Privacy Policy

For Noax browser extension, web application, and related services

Privacy Policy for Noax

Last Updated: April 19, 2026

1. Controller and Contact Information

The data controller responsible for processing your personal data is:

Noax

Supervisory Authority: If you have concerns about how your data is handled, please contact us first at [email protected] — we would appreciate the opportunity to address your concerns. You also have the right to lodge a complaint with the competent data protection supervisory authority in your jurisdiction.

Data Protection Officer: Given the current scale and nature of our data processing activities, we are not required to appoint a Data Protection Officer under Art. 37 GDPR / § 38 BDSG. For all data protection inquiries, please contact us at [email protected].

2. Introduction

Welcome to Noax (“we,” “our,” or “us”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our browser extension, web application, iOS mobile application, and related services (collectively, the “Service”). This policy applies to users in the European Economic Area (EEA), the United Kingdom, and the United States.

IMPORTANT NOTICE: BETA STAGE

The Service is currently in Beta and available through invitation only. By using this beta version, you acknowledge that the Service is under active development and may be subject to changes, interruptions, or unexpected issues. During the beta period, certain features described in this policy may not yet be fully implemented or may change without notice.

By accessing or using the Service, you acknowledge the collection, use, and processing of your information as described in this Privacy Policy and our Terms of Use. If you do not agree with the terms of this policy, please do not access or use the Service.

3. Information We Collect

A. Personal Identification Information

We use a third-party authentication service to handle user logins and identity management. When you register or log in, we may collect the following personal identification information (PII):

| Data Point | Source | Purpose |
| --- | --- | --- |
| Email address | Registration | Account creation, communication |
| Full name | Registration | Display name, personalization |
| Profile picture URL | Social login provider | User profile display |
| Unique user identifier | Authentication provider | Unique identification, authentication |
| Social media IDs | Social login providers | Authentication via social providers |

This data is stored and managed securely by our authentication provider and our systems solely for authentication and identity verification purposes. We do not sell or share this PII with third parties for marketing purposes.

B. User Content

We collect the content you explicitly choose to save to Noax via our Service (extension, web app, or mobile app):

| Content Type | Description |
| --- | --- |
| URLs / Crawled Content | When you share a link, our backend crawls the target URL to retrieve, save, and process the full content of the page for your personal archive. |
| Text Notes | Any text notes or comments you add to your saved items. |
| Images | Images you upload or share from the web. |
| Audio Files | Audio files you upload for transcription and storage. |
| PDF Documents | PDF files you upload for content extraction and archiving. |
| Selected Text | Specific text snippets you highlight and save from web pages. |
| AI Agent Chat Messages | Questions and messages you send to the AI Agent. Chat history is maintained for the duration of a conversation session to provide contextual responses. |

C. AI-Generated Metadata

When you save content, our AI systems automatically generate derived metadata to help you organize, search, and retrieve your information. This may include summaries, categorizations, and other structured data derived from your content. AI-generated metadata is stored alongside your content and follows the same retention and deletion policies.

D. Technical and Usage Data

We collect technical information to ensure service functionality, security, and improvement:

| Data Point | Purpose |
| --- | --- |
| IP address | Security, rate limiting, abuse prevention |
| Browser type and version | Compatibility, debugging |
| Device type | Responsive design optimization |
| Feature usage | Service improvement, product development |
| Product analytics events | Cookieless, EU-hosted event analytics (page views, clicks on instrumented elements, core product events such as saving an entry or sending a chat message). Event payloads exclude entry titles, content, URLs, and search query text. |
| Pseudonymous event identifier | An opaque identifier assigned by our analytics provider to link analytics events to your account once you are logged in. Not used for advertising or cross-site tracking. |
| Request timestamps | Rate limiting, diagnostics |
| API token usage | Usage metering, quota enforcement |
| Error logs | Debugging, service reliability |

E. Cookies and Similar Technologies

We use only essential cookies and similar technologies required for the Service to function. We do not use cookies or local-storage entries for advertising, analytics, or social media tracking.

