This Privacy Policy explains how personal data is processed in connection with the Noola Impact platform (the "Service").
We process personal data in accordance with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 of 5 December on Data Protection and Guarantee of Digital Rights (LOPDGDD), and Law 34/2002 (LSSI-CE).
This Policy forms part of, and should be read together with, our Terms & Conditions of Service and Cookie Policy.
This Policy applies to the personal data of: visitors to our website; individuals who register and use an Account; representatives and staff of customer organisations; and any individuals whose personal data may appear within data uploaded to the Service.
The Service is contracted by professionals in the course of their business. The statutory 14-day right of withdrawal applicable to consumers under the Spanish consumer-protection legislation (TRLGDCU) does not apply to this contract.
For data we determine the purposes of — account registration, authentication, billing, customer support, marketing, and website analytics — Noola acts as data controller.
Where a customer uploads Customer Data (such as utility bills) that contains personal data of third parties (for example, the name of an account holder or contact), Noola processes that data as a processor, on the customer's documented instructions and solely to provide the Service. This processing is governed by a data processing agreement (Article 28 GDPR) between Noola and the customer. The customer is the controller of that data and is responsible for having a lawful basis to provide it.
| Category | Examples | Purpose | Legal basis (Art. 6 GDPR) |
|---|---|---|---|
| Account data | Name, email, role, company, password | Create and manage your Account; authenticate access | Performance of a contract (6.1.b) |
| Property & building data | Property details, supply points, CUPS, occupancy data | Generate diagnostics, recommendations, and verification | Performance of a contract (6.1.b) |
| Customer Data (uploaded) | Utility bills and related documents (may contain personal data) | Analyse consumption; produce outputs; verify savings | Processed for the customer as processor (Section 3.2) |
| Billing data | Billing details, transaction records (card data handled by Stripe — we do not store full card numbers) | Process payments; comply with accounting and tax law | Contract (6.1.b); legal obligation (6.1.c) |
| Usage & technical data | IP address, device/browser data, log data, interactions | Operate, secure, and improve the Service | Legitimate interest (6.1.f) |
| Communications | Support messages, emails | Respond to and manage your requests | Legitimate interest (6.1.f); contract (6.1.b) |
| Marketing data | Email, marketing preferences | Send commercial communications about the Service | Consent (6.1.a) or legitimate interest for existing customers under LSSI Art. 21 |
You are not legally obliged to provide personal data, but some data is necessary to use the Service; without it we cannot create an Account or deliver the Service.
We share personal data with trusted providers who process it on our behalf, under contracts that meet GDPR requirements. Current providers include:
| Provider | Function | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner | Hosting and object storage | Germany (EEA) | No transfer outside the EEA |
| Stripe | Payment processing | EU / United States | SCCs / adequacy as applicable |
| Google (Gemini API) | OCR and parsing of uploaded bills | EU / United States | SCCs; data not used for model training |
| Resend / Amazon SES | Transactional email | EU / United States | SCCs |
| Google Workspace | Business email and productivity | EU / United States | SCCs / adequacy |
We do not sell personal data. We disclose data to third parties only as described in this Policy, or where required by law or competent authority.
Note on automated parsing. Uploaded bills are processed by an automated OCR/parsing service (Google Gemini API) to extract consumption and tariff data. Where bills contain personal data, that data is transmitted to this service solely for parsing and is not used to train third-party models.
Where personal data is transferred outside the European Economic Area, we rely on a valid transfer mechanism under Chapter V GDPR — an adequacy decision, the European Commission's Standard Contractual Clauses, or another approved safeguard. You may request a copy of the relevant safeguards by contacting us at hello@noola.eco.
The Service produces diagnostics, ratings, and recommendations through automated analysis. These outputs are estimates that inform your decisions; they do not produce legal or similarly significant effects on any individual within the meaning of Article 22 GDPR. No solely automated decisions with legal effects are made about individuals.
We retain personal data only as long as necessary for the purposes described:
Under the GDPR and LOPDGDD, you have the right to:
To exercise these rights, contacthello@noola.eco. We may need to verify your identity. We will respond within one month, extendable as permitted by law.
Where Noola acts as processor (Section 3.2), requests concerning data within uploaded Customer Data should be directed to the relevant customer (the controller); we will assist that customer as required.
Right to complain. You may not assign these Terms without our consent. We may assign them in connection with a reorganisation, merger, or sale of business. www.aepd.es) or your local supervisory authority.
We implement appropriate technical and organisational measures to protect personal data, including encrypted transport, access controls, authentication, and hosting with a provider offering EEA-based infrastructure. No system is perfectly secure; we cannot guarantee absolute security but we work to protect your data and will notify you and the authorities of any breach as required by law.
The Service is contracted by professionals in the course of their business. The statutory 14-day right of withdrawal applicable to consumers under the Spanish consumer-protection legislation (TRLGDCU) does not apply to this contract.
Our website uses cookies and similar technologies. Non-essential cookies are set only with your consent, in accordance with LSSI Article 22. Details of the cookies used, their purposes, and how to manage your preferences are set out in our Cookie Policy.
We may update this Policy from time to time. Material changes will be notified by appropriate means before they take effect. The version date at the top indicates when it was last revised.
For any question about this Policy or about how your personal data is processed, contact:
Emailhello@noola.eco