This Privacy Policy explains how NOBATECH processes your personal data when you use our services, including the Nobamouse and Nobahub platforms, our corporate website, and our Windows desktop application.
For website terms of use, see the Website Terms of Service.
For beta program participation, see the Beta Participation Agreement.
This Privacy Policy explains how NOBATECH SAS (“NOBATECH”, “we”, “us”, or “our”) processes personal data when you use our services (the “Services”), including our SaaS platforms (Nobamouse and Nobahub), our corporate website, and our Windows desktop application.
This policy applies to visitors, users, beta testers, prospects, and anyone interacting with us through support channels or social media.
If you use the Services on behalf of an organization, your organization may control how your account is used. We remain the controller for the processing described in this policy unless stated otherwise in a contract.
NOBATECH SAS, a société par actions simplifiée registered in France with its registered office at 95 rue des joncs, 57455 Seingbouse, France, is the controller for the processing described in this Privacy Policy.
NOBATECH has not appointed a Data Protection Officer as it does not meet the criteria under Art. 37 GDPR. For privacy matters, contact privacy@nobatech.eu.
Depending on how you use the Services, we may process the following categories of personal data:
Account and profile data (e.g., name, email address, organization, profile picture).
Authentication and security data (e.g., password hash, administrator 2FA settings, audit logs).
Support and communications data (e.g., ticket content, selected support language, emails).
Usage and technical data (e.g., IP address, user agent, browser/device metadata, security logs).
Telemetry and diagnostic data (e.g., interaction events, application behaviour, crash reports) where needed for support or product quality.
Public feedback data (e.g., votes, comments, issue submissions) where such features are available.
Newsletter and waitlist data (e.g., email, name) if you subscribe or join a beta waitlist.
Business development and social media data (e.g., contact details, messages, media content) if you interact with us through those channels.
We do not intentionally collect special categories of personal data. However, some information may be inferred or provided in free-text fields (e.g., support tickets or business discussions). Please avoid sharing sensitive information unless it is necessary.
For the public issues platform (BUS-OPE-005), any sensitive personal information you post is considered manifestly made public by you within the meaning of Article 9(2)(e) GDPR. You should avoid including such information; however, if you choose to post it, it may be viewed by other beta testers and processed as described in this policy. You may request removal of specific content by contacting privacy@nobatech.eu.
We process personal data only to the extent necessary for the purposes described below. Depending on the context, our legal basis is one of the following: performance of a contract, legitimate interests, compliance with legal obligations, and/or your consent.
4.1 Core Service Operations
Maintenance (SaaS): Maintain technical performance, stability, availability, continuity planning, and security monitoring for Nobamouse and Nobahub. Legal basis: legitimate interests. (Ref. BUS-OPE-001)
Product development: Research, analysis, beta testing, engagement analysis, and telemetry for quality improvement. Legal basis: contract. (Ref. BUS-OPE-003)
Ticketing and customer support: Provide technical support, bug tracking, and assistance. Legal basis: contract. (Ref. BUS-OPE-004)
Public issues and feedback: Manage collaborative feedback, guidance, and issue resolution. Legal basis: contract; for sensitive data in public posts: Article 9(2)(e) GDPR (manifestly made public). (Ref. BUS-OPE-005)
4.2 Strategy, Marketing, and Communication
Business development: Manage relationships with prospects, partners, clinics, and investors. Legal basis: legitimate interests. (Ref. BUS-STR-001)
Social media: Communicate, build brand recognition, and interact with users/community on third-party platforms. Legal basis: legitimate interests; where required, consent (e.g., use of identifiable imagery). (Ref. BUS-STR-002)
Newsletters and beta waitlists: Send updates and notifications. Legal basis: consent (newsletter) and/or contract (where applicable). (Ref. BUS-STR-003)
IT maintenance: Maintain our internal IT systems, tools, backups, and (where used) remote support. Legal basis: legitimate interests. (Ref. BUS-INF-001)
Supplier management: Manage operational and commercial relationships with suppliers. Legal basis: legitimate interests. (Ref. BUS-MISC-001)
The following summarises the main processing activities currently recorded in our internal records of processing. It is provided for transparency and to help you understand how we use personal data.
5.0.1 BUS-OPE-001 — Maintenance (SaaS)
Purpose: Maintaining the technical performance, stability, and availability of the Nobamouse and Nobahub SaaS platforms and infrastructure.
Legal basis: Legitimate interests
Key data: Account data (email, name, organization, profile picture), admin audit logs, connection logs (IP, user agent), approximate location (IP town level).
Retention: Account data: until account closure; admin records: up to 2 years. Connection logs: 1 month then anonymised. Approximate location (IP town): 3 years then anonymised.
Transfers: No transfers outside the EU/EEA recorded for this processing.
5.0.2 BUS-OPE-002 — Fraud Detection
Purpose: Detecting, preventing, and mitigating fraudulent or abusive activities involving the service, its users, or its infrastructure.
Retention: Account data: until account closure; admin records: up to 2 years. Connection logs: 1 month then anonymised. Approximate location: 3 years then anonymised. Payment transaction IDs: up to 10 years (accounting/audit).
Transfers: No transfers outside the EU/EEA recorded for this processing.
5.0.3 BUS-OPE-003 — Product Development
Purpose: Research, analysis, and product development activities supporting continuous innovation, improved functionality, and solution quality (including beta testing and telemetry).
Retention: Account data: until account closure; admin records: up to 2 years. Engagement timestamps: up to 3 years then anonymised. Telemetry files: approximately 2 months then anonymised.
Transfers: No transfers outside the EU/EEA recorded for this processing.
5.0.4 BUS-OPE-004 — Ticketing
Purpose: Technical support and customer assistance; ensuring product functions for clients; bug tracking; additional support via system information (telemetry).
Legal basis: Contract
Key data: Account and profile data; support ticket content (subject/message/status/metadata); selected support language; interaction timestamps; telemetry/diagnostics files.
Retention: Ticket data: until account closure; admin records: up to 2 years. Ticket interaction timestamps: up to 3 years then anonymised. Telemetry files: approximately 2 months then anonymised.
Transfers: No transfers outside the EU/EEA recorded for this processing.
5.0.5 BUS-OPE-005 — Public Issues
Purpose: Enable collaborative feedback exchange to help shape, identify, understand and resolve issues; provide guidance; anonymise content for publication; inform product decisions.
Retention: Contact data: end of customer relationship + 2 years. Media/content: case-by-case.
Transfers: Certain social media platforms may involve transfers to the USA (e.g., YouTube/Alphabet, Instagram/Meta, LinkedIn, Discord, Reddit). Safeguards may include EU–US Data Privacy Framework for certified providers (where applicable).
5.0.7 BUS-STR-002 — Social Media
Purpose: Business acquisition, brand recognition, communication, content creation, and market analysis/research through social media platforms.
Legal basis: Legitimate interests and/or consent (depending on activity)
Retention: Media content: up to 10 years (notably for publicity rights management scenarios). Comments/interactions: per platform and internal needs.
Transfers: Social media platforms may process data in the USA (e.g., YouTube/Alphabet, Instagram/Meta, LinkedIn, Discord). Safeguards may include EU–US Data Privacy Framework for certified providers (where applicable).
5.0.8 BUS-STR-003 — Newsletters
Purpose: Publish newsletters about product updates and company life; manage beta waiting list notifications.
Legal basis: Consent (newsletter)
Key data: Email address, first name, last name.
Retention: Until unsubscribe or account closure; deleted immediately after end of subscription/account.
Transfers: No transfers outside the EU/EEA recorded for this processing.
5.0.9 BUS-STR-004 — Corporate Website
Purpose: Develop corporate identity; manage corporate website contact forms for business/HR enquiries.
Legal basis: Legitimate interests
Key data: Contact form data (name, email, phone, subject, message); strictly necessary first-party cookies (CSRF token, authentication callback URL, locale preference); local storage values (cookie-banner state, display theme, authentication session-event metadata).
Retention: Contact form emails: up to 6 months from receipt (no database storage). Cookies: session-scoped (cleared on browser close). Local storage: persistent until cleared by user or application; no personal identifiers stored.
Transfers: No transfers outside the EU/EEA recorded for this processing.
5.0.11 BUS-INF-001 — IT Maintenance
Purpose: Maintenance of internal information systems: infrastructure, terminals (BYOD), communication tools, and digital tools; backups; remote support (AnyDesk).
Legal basis: Legitimate interests
Key data: Device and system logs (Windows logs, application logs), AnyDesk identifiers, tool account data (depending on tool).
Retention: As needed for IT maintenance; backups for source code only.
Transfers: Depends on specific tools used.
5.0.12 BUS-MISC-001 — Suppliers
Purpose: Manage operational and commercial relationships with suppliers and prescribers (e.g., clinics).
Legal basis: Legitimate interests
Key data: Supplier contact details (name, email, phone), business cards.
Retention: End of relationship + 2 years.
