Review the complete Privacy Policy for nocom Solutions, detailing how we collect, use, and protect your information when you use our services.

Privacy Policy

nocom Solutions

Effective: APRIL 15, 2026
Last Updated: APRIL 15, 2026

This Privacy Policy explains how nocom Solutions (“nocom,” “we,” “us,” “our”) collects, uses, discloses, and protects Personal Data in connection with:

  • our websites and marketing pages (“Sites”);
  • our IaaS/hosting services, including the customer portal/console, APIs, and related support (“Services”); and
  • communications with customers, users, prospects, and visitors.

This Privacy Policy applies when we act as a data controller (or “business” under certain U.S. state laws). When we process Customer Content on behalf of a customer (e.g., data stored in a customer VM or object storage), our customer is typically the controller and we act as a processor; those processor obligations are described in our Data Processing Addendum (“DPA”) and customer contract, consistent with GDPR Article 28 requirements.

If you are using our Services through a business or organization, that organization may control how your Personal Data is processed within Customer Content, and you should direct privacy requests about Customer Content to that organization.

Definitions

For purposes of this Privacy Policy:

  • “Personal Data” means information relating to an identified or identifiable natural person.
  • “Processing” means operations performed on Personal Data (collection, storage, use, disclosure, deletion, etc.).
  • “Customer Content” means data and content submitted to the Services by or on behalf of customers.
  • “Account Data” means account registration/admin, billing, and identity/access data associated with a customer account (controller-context).
  • “Service Metadata” means operational telemetry about how Services are configured/used (e.g., resource identifiers, service configuration, usage metrics).
  • “Log Data” means security and operational logs (e.g., console logins, API calls, network flow logs) that may include identifiers such as IP addresses.
  • “Subprocessor” means a third party engaged to process Customer Content on behalf of customers (processor-context), consistent with Article 28’s subprocessor framing.

Roles: controller vs processor

When we are a controller (this Privacy Policy applies):
We process Personal Data to operate our Sites and business (Account Data, billing, support administration, sales/marketing communications, and certain security/abuse monitoring for our own purposes). These activities are governed by GDPR principles and require a lawful basis under Article 6.

When we are a processor (DPA applies):
We process Customer Content only on documented instructions set out in the Services agreement/DPA; we support customer rights fulfillment, maintain security measures, notify customers of security incidents without undue delay, and delete/return data at end of services as specified—concepts reflected in GDPR Article 28.

Categories of Personal Data we collect

Account and identity data

  • Name, email address, username, password (hashed), multi-factor authentication factors (where enabled).
  • Organization name, role/title (where provided).
  • Account verification information.

Billing and transactional data

  • Billing address and tax-related fields (where applicable).
  • Payment status, invoices, and transaction records (payment card data handling depends on your PSP).

Support and communications data

  • Support tickets, chat/email correspondence, call recordings.
  • Attachments and diagnostic data voluntarily provided by customers.

Service and device data

  • Device identifiers and signals (browser type, OS, device attributes).
  • IP addresses and timestamps.

Log and security telemetry

  • Authentication logs (console and API), access logs, administrative actions.
  • Network and platform security logs (e.g., firewall events, IDS alerts), which may incidentally include identifiers. Security logging supports integrity/confidentiality and incident response obligations.

Marketing and preferences

  • Subscription preferences, opt-in/opt-out status, campaign interactions.
  • Cookie and tracking identifiers (see Cookies section).

Sensitive data

We do not intentionally collect sensitive categories unless necessary for specific services or required by law. Where sensitive data is processed, additional safeguards and transparency are required.

Purposes of processing

We process Personal Data for the following purposes, aligned to GDPR purpose limitation and transparency requirements:

  • Provide and administer Services (account creation, authentication, authorization, provisioning, service operations, customer support).
  • Billing and payments (invoicing, collections, fraud prevention in billing).
  • Security and abuse prevention (monitoring, detection, investigation, mitigation of threats and policy violations). GDPR recognizes security measures including encryption and resilience/restore capability as relevant to appropriate security.
  • Compliance with legal obligations and enforcement of terms (tax, accounting, subpoenas/court orders, sanctions/export compliance—scope).
  • Product improvement and analytics (service reliability, performance, capacity planning) using Service Metadata/Log Data where appropriate (details and lawful basis depend on region).
  • Marketing communications (sending updates to subscribed users; see Marketing and Opt-Out). Under GDPR, data subjects have a right to object to direct marketing, and the controller must stop processing for those purposes once objected.

Lawful bases for processing under GDPR

Where the GDPR applies, we rely on one or more lawful bases, depending on the context:

  • Performance of contract: account creation, delivering Services, support.
  • Legal obligation: tax/accounting, responding to valid legal process, mandatory recordkeeping.
  • Legitimate interests: platform security, fraud prevention, abuse mitigation, service improvement; balanced against rights and freedoms.
  • Consent: cookies/tracking (where required), optional marketing subscriptions; consent must be freely given, informed, and unambiguous. The EDPB clarifies that “cookie walls” can invalidate consent, and scrolling/swiping is not valid consent.

Data minimization and purpose limitation

We design collection and processing to be adequate, relevant, and limited to what is necessary, and to avoid incompatible secondary uses without appropriate notice/lawful basis.

Where feasible, we separate:

  • data needed to provide Services (contract necessity), from
  • data used for optional improvements/marketing (consent or legitimate interests, depending on context).

Cookies and tracking technologies

We use cookies, SDKs, pixels, and similar technologies (“Cookies”) to:

  • authenticate and maintain secure sessions;
  • prevent fraud and protect against abuse;
  • remember preferences;
  • measure site performance; and
  • (if enabled) deliver and measure marketing.

We provide cookie preference controls through our customer settings. Where required, we request consent before setting non-essential cookies.

Logging, monitoring, and lawful interception

We collect and process Log Data and security telemetry to:

  • secure accounts and prevent unauthorized access;
  • detect, investigate, and respond to incidents;
  • maintain availability and resilience of Services; and
  • comply with legal obligations.

These activities align with the GDPR security-of-processing expectation (confidentiality, integrity, availability, resilience, restore capability, and regular testing).

Lawful interception: If we are legally required to provide information to government authorities, we will do so consistent with applicable law and may limit disclosures to what is legally required. The GDPR allows certain restrictions on rights where necessary and proportionate for objectives like national security or law enforcement, subject to law.

Security measures and encryption

We implement technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The GDPR explicitly references measures such as encryption, resilience, restore capability, and testing.

Baseline control areas (map to internal control library using NIST SP 800-53 categories; specific control selection is [...]):

  • Identity and access management (MFA, least privilege, admin separation)
  • Encryption in transit (TLS) and at rest (storage encryption)
  • Key management (provider-managed keys; customer-managed keys/BYOK)
  • Vulnerability management and patching
  • Logging/monitoring and alerting
  • Segmentation and tenant isolation
  • Backup integrity protection (access-separated backup storage)
  • Secure software development and change management

Incident response and breach notification

We maintain an incident response program consistent with recognized lifecycle frameworks (preparation; detection/analysis; containment/eradication/recovery; post-incident learning).

GDPR timeline anchors:

  • Controllers must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, where feasible, unless unlikely to result in risk.
  • Processors must notify the controller without undue delay after becoming aware.
  • If high risk is likely, individuals must be informed without undue delay.

Data retention, archival, backups, and deletion

We retain Personal Data only as long as necessary for the purposes described in this Privacy Policy, consistent with GDPR storage limitation.

California requires businesses to inform consumers about retention periods (or criteria) and not retain personal or sensitive data longer than reasonably necessary for disclosed purposes; it also emphasizes proportionality in collection/use/retention.

Backups and archives: Deleting data from active systems does not always immediately delete it from backups. We maintain backup retention schedules and secure deletion processes; final timing depends on your selected backup design, and should be disclosed in your retention schedule.

