Cookie and Tracking Technology Policy for Noax
Last Updated: April 19, 2026
1. Introduction
This Cookie Policy explains how Noax ("we," "our," or "us") uses cookies and similar tracking technologies when you use the Noax Service, including our website, web application, browser extensions, and mobile applications (collectively, the "Service").
This policy should be read in conjunction with our Privacy Policy.
2. What Are Cookies and Similar Technologies?
Cookies are small text files placed on your device by a website or application. They are widely used to make websites work more efficiently and to provide information to the site owners.
Similar technologies include:
- Local Storage / Session Storage: Browser-based storage mechanisms that allow websites to store data locally on your device
- Authentication tokens: Encoded tokens used for authentication and session management
- CAPTCHA tokens: Tokens used to distinguish human users from bots
3. Technologies We Use
Essential Technologies (Strictly Necessary)
These technologies are required for the Service to function. They cannot be disabled without breaking core functionality. No consent is required for these under § 25 TTDSG and the ePrivacy Directive, as they are strictly necessary for the service you requested.
| Technology | Type | Purpose | Duration | Provider |
|---|---|---|---|---|
| Authentication Token | Local Storage / HTTP Header | Maintains your authenticated session so you don't need to log in on every page | Session / configurable expiry | Noax (first-party) |
| Authentication Session | Cookie | Manages the authentication flow and login state | Session duration | Authentication provider (third-party) |
| Bot Protection | JavaScript token | Bot protection on public-facing forms (e.g., waitlist registration). Replaces traditional CAPTCHA | Per-request (not persistent) | Security provider (third-party) |
| User Preferences | Local Storage | Stores your UI preferences (e.g., theme, view mode) locally in your browser | Persistent until cleared | Noax (first-party) |
Cookieless Product Analytics
We use an EU-hosted product-analytics service to collect aggregate usage events (page views, clicks on instrumented elements, and the core product events listed in our Privacy Policy). We use this data solely to improve the product - we do not track individual browsing behavior, build advertising profiles, or sell any data to third parties. Our analytics integration is configured in a cookieless, storage-less mode:
- No cookies set - our analytics SDK is initialized in memory-only mode, which stores nothing on your device
- No localStorage, sessionStorage, or IndexedDB entries
- No fingerprinting - we do not use session replay or device fingerprinting
- Aggregate heatmaps only - we collect aggregate click-position data to understand which areas of the interface are used most; no individual user sessions are recorded or replayed
- First-party network path - analytics requests are routed through our own domain so no third-party domain is contacted directly from your browser
- IP address excluded - IP addresses are stripped from event payloads before ingestion
- DNT & GPC honored - if your browser sends Do-Not-Track or Global Privacy Control, we disable all analytics capture automatically
Because nothing is stored in your terminal equipment, this processing falls outside the scope of § 25 TTDSG / ePrivacy Art. 5(3) and no consent banner is required for storage. The GDPR still applies to the transmission and processing of event data; see Section 4 below.
Technologies We Do NOT Use
We want to be transparent about what we do not employ:
- No advertising cookies - We do not serve ads or use ad tracking (e.g., Google Ads, Facebook Pixel)
- No analytics cookies - our product analytics is cookieless (see above); we do not use cookie- or localStorage-based analytics tools
- No session replay - we do not record your mouse movements, keystrokes, scrolls, or screen contents
- No social media tracking pixels - We do not embed Facebook, Twitter, or LinkedIn tracking
- No cross-site tracking - We do not track your activity across other websites
- No fingerprinting - We do not use browser fingerprinting techniques
- No third-party marketing cookies - We do not share data with marketing platforms
4. Legal Basis
Under German/EU Law (§ 25 TTDSG / ePrivacy Directive)
- Strictly necessary technologies (all technologies listed above): These are exempt from consent requirements under § 25(2) TTDSG, as they are technically necessary to provide the Service you explicitly requested.
- Non-essential technologies: We currently do not use any non-essential cookies or tracking technologies. Should we introduce them in the future, we will obtain your prior informed consent through a compliant consent mechanism before activating them.