Transfers: Depends on CRM selected (future).
This summary is based on our internal records of processing. Details may vary depending on your use of the Services.
We share personal data only on a need-to-know basis:
Within NOBATECH (e.g., operations/product, technical/IT, strategy/marketing) to operate and improve the Services.
With service providers acting as processors under contractual safeguards. Our primary infrastructure provider is OVHcloud (OVH SAS, 2 rue Kellermann, 59100 Roubaix, France), which provides hosting and private network services under a data processing agreement (available at ovhcloud.com/legal/data-processing-agreement). OVHcloud does not have access to personal data at rest or in transit due to encryption measures; full processing authority remains with NOBATECH.
With third-party platforms where you choose to interact with us (e.g., social media). In those cases, the platform may act as an independent controller.
We do not sell personal data.
Some third-party platforms and service providers may process personal data outside the European Union/EEA (for example, certain social media platforms). Where required, we rely on appropriate safeguards such as adequacy decisions (including Data Privacy Framework certification where applicable) and/or Standard Contractual Clauses.
We retain personal data only as long as necessary for the purposes described above, and then delete or anonymise it. The exact period depends on the processing activity, legal requirements, and operational needs. Key examples from our current setup include:
Account and profile data: retained until account closure; certain administrator records may be kept up to 2 years to support maintenance and decision-making.
Security and connection logs: typically retained up to 1 month and then anonymised.
Approximate location based on IP (town level): typically retained up to 3 years and then anonymised.
Telemetry and diagnostic files: typically retained up to 2 months and then anonymised.
Support tickets: retained until account closure; certain interaction timestamps may be retained up to 3 years and then anonymised.
Payment-related identifiers (e.g., transaction IDs): retained up to 10 years in compliance with legal obligations under French commercial law (Art. L123-22 Code de commerce).
Corporate website contact enquiries: typically retained up to 6 months.
Website cookies (CSRF, authentication callback, locale): session-scoped; cleared when the browser session ends. Website local storage (cookie-banner state, display theme, authentication metadata): persistent until cleared by the user or the application; no personal identifiers are stored.
Newsletters: retained until you unsubscribe (or your account is closed).
Public issues/comments: de-identified on closure and retained up to 1 year; then anonymised (for example, for internal rephrasing and analysis).
We implement technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures may include, depending on the system and role:
Encryption at rest for databases and role-based access control (including row-level security).
Strong authentication, including 2-factor authentication and audit logging for administrator access.
Network and infrastructure access controls (e.g., VPN-based access) and secure transport (TLS) where applicable.
Subject to applicable law, you may have the following rights regarding your personal data:
Access to your personal data.
Rectification of inaccurate or incomplete data.
Erasure of your data (in certain cases).
Restriction of processing (in certain cases).
Data portability (where applicable).
Objection to processing based on legitimate interests (in certain cases).
Withdrawal of consent at any time, where processing is based on consent (this does not affect prior processing).
Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not currently make any such automated decisions. Where activity scores or similar metrics are used (e.g., in the Beta Program), they serve informational and product development purposes only and are not used to make decisions with legal or similarly significant effects on you.
To exercise your rights, contact us at privacy@nobatech.eu. We may need to verify your identity before responding.
You have the right to lodge a complaint with your local data protection supervisory authority, or with the competent data protection supervisory authority in the Member State of your residence, place of work, or place of the alleged infringement. In France, the competent authority is the Commission Nationale de l’Informatique et des Libertés (CNIL), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07.
The Website uses strictly necessary first-party cookies and browser local storage to operate the service. These technologies qualify as strictly necessary within the meaning of Article 5(3) of Directive 2002/58/EC (ePrivacy Directive) and do not require your consent.
Specifically, the Website sets the following cookies:
a CSRF protection token used by the authentication framework (session-scoped, Secure, HttpOnly);
an authentication callback URL used during sign-in (session-scoped, Secure, HttpOnly); and
a locale cookie storing your selected language preference (session-scoped).
The Website also uses browser local storage to retain:
whether the cookie information banner has been displayed;
your selected display theme (light or dark mode); and
session-event metadata required by the authentication framework.
The Website does not use analytics cookies, advertising cookies, social-media plug-ins, pixel trackers, browser fingerprinting, or any other tracking technology. No data collected through these mechanisms is shared with third parties.
We may update this Privacy Policy from time to time for legal, technical, or operational reasons. The updated version will be published on our website. The updated policy applies from its effective date. We will notify users of material changes through the Services.
If you have questions about this Privacy Policy, please contact us: