Privacy Policy
Your data. Your control.
Effective: 1 June 2026 · Version 2.0 · Controller: FinalFrame B.V. (operating as Noetis)
1. Who we are
Noetis is a conversion-optimisation platform operated by FinalFrame B.V., a company registered in the Netherlands. FinalFrame acts as data controller for data processed through the Noetis dashboard and as a data processor for visitor data collected on your customers' sites via our tracking script.
| Role | Who | Which data |
|---|---|---|
| Controller | FinalFrame B.V. (Noetis) | Dashboard accounts, billing, usage telemetry |
| Processor | FinalFrame B.V. (Noetis) | Visitor events collected on your canvas sites |
| Controller | You (our customer) | Visitor events collected on your canvas sites |
For all data-controller enquiries: chris@noetis.nl. For data-processor matters (DPA): chris@noetis.nl.
2. Data we collect from dashboard users
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Authentication, support, billing notifications | Contract (Art. 6(1)(b)) |
| Password hash | Secure login via Supabase Auth | Contract (Art. 6(1)(b)) |
| TOTP factor | Two-factor authentication (mandatory) | Contract (Art. 6(1)(b)) |
| Billing reference | Stripe customer ID only — actual billing data is at Stripe | Contract (Art. 6(1)(b)) |
| Usage telemetry | Sites created, experiments run, brain outputs, page views in dashboard | Legitimate interest (Art. 6(1)(f)) |
| Support conversations | Resolving issues, improving documentation | Legitimate interest (Art. 6(1)(f)) |
| IP address (transient) | Rate-limiting, abuse prevention — never written to DB | Legitimate interest (Art. 6(1)(f)) |
3. Data collected from visitors to Noetis-powered sites
When a visitor browses a website built with Noetis, our tracking script may collect the following data — only after the visitor grants explicit consent via the site's cookie banner.
| Data point | Detail | Stored? |
|---|---|---|
| Session ID | Random UUID generated per browser tab (sessionStorage) | Yes — canvas_events |
| Visitor ID | Random UUID stored in localStorage, expires after 1 year | Yes — canvas_events |
| Page URL | Full URL of the page viewed | Yes |
| Referrer URL | HTTP Referrer header — may be absent | Yes |
| Event type | pageview, click, goal_conversion, scroll_depth | Yes |
| Element target | data-sp-id attribute on the clicked element (no free text) | Yes |
| Goal value | Revenue amount for conversion events (optional, set by you) | Yes |
| Timestamp | UTC time of the event | Yes |
| IP address | Used transiently for rate-limiting only — never persisted | No |
| User-agent | Device type derived (mobile/tablet/desktop), raw string discarded | No |
| Name / email | Never collected via tracking script | Never |
| Precise location | Never collected | Never |
Noetis does not collect: full IP addresses, names, email addresses, biometric data, or any special category data under GDPR Art. 9.
4. Legal bases for processing
We process personal data only where we have a valid legal basis under GDPR Art. 6.
| Processing activity | Legal basis | Notes |
|---|---|---|
| Account creation and authentication | Contract — Art. 6(1)(b) | Necessary to provide the service |
| Billing and payment | Contract — Art. 6(1)(b) | Stripe processes payment data as an independent controller |
| Visitor tracking (canvas events) | Consent — Art. 6(1)(a) | Visitor must opt in via cookie banner; revocable at any time |
| Dashboard usage analytics | Legitimate interest — Art. 6(1)(f) | Improving the product; you can object |
| Security, fraud prevention, rate-limiting | Legitimate interest — Art. 6(1)(f) | Necessary to protect all users |
| Sending service emails (alerts, billing) | Contract — Art. 6(1)(b) | Essential service communications |
| Sending product update emails | Legitimate interest — Art. 6(1)(f) | You can unsubscribe at any time |
| Compliance with legal obligations | Legal obligation — Art. 6(1)(c) | E.g. tax records, law enforcement requests |
5. AI processing
To generate experiment hypotheses and optimisation recommendations, anonymised behavioural patterns — including element types, click-rate aggregates, scroll-depth percentages, and user-supplied page text — are sent to Anthropic's Claude AI model.
Safeguards
- No personal identifiers (session IDs, visitor IDs, email addresses) are included in AI prompts.
- Anthropic's zero data retention policy is enabled: prompt content and responses are not stored by Anthropic beyond the request.
- All user-supplied strings (page text, CMS content, form values) are sanitised before interpolation into prompts to prevent injection attacks.
- AI-generated content that is applied to your site is stored in adaptive_pages.graph_json and is subject to all standard retention and deletion rules.
6. Automated decision-making
Noetis uses automated processing to: (a) assign website visitors to experiment variant groups; (b) statistically evaluate which variant performs better; (c) automatically apply the winning variant to your page graph.
Visitor assignment is a randomised, pseudonymous process based solely on the visitor ID cookie. It has no legal or similarly significant effect on the visitor. No profiling of individual visitors for personalised advertising takes place.
Winner application is an automated action that updates the content of your site. This affects you (our customer), not your site visitors, and is the core service you have contracted for. You can roll back any AI-applied change at any time from the Revision History panel.
We do not make automated decisions with legal or similarly significant effects on any identifiable natural person within the meaning of GDPR Art. 22(1).
7. Data retention
| Data category | Retention period | Basis for deletion |
|---|---|---|
| Individual canvas events (page views, clicks) | 90 days from collection | Purge cron — runs daily |
| Daily aggregated rollups (no personal data) | Indefinite | Aggregates cannot identify individuals |
| Visitor IDs in browser storage | 1 year or consent revocation | Cleared by spRevokeConsent() |
| Dashboard account data | Duration of subscription + 30 days after termination | Settings → Delete account; or written request |
| Billing records (Stripe reference, invoices) | 7 years | Dutch accounting law (Belastingdienst) |
| Audit logs | 12 months | Security and compliance purposes |
| Support correspondence | 3 years | Legitimate interest — dispute resolution |
| AI prompt inputs (Anthropic) | 0 days | Anthropic zero-data-retention mode |
8. Cookies and browser storage
| Type | Key | Purpose | Duration | Consent required? |
|---|---|---|---|---|
| Cookie | sp_consent | Stores visitor consent choice | 1 year | No (stores the consent itself) |
| Cookie | sp_ea_{siteId} | Experiment variant assignment cookie (one per canvas site) | Session | Yes |
| sessionStorage | sp_session / noetis_sid | Pseudonymous session ID for tab-scoped event correlation | Tab session | Yes |
| localStorage | sp_vid / noetis_vid | Persistent pseudonymous visitor ID for cross-session measurement | 1 year | Yes |
| localStorage | sp_visits | Visit-count counter used for behavioural segment detection | 1 year | Yes |
| localStorage | noetis_variants_* | Client-side variant cache (5-minute TTL) to avoid repeat assignments | 5 minutes | Yes |
All storage marked "Yes" above is created and cleared based on visitor consent. Revoking consent calls window.spRevokeConsent(), which immediately clears all Noetis storage from the browser. You can also delete your data server-side via DELETE /api/track/data?session_id=… or ?visitor_id=….
9. International data transfers
Noetis stores data primarily in the EU (Frankfurt, Germany). Some sub-processors are located in the United States. We ensure adequate safeguards for all transfers outside the EEA:
| Transfer | Destination | Safeguard |
|---|---|---|
| Supabase (DB hosting) | EU-West (Frankfurt) | No transfer — data stays in EU |
| Vercel (compute / CDN) | Global anycast | EU-US Data Privacy Framework (DPF) |
| Anthropic (AI inference) | United States | Standard Contractual Clauses (SCCs, Module 1) + zero data retention |
| Stripe (payment processing) | United States | Own controller; EU-US DPF |
| SendGrid / Twilio (email) | United States | Standard Contractual Clauses (SCCs) |
The Standard Contractual Clauses used are the European Commission's 2021 SCCs (Commission Implementing Decision (EU) 2021/914). For transfers where we act as processor, SCCs are incorporated into the relevant sub-processor DPA. A signed copy is available on request at chris@noetis.nl.
10. Security measures
We implement appropriate technical and organisational measures (TOMs) to protect personal data. A full description of our security controls is published on our Security & Trust page. Key measures include:
- Encryption in transit: TLS 1.2+ for all connections.
- Encryption at rest: AES-256 via Supabase on AWS infrastructure.
