ByNoon — Privacy Policy
Last updated: 2026-05-23.
This Privacy Policy describes how ByNoon ("ByNoon", "we", "us"), a company registered in the Netherlands with KVK number 99844664 and BTW number NL005415979B23, processes Personal Data as a controller in the course of operating the ByNoon platform (the "Services"). For Personal Data we process as a processor on your behalf when you build websites with the Services, see the separate Data Processing Agreement (DPA) at /legal/dpa.
This Policy is published in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Dutch Implementation Act ("UAVG").
1. Controller and GDPR contact
- Controller: ByNoon, Grotelseboslaan 8, 3451 HD, Vleuten, The Netherlands
- KVK number: 99844664
- BTW number: NL005415979B23
- GDPR contact: [email protected]
- General contact: [email protected]
We have not formally appointed a Data Protection Officer (DPO). Pre-launch, ByNoon does not yet meet the GDPR Article 37 threshold for mandatory DPO appointment (large-scale systematic monitoring of data subjects or large-scale processing of special-category data). The Privacy Policy will be updated when this changes.
2. Personal Data we process as a controller
We process Personal Data about the natural people who hold ByNoon Accounts and Workspace memberships. We do not, in our role as controller, process Personal Data about the visitors to websites that our Customers build with the Services — that data is processed by our Customer as the controller and by us as a processor under the DPA.
Categories:
| Category | Examples | Lawful basis (GDPR Art 6) |
|---|---|---|
| Account identifiers | email, password hash (Supabase Auth), display name | Contract (Art 6(1)(b)) |
| Workspace metadata | workspace name, slug, role, membership relationships | Contract (Art 6(1)(b)) |
| Billing | billing address, VAT-ID, payment-method identifiers (Stripe customer + subscription IDs — never card numbers, which Stripe holds) | Contract (Art 6(1)(b)) + Legal obligation (Art 6(1)(c), Dutch tax law) |
| Communications | emails sent via Resend (magic-link, transactional notices); your inbound messages to support | Contract (Art 6(1)(b)) + Legitimate interest (Art 6(1)(f)) |
| Logs and telemetry | server logs (IP, user-agent, timestamps, request paths); rate-limit and audit records | Legitimate interest (Art 6(1)(f)) — security, debugging, abuse prevention |
| Consent records | proof of acceptance of these documents, with timestamp + IP + user-agent + a snapshot of the document text | Legal obligation (Art 6(1)(c), GDPR Art 7) |
3. Purposes of processing
We process this Personal Data only to:
- provide the Services (create your Account, host your Workspace, deliver email);
- bill you and meet our tax and accounting obligations under Dutch law;
- secure the platform (detect, prevent, and respond to abuse and security incidents);
- communicate with you about the Services;
- comply with applicable legal obligations.
We do not use your Personal Data for advertising, profiling, or automated decision-making in the sense of GDPR Article 22.
4. Retention
| Data | Retention period |
|---|---|
| Account + Workspace records | While the Account is active; 30 days after a deletion request is confirmed |
| Invoices and billing records | Seven (7) years from issue (Dutch tax law, Algemene wet inzake rijksbelastingen Art 52) |
| Consent records | Seven (7) years from acceptance (proof of consent obligation, GDPR Art 7(1)) |
| Server logs | 90 days |
| Email content | Per Resend's retention; ByNoon does not store email bodies after delivery |
After a retention period expires, we erase or anonymise the data unless a legal obligation requires longer retention.
5. Recipients
We share Personal Data only with the processors listed at /subprocessors, which are bound by contractual data-processing terms equivalent to those of GDPR Article 28. Subprocessors today include Supabase (auth + database + storage), Stripe (payments + tax), Cloudflare (storage + edge compute), Fly.io (compute), Resend (transactional email), and GitHub (per-customer repository sync). We notify Customers at least 30 days before adding a new subprocessor, via the email address on file for the Workspace owner.
We do not sell Personal Data, do not exchange it for advertising, and do not use it for any purpose outside the scope of providing the Services.
6. International transfers
ByNoon operates an EU-only data residency posture:
- Supabase project hosted in the EU
- Cloudflare R2 buckets in the EU
- Fly.io customer machines in Amsterdam (AMS)
The one exception is Stripe, which is headquartered in the United States and operates under the EU–US Data Privacy Framework (DPF). We rely on Stripe's DPF certification for cross-border transfers of Personal Data necessary for payment processing. If the DPF is invalidated, we will switch to Standard Contractual Clauses (Article 46 SCCs) within 30 days and notify Customers of the change.
7. Your rights under the GDPR
You have the following rights:
- Access (Art 15) — a copy of the Personal Data we hold about you. ByNoon offers a self-service "Download my data" button in your Account settings.
- Rectification (Art 16) — correction of inaccurate Personal Data.
- Erasure (Art 17) — deletion of your Personal Data. ByNoon offers a self-service "Delete my account" flow in your Account settings, subject to the legal retention obligations in section 4.
- Restriction (Art 18) — temporary suspension of processing pending a dispute.
- Portability (Art 20) — a machine-readable export of Personal Data you provided to us. The same "Download my data" button provides this in JSON format.
- Object (Art 21) — to processing based on legitimate interest.
- Lodge a complaint with the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), at any time.
To exercise any of these rights, contact us at [email protected]. We respond within 30 days; for complex requests we may extend by a further 60 days as permitted by Article 12(3).
8. Security
We operate the Services with security measures appropriate to the risk, including:
- TLS in transit for every customer-facing connection;
- encryption at rest for the Supabase database and Cloudflare R2 buckets;
- access controls (Row Level Security on every database table; service-role access restricted to backend processes);
- separation of staging and production environments;
- subprocessor agreements requiring equivalent measures.
In the event of a Personal-Data breach that is likely to result in a risk to the rights and freedoms of natural persons, we notify Autoriteit Persoonsgegevens within 72 hours of becoming aware of the breach, and notify affected data subjects without undue delay where the breach is likely to result in a "high risk."
9. Cookies and tracking
ByNoon's marketing pages set only strictly necessary cookies (authentication session, CSRF protection). We do not set analytics or marketing cookies. No cookie consent banner is shown because none is required for strictly necessary cookies (ePrivacy directive Art 5(3)).
If this changes in the future, this Policy will be updated and a cookie consent banner will be added.
10. Changes
We may revise this Privacy Policy. Material revisions will be communicated via the in-app re-consent gate; you will be asked to accept the new version on your next sign-in. The "Last updated" date at the top of this Policy reflects the most recent revision.