Privacy Policy
Last updated: 1 March 2026
This policy explains what personal data Noa collects, why, and what rights you have under the General Data Protection Regulation (GDPR / Regulation EU 2016/679) and Czech Act No. 110/2019 Coll. on personal data processing.
1. Data Controller
The controller of your personal data is:
Noa Scout
Noa Scout
E-mail: noa.assist.core@gmail.com
If you have any questions about this policy or wish to exercise your rights, contact us at the address above.
2. What Data We Collect and Why
a) Account data (Google Sign-In)
When you sign in with Google we receive your name, e-mail address, and profile picture URL from Google's OpenID Connect service. We store these to identify your account and personalise your experience.
Lawful basis: Contract performance (Article 6(1)(b) GDPR) — without an account we cannot provide personalised alerts or saved listings.
b) Newsletter preferences
If you opt in to e-mail alerts we store your preferences: frequency (immediate / daily / weekly), location filter, maximum price, property types, and the timestamp of the last e-mail sent.
Lawful basis: Consent (Article 6(1)(a) GDPR). You can withdraw consent at any time by clicking the Unsubscribe link in any alert e-mail, or by toggling off alerts in Settings.
c) Saved listings
When you bookmark a listing we store your user ID and the listing ID, together with the timestamp. Lawful basis: Contract performance.
d) Server logs
Our hosting provider (Railway) automatically records standard web-server access logs (IP address, browser type, pages visited) for security and operational purposes. These logs are retained for 30 days and are not used for profiling. Lawful basis: Legitimate interest (Article 6(1)(f) GDPR) in operating a secure service.
3. Cookies and Session Storage
Noa uses a single, technically-necessary session cookie to keep you signed in after authentication. No tracking or advertising cookies are set. No third-party analytics scripts are loaded. Because the only cookie is strictly necessary, no consent banner is required under ePrivacy rules.
4. Third-Party Services (Sub-processors)
| Service | Purpose | Data transferred | Safeguard |
|---|---|---|---|
| Google LLC (OAuth) | Authentication | Name, email, picture | EU SCCs / Google Data Processing Terms |
| Railway.app | Hosting & database | All stored data | Railway DPA / GDPR-compliant infrastructure |
| OpenStreetMap / Overpass API | Livability scores | GPS coordinates of listings (no PII) | Public API, ODbL licence |
5. Data Retention
- Account & preferences — deleted automatically 12 months after your last sign-in if the account remains inactive. You can request earlier deletion at any time (see Section 6).
- Newsletter metadata (last sent timestamp) — deleted together with the account.
- Saved listings — deleted together with the account.
- Listing data (prices, titles, locations) — retained for up to 24 months for historical analysis. This data is not personally identifiable.
- Server logs — 30 days, then automatically purged by Railway.
6. Your Rights
Under GDPR you have the right to:
- Access — request a copy of all personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your account and all associated personal data.
- Portability — receive your data in a machine-readable format (JSON).
- Objection — object to processing based on legitimate interest.
- Withdraw consent — unsubscribe from e-mail alerts at any time without affecting your account.
- Lodge a complaint — with the Czech Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.
To exercise any right, e-mail us at noa.assist.core@gmail.com. We will respond within 30 days.
7. Changes to This Policy
We may update this policy. The "Last updated" date at the top will change accordingly. For material changes we will notify you by e-mail at least 14 days before they take effect.