Under GDPR (Art. 6)
Where personal data is processed through these technologies, the legal basis is:
- Art. 6(1)(b) GDPR - Performance of a contract (authentication, session management, essential functionality)
- Art. 6(1)(f) GDPR - Legitimate interest in product improvement and service-quality monitoring (cookieless analytics). Our balancing test relied on the following mitigating measures: memory-only persistence, IP suppression, DNT/GPC honored, opt-in autocapture, EU processing, and 12-month retention. You can object to this processing at any time (see below).
Right to Object (GDPR Art. 21)
Where we rely on legitimate interest, you have the right to object to the processing of your personal data. You can exercise this right by:
- Enabling Do Not Track (DNT) or Global Privacy Control (GPC) in your browser - we honor both signals automatically, which disables all analytics capture for the session
- Emailing [email protected] and requesting a manual opt-out
5. Browser Extensions
Our browser extensions (Chrome, Safari, Firefox) use the following technologies:
| Technology | Purpose | Data Stored |
|---|---|---|
| Extension Local Storage | Store authentication state and user preferences | Authentication token, extension settings |
| Background Service Worker | Process share/save actions | Temporary request data (not persisted) |
The browser extensions do not:
- Track your general browsing activity
- Inject scripts into pages you visit (except when you explicitly activate the save function)
- Collect browsing history
- Communicate with any server other than Noax's own backend
6. Mobile Application (iOS)
The iOS application uses:
| Technology | Purpose | Data Stored |
|---|---|---|
| Keychain | Securely store authentication credentials | Encrypted authentication token |
| UserDefaults | Store app preferences | Non-sensitive UI preferences |
| Share Extension Storage | Temporary storage during share action | Shared content (cleared after processing) |
The mobile application does not use any third-party SDKs for analytics, advertising, or tracking.
7. Your Choices
Managing Browser Cookies and Storage
You can control cookies and local storage through your browser settings:
- Chrome: Settings > Privacy and Security > Cookies and other site data
- Safari: Preferences > Privacy > Manage Website Data
- Firefox: Settings > Privacy & Security > Cookies and Site Data
Note: Blocking or deleting essential cookies/storage will prevent you from using the Service, as authentication will not function.
Managing Extension Data
You can manage extension data through your browser's extension settings:
- Remove the extension to delete all associated data
- Extension data is automatically cleared when the extension is uninstalled
Do Not Track (DNT)
We respect the Do Not Track (DNT) browser signal. However, since we do not engage in cross-site tracking or serve targeted advertising, the DNT signal does not change our behavior - we already do not track you.
Global Privacy Control (GPC)
We honor the Global Privacy Control (GPC) signal as required by applicable US state privacy laws (CCPA/CPRA, etc.). Since we do not sell or share personal information for advertising purposes, the GPC signal confirms our existing practice.
8. Third-Party Technologies
The following third-party services may set cookies or use similar technologies in connection with the Service:
Authentication Provider
- Purpose: Authentication and login management
- Cookies Set: Session cookies for login flow
- Data Processing Location: United States (covered by SCCs)
Security / Bot Protection Provider
- Purpose: Bot protection on public forms
- Technologies Used: JavaScript challenge tokens (no persistent cookies)
- Data Processing Location: Global CDN (EU processing available)
Product Analytics Provider (EU)
- Purpose: Cookieless, first-party-proxied product analytics (page views and instrumented events). See Section 3 above.
- Technologies Used: None stored on your device - no cookies, no localStorage, no sessionStorage, no IndexedDB
- Data Processing Location: European Union (Frankfurt)
- Safeguards: Data Processing Agreement (DPA), EU-only hosting, IP address stripped from payloads, 12-month event retention
You may request the identity of our current third-party service providers and links to their privacy policies by contacting [email protected].
9. Changes to This Cookie Policy
We will update this Cookie Policy if we introduce new tracking technologies or change our practices. Material changes will be communicated via email and through a notice in the Service.
If we ever introduce cookies or device-stored technologies that are not strictly necessary (for example, cookie-based analytics, advertising pixels, or session replay), we will implement a consent management mechanism that:
- Requests your explicit, informed consent before activating non-essential technologies
- Allows you to granularly accept or reject categories of technologies
- Provides an easy way to withdraw consent at any time
- Does not use deceptive design patterns (dark patterns)
10. Contact Us
If you have questions about our use of cookies and tracking technologies, please contact us at:
Email: [email protected]
Noax