Privacy policy

Effective date: 5 March 2026

This privacy policy explains how Wudaku Oy ("Noste", "we", "us"), a Finnish company, collects, uses, and protects your personal data when you use the Noste platform at noste.app ("Service").

We are committed to compliance with the EU General Data Protection Regulation (GDPR) and Finnish data-protection legislation.

1. Data controller

Wudaku Oy (business ID 2838111-6) Email: [email protected]

2. Personal data we collect

2.1 Account data

When you register we collect:

  • Name
  • Email address
  • Profile photo (if you sign in with Google)

2.2 Payment data

Payments are processed by Stripe, Inc. We do not store your full credit card number. Stripe provides us with a token, card brand, last four digits, and billing address. See Stripe's privacy policy for details.

2.3 Usage data

We automatically collect:

  • IP address
  • Browser type and version
  • Pages visited and features used
  • Timestamps of actions
  • Device and operating system information

2.4 Content data

Any data, text, or files you provide to the Service or that your AI agents generate on your behalf.

2.5 Cookies and similar technologies

We use strictly necessary cookies for authentication and session management. We do not use advertising or tracking cookies. Analytics, if used, rely on privacy-friendly, cookie-free tools.

3. Legal bases for processing (GDPR Article 6)

Purpose Legal basis
Providing the Service and managing your Account Performance of contract (Art. 6(1)(b))
Processing payments Performance of contract (Art. 6(1)(b))
Sending transactional emails (e.g. receipts, security alerts) Performance of contract (Art. 6(1)(b))
Improving the Service, debugging, security monitoring Legitimate interest (Art. 6(1)(f))
Complying with legal obligations (e.g. tax, accounting) Legal obligation (Art. 6(1)(c))
Sending product updates and feature announcements Legitimate interest (Art. 6(1)(f)); you can opt out at any time

4. How we use your data

We use personal data to:

  • create and manage your Account;
  • provision and operate your AI agent environments;
  • process payments and manage Subscriptions;
  • provide customer support;
  • monitor, maintain, and improve the Service;
  • detect and prevent fraud, abuse, and security incidents;
  • comply with applicable laws.

We do not sell your personal data. We do not use your Content to train AI models.

5. Data sharing

We share personal data only with:

Recipient Purpose Location
Stripe Payment processing USA (EU SCCs)
Hetzner Infrastructure hosting Germany / Finland (EU)
Google OAuth authentication (if you use Google sign-in) USA (EU SCCs)
OpenRouter AI model inference USA (EU SCCs)
Resend Transactional email delivery USA (EU SCCs)

Where data is transferred outside the EU/EEA, we rely on EU Standard Contractual Clauses (SCCs) or adequacy decisions to ensure an adequate level of protection.

We may also disclose data if required by law, court order, or to protect our rights and safety.

6. Data retention

  • Account data — retained for the duration of your Account and deleted within 30 days of Account closure, unless longer retention is required by law (e.g. accounting records for 6 years under Finnish law).
  • Content data — deleted when you delete it or within 30 days of Account closure.
  • Usage data — retained in aggregated, anonymised form for up to 24 months for analytics purposes.
  • Payment records — retained as required by Finnish tax and accounting law (typically 6 years).

7. Data security

We implement appropriate technical and organisational measures, including:

  • encryption in transit (TLS) and at rest;
  • isolated container environments per Team;
  • vault-managed credentials for agent integrations;
  • access controls and audit logging;
  • regular security monitoring.

No system is completely secure. If we become aware of a data breach affecting your personal data, we will notify you and the relevant supervisory authority in accordance with GDPR requirements.

8. Your rights under GDPR

You have the right to:

  • Access your personal data (Art. 15);
  • Rectify inaccurate data (Art. 16);
  • Erase your data ("right to be forgotten") (Art. 17);
  • Restrict processing (Art. 18);
  • Data portability — receive your data in a structured, machine-readable format (Art. 20);
  • Object to processing based on legitimate interest (Art. 21);
  • Withdraw consent at any time where processing is based on consent (Art. 7(3));
  • Lodge a complaint with a supervisory authority.

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

9. Supervisory authority

If you believe your data-protection rights have been violated, you have the right to lodge a complaint with:

Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) P.O. Box 800, 00531 Helsinki, Finland tietosuoja.fi

Or with the supervisory authority of your EU member state of residence.

10. Children's privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.

11. Changes to this policy

We may update this policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before they take effect. The "Effective date" at the top indicates the latest version.

12. Contact

Wudaku Oy Email: [email protected]