Anthropic, Google) only receive data when you actively use AI features of the platform.

7. International Data Transfers

Where personal data is transferred to countries outside the European Economic Area (EEA), we ensure an adequate level of data protection through:

  • Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, supplemented where necessary by additional technical and organizational measures; or
  • an adequacy decision of the European Commission pursuant to Art. 45 GDPR.

For details on individual recipients, please refer to Section 6.

8. Your Rights

As a data subject, you have the following rights:

  • Access (Art. 15 GDPR) — You may request information about the personal data we process about you.
  • Rectification (Art. 16 GDPR) — You may request the correction of inaccurate data.
  • Erasure (Art. 17 GDPR) — You may request the deletion of your data, provided no statutory retention obligations apply. Deletion can be initiated via the account deletion feature on the platform or by contacting privacy@nopex.cloud.
  • Restriction of processing (Art. 18 GDPR) — Under certain conditions, you may request the restriction of processing.
  • Data portability (Art. 20 GDPR) — You may request to receive your data in a structured, commonly used, and machine-readable format.
  • Objection (Art. 21 GDPR) — You may object to the processing of your data where such processing is based on a legitimate interest (Art. 6(1)(f) GDPR).

To exercise your rights, please contact: privacy@nopex.cloud

Obligation to provide data: Providing your email address and a password is mandatory to use the platform. Providing optional data (first name, last name, profile picture) is voluntary and does not affect core functionality.

9. Automated Decision-Making and Profiling

No automated decision-making within the meaning of Art. 22 GDPR, including profiling, takes place. The AI features of the platform do not make automated individual decisions that produce legal effects or similarly significant effects.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
(State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg)
https://www.baden-wuerttemberg.datenschutz.de

11. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy as necessary to reflect changes in legal requirements or our services. In the event of material changes, we will additionally notify you by email or by a notice within the platform. The current version is always available at https://console.nopex.cloud/privacy.