Privacy Policy
Last updated: May 21, 2026
1. Data Controller
TIMPIA S.R.L., operating as Noda Energy ("Noda", "we", "us"), is the controller for personal data described in this notice. This covers the public website (noda.energy), the demo and ROI flows, the AI assistant, and the Founding Partner platform served from app.noda.energy.
- Company: TIMPIA S.R.L., operating as Noda Energy
- Address: Coesi Business Campus, Str. Zaharia Stancu Nr. 6, Brașov, Romania
- Trade Register: J08/2046/2023
- EU VAT: RO53544402
- Email: hello@noda.energy
- Privacy contact: privacy@noda.energy
- Phone: +40 787 578 482
We have not appointed a Data Protection Officer. The privacy contact above handles all data protection matters under Article 37 GDPR.
2. Personal Data We Process
We collect the following categories of personal data, depending on how you interact with us:
- Account data: first name, last name, work email, phone, company name, role, locale
- Billing data: billing address, VAT number, Stripe customer and subscription identifiers, invoice metadata
- Authentication data: password hash, last login timestamps, OAuth subject identifiers when you sign in with Google
- Service data: grid project files, ATR documents, locations, and other inputs you upload to generate a Noda report
- Audit and security logs: IP address (hashed), user agent, timestamps, authentication events, paywall events
- Demo and ROI submissions: contact details and free-text messages submitted through public-site forms
- Chat data: messages you send to the website AI assistant
- Cookie and consent records: language preference, consent choices, last consent timestamp
3. Lawful Basis Per Data Category
We rely on the following grounds in Article 6(1) GDPR:
- Account, authentication, and service data — Art. 6(1)(b) contract: needed to deliver the subscription service you signed up for
- Billing and tax records — Art. 6(1)(c) legal obligation: required by Romanian Law 82/1991 (accounting), Article 319 Fiscal Code (invoicing), and Council Directive 2006/112/EC
- Audit and security logs — Art. 6(1)(f) legitimate interests: security, fraud detection, accountability under Article 32 GDPR. Balancing test favours processing: B2B users, minimal data, expected behaviour
- Demo and ROI requests — Art. 6(1)(b) pre-contractual steps: answering inbound business interest
- Cookies and analytics — Art. 6(1)(a) consent: non-essential trackers only after you opt in
Documented legitimate interests assessments are kept internally and available on request from privacy@noda.energy.
4. Payment Data and Stripe
Card payments are processed by Stripe Payments Europe Ltd ("Stripe"), authorized by the Central Bank of Ireland under the European Communities (Electronic Money) Regulations 2011.
Stripe acts in a dual role:
- as Noda's processor for billing details Noda instructs it to handle (subscription creation, invoice issuance, customer portal)
- as an independent controller for card data, fraud signals, AML and KYC checks, regulatory reporting, and network-level risk scoring
Noda never sees full card numbers. Stripe's handling of card data is governed by Stripe's own policy at stripe.com/privacy and its Data Processing Agreement at stripe.com/legal/dpa. Transfers to the United States rely on the EU Standard Contractual Clauses of 4 June 2021 and Stripe's certification under the EU-US Data Privacy Framework (Commission Decision (EU) 2023/1795).
5. Sub-processors
We use the following sub-processors to deliver the Service. A current and dated version is maintained at noda.energy/legal/subprocessors.
| Provider | Data touched | Country | Role |
|---|---|---|---|
| Stripe Payments Europe Ltd | Billing fields, card tokens, VAT ID, subscription IDs | Ireland (HQ) / United States (storage) | Processor + independent controller |
| Vercel Inc. | Site traffic, request logs | United States | Processor |
| Neon Inc. | Application database (accounts, audit logs) | Germany (Frankfurt, EU region) | Processor |
| Self-hosted Hetzner (Falkenstein) | app.noda.energy backend, Postgres, object storage, Valkey cache | Germany | Operated by Noda |
| Resend | Transactional email (signup, billing receipts) | United States | Processor |
| PostHog | Pseudonymous product analytics | Germany (EU cloud) | Processor |
| Mistral AI SAS | Chatbot prompts and replies | France | Processor |
| Anthropic PBC | Grid report generation prompts and outputs | United States | Processor |
| Google LLC (Calendar API) | Demo booking metadata | European Union / United States | Processor |
We give at least 15 days' notice before adding a new sub-processor to this list. Customers under an active subscription may object in writing within that notice period.