Retention schedule table

| Data category | Typical purpose | Baseline | Backup/archival handling |
|---|---|---|---|
| Account registration data | Account administration | Life of account + 30 days | Present in backups until expiry |
| Billing & invoices | Accounting, tax | 7 years (jurisdiction-dependent) | Archived accounting backups |
| Support tickets | Support delivery, troubleshooting | 24 months | Ticket exports in backups |
| Security/auth logs | Fraud/security monitoring | 90–180 days | Security log archive for limited period |
| API access logs | Abuse detection, troubleshooting | 30–90 days | Rotating log archive |
| Website analytics | Site performance | 13 months | Aggregated/rolled-up metrics |
| Marketing subscriptions | Campaign delivery | Until opt-out + 24 months suppression list | Suppression list retained to honor opt-out |
| Payments metadata | Reconciliation/fraud | 24 months | PSP retention governed by PSP |
| Customer Content (processor) | Hosting services | Per customer instructions/contract | Backups per customer-selected settings |
| Post-termination export window | Customer retrieval | 30 days | After window, queued deletion |

Retention disclosures align with GDPR transparency and storage limitation, and California’s retention disclosure expectations.

Termination, deletion after termination, and export window

Upon termination of Services:

  • customers should export Customer Content during an export window (length 7 DAYS);
  • after the export window, remaining Customer Content is deleted per contract/DPA, subject to legal holds or legal retention requirements.

This structure aligns with common cloud DPA deletion clauses (e.g., return/deletion at end of term).

Sharing and disclosures of Personal Data

We may disclose Personal Data to:

  • Service providers (e.g., payment processors, support tooling vendors) acting as processors/service providers;
  • Subprocessors (for Customer Content processing) under our DPA;
  • Affiliates N/A;
  • Authorities where required by law (see Government Requests);
  • Business transferees in mergers/acquisitions; and
  • Infrastructure and network providers (including Cloudflare) that provide traffic routing, content delivery, and security services, and that may process network traffic data, including IP addresses, request metadata, and data transmitted through the Services, in order to deliver and secure the Sites and Services.

Where we use subprocessors for Customer Content, Article 28 requires authorization and contractual flow-down obligations, and that the controller has an opportunity to object under the “general authorization + notice” model. This is also reflected in major cloud DPA practice (e.g., advance notice and objection/termination options).

Subprocessors, DPA summary, and objection process

DPA availability: We provide a DPA describing our processor obligations for Customer Content and security incident notification.

Subprocessor list: We maintain a list of subprocessors in our Data Processing Addendum (Schedule E of our Terms of Service), including in Annex 3, and may update such list from time to time in accordance with our contractual obligations.

Subprocessors engaged for Customer Content processing may include infrastructure and network delivery providers (such as Cloudflare) and payment processing providers (such as Stripe), as further detailed in our DPA.

Objection process:

  • We will notify customers of new subprocessors 30 DAYS before they begin processing Customer Content.
  • Customers may object by contacting [email protected] within 30 DAYS.
  • If unresolved, customers may terminate the affected Services per contract.

Cross-border transfers

Personal Data may be processed in countries where nocom Solutions or its subprocessors maintain facilities. Where Personal Data is transferred outside the European Economic Area (EEA), nocom Solutions relies on the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the primary transfer mechanism.

The Parties agree that Module Two (Controller to Processor) applies, and the Standard Contractual Clauses are incorporated into this Agreement by reference or as set out in Annex 4.

nocom Solutions implements supplementary technical and organizational measures, including encryption, access controls, and data minimization, to ensure an adequate level of protection for Personal Data transferred internationally.

Data subject rights under GDPR

Where the GDPR applies, individuals may have the right to:

  • Access (Article 15)
  • Rectification (Article 16)
  • Erasure (Article 17)
  • Restriction (Article 18)
  • Portability (Article 20)
  • Objection, including to direct marketing (Article 21)
  • Not be subject to certain solely automated decisions with legal/similarly significant effects (Article 22)

How we respond: We respond without undue delay and generally within one month, extendable by two months where necessary depending on complexity/volume, and we may request additional information to verify identity.

