NC

Privacy Policy

Version 1.1 · April 2026

1. Who we are

NKnet Consulting d.o.o., headquartered in Pančevo, Serbia, is the data controller for the nocodeon.click platform.

Data protection contact: dpo@nocodeon.click

2. What data we collect

  • Identification: email, name, username
  • Technical: IP address, user agent, device ID
  • Behavioral: token usage, projects, AI conversations (compressed)
  • Payment: handled by Paddle (Merchant of Record), we don’t store card data

3. Why we process it (legal basis)

  • Contract performance — providing the subscription and platform
  • Consent — marketing, analytics
  • Legitimate interest — security, fraud prevention
  • Legal obligation — billing audit log

4. Who has access

Our team on a need-to-know basis + vendors with signed DPAs:

  • Firebase (Google Cloud) — database hosting in europe-west3 (Frankfurt)
  • Paddle — payment processing
  • OpenClaw — chat agents
  • AI providers for processing (LLM) — app generation and AI responses; processing of your prompts/conversations. Includes providers OUTSIDE the European Economic Area (data transfer under standard contractual clauses).
  • HeyGen, ElevenLabs — Captain Bogdan production (only if you use it)

We never sell data to third parties.

5. How long we keep it

  • Active account: while the account is active
  • Cancelled account: 30 days grace, then soft-delete
  • Soft-delete: 90 days retention
  • Hard-delete: 120 days auto, or immediately on request
  • AI conversations: 90 days detailed, then summary only
  • Audit log: 1 year (regulatory)

6. Your rights (GDPR)

You have the right to:

  • Access the data we hold about you
  • Correct inaccurate data
  • Erasure (right to be forgotten)
  • Data portability (export)
  • Object to processing

Exercise all rights via pomoc@nocodeon.click or directly from the dashboard.

7. Security

We implement: HTTPS everywhere, KMS for secrets, key rotation, annual pentest, anomaly monitoring, principle of least privilege.

8. Children (GDPR-K specific)

Users under 16 do NOT create accounts on their own. A parent must create a family account, give consent, and create a sub-profile for the child. The parent controls all aspects including data deletion.

9. Cookies

We use essential cookies (auth) and optional analytics cookies. More in Cookie Policy.

10. Platform improvement and AI agents (Skills system)

For our AI agents to deliver better results over time, we maintain an internal curated technical knowledge base called the Skills system. This base contains general technical patterns (e.g. “for Serbian TTS use ElevenLabs”, “Firestore requires a composite index for where + orderBy”) and does NOT contain your code, projects, or personal data.

What we MAY use from your sessions (with your consent):

  • Anonymized technical patterns— after we strip all your code, names, IDs, and any identifiers, we may derive a general technical solution (e.g. “which provider supports Serbian TTS”). This is called Tier 2 auto-extraction.
  • Before publishing, every such pattern goes through manual review by our team to verify no link to you or your project remains.

What we will NEVER do:

  • Share your code, projects, or AI conversation content with third parties
  • Use your personal data or names in the skills base
  • Train external AI models on your data (the skills base is our internal prompt config, not fine-tuning)

Your control:

  • Opt-out: in Settings → Privacy you can disable participation in Tier 2 auto-extraction.
  • Tier 1 (knowledge we wrote ourselves, without user sessions) is always active.
  • The skills base is publicly visible in our repository.

Legal basis: legitimate interest (service improvement) for Tier 1. Consent (opt-in default) for Tier 2.

11. Contact and complaints

Questions: dpo@nocodeon.click

You have the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia.