Privacy policy
Last updated: July 2, 2026
Early-access draft. This document is pending legal review and will be finalized before public launch. Questions: [email protected].
1. Controller
Controller within the meaning of the GDPR: [COMPANY_LEGAL_NAME], [REGISTERED_ADDRESS], email: [email protected] (see the imprint). We have not appointed a data protection officer; we are not required to. Contact for all privacy matters: [email protected].
2. What we process, and why
Account data. Name or company name, email address, password (stored only as a salted hash), VAT-payer status, and your in-app settings. Purpose: providing your account and the service. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Amazon seller data. After you authorize us through Amazon's Selling Partner API, we sync the data the repricer needs: your catalog and listings, offer and Buy Box data (including competing offers as returned by Amazon), your fees as reported by Amazon, and your orders. Order data is limited to business records — order IDs, amounts, statuses, marketplace and item/SKU details. We do not request, receive or store your buyers' personal data — no buyer names, emails or delivery addresses. Purpose: syncing, margin calculation and repricing. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Data you enter. Product costs, shipping cost tiers, repricing rules and their settings. Purpose: computing honest margins and the Protected Floor. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Notification emails. If something needs your attention (for example your Amazon connection expires or syncing fails repeatedly), we email you at your account address. Legal basis: performance of a contract / legitimate interest in keeping the service functional for you (Art. 6(1)(b) and (f) GDPR). We do not send marketing emails.
Technical logs. Our servers keep standard technical logs (IP address, timestamps, requested URLs) for security and troubleshooting. Legal basis: legitimate interest in operating the service securely (Art. 6(1)(f) GDPR).
3. What we do not do
- No analytics or tracking scripts — neither on this website nor in the app.
- No advertising, no sale of data, no sharing of your business data with other customers.
- No marketing emails.
- No automated decisions about people. The repricing automation acts on product prices according to rules you configure; it does not make decisions with legal or similar effects on natural persons (Art. 22 GDPR does not apply).
4. Cookies
This website sets no cookies. The app (app.noxeni.com) sets strictly necessary session cookies required for login — nothing else. Because we use no tracking cookies, there is no cookie consent banner.
5. Recipients and processors
We use a small number of service providers (processors) to run the service:
- Hetzner Online GmbH (Germany) — server hosting in EU data centers.
- Cloudflare, Inc. (USA/EU) — DNS, TLS and reverse proxy in front of the service, and encrypted off-site database backups (Cloudflare R2). Transfers to the USA are safeguarded by the EU–US Data Privacy Framework and/or standard contractual clauses.
- Resend, Inc. (USA) — delivery of transactional notification emails (recipient address and message content only). Transfers are safeguarded by standard contractual clauses.
Amazon (Amazon Services Europe S.à r.l. and affiliates) is not our processor: it is the platform you sell on. We retrieve data from Amazon and submit price changes to Amazon based on your authorization and instructions; Amazon processes that data under its own terms and privacy notice.
6. Retention
- Account and seller data: kept while your account is active.
- After account deletion: production data is deleted within 30 days.
- Encrypted off-site backups rotate out automatically within approximately 3 months (daily/weekly/monthly retention scheme).
- Data we must keep for statutory retention duties (e.g. invoices) is kept for the statutory period.
- Amazon authorization tokens are stored encrypted (AES-256) and are deleted when you disconnect your Amazon account or delete your NOXENI account. You can additionally revoke the authorization in Amazon Seller Central at any time.
7. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you (Art. 15),
- rectification of inaccurate data (Art. 16),
- erasure (Art. 17) and restriction of processing (Art. 18),
- data portability (Art. 20),
- object to processing based on legitimate interest (Art. 21),
- lodge a complaint with a supervisory authority — for us: [SUPERVISORY_AUTHORITY], or the authority of your habitual residence.
To exercise any of these rights, email [email protected]. We answer within one month.
8. Security
Data is encrypted in transit (TLS). Amazon refresh tokens are stored encrypted at the application level. Access to production systems is restricted, and each customer's data is strictly separated per tenant in the application and database layer. Backups are encrypted before leaving the server.
9. Changes
We will update this policy as the service evolves (for example when a billing provider is added) and note the date above. Material changes are announced by email or in the app.