legal
Privacy Policy
Last updated 16 July 2026 · version 4.0
This policy explains what personal data noctixal.com collects, why, who processes it, and the rights you have over it.
1. Who is responsible
This website (noctixal.com) is operated by Noctixal (the operator identified at the top of this page), based in Kayl, Luxembourg. Noctixal is the data controller for personal data processed through this website. For any data-protection question or request, contact contact@noctixal.com. We have not appointed a Data Protection Officer, as our processing is small-scale and low-risk (GDPR Art. 37).
2. Professional scope
Our services are offered to businesses and professionals. The personal data we process is therefore mostly professional contact data (your name, business email, company). The protections in this policy apply to it in full.
3. What we collect and why
Contact form. Name, email, company (optional), and your message, used solely to read and respond to your enquiry. Lawful basis: Art. 6(1)(b) GDPR (pre-contractual steps) and Art. 6(1)(f) (managing business enquiries).
Configurator. The configuration you assemble (tier, options) is not personal data. If you send a configuration to us, we receive it together with the contact fields above. Lawful basis: Art. 6(1)(b).
Orders and contract evidence. When you order, we record your company identity (including VAT/RCS/permit number), the accepted terms version, the time of acceptance, and technical order data (IP address, browser identifier). This is our proof that the contract was concluded. Lawful basis: Art. 6(1)(b) and 6(1)(f) (evidence of contract conclusion).
Payments and SEPA mandates. Payment and mandate data (IBAN, mandate reference) is collected and stored by our payment processor, Stripe. We never store your card or account details on our own systems; we hold only the mandate reference and payment status. Lawful basis: Art. 6(1)(b).
Onboarding content. When you supply content for your project (text, images, logos, business details) through our onboarding flow, we store it to build your project. Access links sent by email (“magic links”) are stored only as cryptographic hashes and expire automatically. Lawful basis: Art. 6(1)(b).
AI-assisted drafts. If you use the optional AI-assisted text drafting during onboarding, your questionnaire answers are processed by our AI provider (Anthropic) to produce a first draft, which is always reviewed by a human before use. No data is used to train third-party models under our agreement. Lawful basis: Art. 6(1)(b).
Server logs. Standard technical logs (IP address, request time) for security and reliability. Lawful basis: Art. 6(1)(f).
We do not collect special-category data and do not carry out automated decision-making or profiling.
4. Analytics
We use a self-hosted instance of Plausible Analytics running on our own EU server (stats.noctixal.com). It is cookieless, collects no personal identifiers, does not track you across sites, and its data never leaves our infrastructure. Lawful basis: Art. 6(1)(f) (measuring aggregate site usage). No consent banner is required because no cookies are set and no personal data is shared with third parties.
5. Cookies
This website sets no tracking cookies. A few strictly functional items are stored in your browser (for example, your configurator selection while you move to the contact form); they identify nothing about you and expire with your session.
6. Who processes your data
| Provider | Role | Location |
|---|---|---|
| Hetzner Online GmbH | Website, database, and upload hosting | Germany (EU) |
| Stripe Payments Europe Ltd | Payments, SEPA mandates, invoicing | Ireland (EU); part of the US Stripe group, safeguarded by EU Standard Contractual Clauses |
| Resend (Plus Five Five, Inc.) | Transactional email (order confirmations, sign-in codes, reminders) | USA, safeguarded by EU Standard Contractual Clauses |
| Plausible (self-hosted) | Cookieless aggregate analytics | Our own server, Germany (EU) |
| Anthropic | AI-assisted first drafts during onboarding (optional) | USA, safeguarded by EU Standard Contractual Clauses |
| Apple (iCloud Mail) | Business mailbox for enquiries | EU data centres; Apple Inc. is US-based |
We do not sell personal data and do not share it for advertising.
7. How long we keep your data
- Enquiries that do not lead to a contract: up to 12 months from last contact, then deleted.
- Contract and terms-acceptance evidence (accepted terms version, timestamp, technical order data): for the duration of the contract plus 10 years, per the Luxembourg commercial 10-year retention and prescription rules.
- Invoices and accounting records: 10 years, as required by Luxembourg law.
- Onboarding uploads and project content: for the duration of the contract; exported and deleted no later than 30 days after the contract ends, except where retention is legally required.
- Magic-link tokens: hashed only, expire automatically after at most 30 days of inactivity.
- Server logs: kept briefly for security, then deleted.
8. Your rights
Under the GDPR you can access your data (Art. 15), correct it (Art. 16), have it erased (Art. 17), restrict processing (Art. 18), receive it in a portable format (Art. 20), and object to legitimate-interest processing (Art. 21). Contact contact@noctixal.com; we respond within one month, at no charge.
You may lodge a complaint with the Commission nationale pour la protection des données (CNPD), 15 boulevard du Jazz, L-4370 Belvaux, cnpd.lu.
9. Changes to this policy
This policy is versioned. The current version is always published on this page. Material changes affecting how your data is processed under an active contract are announced by email.