NOCK NOCK

Legal

Privacy Policy

Last updated: 2026-06-17

ENDE

Privacy Policy

Controller

TWENTYELEVEN
Tom Kloevekorn
Eppendorfer Weg 176
20253 Hamburg
Germany
Email: mail@nocknock.cloud

No data protection officer has been appointed.

Purposes and legal bases

We process personal data in order to provide Nock, manage user accounts and workspaces, store feedback tickets and transfer them to connected services, process payments, prevent abuse and monitor the stability of the service.

The legal bases are in particular Art. 6 (1) (b) GDPR (performance of a contract and pre-contractual measures), Art. 6 (1) (c) GDPR (legal obligations, e.g. commercial and tax retention requirements) and Art. 6 (1) (f) GDPR (legitimate interest in secure, stable and data-minimised operation and improvement of the service).

Hosting and storage location

The application is operated on Vercel. Application data such as accounts, organisations, projects, tickets and images is stored on Supabase (Postgres, Storage, Auth). The Supabase project region is eu-central-1.

Processors and services used

  • Vercel – hosting, delivery and operation of the web application.
  • Supabase – database, authentication and file storage.
  • Hostinger – VPS in Germany for the self-hosted Plausible instance.
  • Stripe Payments Europe, Limited – payment processing, subscriptions, invoices and billing.
  • Anthropic (Claude API, USA) – AI-assisted preparation of submitted ticket content. Submitted ticket text may be transferred to Anthropic in the USA for processing.
  • Linear – optional synchronisation of tickets as issues.
  • Resend – delivery of transactional emails.
  • Cloudflare Turnstile – bot and abuse protection during registration and in forms.
  • Upstash / Vercel KV – rate limiting and abuse protection.
  • Sentry (Functional Software, Inc., EU region) – error and crash monitoring. Data categories: technical error data, stack traces, truncated request metadata, data-minimised user and workspace IDs. Processing and storage take place in the EU region, ingest host *.de.sentry.io. A data processing agreement (DPA) is in place.

Where providers process personal data outside the European Economic Area, this takes place on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR, in particular the EU Standard Contractual Clauses, where required.

Payments and subscriptions

For paid plans, Stripe processes payment, invoicing and subscription data. We do not store full card data in Nock. Payment processing is handled by Stripe.

Reach measurement (Plausible, self-hosted)

To improve the product and the user experience, we measure reach without cookies using Plausible Analytics, operated self-hosted on a Hostinger VPS in Germany (first-party). No cookies are set, no cross-device profiles are created and no transfer to third parties takes place through Plausible. The measurement also covers the logged-in application (which features are used) exclusively in aggregate and without individual tracking of identified users. URLs are stripped of personal path components such as IDs or tokens before being stored.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in data-minimised product and reach analysis). The depth of intervention is minimal: aggregated, cookieless and without storing the IP address.

Objection (Art. 21 GDPR): You can object to the measurement at any time, for example via the "Do Not Track" or "Global Privacy Control" setting of your browser, or by setting the localStorage key plausible_ignore to true.

As Plausible is operated self-hosted, there is no processing by Plausible as a third party. Hostinger is named above as the hosting provider of the instance.

Cookies and local storage

Only technically necessary cookies and comparable storage technologies are used, in particular for login sessions, security and Cloudflare Turnstile. No tracking with consent-requiring cookies takes place; a cookie banner is therefore not required.

Retention period

Personal data is stored only for as long as is necessary for the respective purposes or as long as statutory retention obligations exist. Account and workspace data is generally stored until the account or workspace is deleted. Invoicing and payment data is stored within the scope of statutory retention obligations.

Your rights

Under the GDPR you have the rights to access, rectification, erasure, restriction of processing, data portability and objection.

  • Erasure (Art. 17 GDPR): You can delete your account and the associated data via the "Account" page.
  • Data export (Art. 20 GDPR): To exercise the right to data portability, contact mail@nocknock.cloud. We will provide your data within 30 days.
  • Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority. The competent authority may in particular be the Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Str. 22, 20459 Hamburg.