Privacy

NoNoiseMetrics

Exploité en tant que micro-entreprise sous le droit français

SIREN: 842 134 223

Email: contact@nonoisemetrics.com

Website: nonoisemetrics.com

Établissement: France (Strasbourg)

Activity: Edition and operation of a SaaS analytics platform for professionals.

VAT: As a micro-entreprise below the VAT threshold, NoNoiseMetrics is not subject to VAT registration (franchise en base de TVA — Article 293B CGI). A VAT number will be indicated here if and when registration becomes applicable.

Hostinger EU (UAB Hostinger International)

Registered address: Jolantos g. 2, Kaunas LT-44329, Lithuania — European Union

Website: hostinger.com — Contact: gdpr@hostinger.com

The NoNoiseMetrics application and associated data are hosted exclusively within the European Union.

The publication director is the individual operator of NoNoiseMetrics (micro-entreprise, SIREN 842 134 223). Contact: contact@nonoisemetrics.com

The NoNoiseMetrics brand, logo, platform code, interface design, and all content produced by the operator (excluding Customer data) are protected by intellectual property law. Any reproduction, distribution, or use without prior written authorisation is prohibited.

Third-party trademarks (Stripe, Supabase, PostHog, Brevo, Hostinger) are the property of their respective owners and are referenced solely for descriptive purposes.

This website and its content are governed by French law.

In the event of a dispute relating to the use of this website or the NoNoiseMetrics service, and in the absence of an amicable resolution, the dispute shall be submitted to the exclusive jurisdiction of the:

Tribunal de Commerce de Strasbourg
Palais de Justice, 3 place du Marché Vert
67000 Strasbourg, France

As a B2B service (professionals and legal entities only), disputes fall under commercial law jurisdiction.

NoNoiseMetrics is a B2B service. The EU Online Dispute Resolution platform (ec.europa.eu/consumers/odr) and consumer mediation requirements do not apply. If you are a professional Customer with a dispute, please refer to Section 5 above and the dispute resolution provisions in the Terms of Service.

For any questions relating to this Legal Notice: contact@nonoisemetrics.com

NoNoiseMetrics

Exploité en tant que micro-entreprise sous le droit français

SIREN: 842 134 223

Email: contact@nonoisemetrics.com

Website: nonoisemetrics.com — Établissement: France (Strasbourg)

For all data protection enquiries: contact@nonoisemetrics.com

As a micro-entreprise, NoNoiseMetrics is not required to appoint a formal Data Protection Officer (DPO) under Article 37 GDPR. All data protection requests are handled personally by the operator within 30 days.

We do not sell personal data to any third party. We do not use Stripe billing data or your customers' data to train AI or machine learning models.

Where we rely on legitimate interest (Article 6(1)(f)), we have assessed that our interests do not override your rights:

• Security monitoring: retention of IP addresses and HTTP logs for 12 months is proportionate to the need to protect the platform from abuse and unauthorised access, consistent with ANSSI recommendations.

Analytics (PostHog and Google Analytics 4) are processed on the basis of consent (Art. 6(1)(a)), not legitimate interest. Neither tool loads until you accept via the cookie banner.

Stripe data (your customers' billing records) is fetched live per session and is not transferred to Supabase or any other sub-processor. The only data stored in Supabase is your account data and computed Metrics (aggregate figures such as MRR totals — not raw customer records).

When you log in to NoNoiseMetrics and view your dashboard, or when our scheduled sync runs:

• An API call is made to Stripe — under OAuth using the access token we hold in our vault, or under the API-key flow using your restricted read-only key.
• The resulting data (subscriptions, customers, invoices, charges, refunds, products) is loaded into the runtime to compute your Metrics.
• Raw customer, subscription, invoice, and charge records are not retained between sessions. They are cleared once Metrics computation completes (or at session expiry, 30 minutes of inactivity).
• Only aggregate Metrics (e.g. "MRR was X on date Y", "active subscriptions = N") are written to our database.

