Privacy Policy
noot8.com · Effective date: 18 June 2026 · Version 1.0
This policy explains how Noot8 collects, uses, and protects your personal data when you visit www.noot8.com or use our services. It is written in compliance with the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and applicable Italian data-protection law.
1. Data Controller
Company name: Noot8
Privacy contact email: info@noot8.com
Website: www.noot8.com
As the data controller, Noot8 determines why and how your personal data is processed. If you have any questions or wish to exercise your rights, please use the contact details above.
2. Who This Policy Covers
This Privacy Policy applies to three distinct groups of people whose personal data Noot8 may process:
| Data Subject | Who they are | Where their data arises |
|---|---|---|
| Website Visitors | Anyone who browses noot8.com | Cookies, contact form, newsletter sign-up, demo booking |
| Account Owners (Customers) | The individual or company that purchases a Noot 8 Subscription | Order placement, billing, support communications, remote onboarding |
| Authorised Users | Team members who create personal accounts on the Noot 8 Device under an Account Owner's Subscription | In-app account creation, EUA acceptance, query activity on the Device |
Each group is addressed specifically in Section 3 below. Data processed within the Noot 8 Device (your organisation's uploaded documents) remains entirely under your control — Noot8 does not access or hold that data on its own servers.
3. Personal Data We Collect, Why, and For How Long
3.1 Website Visitors
| Data Collected | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Name, email, subject, message (contact form) | Respond to enquiries | Legitimate interest (Art. 6(1)(f)) | 3 years from last contact |
| Email address (newsletter) | Send product updates and news | Consent (Art. 6(1)(a)) | Until consent withdrawn |
| Name, email, date/time, timezone (demo booking) | Schedule remote demo sessions | Pre-contractual steps (Art. 6(1)(b)) | 3 years from booking date |
| IP address, pages visited, session duration, device/browser (Google Analytics) | Web analytics — pseudonymised | Consent (Art. 6(1)(a)) | 26 months |
| Ad interaction data (Google Ads) | Measure campaign performance | Consent (Art. 6(1)(a)) | 90 days |
| Language preference, session token (Odoo cookies) | Core website functionality | Legitimate interest (Art. 6(1)(f)) | Session / 1 year |
3.2 Account Owners (Customers)
| Data Collected | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Name, company name, email, billing address, P.IVA | Create and manage the Subscription account | Contract (Art. 6(1)(b)) | Duration of Subscription + 10 years (Italian accounting law) |
| Payment method details (tokenised via Stripe) | Process recurring Subscription payments | Contract (Art. 6(1)(b)) | Duration of Subscription + legal retention period |
| Device delivery address | Ship the Noot 8 Device | Contract (Art. 6(1)(b)) | Duration of Subscription + 3 years |
| Support communications (email) | Provide technical and account support | Legitimate interest (Art. 6(1)(f)) | 3 years from last interaction |
| Remote onboarding session details | Assist with setup and configuration | Contract (Art. 6(1)(b)) | 3 years |
| EUA acceptance records for Authorised Users (on request) | Compliance documentation | Legal obligation (Art. 6(1)(c)) | Duration of Subscription + 3 years |
3.3 Authorised Users
Authorised Users are individuals who create personal accounts on the Noot 8 Device at the invitation of the Account Owner. The Account Owner is also a data controller for Authorised Users (as their employer or contracting organisation). Noot8 processes the following Authorised User data as data controller in its own right:
| Data Collected | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Username, hashed password | Authenticate the user account on the Device | Legitimate interest (Art. 6(1)(f)) — service operation | Duration of account |
| EUA acceptance record: username, timestamp, local IP at acceptance | Proof of agreement to the End User Agreement; compliance documentation | Legal obligation / legitimate interest (Art. 6(1)(c)/(f)) | Duration of Subscription + 3 years |
| Query excerpts transmitted for cloud reasoning (transient) | AI reasoning via Google Gemini on Vertex AI | Consent given at EUA acceptance (Art. 6(1)(a)) | Not retained after response — transient processing only |
| On-device query activity logs | Service quality monitoring; audit trail | Legitimate interest (Art. 6(1)(f)) | 90 days rolling on-device, then deleted automatically |
Authorised Users' uploaded documents are not personal data collected by Noot8. They are stored entirely on the Device under the control of the Account Owner's organisation. Noot8 has no access to them.
4. Special Categories of Data
Noot8 does not intentionally collect or process special categories of personal data (health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, criminal record information, etc.) through the noot8.com website or the Device.
If an Authorised User uploads documents containing special categories of data belonging to third parties (e.g. medical records, HR files), the Account Owner is responsible for ensuring they have a lawful basis for that processing. Noot8 recommends that organisations processing sensitive categories contact us to execute a Data Processing Agreement (clause 9.3).
5. How We Collect Your Data
5.1 Data you provide directly
Submitting the contact form on noot8.com (name, email, message).
Subscribing to the newsletter (email address).
Booking a remote demo (name, email, date, timezone).
Placing an order for a Subscription (billing and delivery details).
Creating an Authorised User account on the Noot UI (username, password, EUA acceptance).
5.2 Data collected automatically
Cookies and tracking technologies on noot8.com — see our Cookie Policy.
Server logs: IP address, browser type, pages visited, timestamps.
