NocodeXport
Legal

Privacy Policy

Effective date: July 9, 2026. This Privacy Policy explains how NoCodeXport (“NoCodeXport”, “we”, “us” or “our”) collects, uses, shares and protects personal data when you use the nocodexport.com website, our desktop applications, APIs and related services (the “Service”). It is drafted to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and applicable ePrivacy rules.

Controller. NoCodeXport is the controller of the personal data described in this Policy. For any privacy matter, including the exercise of your rights, contact clarence@nocodexport.com.

1.Personal Data We Collect

  • Account data. When you sign in with Google or by email, we receive your name, email address and profile picture, together with an account identifier.
  • Billing data. When you purchase a plan, our payment processor Stripe collects your payment details. We never store full card numbers; we receive payment status, plan, amount, currency and billing country.
  • Export data. The URLs you submit for export, the generated archives and previews, and related metadata (file counts, sizes, export identifiers).
  • Technical and security logs. IP addresses, timestamps, user-agent, device and browser information, and audit records of exports and downloads, kept for security, fraud prevention and abuse investigation.
  • Usage data. Interactions with the Service (pages viewed, features used) collected through our analytics tooling, and, where you have not objected, session replays used to diagnose UX issues.
  • Rights-holder notice data. Where a company or individual submits an export-blocking or takedown request, we process the notifier’s identity, contact details, evidence of rights and the domains concerned.
  • Support data. Messages, attachments and contact details you share with us through the in-app chat or by email.

We do not knowingly collect data from children under 16, and the Service is not directed at them. We do not process special categories of personal data.

2.Purposes and Legal Bases (Art. 6 GDPR)

  • Providing the Service (account management, running exports, previews, hosting, downloads, support): performance of a contract, Art. 6(1)(b).
  • Payments and billing (processing purchases, invoices, refunds, tax records): performance of a contract, Art. 6(1)(b), and compliance with legal obligations, Art. 6(1)(c).
  • Security, fraud and abuse prevention (IP and audit logging, rate limiting, enforcement of our Terms, including the ownership and IP-fraud provisions): our legitimate interest in protecting the Service, its users and third-party rights holders, Art. 6(1)(f).
  • Product analytics (aggregate usage measurement, performance monitoring): our legitimate interest in improving the Service, Art. 6(1)(f); you may object at any time.
  • Session replay (diagnosing UX problems): our legitimate interest, Art. 6(1)(f), with masking of sensitive inputs; you may object at any time.
  • Marketing communications (news and offers about our own services): your consent, Art. 6(1)(a), or, for existing customers, our legitimate interest in line with ePrivacy soft opt-in rules; every message includes an unsubscribe link.
  • Rights-holder notices and export blocking (receiving, assessing and executing export-blocking and takedown requests under our Terms of Service, maintaining the resulting domain blocklists, and processing the identification data of the notifying rights holder): compliance with legal obligations, Art. 6(1)(c), and our legitimate interest in preventing infringing use of the Service, Art. 6(1)(f).
  • Legal claims and requests (responding to valid requests from courts, law enforcement and rights holders): compliance with legal obligations, Art. 6(1)(c), and our legitimate interest in establishing, exercising or defending legal claims, Art. 6(1)(f).

Where we rely on legitimate interest, we have balanced that interest against your rights and freedoms; you can request a copy of the relevant assessment through the contact above. You are not subject to any decision based solely on automated processing that produces legal or similarly significant effects (Art. 22 GDPR).

3.Processors and Recipients

We share personal data only with processors bound by data processing agreements under Art. 28 GDPR, and only to the extent necessary:

  • Stripe payment processing and fraud screening;
  • Google authentication (Sign in with Google);
  • Vercel application hosting and delivery;
  • Cloudflare content delivery and storage of export archives and previews;
  • Crisp in-app customer support chat;
  • PostHog product analytics and session replay;
  • Transactional email providers delivery of receipts and service emails.

We may also disclose data to competent authorities, courts or rights holders where required by law or as described in our Terms of Service, and to a successor entity in the context of a merger, acquisition or asset sale, under confidentiality safeguards. We do not sell personal data.

4.International Transfers

Some of our processors are located outside the European Economic Area, notably in the United States. Where personal data is transferred outside the EEA, we rely on an adequacy decision of the European Commission (including the EU-US Data Privacy Framework where the recipient is certified) or on the Commission’s Standard Contractual Clauses, supplemented where necessary by additional safeguards. You may obtain a copy of the relevant safeguards by contacting us.

5.Retention Periods

  • Account data: for the life of your account and up to thirty (30) days after deletion.
  • Billing records: up to ten (10) years, as required by accounting and tax law.
  • Export archives and previews: for the operational period needed to provide the Service, after which they may be purged.
  • Security and audit logs (including IP logs): up to three (3) years, consistent with our Terms of Service, or longer where required for an ongoing investigation or legal claim.
  • Takedown notices and domain blocklist entries: for as long as the block remains in force and thereafter as necessary to establish, exercise or defend legal claims.
  • Support conversations: up to two (2) years.
  • Analytics telemetry: retained in aggregated or pseudonymised form only.

When a retention period expires, data is deleted or irreversibly anonymised.

6.Your Rights (Art. 15 to 21 GDPR)

Subject to the conditions of the GDPR, you have the right to:

  • access the personal data we hold about you (Art. 15);
  • have inaccurate data rectified (Art. 16);
  • obtain erasure of your data (“right to be forgotten”, Art. 17);
  • restrict processing (Art. 18);
  • receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller (portability, Art. 20);
  • object to processing based on legitimate interest, including analytics and session replay, and to direct marketing at any time (Art. 21);
  • withdraw consent at any time where processing is based on consent, without affecting prior processing (Art. 7(3)).

To exercise any of these rights, email clarence@nocodexport.com. We respond within one (1) month, extendable by two (2) further months for complex requests, and we may ask you to verify your identity. Exercising your rights is free of charge. You also have the right to lodge a complaint with your local supervisory authority (in France, the CNIL at cnil.fr; the authority of your habitual residence, place of work or place of the alleged infringement elsewhere in the EU).

7.Cookies and Similar Technologies

We use strictly necessary cookies (authentication, security, currency and region preferences such as our country cookie) which require no consent, and analytics/support cookies set by the processors listed in Section 3. Where consent is required for non-essential cookies, it is collected in accordance with ePrivacy rules and can be withdrawn at any time; you can also configure your browser to refuse cookies, although parts of the Service may then not function correctly.

8.Security

We apply appropriate technical and organisational measures under Art. 32 GDPR, including transport-layer encryption (TLS 1.2 or higher) for all data in transit, role-based access controls and the principle of least privilege, segregation and rotation of production credentials, and server-side, timestamped audit logging. No method of transmission or storage is completely secure; in the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within seventy-two (72) hours and, where the risk is high, the affected users, in accordance with Arts. 33 and 34 GDPR.

9.Data You Export

The websites you export may themselves contain personal data of third parties. For that content, you act as controller and we act as your processor within the meaning of Art. 28 GDPR: we process it only on your documented instructions (running the export you requested), and you are responsible for having a lawful basis for that processing, in line with the ownership and authorisation requirements of our Terms of Service.

10.Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced on this page with an updated effective date and, where appropriate, notified to you by email or in-app notice. Your continued use of the Service after the changes take effect constitutes acknowledgment of the updated Policy.

11.Contact

Privacy questions and requests: clarence@nocodexport.com or the in-app chat.