What IS stored in our database:

• Your account data (email, hashed password, organisation, plan).
• Connection metadata (provider type, authorisation mode, label, project assignment).
• Under OAuth: the Stripe Connect access token and refresh token, stored in the Supabase vault (encrypted at rest, accessed only via SECURITY DEFINER RPCs from our edge functions). Plain-text tokens never appear in our database tables.
• Under the API-key flow: your restricted read-only Stripe API key (encrypted at rest with AES-256).
• Aggregate Metrics snapshots — daily figures only, not raw customer records.

What is NOT stored: your Stripe customers' email addresses, names, or personal details; raw invoice or charge records tied to individual customers; any personal data of your end-users beyond what is needed for session display.

Disconnect = deleted. When you disconnect a Stripe integration, we immediately delete the associated OAuth tokens (or API key) and the Metrics snapshots tied to that connection. We also handle Stripe's account.application.deauthorized webhook: if you revoke our access from your Stripe Dashboard, the associated tokens and connection record are deleted automatically without further action on your part.

This architecture means that if our database were ever compromised, the attacker would not have access to your customers' personal data — only your account credentials and aggregate Metrics.

If you are based in the EU/EEA, you have the following rights regarding the personal data we hold about you as our Customer (your account data):

• Right of access (Art. 15): request a copy of your personal data.
• Right to rectification (Art. 16): request correction of inaccurate data.
• Right to erasure (Art. 17): request deletion, subject to legal retention obligations.
• Right to data portability (Art. 20): receive your account data in a machine-readable format.
• Right to object (Art. 21): object to processing based on legitimate interest (e.g., PostHog tracking).
• Right to restriction (Art. 18): request restriction of processing in certain circumstances.
• Right to lodge a complaint: contact the CNIL (cnil.fr) or the supervisory authority in your country of residence.

To exercise your rights: contact@nonoisemetrics.com. We respond within 30 days.

On account closure, all personal data is permanently deleted within 30 days (except billing records retained under tax law). You will receive email confirmation when deletion is complete.

• Encryption in transit: all data transmitted between your browser and our servers uses TLS 1.2+.
• Encryption at rest: Stripe API keys are encrypted with AES-256. Stripe Connect OAuth access and refresh tokens are stored in the Supabase vault (encrypted at rest, accessed only via SECURITY DEFINER RPCs from our edge functions). Account data is encrypted at rest by Supabase.
• Row-Level Security (RLS): Supabase enforces row-level security policies — each Customer can only access their own data.
• No persistent raw Stripe records: customer, subscription, invoice, and charge records are not retained between sessions; only aggregate Metrics are stored.
• Access controls: production system access is restricted to the operator. No third party has standing access to the production database.
• Read-only data flow: under the API-key flow, we ask you to issue a restricted, read-only Stripe key. Under Stripe Connect OAuth, Stripe issues a read_write token by design — Stripe Connect does not currently offer a read-only OAuth scope. Our application code is restricted to GET endpoints (/v1/customers, /v1/subscriptions, /v1/invoices, /v1/charges, /v1/refunds, /v1/prices); we never call POST, PUT, PATCH, or DELETE against your Stripe account, and we never initiate money movement.
• Deauthorisation: we listen for Stripe's account.application.deauthorized Connect webhook and immediately delete the corresponding tokens and connection record when you revoke access from your Stripe Dashboard.

In the event of a personal data breach likely to result in risk to individuals, we will notify the CNIL within 72 hours (Art. 33 GDPR) and affected Customers without undue delay.

Our primary infrastructure (Supabase, Hostinger) is hosted within the European Union. Some sub-processors (notably Stripe) may transfer data to the United States. Where such transfers occur, appropriate safeguards are in place: Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.

Stripe session data fetched via the API is processed transiently and is not transferred to any of our other sub-processors.

NoNoiseMetrics is a B2B service for professionals. We do not knowingly collect data from individuals under 18. If you believe we have inadvertently done so, contact contact@nonoisemetrics.com and we will delete it promptly.

We may update this Privacy Policy from time to time. For material changes, we will notify you by email and/or in-app notice at least 14 days before the changes take effect. Continued use after the effective date constitutes acceptance. Previous versions are available on request.