Our EU-hosted product analytics provider is configured in a cookieless, storage-less mode: it does not write any cookies, localStorage, sessionStorage, or IndexedDB entries to your device. IP addresses are stripped from event payloads, and Do-Not-Track / Global Privacy Control signals are honored automatically. This data is used solely for product improvement — we do not track individual browsing behavior, build advertising profiles, or sell any data to third parties. For full details see our Cookie Policy.

| Technology | Type | Purpose |
| --- | --- | --- |
| Authentication tokens | Essential | User authentication, session management |
| Bot protection service | Essential | Bot protection, abuse prevention |
| Local Storage | Essential | User preferences, UI state persistence |

4. Legal Basis for Processing (GDPR Art. 6)

We process your personal data only when we have a valid legal basis under the General Data Protection Regulation (GDPR):

| Processing Activity | Legal Basis | GDPR Article |
| --- | --- | --- |
| Account creation and authentication | Performance of contract | Art. 6(1)(b) |
| Storing and organizing your content | Performance of contract | Art. 6(1)(b) |
| AI processing of content (metadata generation) | Performance of contract / Legitimate interest | Art. 6(1)(b) / Art. 6(1)(f) |
| Security measures and abuse prevention | Legitimate interest | Art. 6(1)(f) |
| Service improvement and analytics | Legitimate interest | Art. 6(1)(f) |
| Product analytics (cookieless, event-based) | Legitimate interest (balanced; IP suppressed, memory-only, DNT/GPC honored, 12-month retention) | Art. 6(1)(f) |
| Email communications about the Service | Legitimate interest | Art. 6(1)(f) |
| Legal compliance | Legal obligation | Art. 6(1)(c) |
| Marketing communications (if applicable) | Consent | Art. 6(1)(a) |

Legitimate Interest Balancing: Where we rely on legitimate interest as the legal basis, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us at [email protected].

5. AI Processing and Data Privacy

We utilize advanced Artificial Intelligence (AI) technologies to enhance your experience, specifically to understand, tag, and categorize your saved content for better search and recommendation results.

How AI Processing Works

  1. You save content to Noax.
  2. Our backend extracts and preprocesses the raw content.
  3. The content is sent to AI models for analysis through our private cloud infrastructure — stripped of personally identifiable information.
  4. AI generates derived metadata to power search and organization features.
  5. The generated metadata is stored alongside your content.

Third-Party AI Processing

We use third-party AI services to process your content. These services analyze your saved content and generate derived metadata to provide core Service features such as search, organization, and the AI Agent.

AI Agent

The Service includes an AI Agent that allows you to interact with your saved content. When you use the AI Agent, your messages and relevant content are processed through our private cloud infrastructure and sent to a third-party AI processing provider to generate a response. No account-level personal data (name, email, user identifier) is sent to the AI processing provider.

IMPORTANT: User Responsibility for Personal Data in Chat

While we do not send your account information (name, email, or user identifiers) to third-party AI processors, any personal data you voluntarily include in your chat messages or that is contained within your saved content may be transmitted to our AI sub-processors as part of generating a response. You are solely responsible for the personal data you include in your messages to the AI Agent and in content you save to Noax. We strongly recommend that you do not include sensitive personal data (such as financial information, health records, government-issued identifiers, or passwords) in chat messages or saved content.

Private Cloud Processing

All AI processing occurs within private, secure cloud environments. Your content is anonymized before being sent to AI processors — it is not bound to your specific user identity during processing.

Safeguards

  • Data Processing Agreement (DPA): We require DPAs with our third-party AI processors that govern how your data is handled.
  • No model training: Your data is not used to train any third-party AI models.
  • Zero retention: Our AI processors operate under a zero-retention policy for API inputs and outputs — your content is not stored by them after processing.
  • Standard Contractual Clauses (SCCs): International data transfers to AI processors are protected by EU-approved Standard Contractual Clauses.