- Tenant isolation: Row-level security (RLS) enforced at the database layer. One tenant cannot access another's data.
- Access control: RBAC with five roles; 2FA enforced on all accounts.
- Audit logging: All write operations logged for 12 months.
- Breach notification: We will notify you and, where required, the competent supervisory authority within 72 hours of becoming aware of a personal data breach.
- Responsible disclosure: Security researchers may report vulnerabilities to chris@noetis.nl. We target a 24-hour acknowledgement and 72-hour remediation for critical issues.
11. Children's data
The Noetis platform and tracking script are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child under 16 has provided data to us, please contact chris@noetis.nl and we will delete it within 72 hours of verification.
Customers using Noetis on sites that are directed at children must ensure they have appropriate legal grounds to do so and must configure the service accordingly. Using the Noetis tracking script on a site targeted at children under 16 without a lawful basis constitutes a material breach of the Terms of Service.
12. Your rights under GDPR (EEA / UK)
If you are located in the European Economic Area or the United Kingdom, you have the following rights:
| Right | What it means | How to exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you | Email chris@noetis.nl |
| Rectification (Art. 16) | Correct inaccurate data | Email chris@noetis.nl |
| Erasure (Art. 17) | Delete your data ("right to be forgotten") | Dashboard → Settings → Delete account, or email chris@noetis.nl |
| Portability (Art. 20) | Receive your data in machine-readable format | Email chris@noetis.nl (JSON/CSV export) |
| Restriction (Art. 18) | Limit how we use your data while a dispute is resolved | Email chris@noetis.nl |
| Objection (Art. 21) | Object to processing based on legitimate interest | Email chris@noetis.nl |
| Withdraw consent | Revoke consent for visitor tracking at any time | Call window.spRevokeConsent() or use the cookie banner |
| Lodge a complaint | Complain to the Dutch DPA (Autoriteit Persoonsgegevens) | autoriteitpersoonsgegevens.nl |
We will respond to verifiable data subject requests within 30 days (extendable by 60 days for complex requests with notice). We will not charge a fee unless requests are manifestly unfounded or excessive.
13. California privacy rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights.
Categories of personal information collected
In the preceding 12 months, Noetis has collected: identifiers (email address, pseudonymous session/visitor IDs), internet or other network activity (page views, clicks, experiment variant assignments), and commercial information (billing records). We do not sell or share personal information for cross-context behavioural advertising.
Your California rights
- Right to know — you may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purposes, and any third parties we share it with.
- Right to delete — you may request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to correct — you may request correction of inaccurate personal information.
- Right to opt out of sale / sharing — Noetis does not sell personal information. We do not share personal information for cross-context behavioural advertising.
- Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by the CPRA.
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.
To submit a verifiable consumer request: email chris@noetis.nl with subject line CCPA Request. We will respond within 45 days. You may designate an authorised agent to submit a request on your behalf.
14. Sub-processors
| Sub-processor | Purpose | Location | DPA / safeguard |
|---|---|---|---|
| Supabase Inc. | Database hosting, auth, storage | EU (Frankfurt) | SCCs + AWS sub-DPA |
| Vercel Inc. | CDN, serverless compute, Edge Config | Global | EU-US DPF |
| Anthropic PBC | AI model inference | United States | SCCs + zero data retention |
| Stripe Inc. | Payment processing | United States | Own controller; EU-US DPF |
| Twilio / SendGrid | Transactional email | United States | SCCs |
Sub-processors are updated on the DPA page. Changes are notified to account owners at least 30 days in advance. You may object to a new sub-processor by contacting chris@noetis.nl.
15. Contact and policy updates
For privacy questions or to exercise your rights: chris@noetis.nl
For DPA / data-processor enquiries: chris@noetis.nl
For security-related matters: chris@noetis.nl
Policy updates
We will notify you of material changes to this policy by email at least 14 days before the new version takes effect. The current version is always available at noetis.nl/privacy. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
| Version | Date | Summary of changes |
|---|---|---|
| 2.0 | 1 June 2026 | Enterprise rewrite: legal-bases table, CCPA section, international transfers, automated decisions, children's data, ToC |
| 1.0 | 1 June 2026 (original) | Initial policy |
© 2026 FinalFrame B.V. · Noetis