// LEGAL: PRIVACY_POLICY

Privacy Policy

Last updated: February 20, 2025

TLDR

We sell nothing, but we do collect some data. Here's exactly what, why, and what you can do about it.

1. Data Controller

The data controller for NaaS (Nothing as a Service) is placeholder (trade name), operating NaaS.

No Data Protection Officer (DPO) is required at our current scale of operations.

2. What We Collect & Why

The following table details all personal data we process, the legal basis under GDPR Article 6, the purpose, and retention period.

Data                | Legal Basis               | Purpose                        | Retention
Email               | Contract 6.1.b            | Account, auth, receipts        | Until deletion
Display name        | Consent 6.1.a             | Leaderboard                    | Until changed/deleted
Purchase amounts    | Contract 6.1.b            | Service, leaderboard, receipts | Until deletion
IP address          | Legitimate interest 6.1.f | Security, fraud prevention     | 90 days
Consent records     | Legal obligation 6.1.c    | GDPR proof                     | 5 years
Null Agent chats    | Contract 6.1.b            | Service, credit tracking       | Until deletion
Cookie prefs        | Consent 6.1.a             | Respect choices                | Until changed
Analytics           | Consent 6.1.a             | Improve service                | Aggregated
Transaction records | Legal obligation 6.1.c    | Dutch tax law                  | 7 years

3. Cookies

We use the following categories of cookies:

  • Essential — Always active. Required for authentication, security, and core functionality. Cannot be disabled.
  • Analytics — Firebase Analytics, activated only with your explicit consent. Used to understand how the service is used.
  • Marketing — None currently. If we ever introduce marketing cookies, we will update this policy and request separate consent.

Granular cookie control is available via the consent banner shown on your first visit. You can change your preferences at any time via the cookie settings link in the footer.

4. Third-Party Processors

We share data with the following processors under Data Processing Agreements (DPAs):

Processor | Purpose                  | Data Shared                | Location
Supabase  | Database, auth           | Email, profile, purchases  | EU (Frankfurt)
Stripe    | Payments                 | Email, payment info        | EU + US
Vercel    | Hosting                  | IP, request logs           | EU
Anthropic | Null Agent AI            | Chat messages (anonymized) | US
SendGrid  | Email, receipts          | Email address              | US
Firebase  | Analytics (if consented) | Anonymized usage           | US

For US-based processors, transfers are covered by the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs) as required by GDPR Chapter V.

5. Your Rights (GDPR Articles 15–22)

Under the GDPR, you have the following rights:

  • Right of access (Article 15) — Obtain a copy of your personal data and information about how it is processed.
  • Right to rectification (Article 16) — Correct inaccurate or incomplete personal data.
  • Right to erasure (Article 17) — Request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction of processing (Article 18) — Limit how we process your data in certain circumstances.
  • Right to data portability (Article 20) — Receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Article 21) — Object to processing based on legitimate interests.
  • Right not to be subject to automated decision-making (Article 22) — Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

How to exercise: Email legal@nothingasaservice.co or use the self-service options in your account dashboard. We will respond within 30 days as required by GDPR Article 12.

6. Data Retention

  • Active account — Data is retained for the duration of your account to provide the service.
  • Deleted account — Personal data is purged within 30 days of account deletion, except where legal retention applies.
  • Exception: Transaction records — Retained for 7 years as required by the Algemene wet inzake rijksbelastingen (Dutch General Tax Act), Article 52.
  • Exception: Consent records — Retained for 5 years to demonstrate GDPR compliance.

7. Data Security

  • All data is encrypted at rest and in transit (TLS 1.2+).
  • Payment processing is handled by Stripe, which is PCI DSS Level 1 certified. We do not store credit card numbers, CVVs, or other sensitive payment data on our servers.
  • No sensitive authentication data is stored client-side beyond session tokens.
  • In the event of a data breach, we will notify affected users and the Autoriteit Persoonsgegevens within 72 hours as required by GDPR Article 33.

8. Children

NaaS is intended for users aged 18 and older. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will take steps to delete that data promptly.

9. Future: Data Monetization

We currently do not sell, rent, or trade your personal data to third parties for marketing or any other purpose.

If data monetization is ever considered in the future:

  • Separate, explicit consent will be required before any data is shared.
  • The service will continue to work fully without opting in.
  • Full transparency will be provided about what data is shared, with whom, and for what purpose.
  • Consent can be withdrawn at any time, without penalty.
  • This privacy policy will be updated before any such change takes effect.

We mention this because we believe in being upfront, not because we're planning it.

10. Automated Decision-Making

We do not engage in automated decision-making that significantly affects users. The Null Agent is powered by AI, but it does not make decisions about you, your account, or your rights. It exists solely to provide conversational responses as part of the service.

11. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority:

12. Changes to This Policy

  • Material changes — We will notify you via email at least 30 days before any material changes to this privacy policy take effect.
  • Non-material changes — Updated on this page with a revised "Last updated" date.

13. Contact

For any privacy-related inquiries, contact us at: