top of page

Privacy Policy

Nolatech OÜ – Privacy Notice (GDPR)

Version: 2025‑10‑21

 

Company: Nolatech OÜ  |  Registration code: 17157869

Postal address: Harju County, Tallinn, Kesklinn District, Jõe 2a, 10151

Data protection contact: ai@nola.ac

Web: nola.ac

 

This notice explains, in a brief and clear way, how Nolatech OÜ collects, uses, stores, shares and protects personal data, and what choices and rights you have. It applies to our website and landing pages, the client portal / cloud services and, where applicable, mobile apps, as well as to our software and communications via email, phone, messaging apps and the product interface.

 

1. Our role in processing

We act in two roles:

Controller — we determine the purposes and means of processing (e.g., website visitors, user accounts).

Processor — we process data on a business customer’s instructions under signed agreements.

 

2. Key terms

Personal data: information that can directly or indirectly identify a person.

Processing: any operation on data (e.g., collection, storage, use, transfer, deletion).

We / Company: Nolatech OÜ. You / User / Client: a natural person whose data we process.

 

3. What data we process and where it comes from

3.1 Categories of data

Identification and contact data: name, (for B2B) company and role, email, phone, preferred language.

Account data: username and identifiers, profile settings, logins, session logs, tokens.

Technical and usage data: IP, browser / device / OS, time zone, cookies and local storage, page views, clicks, errors.

Communications data: support requests, correspondence, in‑product messages, call recordings and transcripts (with consent).

Billing and payments: transaction statuses, tokens, partial card numbers (we do not store full card details; providers process them).

User‑uploaded content: files, texts, images and metadata.

Recruitment data (candidates): CV, cover letter, portfolio, interview notes, test results.

 

3.2 Sources

From you directly (forms, registration, correspondence).

From your employer or partner (for a company account).

Automatically when services are used (cookies / SDK).

From payment, analytics and communications providers.

From public sources only if you supply the link yourself.

 

4. Why and on what legal basis we process data

Purpose — Examples — Legal basis

• Service onboarding and delivery — account creation, authentication, access to features — GDPR Art. 6(1)(b)

• Communication and support — responding to requests, guides, onboarding — GDPR Art. 6(1)(b)/(f)

• Product analytics and development — usage metrics, A/B tests, bug analysis — GDPR Art. 6(1)(f)

• Information security — abuse prevention, incident handling — GDPR Art. 6(1)(f)

• Marketing (where applicable) — newsletters, events, recommendations — GDPR Art. 6(1)(a)

• Compliance with legal obligations — accounting, taxes, responses to authorities — GDPR Art. 6(1)(c)

• Hiring — candidate assessment, communication — GDPR Art. 6(1)(b)/(f)

• Protection of rights and interests — claims, disputes, complaints — GDPR Art. 6(1)(f)

Where processing is based on consent, you may withdraw it at any time; this does not affect processing carried out before withdrawal.

 

5. Cookies and SDKs

We use four types of mechanisms:

• necessary — to ensure core service functions and security;

• functional — to remember language and preferences;

• analytics — to understand usage and improve the product;

• marketing — to show relevant messages (only with consent).

You can manage choices in the cookie banner and your browser settings. A separate cookie policy describes the purpose and lifetime of each cookie / SDK.

 

6. How we share data

We disclose data only when necessary and under protective agreements. Typical recipients:

• cloud and hosting platforms, CDNs, email / SMS services;

• payment solutions, monitoring and analytics;

• service‑desk and video‑call tools;

• intra‑group entities (where applicable);

• auditors, accountants and lawyers (under confidentiality obligations);

• public authorities — where required by law;

• legal successors — in case of a corporate restructuring.

A core list of key processors is available on request: ai@nola.ac.

 

7. Transfers outside the EEA

• European Commission Standard Contractual Clauses (SCCs);

• supplementary safeguards (e.g., encryption, pseudonymisation);

• other mechanisms under GDPR Art. 46.

We provide details on specific providers upon request.

 

8. Retention

We retain personal data only as long as necessary to achieve the purposes or as required by law. Afterwards, the data are deleted or irreversibly anonymised.

Practical guidelines (adjust as needed):

• account and technical logs: 12–24 months after account closure;

• billing / accounting: 7–10 years (Estonian law);

• support tickets and communications: 24 months;

• marketing: until consent is withdrawn or the campaign ends + 6–12 months of archiving;

• recruitment: 6–12 months; longer with consent.

 

9. Security practices

We apply a layered approach: least‑privilege access, identity management and MFA, encryption in transit and, where needed, at rest, logging and anomaly detection, backup and recovery procedures, segregated environments, regular staff training and internal policies.

 

10. Your choices and rights

You have the right to access your data, request rectification or deletion, restrict processing, object to processing, receive data in a machine‑readable format, withdraw consent and avoid decisions based solely on automated processing. You may lodge a complaint with the Estonian Data Protection Inspectorate.

To exercise your rights, write to: ai@nola.ac.

 

11. Marketing communications

You can unsubscribe at any time via the link in an email, in account settings, or by contacting us. Service‑related notices (invoices, security information) will continue, as they are necessary to provide the service.

 

12. Processing on a client’s behalf (as processor)

Where we serve a business client, the client is the controller. We act on their instructions, engage sub‑processors under contracts and support data‑subject requests and regulatory obligations.

 

13. Minors

Our services are not directed to individuals under 18. We do not knowingly collect data of this age group. If you believe a minor has provided us with data, please let us know — we will remove it without undue delay.

 

14. Automated decision‑making

We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect a person, without a clear basis and prior notice.

 

15. Changes to this notice

We update this privacy notice from time to time. We will inform about material changes on the website, in the product interface and/or by email. The version date above reflects the current status.

 

16. Contact

Email: ai@nola.ac

Postal address: Harju County, Tallinn, Kesklinn District, Jõe 2a, 10151

Web: nola.ac

bottom of page