Noola Impact

Privacy Policy

How personal data is processed in connection with the Noola Impact platform, in accordance with GDPR and Spanish data protection law.

Last updated: March 31, 2026

1

Who we are

This Privacy Policy explains how personal data is processed in connection with the Noola Impact platform (the "Service").

We process personal data in accordance with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 of 5 December on Data Protection and Guarantee of Digital Rights (LOPDGDD), and Law 34/2002 (LSSI-CE).

This Policy forms part of, and should be read together with, our Terms & Conditions of Service and Cookie Policy.

2

Scope

This Policy applies to the personal data of: visitors to our website; individuals who register and use an Account; representatives and staff of customer organisations; and any individuals whose personal data may appear within data uploaded to the Service.

The Service is contracted by professionals in the course of their business. The statutory 14-day right of withdrawal applicable to consumers under the Spanish consumer-protection legislation (TRLGDCU) does not apply to this contract.

3

Our role: controller and processor

3.1 As controller

For data we determine the purposes of — account registration, authentication, billing, customer support, marketing, and website analytics — Noola acts as data controller.

3.2 As processor

Where a customer uploads Customer Data (such as utility bills) that contains personal data of third parties (for example, the name of an account holder or contact), Noola processes that data as a processor, on the customer's documented instructions and solely to provide the Service. This processing is governed by a data processing agreement (Article 28 GDPR) between Noola and the customer. The customer is the controller of that data and is responsible for having a lawful basis to provide it.

4

What data we collect and why

| Category | Examples | Purpose | Legal basis (Art. 6 GDPR) |
| --- | --- | --- | --- |
| Account data | Name, email, role, company, password | Create and manage your Account; authenticate access | Performance of a contract (6.1.b) |
| Property & building data | Property details, supply points, CUPS, occupancy data | Generate diagnostics, recommendations, and verification | Performance of a contract (6.1.b) |
| Customer Data (uploaded) | Utility bills and related documents (may contain personal data) | Analyse consumption; produce outputs; verify savings | Processed for the customer as processor (Section 3.2) |
| Billing data | Billing details, transaction records (card data handled by Stripe — we do not store full card numbers) | Process payments; comply with accounting and tax law | Contract (6.1.b); legal obligation (6.1.c) |
| Usage & technical data | IP address, device/browser data, log data, interactions | Operate, secure, and improve the Service | Legitimate interest (6.1.f) |
| Communications | Support messages, emails | Respond to and manage your requests | Legitimate interest (6.1.f); contract (6.1.b) |
| Marketing data | Email, marketing preferences | Send commercial communications about the Service | Consent (6.1.a) or legitimate interest for existing customers under LSSI Art. 21 |

You are not legally obliged to provide personal data, but some data is necessary to use the Service; without it we cannot create an Account or deliver the Service.

5

Service providers and subprocessors

We share personal data with trusted providers who process it on our behalf, under contracts that meet GDPR requirements. Current providers include:

| Provider | Function | Location | Transfer mechanism |
| --- | --- | --- | --- |
| Hetzner | Hosting and object storage | Germany (EEA) | No transfer outside the EEA |
| Stripe | Payment processing | EU / United States | SCCs / adequacy as applicable |
| Google (Gemini API) | OCR and parsing of uploaded bills | EU / United States | SCCs; data not used for model training |
| Resend / Amazon SES | Transactional email | EU / United States | SCCs |
| Google Workspace | Business email and productivity | EU / United States | SCCs / adequacy |

We do not sell personal data. We disclose data to third parties only as described in this Policy, or where required by law or competent authority.

Note on automated parsing. Uploaded bills are processed by an automated OCR/parsing service (Google Gemini API) to extract consumption and tariff data. Where bills contain personal data, that data is transmitted to this service solely for parsing and is not used to train third-party models.

6

International transfers

Where personal data is transferred outside the European Economic Area, we rely on a valid transfer mechanism under Chapter V GDPR — an adequacy decision, the European Commission's Standard Contractual Clauses, or another approved safeguard. You may request a copy of the relevant safeguards by contacting us at hello@noola.eco.

7

Automated decision-making

The Service produces diagnostics, ratings, and recommendations through automated analysis. These outputs are estimates that inform your decisions; they do not produce legal or similarly significant effects on any individual within the meaning of Article 22 GDPR. No solely automated decisions with legal effects are made about individuals.

8

Retention

We retain personal data only as long as necessary for the purposes described:

  • Account and Property data: for the duration of the subscription and a reasonable export window after termination, then deleted in accordance with the data processing agreement.
  • Customer Data: for the duration of the subscription and a reasonable export window after termination, then deleted in accordance with the data processing agreement.
  • Billing and accounting records: for the periods required by Spanish commercial and tax law (generally up to 6 years under Article 30 of the Commercial Code; tax records as required).
  • Marketing data: until you withdraw consent or object.
  • Aggregated and anonymised data that no longer identifies any individual is not subject to these limits and may be retained indefinitely.

9

Your rights

Under the GDPR and LOPDGDD, you have the right to:

  • access your personal data;
  • request rectification of inaccurate data;
  • request erasure ("right to be forgotten");
  • request restriction of processing;
  • object to processing based on legitimate interest or to direct marketing;
  • data portability; and
  • withdraw consent at any time, without affecting prior lawful processing.

To exercise these rights, contact hello@noola.eco. We may need to verify your identity. We will respond within one month, extendable as permitted by law.

Where Noola acts as processor (Section 3.2), requests concerning data within uploaded Customer Data should be directed to the relevant customer (the controller); we will assist that customer as required.

Right to complain. You may not assign these Terms without our consent. We may assign them in connection with a reorganisation, merger, or sale of business. www.aepd.es) or your local supervisory authority.

10

Security

We implement appropriate technical and organisational measures to protect personal data, including encrypted transport, access controls, authentication, and hosting with a provider offering EEA-based infrastructure. No system is perfectly secure; we cannot guarantee absolute security but we work to protect your data and will notify you and the authorities of any breach as required by law.

11

Children

The Service is contracted by professionals in the course of their business. The statutory 14-day right of withdrawal applicable to consumers under the Spanish consumer-protection legislation (TRLGDCU) does not apply to this contract.

12

Cookies

Our website uses cookies and similar technologies. Non-essential cookies are set only with your consent, in accordance with LSSI Article 22. Details of the cookies used, their purposes, and how to manage your preferences are set out in our Cookie Policy.

13

Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by appropriate means before they take effect. The version date at the top indicates when it was last revised.

14

Contact

For any question about this Policy or about how your personal data is processed, contact:

Email: hello@noola.eco