6. International Transfers
Some sub-processors operate in the United States. Transfers rely on (a) the European Commission's Standard Contractual Clauses of 4 June 2021 and (b) the EU-US Data Privacy Framework where the recipient is certified (Commission Decision (EU) 2023/1795 of 10 July 2023).
Where possible we select EU regions: Neon is pinned to Frankfurt, PostHog uses the EU cloud, our Hetzner backend runs in Germany, and Mistral processes within France. Supplementary measures include encryption in transit and at rest, contractual audit rights, and minimisation of data sent outside the EU.
7. Data Retention
| Category | Retention | Reason |
|---|---|---|
| Invoices, billing records, VAT IDs | 10 years from end of fiscal year | Romanian Law 82/1991 and Article 25 Fiscal Code |
| Active account data | Duration of subscription + 30 days grace | Contract performance |
| Account data after cancellation | 30 days soft-delete, then anonymised; invoice metadata kept under the 10-year rule above | Article 5(1)(e) GDPR storage limitation |
| Security and audit logs | 12 months | Legitimate interest, balanced against storage limitation |
| Chatbot transcripts and ROI inputs | 90 days unless you opt to retain | Service delivery and dispute window |
| Backups | 35 days rolling | Disaster recovery, no targeted restoration of deleted records |
| Demo and ROI submissions | 24 months from latest interaction | B2B lead handling, legitimate interest |
| Marketing prospect data | 24 months from latest engagement | Documented legitimate interest assessment |
8. Your Rights
Under the GDPR you may request:
- Access to the personal data we hold about you
- Rectification of inaccurate data
- Erasure where the legal conditions are met (note: billing data retained under tax law cannot be deleted before the 10-year period expires)
- Restriction of processing
- Portability of data you provided in a structured machine-readable format
- Objection to processing based on legitimate interests
- Withdrawal of consent at any time without affecting prior lawful processing
Send requests to privacy@noda.energy. We respond within 30 days. If you believe your rights have been infringed, you may also lodge a complaint with the Romanian Data Protection Authority (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Bucharest, anspdcp@dataprotection.ro, +40 318 059 211, or with the supervisory authority of your habitual residence.
9. Automated Processing and AI
Noda uses artificial intelligence to generate preliminary grid risk reports and to power the public website chat assistant. The system does not produce decisions that have legal effects on you or similarly significantly affect you within the meaning of Article 22 GDPR. Reports are advisory and are reviewed by a Noda engineer before delivery. You can request a human review or an explanation of how a report was produced at hello@noda.energy.
See the AI Disclosure page for transparency information required by Article 50 of the EU AI Act (Regulation (EU) 2024/1689).
10. Cookies and Browser Storage
We use both cookies and browser-side storage on the public website.
| Identifier | Stored in | Purpose | Duration | Category |
|---|---|---|---|---|
| NEXT_LOCALE | Cookie | Language preference | Up to 1 year | Necessary |
| noda_cookie_consent | localStorage | Consent record | Up to 6 months | Necessary |
| noda_chat_consent | localStorage | AI chat gate | Until cleared | Necessary |
| noda_beta_account_v1 | localStorage | Founding signup hand-off | Until cleared | Necessary |
| PostHog | Cookie + localStorage | Product analytics after consent | Configured in tool | Analytics |
Non-essential analytics activate only after consent.
11. Children's Data
Noda is a B2B service. We do not knowingly collect personal data from children under 16. If you believe a child has provided data to us, contact privacy@noda.energy and we will delete it where appropriate.
12. Changes
We update this policy when our flows, providers, or legal obligations change. The current version is always on this page with the date above. Material changes are notified to active customers by email.