Skip to content
Not Nori logo
Language

Legal document

Privacy Policy

Currently published version of this document.

Back to legal pages

Data Controller

The controller of the personal data collected through notnori.com is:

Léandre Desmaretz-Lespagnol, acting in his own name

Data We Collect and Why

Priority access request via /subscriptions

  • Data processed: first name, last name, email address, postal address entered by the user, country, marketing consent, honeypot field, and technical metadata required to secure and process the request
  • Purposes: processing prelaunch signup and priority access requests, estimating prelaunch demand, and following up with the user about the prelaunch
  • Legal basis:
    • legitimate interest for organising the prelaunch and assessing demand;
    • consent for marketing communications when the corresponding option is selected

Interest qualification via /checkout

  • Data processed: first name, last name, email address, postal address entered by the user, country, marketing consent, simulated product selection data when present, honeypot field, and technical metadata required to secure and process the request
  • Purposes: measuring purchase intent and demand, organising the prelaunch, and understanding product interest. No real order is created.
  • Legal basis:
    • legitimate interest for understanding demand and structuring the prelaunch;
    • consent for marketing communications when the corresponding option is selected

Simple prelaunch signup via /account

  • Data processed: email address, optional first name, marketing consent, honeypot field, and security-related technical metadata
  • Purposes: creating a simple prelaunch signup, following up with the user about the prelaunch, and managing priority access
  • Legal basis:
    • legitimate interest for administering the prelaunch;
    • consent for marketing communications when the corresponding option is selected

Cookie consent management and audience measurement

  • Data processed: pseudonymous visitor identifier generated to remember the choice, unique consent action identifier, accepted or rejected categories, consent policy version, page URL, browser language, user agent, and consent and expiry timestamps
  • Purposes: displaying the consent banner, remembering choices, allowing withdrawal or updates, keeping proof of the choices made, and controlling Google Tag Manager and Google Consent Mode v2 according to the user's preferences
  • Legal basis: legal obligation and legitimate interest for consent evidence; consent for non-essential analytics and marketing trackers when accepted

When Google Tag Manager loads, Google Consent Mode v2 is initialised with analytics and marketing purposes denied by default. Until the user accepts the relevant categories, Google tags must operate in restricted mode without setting analytics or advertising cookies. Technical cookieless signals may still be sent to Google as part of advanced consent mode.

Security and abuse prevention

  • Data processed: IP address, timestamps, and request-related technical metadata
  • Purposes: protecting the website against abuse, applying rate limits, detecting automated or abnormal submissions, and maintaining form and API security
  • Legal basis: legitimate interest

Error monitoring and service stability

  • Data processed: technical data related to application errors and website execution, such as browser type, visited page, technical session identifiers, and error traces
  • Purposes: monitoring errors, diagnosing incidents, and improving service stability and security
  • Legal basis: legitimate interest

No Real Payments and No Banking Data

The website does not collect, process, or store banking or payment card data as part of the fake-door prelaunch phase. The /subscriptions, /checkout, and /account flows are used only for prelaunch signup, interest qualification, and priority access management. No real payment is processed.

Retention Periods

| Data category | Retention period | | --- | --- | | Prelaunch signup and fake-door qualification data used to assess demand | 12 months from submission | | Marketing consent and related marketing contact data | 24 months from collection or until consent is withdrawn | | Cookie choices and related consent evidence | 6 months from the choice, unless longer retention is needed to handle a request or dispute | | Technical logs, IP addresses, and anti-abuse data | 90 days | | Sentry error-monitoring data | 90 days |

Recipients and Sub-processors

Personal data may be shared, on a need-to-know basis, with the following sub-processors:

  • Hetzner Online GmbH — infrastructure hosting within the European Union
  • Resend, Inc. — email delivery and marketing synchronisation
  • Functional Software, Inc. (Sentry) — error monitoring and application stability
  • Google Ireland Limited / Google LLC — Google Tag Manager, Google Consent Mode, audience measurement and marketing tags when the corresponding categories are accepted

Personal data is not sold or disclosed to third parties for their own marketing purposes.

International Transfers

Some data may be transferred outside the European Union when processors located in the United States are involved, in particular Resend, Sentry and Google. Such transfers are protected by appropriate safeguards, including standard contractual clauses where required.

Your Rights

Under the GDPR, you may exercise the following rights:

  • right of access;
  • right to rectification;
  • right to erasure;
  • right to restriction of processing;
  • right to object to processing based on legitimate interest;
  • right to data portability where the legal conditions are met;
  • right to withdraw consent at any time for processing based on consent.

To exercise your rights, write to: [email protected]

We may ask for identity verification where necessary.

Complaints

If you believe that your rights have not been respected, you may lodge a complaint with the competent supervisory authority. In France, this authority is:

Commission Nationale de l'Informatique et des Libertes (CNIL)

  • Website: cnil.fr
  • Address: 3 Place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07, France

Cookies

The website uses trackers that are strictly necessary for the service to operate, including security, language, cart, checkout and consent-choice storage. These trackers cannot be disabled from the banner.

The website may also use analytics and marketing trackers controlled through Google Tag Manager, only according to your choices. You can accept, reject or customise these categories from the banner, then change or withdraw your consent at any time through the “Cookie preferences” link in the footer. Rejecting is as easy as accepting.

Updates

This policy may be updated to reflect changes to the website, the processing actually carried out, or the applicable regulatory framework.

Last updated: April 30, 2026