Privacy Policy
Norta DeSyCo OU ("we", the "Provider") operates NDSC Lab. This Privacy Policy explains what personal data we process and your rights under the EU General Data Protection Regulation (GDPR).
1. Data we collect
- Account: email address, optional display name and profile fields.
- Content: items, comments, and other material you publish.
- Authentication: hashed passwords, session identifiers, IP address of recent logins.
- Analytics (only with your consent): per-user view events on content items.
- Audit log: actions you perform that are relevant to security or moderation.
2. Lawful basis
We process account and content data on the basis of contract (your agreement with us). Analytics are processed on the basis of consent. Audit logs are processed on the basis of legitimate interest in operating a secure service.
3. Per-user view tracking
If you accept the "Analytics" option in the cookie banner, we record an event each time you view a content item, associated with your account. We use this only to compute aggregate viewership for administrators. Raw events are retained for 90 days; aggregated counts are kept indefinitely.
4. Your rights
- Access — request a copy of your data via your account settings (data export).
- Erasure — delete your account and data from your account settings.
- Portability — the data export ZIP includes all data you can take with you.
- Rectification — edit profile and content.
- Object / restrict — change your analytics consent at any time.
5. Data residency
All personal data is processed and stored within the European Union: compute resides in Hetzner (Germany); object storage on Cloudflare R2 EU jurisdiction.
6. Recipients
We use the following processors: Hetzner (hosting), Cloudflare (CDN/WAF), Resend (transactional email). They process data on our behalf under DPA agreements.
7. Retention
- Account: until you delete it; max grace 30 days after request.
- Audit log: default 365 days, configurable.
- Analytics raw events: 90 days. Aggregates: indefinite.
- Login attempts: 90 days.
8. Contact
Data controller: Norta DeSyCo OU, Estonia. For privacy requests, email privacy@ (domain TBD).
Version 2026-05-13.