Privacy Policy
Last updated: February 11, 2026
1. Data Controller
NMA Venture Capital GmbH
Am Sandtorkai 27
D-20457 Hamburg, Germany
Email: info@nma.vc
Phone: +49 178 4497585
2. What Data We Collect
Account Data
When you create an ETALON Cloud account, we collect:
- Email address (for authentication via magic link or GitHub OAuth)
- GitHub profile information (if you sign in with GitHub)
Usage Data (with consent)
If you accept analytics cookies, we collect anonymized usage data via PostHog (EU cloud, hosted in Frankfurt):
- Pages visited and navigation patterns
- Feature usage (scans run, dashboard interactions)
- Device type and browser (aggregated)
This data is not collected if you decline cookies. PostHog is configured with opt_out_capturing_by_default: true.
Scan Data
When you run a privacy audit (via CLI or Cloud), ETALON processes:
- The URL or source code you submit for scanning
- Scan results (detected trackers, findings, compliance scores)
Scan data is stored in your account and is not shared with third parties.
Payment Data
Payments are processed by Stripe. We store only your Stripe customer ID and subscription status. We never see or store your credit card number.
3. Legal Basis for Processing
| Processing | Legal Basis (GDPR) |
|---|---|
| Account creation & login | Art. 6(1)(b) - Contract performance |
| Running scans | Art. 6(1)(b) - Contract performance |
| Analytics cookies (PostHog) | Art. 6(1)(a) - Consent |
| Payment processing (Stripe) | Art. 6(1)(b) - Contract performance |
| Sidebar state cookie | Art. 6(1)(f) - Legitimate interest (functional) |
4. Third-Party Processors
| Service | Purpose | Data Location |
|---|---|---|
| Supabase | Authentication & database | EU (Frankfurt) |
| PostHog | Product analytics (consent-gated) | EU (Frankfurt) |
| Stripe | Payment processing | EU/US (SCCs) |
| Vercel | Hosting & CDN | EU (Frankfurt) |
5. Your Rights (GDPR Art. 15–21)
You have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (“right to be forgotten”, Art. 17)
- Restrict processing (Art. 18)
- Data portability - receive your data in a machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time for analytics cookies
To exercise any of these rights, email info@nma.vc.
6. Data Retention
- Account data: Retained until you delete your account
- Scan results: Retained until you delete them or close your account
- Analytics data: Anonymized after 12 months
- Payment records: Retained for 10 years (German tax law)
7. Data Security
We implement appropriate technical measures including:
- TLS encryption in transit
- Row-Level Security (RLS) on all database tables
- Content Security Policy headers
- Secure, SameSite cookies
- No PII in server logs
8. Cookies
For details on the cookies we use, please see our Cookie Policy.
9. Supervisory Authority
You have the right to lodge a complaint with a data protection authority. Our lead supervisory authority is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Ludwig-Erhard-Str. 22, 20459 Hamburg.
10. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated date.