What AI Does NOT Do

  • AI does not make any decisions that produce legal or similarly significant effects on you.
  • AI does not profile you for advertising or marketing purposes.
  • AI does not share your data with any third party beyond our contracted sub-processors.
  • AI does not retain or store your content after processing is complete.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

| Data Category | Retention Period | Rationale |
| --- | --- | --- |
| Account data | Duration of account | Required for service provision |
| Library entries | Duration of account | Core service functionality |
| Deleted entries | Until permanently deleted by user | Moved to “Recently Deleted” until user permanently removes them |
| AI-generated metadata | Same as associated entry | Linked to parent content lifecycle |
| Vector embeddings | Same as associated entry | Deleted when parent content is removed |
| Authentication tokens | Until expiration or logout | Session management |
| Server logs | 30 days | Debugging, security monitoring |
| Product analytics events | 12 months | Aggregate product-improvement analysis (cookieless, EU-hosted) |
| Beta feedback | Duration of beta + 12 months | Product improvement |
| Backup copies | 30 days after source deletion | Disaster recovery |

7. Third-Party Service Providers

We engage third-party service providers to operate the Service. We do not sell your personal data to any third party. The categories of service providers we use include:

| Category | Data Processed | Location | Legal Safeguard |
| --- | --- | --- | --- |
| Authentication provider | PII, credentials | US / EU | SCCs, DPA |
| AI processing provider | Anonymized content | US | SCCs, DPA, zero retention |
| Cloud hosting and storage | All service data | EU | DPA, GDPR-compliant region |
| Vector search provider | Embeddings | EU | DPA |
| CDN and security provider | IP addresses, traffic data | Global | SCCs, DPA |
| Transactional email provider | Email addresses | US / EU | SCCs, DPA |
| Product analytics provider | Pseudonymous user ID, page URL, event metadata (no content, no IP, no PII) | EU (Frankfurt) | DPA, GDPR-compliant EU region, 12-month retention |

You may request a complete list of our current sub-processors by contacting us at [email protected].

Sub-processor obligations: All third-party service providers are contractually required to:

  • Process data only on our documented instructions
  • Ensure confidentiality of all data processed
  • Implement appropriate technical and organizational security measures
  • Assist us in fulfilling data subject access requests
  • Delete or return all personal data upon termination of services
  • Submit to audits and inspections

8. International Data Transfers

Some of our third-party service providers are located outside the European Economic Area (EEA). In particular, AI processing involves data transfers to US-based providers. Your data is stored in the EU, but content may be temporarily transmitted to non-EEA processors for AI analysis. All data sent to non-EEA processors is encrypted in transit, stripped of account-level personal identifiers, and processed under zero-retention terms.

We are in the process of putting appropriate transfer safeguards in place in accordance with GDPR Chapter V. For details on the current status of our transfer safeguards, please contact us at [email protected].

9. Your Rights as a Data Subject

GDPR Rights (EEA and UK Residents)

Under the GDPR, you have the following rights regarding your personal data:

| Right | Description |
| --- | --- |
| Right of Access | Request a copy of all personal data we hold about you (Art. 15). |
| Right to Rectification | Request correction of inaccurate or incomplete personal data (Art. 16). |
| Right to Erasure | Request deletion of your personal data (“right to be forgotten”) (Art. 17). |
| Right to Restriction | Request that we limit the processing of your personal data (Art. 18). |
| Right to Data Portability | Receive your data in a structured, machine-readable format or have it transferred to another controller (Art. 20). |
| Right to Object | Object to processing based on legitimate interests or for direct marketing purposes (Art. 21). |
| Right to Withdraw Consent | Withdraw consent at any time where processing is based on consent, without affecting prior lawfulness (Art. 7(3)). |
| Right to Lodge a Complaint | File a complaint with a supervisory authority if you believe your rights have been violated (Art. 77). |

To exercise any of these rights, please contact us at [email protected]. We aim to respond within 30 days. For complex or numerous requests, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for the delay.

Objecting to Legitimate-Interest Processing (Art. 21 GDPR)

Our cookieless product analytics relies on Art. 6(1)(f) GDPR (legitimate interest). You can object to this processing at any time:

  • Enable Do Not Track (DNT) or Global Privacy Control (GPC) in your browser — both signals are honored automatically and immediately disable analytics capture in your session.
  • Email [email protected] to request a manual, durable opt-out.

CCPA / CPRA Rights (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights. The following table describes the categories of personal information we collect:

| Category | Examples | Collected |
| --- | --- | --- |
| Identifiers | Name, email, user ID | Yes |
| Internet activity | Interactions with the Service (not general browsing history) | Yes |
| Geolocation data | IP-based approximate location | Yes |
| Sensory data | Audio files uploaded by users | Yes |
| Professional / employment | N/A | No |
| Protected classifications | N/A | No |

Your CCPA / CPRA rights include:

  • Right to Know: Request disclosure of the personal information we collect, use, and disclose about you.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out: Opt out of the “sale” or “sharing” of personal information. Note: We do not sell or share your personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

Other US State Privacy Laws

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or other states with comprehensive privacy laws, you may have similar rights to access, delete, correct, and opt out of certain processing activities. Please contact us at [email protected] to exercise these rights.

10. Automated Decision-Making and Profiling

Our AI systems perform automated processing of your content to generate metadata such as summaries, tags, and categories. This processing is designed to help you organize and retrieve your saved content more effectively.

What this processing does: Our AI systems generate derived metadata from your content to improve organization and search within your personal library.

What this processing does NOT do:

  • It does not make decisions that produce legal or similarly significant effects on you
  • It does not determine your eligibility for services, credit, employment, or other opportunities
  • It does not profile you for advertising or marketing purposes

Under GDPR Art. 22, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. As our automated processing does not produce such effects, Art. 22 does not apply. However, you may contact us at any time if you have concerns about our automated processing.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

Technical Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Secure authentication with industry-standard OAuth flow
  • Rate limiting and abuse prevention
  • Regular security updates and patching
  • Network segmentation and firewall protection
  • Automated vulnerability scanning
  • Secure API design with token-based authentication

Organizational Measures

  • Strict access controls based on the principle of least privilege
  • Data Processing Agreements (DPAs) with all sub-processors
  • Regular review of data processing activities
  • Incident response procedures for data breaches
  • Adherence to data protection best practices and ongoing security awareness

While we strive to protect your personal data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but will make reasonable efforts to address any security incidents in accordance with applicable law.

12. Children's Privacy

The Service is not directed at children, and we do not knowingly collect personal data from children.

  • EEA: Under the GDPR, we do not knowingly process personal data of children under the age of 16 years without verifiable parental consent.
  • United States (COPPA): We comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly collect personal data from children under the age of 13 years.

If we discover that we have collected personal data from a child without appropriate parental consent, we will take reasonable steps to delete the information as soon as reasonably practicable. If you believe that we have inadvertently collected personal data from a child, please contact us immediately at [email protected].

13. Data Retention and Beta Limitations

BETA NOTICE

The following limitations apply during the beta period and may affect data retention:

  • Database Resets: While database resets are not expected, the Service is in beta and unforeseen technical issues could result in data loss.
  • Data Loss: While we take reasonable precautions to protect your data, unexpected issues may occur during the beta period. We advise against using Noax as the sole repository for critical or irreplaceable information.
  • Feature Changes: Features and data processing capabilities may change, be added, or be removed during the beta period. Such changes may affect how your data is stored, processed, or displayed.

14. Disclosure of Your Information

We do not sell, trade, rent, or otherwise share your personal information with third parties, except in the following limited circumstances:

  • Service Providers: We share data with trusted third-party service providers (as listed in Section 7) solely to perform functions on our behalf and in accordance with our instructions.
  • Legal Requirements: We may disclose information if required to do so by law, regulation, or in response to valid legal process (e.g., subpoena, court order, or government request).
  • Protection of Rights: We may disclose information to protect the rights, property, or safety of Noax, our users, or the public, including to enforce our terms of service and prevent fraud.
  • Business Transfer: In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the successor entity. We will notify you via email or prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.
  • With Your Consent: We may share your information for any other purpose with your explicit consent.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

  • Material Changes: For significant changes that affect your rights or how we process your data, we will use reasonable efforts to provide at least 30 days' notice via email to the address associated with your account before the changes take effect, except where changes are required by law or necessary to address a security issue.
  • Minor Changes: For non-material changes (e.g., clarifications, formatting), we will update the “Last Updated” date at the top of this policy.
  • Continued Use: Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

We encourage you to periodically review this Privacy Policy to stay informed of updates.

16. Contact Us

If you have questions, comments, or concerns about this Privacy Policy or our data practices, please contact us:

Noax