CCPA/CPRA rights (California module)

If the CCPA/CPRA applies to nocom Solutions, California residents may have rights including:

  • Right to know/access categories and specific pieces of personal information (statutory-based).
  • Right to delete.
  • Right to correct (CPRA).
  • Right to opt out of sale/sharing of personal information.
  • Right to limit use/disclosure of sensitive personal information (where applicable).
  • Special terms for consumers under 16 in sale/share contexts (where applicable).

Required disclosures: California requires notice of categories collected, purposes, and retention (or criteria).

Required links (where applicable): “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information,” or an alternative mechanism, and restrictions on “dark pattern” friction (e.g., not forcing scroll through policies to find opt-out mechanisms).

Automated decision-making, profiling, and AI usage

GDPR (Article 22): Individuals have the right not to be subject to certain decisions based solely on automated processing with legal or similarly significant effects, with specified exceptions and safeguards (human intervention, ability to contest).

California (ADMT module): California regulations define ADMT and establish obligations for significant decisions and timelines (implementation deadlines depend on activity type and date).

nocom’s use (template—choose what is true):

  • We use automated systems for security, fraud detection, and abuse prevention.
  • We do not use ADMT to make “significant decisions” about consumers beyond security/fraud controls.
  • If we do, we provide disclosures and opt-out/appeal routes as required.

Marketing communications and opt-outs

We may send marketing communications where permitted by law and your preferences. You can opt out by using the unsubscribe link in emails or contacting our privacy email at [email protected].

Under GDPR, individuals can object to processing of personal data for direct marketing at any time; once objected, the data must no longer be processed for those purposes.

California “Shine the Light” provides a mechanism related to certain third‑party direct marketing disclosures.

Children’s data

We do not knowingly collect Personal Data from children in contexts where parental consent is required. If GDPR Article 8 applies in relation to information society services offered directly to children, Member States may set age thresholds (between 13 and 16).

If we learn we have collected children’s data unlawfully, we will take steps to delete it.

Third-party integrations and analytics

Customers may integrate third-party services (e.g., backups, monitoring, SIEM, ticketing). When customers enable third-party integrations, those third parties may process data under their own privacy terms; customers are responsible for reviewing and configuring them.

Our Sites utilize both first-party and third-party analytics technologies. Third-party analytics providers, including Google Analytics and Microsoft Clarity, may process Personal Data such as device information, usage data, and interaction data in accordance with their respective privacy policies. These providers act as processors or service providers when processing Personal Data on our behalf in a controller context. We obtain consent for such technologies where required by applicable law.

Law enforcement and government requests

We may disclose Personal Data when we have a good-faith belief disclosure is required to comply with applicable law, regulation, legal process, or enforceable governmental request. Where legally permitted, we may notify affected customers/users of requests and may challenge overbroad requests.

Under GDPR, certain restrictions of rights/obligations may occur when necessary and proportionate under law for objectives such as national security or law enforcement.

Recordkeeping, audits, and privacy governance

We maintain internal records and documentation where required. GDPR requires controllers (and processors) to maintain records of processing activities containing categories, recipients, transfer details, and (where possible) time limits for erasure and security measures.

We implement “privacy by design and by default” measures where applicable, meaning safeguards and minimization are integrated into processing design.

For higher-risk processing, GDPR contemplates Data Protection Impact Assessments (DPIAs) and consultation where required.

Certifications and compliance reports

Current certifications: NONE AT THE TIME OF DOCUMENT CREATION.

Contact points for privacy questions and rights requests

Privacy contact: [email protected]
Support contact: [email protected]
Mailing address: 23600 Mercantile Road, Suite C-100 POBOX JF027131, Beachwood, Ohio, 44122, United States of America

EU/UK representative (if required under GDPR Article 27): Contact [email protected] for information.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version and revise the “Last Updated” date. California regulations also contemplate listing the last updated date in the privacy policy.