Privacy Policy
Last updated: February 27, 2026
1. Data Controller
This Privacy Policy applies to the Noxu mobile app and related cloud services.
Pascal Fan Wetzel, trading as Ordiia Software
Luisenstrasse 25
65185 Wiesbaden
Germany
Email: privacy@noxu.app
2. Categories of Personal Data
Depending on how you use the service, we process the following categories of personal data.
- Account and Authentication Data: for example email, authentication provider identifiers, and account IDs.
- Contract Data and Related Files: content you store in the app, including encrypted sync payloads, snapshots, and attachment blobs.
- Subscription and Billing Metadata: status data received via payment/subscription providers.
- Device and Technical Data: data required for service operation, for example app/device identifiers, push token, and security/sync metadata.
- Operational Service Metadata: for example model name, token counts, latency, and timestamps.
- Optional Anonymous Analytics Data: if you opt in, aggregated in-app usage events (for example feature interactions and timestamps), without contract content.
- Feedback and Support Data: data you submit, for example feedback category, message, optional diagnostics, and contact email.
- AI Processing Input: document text sent to cloud AI only when AI processing is enabled by you.
3. Data Sources
We primarily receive personal data directly from you, from your use of the app, and from integrated service providers (for example authentication, subscription/billing, and cloud infrastructure providers).
4. Purposes and Legal Bases (GDPR)
We process personal data for the following purposes and on the following legal bases.
- Core Account and Contract Operation: account management, synchronization, contract tracking, and core app operation. Legal basis: Art. 6(1)(b) GDPR.
- Subscription Lifecycle: payment status synchronization and subscription handling. Legal basis: Art. 6(1)(b) GDPR.
- Security and Service Integrity: fraud/abuse prevention, technical reliability, and integrity controls. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
- Crash and Stability Telemetry (Firebase Crashlytics): reliability diagnostics and incident response. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
- Request Attestation (Firebase App Check): abuse prevention and service security. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
- Optional Anonymous In-App Analytics: analytics only when you consent. Legal basis: Art. 6(1)(a) GDPR (consent); where applicable for device-side storage/access, Section 25(1) TDDDG.
- Legal Compliance: accounting, tax, and mandatory legal records. Legal basis: Art. 6(1)(c) GDPR.
- Optional Cloud AI Processing: AI scan/summary processing when you opt in. Legal basis: Art. 6(1)(a) GDPR (consent).
- Support and Feedback Handling: customer support and product quality handling. Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
Our legitimate interests under Art. 6(1)(f) include secure operation of the service, incident response, abuse prevention, and ongoing service quality and reliability improvements.
5. AI Cloud Processing
AI cloud processing is optional and requires explicit opt-in. When you initiate AI processing, selected content is processed locally and, where applicable, decrypted locally before transmission over HTTPS/TLS to our EU-based AI provider, Mistral AI SAS (France), for extraction and summary generation. We store AI operational metadata (for example token usage, latency, and processing timestamps) for security, billing, and reliability purposes; we do not store raw contract text in AI operational logs.
6. Security Measures
The following technical and organizational safeguards are implemented.
- Encrypted Transport: HTTPS/TLS.
- Client-Side Encryption: contract data at rest and encrypted sync payloads.
- Access Controls: checks for account and vault operations.
- Log Protections: default sanitization and redaction controls.
- Security Governance: technical and organizational measures designed to protect confidentiality, integrity, and availability.
Crash and stability telemetry (Firebase Crashlytics) is configured for technical diagnostics (for example stack traces, device model, and OS version) and is not intended to include personal contract content or encrypted vault payloads.
If you enable AI processing, selected text is sent to the AI provider only for the requested AI functionality as described in Section 5.
Contract data and attachments are encrypted on your device before cloud synchronization; cloud storage contains encrypted payloads. We do not store plaintext decryption keys in the cloud; cloud key material is stored only in wrapped form.
Because we do not have access to your plaintext decryption keys, we cannot access your encrypted contract content. If you lose both your master password and your recovery phrase, we cannot recover your encrypted data.
7. Processors and International Transfers
We engage the following processors and service providers.
- Google Firebase / Google Cloud: Auth, Firestore, Storage, Functions, App Check, and FCM.
- Mistral AI SAS (France): AI inference.
- RevenueCat: subscription management.
- Firebase Analytics: anonymous in-app usage analytics (opt-in only).
- Firebase Crashlytics: stability telemetry.
- Webhook Notification Provider: support alert delivery with minimal metadata only (for example feedback category, ticket ID, timestamp).
We engage processors under data processing agreements pursuant to Art. 28 GDPR. Some processors may process data outside the EEA. Where this occurs, we rely on an adequacy decision (Art. 45 GDPR) where available, or otherwise on appropriate safeguards under Art. 46 GDPR (in particular Standard Contractual Clauses), with supplementary measures where required. You can request information about the applicable transfer safeguards using the contact details in Section 13.
8. Retention
We retain personal data only as long as necessary for the stated purposes, unless longer retention is required or permitted by law. Retention may vary by data type and legal context.
- Account, Contract, and Attachment Data: retained while your account is active. After account deletion, production data is deleted without undue delay. Backup/tombstone and deletion-audit artifacts may remain for up to 14 days for recovery and integrity controls, then are deleted.
- Subscription and Billing Records: retained according to contractual and statutory retention duties.
- Push Token and Device Sync Metadata: retained while needed for background sync delivery and removed when invalid, replaced, or no longer required.
- Feedback and Support Records: retained for up to 90 days to process and follow up on support requests and product quality issues.
- Anonymous Analytics Events: retained according to configured Firebase Analytics retention settings (currently up to 14 months).
- Crash and Stability Telemetry (Firebase Crashlytics): retained for up to 90 days.
- AI Operational Usage Logs: 14 days.
- GDPR Export Logs: 90 days.
- Deletion Audit and Tombstones: 14 days.
- Reservation and Rate-Limit Records: minutes to hours, then cleanup/TTL.
9. Required Data and Consequences of Not Providing It
Some data is required to provide core app functionality (for example account/authentication data, sync/security metadata, and subscription status data for paid features). If such data is not provided, certain features or the service as a whole may not function.
Anonymous analytics consent and AI cloud processing consent are each optional and not required for core app functionality.
10. Your Rights
You may request access, rectification, deletion, restriction, objection, and portability where applicable. You may also withdraw consent for AI cloud processing and anonymous analytics at any time (without affecting processing carried out before withdrawal). When analytics consent is withdrawn, we stop future analytics collection and reset analytics data stored on your device.
To exercise your rights, use the contact details in Section 13. We may request information necessary to verify your identity before fulfilling your request.
11. Automated Decision-Making
We do not use solely automated decision-making, including profiling, that produces legal effects or similarly significant effects on you within the meaning of Art. 22 GDPR.
12. Changes to this Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the most recent changes were made. We encourage you to review this page periodically.
13. Contact and Complaints
For privacy requests, contact privacy@noxu.app. You also have the right to lodge a complaint with a supervisory authority, in particular with the Hessian Commissioner for Data Protection and Freedom of Information (HBDI): https://datenschutz.hessen.de/service/beschwerde-uebermitteln. You may alternatively contact the supervisory authority for your place of habitual residence, your place of work, or the place of the alleged infringement.