nanoconn
Nanoconn Privacy and Cookies Policy
Nanoconn privacy and cookies policy covering data, purposes, legal bases, providers, retention, rights and security.
- Status
- informational English version
- Version
- 1.0 / production service
- Source language
- Polish
- Nanoconn data controller
- QWERTAJ Klaudiusz Mikolap, Jana Olbrachta 120/66, 01-373 Warsaw, Poland, Polish tax ID/NIP 5223087443, klaudiusz@nanoconn.com
This English version is provided for convenience. The Polish version is the source version.
1. What This Document Covers
This policy explains how Nanoconn processes personal data and uses cookies or similar technologies. Nanoconn is a platform for merchants, so roles may differ:
- Nanoconn is the controller for accounts, login, platform security, Nanoconn billing, its own communication and platform operation.
- The merchant is the controller for its customers, orders, newsletter, reviews, messages and content in its workspace.
- Nanoconn acts as a processor when it technically operates a merchant's workspace, store, messages, reviews, newsletter and orders.
- External partners are separate controllers when a user goes to their store or uses their service.
2. Contact
Privacy questions can be sent to legal@nanoconn.com.
If the question concerns a specific store, order, newsletter or message in a merchant workspace, the user may also contact the merchant shown in that workspace or checkout.
3. Data We May Process
Nanoconn may process:
- account data, such as e-mail, name, username, photo, settings, roles, workspace, invitations and login history,
- merchant data, such as company data, contact data, workspace settings, offer, content, media, integrations, payments and billing data,
- customer data, such as name, e-mail, phone, delivery address, billing address, cart items, orders, payment, delivery and complaint status,
- newsletter data, such as e-mail, consent, source, unsubscribe status and campaign history,
- message and review data, such as message content, product context, conversation history, review content, rating and moderation status,
- technical and security logs, such as IP address, User-Agent, session identifiers, security logs, cookie settings, accessibility settings, language, region and device data,
- first-party product analytics, such as event name, path, product or cart context and event time, without IP, User-Agent or a specific user identifier,
- error monitoring data and diagnostic logs, and - if enabled and the user gives valid consent - masked Session Replay data for diagnostics,
- partner redirect data, such as clicks, product, discount code, external link, partner domain and redirect events.
Users should not submit special categories of data, such as health data, unless there is a separate legal basis and Nanoconn consent.
4. Purposes and Legal Bases
Data is processed to create and operate accounts and workspaces, provide the Nanoconn service, operate mini-stores, carts, checkouts, payments, delivery and orders, send system e-mails and notifications, operate newsletters and marketing messages, respond to messages and complaints, publish and moderate reviews, ensure security, prevent abuse, keep accounting records, analyze product stability and defend claims.
Where processing is based on consent, consent can be withdrawn at any time. This does not affect processing that happened before withdrawal.
5. Recipients and Providers
Nanoconn may use providers needed for hosting, database, storage, backups, e-mail, payments, external login, error monitoring, product analytics, delivery integrations, administration and technical support.
In the current production model Nanoconn uses in particular:
- Railway - hosting, runtime, scheduled jobs and operational logs in the EU,
- Supabase - hosted PostgreSQL database on AWS in the EU region eu-west-1,
- Backblaze B2 - S3-compatible media storage, product assets, encrypted backups and backup status in the EU region eu-central,
- Resend - transactional and newsletter e-mail and delivery webhooks,
- Stripe - payments, subscriptions, Connect and payment webhooks,
- Google OAuth - Google account login when chosen by the user,
- Sentry - error and stability monitoring; optional masked Session Replay may be used only if enabled and there is a valid basis such as consent,
- Plausible - privacy-friendly, cookieless analytics enabled only after analytics consent,
- Nanoconn first-party product events - analytics without IP, User-Agent or a specific user identifier,
- Cloudflare Turnstile - bot and abuse protection when enabled,
- InPost - delivery integrations when configured by the merchant,
- external commercial partners - only for partner redirect or integrations activated by a user or merchant.
If Nanoconn enables a new provider processing user data, this policy is updated before that provider is used in production.
6. Transfers Outside the EEA
Nanoconn tries to choose EEA regions where available. Database data in Supabase (EU region eu-west-1), backups and media in Backblaze B2 (EU region eu-central) and Plausible analytics are configured in the EEA.
Some providers, especially Stripe, Google, Sentry, Resend and Cloudflare or their subprocessors, may process data outside the EEA. Nanoconn relies on appropriate safeguards such as standard contractual clauses, adequacy decisions or another mechanism available under the GDPR.
7. Cookies and Similar Technologies
Nanoconn uses cookies, localStorage and similar technologies for login, sessions, cart, consent storage, accessibility settings, language, region, preferences, security, analytics and marketing if such tools are enabled with valid consent.
Categories:
- Essential - required for Nanoconn, login, cart, security and settings.
- Analytics - help measure product use and stability. They include Plausible and optional frontend diagnostic tools such as masked Session Replay. They run only after consent. Basic server-side security and error logs may run without consent where needed for security and stability.
- Marketing - intended for advertising and remarketing. They are not enabled without a separate decision, consent and policy update.
Users can manage consent in the Nanoconn cookie panel.
8. Newsletter and Marketing
Newsletter subscription requires consent or another legal basis shown at signup. The public signup form uses double opt-in: an e-mail confirmation link is sent and the subscription becomes active only after clicking it. Each marketing e-mail contains an unsubscribe option.
If a newsletter is sent by a merchant to its own list, the merchant is the controller and Nanoconn provides the technical tool.
9. Retention
Data is kept as long as needed for the purposes for which it was collected and for periods required by law or needed to defend claims.
Typical retention:
- account data - while the account exists and then for claims or legal duties,
- orders and accounting data - usually 5-6 years,
- payments and webhooks - usually up to 2 years unless needed longer,
- support messages - usually up to 2 years after closing,
- newsletter - until unsubscribe or consent withdrawal, with a minimal proof of consent and unsubscribe,
- newsletter campaigns - usually up to 2 years,
- reviews - while published and for moderation/audit,
- security and platform logs - usually up to 12-24 months,
- short-lived tokens, sessions and idempotency keys - according to technical retention,
- backups - according to the backup policy.
10. User Rights
Users have the right to access, rectify, delete, restrict, transfer and object to processing of their data, withdraw consent and lodge a complaint with the Polish Data Protection Authority.
Requests can be sent to legal@nanoconn.com. If the request concerns data for which a merchant is the controller, Nanoconn may forward the request to the merchant or help the merchant handle it as a processor.
Deletion may be limited by tax, accounting, order, invoice, claim or legal requirements. In such cases data may be anonymized rather than fully deleted where necessary.
11. Security
Nanoconn uses technical and organizational measures appropriate to the scale and risk, including access control, authorization, upload validation, backups, security logs, error monitoring, administrative access restrictions and incident response procedures.
No system is risk-free, but Nanoconn aims to reduce risk and respond to incidents in accordance with the law.
12. Children
Nanoconn is not intended for children. Users should not knowingly submit data of children or run campaigns targeted at children without a separate legal review and Nanoconn consent.
13. Automated Decisions
Nanoconn does not make decisions based solely on automated processing that produce legal effects or similarly significantly affect users.
14. Language and International Users
The Polish version is the source version. English and other translations are informational. If a function, workspace or merchant targets users in other countries, additional local privacy information may be required for that market.
15. Changes
This policy may change as Nanoconn, providers, functions, law or the business model evolve. Material changes will be communicated appropriately.