On-Device: query activity logs generated when Authorised Users interact with the Noot UI.
6. Legal Bases for Processing
Consent (Art. 6(1)(a)): newsletter, analytics cookies, advertising cookies, cloud query processing for Authorised Users. Consent can be withdrawn at any time.
Contract / pre-contractual steps (Art. 6(1)(b)): processing orders, managing Subscriptions, delivering the Device, scheduling remote demos.
Legal obligation (Art. 6(1)(c)): retaining billing records under Italian accounting law; maintaining EUA acceptance records.
Legitimate interest (Art. 6(1)(f)): responding to enquiries, operating core website and Device functions, providing support, on-device activity logs for service quality. We have conducted balancing tests and determined our interests do not override your rights.
7. Who We Share Data With
We do not sell personal data. We share data only with the processors below, each under a Data Processing Agreement or equivalent safeguard.
| Recipient | Role | Data Shared | Safeguard / Location |
|---|---|---|---|
| Odoo S.A. | Processor — website & CRM platform | Website visitor data, contact form, booking data, order data | EU (Belgium). DPA in place. |
| Stripe Inc. | Processor — payment processing | Account Owner billing data (tokenised) | USA. SCCs + Privacy Shield successor. Stripe DPA. |
| Google LLC (Analytics) | Processor — web analytics | Pseudonymised IP, browsing behaviour (website visitors) | USA. Standard Contractual Clauses (SCCs). |
| Google LLC (Ads) | Processor — ad measurement | Ad interaction events (website visitors) | USA. Standard Contractual Clauses (SCCs). |
| Google LLC (Gemini / Vertex AI) | Processor — cloud AI reasoning | Query text + retrieved excerpts (Authorised Users, when using cloud queries) | EU processing. Enterprise DPA. No data retained after response. No model training on customer data. |
| Shipping / logistics provider | Processor — Device delivery | Account Owner delivery address and name | EU. DPA in place. [Update with actual provider] |
We may also disclose data where required by Italian or EU law, court order, or to protect the safety and legal rights of Noot8 or third parties.
8. International Data Transfers
Google LLC and Stripe Inc. are based in the United States. Transfers to these processors are protected by Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR, and where applicable by the EU–US Data Privacy Framework.
Google Gemini / Vertex AI query processing occurs within the EU — no transfer to the US takes place for Authorised User query data.
You may request a copy of the relevant transfer safeguards by contacting info@noot8.com.
9. Your Rights Under GDPR
All data subjects (website visitors, Account Owners, and Authorised Users) have the following rights. Submit requests to info@noot8.com — we respond within 30 days (extendable to 90 days for complex cases).
Access (Art. 15): Obtain a copy of the personal data we hold about you.
Rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
Erasure (Art. 17): Ask us to delete your data where it is no longer necessary, or where you withdraw consent.
Restriction (Art. 18): Ask us to pause processing while a dispute is resolved.
Portability (Art. 20): Receive your data in a machine-readable format where processing is based on consent or contract.
Object (Art. 21): Object to processing based on legitimate interest; we will stop unless we can show compelling grounds.
Withdraw consent (Art. 7(3)): Withdraw consent at any time for consent-based processing (newsletter, analytics cookies, cloud query processing). Withdrawal does not affect prior lawful processing.
9.1 Note for Authorised Users
If you are an Authorised User, some of your data (e.g. on-device query logs) is held on the Device controlled by the Account Owner's organisation. For data held on-device, you should also contact your Account Owner, who has administrative access to on-device data. Noot8 can assist with EUA acceptance records and any data held on Noot8's own servers.
9.2 Supervisory Authority
You have the right to lodge a complaint with the Italian data protection authority:
9.3 Data Processing Agreement
Where Account Owners upload documents containing personal data of third parties to the Device, they act as data controller and Noot8 acts as data processor for any incidental processing that occurs within Noot8-supplied infrastructure. A formal Data Processing Agreement is available on request at info@noot8.com.
10. Cookies
For a full description of every cookie used on noot8.com, please see our Cookie Policy: www.noot8.com/cookie-policy.
11. Security
We implement appropriate technical and organisational measures to protect personal data, including:
HTTPS / TLS encryption on all noot8.com traffic;
HSTS headers enforced at server level;
end-to-end encryption for data in transit between the Device and Google Gemini;
on-device index encryption for data at rest;
access controls limiting Noot8 staff access to personal data;
automatic deletion of on-device query logs after 90 days.
No transmission over the internet is completely secure. If you believe your data has been compromised, contact info@noot8.com immediately.
12. Children's Privacy
Our website and services are not directed at individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will revise the effective date at the top and, for material changes, notify Account Owners by email. Authorised Users will be prompted to review the updated Privacy Policy the next time they log in to the Noot UI.
14. Contact
Email: info@noot8.com
Cookie Policy: www.noot8.com/cookie-policy
Terms of Service: www.noot8.com/terms
We aim to respond to all privacy enquiries within 30 days.
This Privacy Policy was prepared in accordance with GDPR (EU) 2016/679 and Italian Legislative Decree 196/2003 (as amended by D.Lgs. 101/2018). The authoritative Italian version is available at www.noot8.com/it/privacy-policy.
© 2026 Noot8. All rights reserved.