Privacy Policy
Last updated: February 18, 2026
This Privacy Policy describes how Nolxy collects, uses, and protects personal data when you use the Nolxy API Gateway platform (the "Service").
Data Controller
The Service is operated by Davide Ricca, Via Antonio Romano 35, 97019 Scoglitti (RG), Sicily, Italy, acting as Data Controller under Regulation (EU) 2016/679 (GDPR).
Contact email: support@nolxy.com
1. Experimental Beta Phase
Nolxy is currently in a free experimental beta phase. No payments or billing are involved. Features and service limits may change without notice. Users will be informed of any changes to data processing when the beta phase ends.
2. Role in Data Processing
Nolxy acts as:
- Data Controller — for user account data (email, name, OAuth credentials, usage preferences).
- Data Processor — for data contained in API request logs monitored through the Service. In this context, the customer (user) is the Data Controller, and Nolxy processes data solely to provide the monitoring and analytics service.
Customers who require a formal Data Processing Agreement (DPA) may request one by writing to support@nolxy.com.
3. Data We Collect
3.1 Account Data
Registration is exclusively through OAuth (GitHub or GitLab). We do not collect or store passwords. The data collected includes:
- Name and email address (from your OAuth provider profile)
- OAuth provider identifier (GitHub or GitLab user ID)
- Profile avatar URL
- Authentication provider used (GitHub or GitLab)
- Date and version of Terms of Service acceptance
3.2 API Request Logs
We automatically collect data about HTTP requests that transit through your gateway, including:
- HTTP method, path, status code, response latency
- Requester IP address and User Agent
- Request and response size
- Geolocation derived from IP (country, city)
- Device information (device type, browser, operating system)
- Cache and performance metrics
- Security event indicators
- HTTP request headers (filtered to exclude sensitive data)
- Request timestamp
This data powers your analytics dashboard. Logs may contain personal data of your API end-users (e.g., IP addresses). In this context, Nolxy acts as a Data Processor on your behalf.
3.3 Audit Logs
For security and compliance, we maintain a log of sensitive operations performed on your account, including: action taken, affected resource, operator IP address and User Agent.
3.4 Geolocation Data
We use the GeoLite2 database created by MaxMind, available from https://www.maxmind.com.
The geolocation data is approximate and does not identify precise addresses or households. We use this data solely for analytics (e.g., “Requests by Country”) and security (e.g., “Block traffic from Country X”). We respect “Do Not Sell” requests by regularly updating our database to reflect MaxMind's privacy exclusions.
3.5 Cookies
We use strictly necessary cookies for authentication. See our Cookie Policy for full details.
4. Legal Basis for Processing (Art. 6 GDPR)
Each processing activity is based on a specific legal basis:
- Registration data (email, name, OAuth data) — Performance of a contract (Art. 6.1.b GDPR), necessary to provide access to the Service.
- API request logs (IP, endpoint, headers, metrics) — Legitimate interest (Art. 6.1.f GDPR), necessary to deliver the monitoring and analytics service and ensure gateway security.
- Geolocation and device detection — Legitimate interest (Art. 6.1.f GDPR), to provide geographic and device analytics in the dashboard.
- Audit and security logs — Legitimate interest (Art. 6.1.f GDPR), to prevent fraud and ensure the security of the Service.
- Service emails (system notifications) — Performance of a contract (Art. 6.1.b GDPR).
- Strictly necessary cookies — Performance of a contract / legitimate interest, essential for the Service to function.
- Optional functional cookies (user preferences) — Consent (Art. 6.1.a GDPR).
5. How We Use Your Data
- Provide and maintain the Service
- Authenticate requests and manage your account
- Display analytics and usage metrics on your dashboard
- Send transactional emails (service notifications)
- Detect and prevent abuse, fraud, and security threats
- Improve the Service based on aggregated, anonymized usage patterns
We do not sell your personal data. We do not use your data for advertising.
6. Data Retention
- Account data — retained while your account is active. Upon account deletion, personal identifiers (name and email) are anonymised immediately. The anonymised account record is retained solely to preserve the integrity of security and audit logs required by law. No personal data can be attributed to you after anonymisation.
- API request logs — retained for between 12 hours and 90 days, depending on your plan, and automatically deleted when the retention period expires. During the beta phase only the cloud-hosted version is available, and retention periods may change as plans are finalized.
- Security logs (IP address, timestamp, endpoint, User-Agent, status code) — retained for 6 months (180 days) for law-enforcement and security-incident purposes, regardless of plan.
- Audit logs (account actions: login, API key management, gateway configuration) — retained for 12 months (365 days) for compliance and fraud-prevention purposes, then automatically deleted.
- Authentication tokens — session tokens expire automatically and are removed on expiry.
7. Data Sharing and Sub-Processors
Nolxy uses the following third-party providers (sub-processors) that may process personal data:
- GitHub (Microsoft) — OAuth authentication. Data processed: name, email, profile ID. Location: USA. Privacy: GitHub Privacy Statement.
- GitLab — OAuth authentication. Data processed: name, email, profile ID. Location: USA. Privacy: GitLab Privacy Policy.
- Brevo (formerly Sendinblue) — Service emails and system notifications. Data processed: email address, name. Location: France (EU). Privacy: Brevo Privacy Policy.
- netcup GmbH — Hosting and infrastructure. Data processed: all Service data. Location: Germany (EU). Privacy: netcup Privacy Policy.
- Hetzner Online GmbH — Backup storage (Storage Box). Data processed: encrypted database backups. Location: Germany (EU). Privacy: Hetzner Privacy Policy.
- Stripe, Inc. — Payment processing (will be activated post-beta for paid plans). Data processed: name, email, billing address, payment method details. Location: USA. Stripe is certified under the EU-US Data Privacy Framework. Privacy: Stripe Privacy Policy. Not active during the current beta phase.
Self-hosted services: our databases and internal tools are hosted on our own infrastructure and do not transfer data to third parties.
Geolocation: the geolocation database is downloaded and used locally. No user data is sent to any third party for geolocation purposes.
User-configured integrations: if you enable log export to Datadog or external webhooks, logs are sent to those destinations under your responsibility as Data Controller.
We reserve the right to update this list. Users will be notified of material changes via email or an in-app notice.
8. International Transfers
Our servers are located in Germany (EU), hosted by netcup GmbH. Email services are provided by Brevo, with data processing located in France (EU). For data transfers to the USA (GitHub, GitLab), we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission and/or adequacy decisions where applicable.
9. Your Rights (Art. 15-22 GDPR)
As a data subject, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate or incomplete data
- Erasure — request the deletion of your data ("right to be forgotten")
- Restriction — request restriction of processing
- Objection — object to processing based on legitimate interest
- Portability — receive your data in a structured, machine-readable format
- Withdraw consent — withdraw consent at any time where processing is based on consent
How to exercise your rights: send a request to support@nolxy.com with subject line "GDPR Request". We will respond within 30 days.
Right to lodge a complaint: you may file a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) at www.garanteprivacy.it if you believe your data is being processed in violation of the GDPR.
10. Security
We implement industry-standard security measures to protect your data. For details, see our Security Policy.
11. Data Breach
In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects, Nolxy will:
- Notify the competent supervisory authority (Garante per la Protezione dei Dati Personali) within 72 hours of becoming aware of the breach, where applicable.
- Inform affected users without undue delay if the breach is likely to result in a high risk to their rights.
- Document the breach and the remedial measures taken.
To report a potential breach: support@nolxy.com
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a notice on the Service. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact
For any questions regarding privacy and the processing of personal data, contact us at support@nolxy.com.