Privacy Policy
We only process the personal data necessary to operate Norly. Here is exactly what data we store, why, for how long, who we share it with — and what rights you have.
Last updated: 29 April 2026
1. Data controller
Cloud Ninja Consulting ApS is the data controller for the processing of your personal data on Norly.io.
- Company: Cloud Ninja Consulting ApS
- CVR (DK company reg.): 46044118
- Country: Denmark
- Contact: hey@norly.io
We do not have a formal Data Protection Officer (DPO), as we do not meet the criteria in GDPR Article 37. However, enquiries about personal data are always answered within 30 days, in accordance with GDPR.
2. What data we collect
When you create an account (fan or creator)
- Email address
- Password (stored only as a bcrypt hash — we cannot see it)
- Name (optional)
- For creators: a URL to the channel you publish content on (RSS feed, YouTube channel, or blog)
- For creators: profile data (short description, avatar, FAQ, external links) that you choose to fill in
When you support a creator
- Card details go directly to Stripe. Norly never sees or stores your card number, expiry date, or CVV. We only store an opaque token (Stripe Customer ID and Payment Method ID) used for future charges you have authorised yourself.
- Email and name: you enter them at checkout so the creator can acknowledge your support and we can send you receipts.
- Amount and date of each support/transaction.
- For per-release support: the monthly cap you have set.
When you receive support (creator)
- Stripe Connect account ID. Stripe carries out its own KYC procedure where they collect ID, address, date of birth, etc. This data is stored with Stripe, not with Norly. We only receive a boolean that tells us whether your account is ready to receive payments.
- Aggregated statistics about incoming support (amounts, counts, dates).
Technical and behavioural data
- IP address, used for security (rate limiting, fraud detection) and then deleted/aggregated after 30 days.
- Browser string (User-Agent), only for debugging platform errors.
- Aggregated page views on public creator profiles (anonymous counter — no cookie, no unique identification per visitor).
- Session cookie (auth_token) when you are logged in — set by Supabase Auth.
3. Why we process your data (purposes and legal basis)
We only process data for specific purposes with a clear legal basis.
Performance of contract (GDPR Art. 6(1)(b))
- To process your support payments to creators (the core purpose of the service)
- To give you access to My subscriptions and let you manage them
- To send you receipts for each completed payment
Legal obligation (GDPR Art. 6(1)(c))
- To retain accounting data (transactions, amounts, dates) for 5 years in accordance with the Danish Bookkeeping Act § 10 — even after you have deleted your account
- To disclose information to tax authorities upon proper request
Legitimate interests (GDPR Art. 6(1)(f))
- To prevent fraud and misuse of the platform — our legitimate interest in running a secure service outweighs the marginal impact on your privacy
- To improve the platform via aggregated page views and error logging (no personal tracking)
- To share your name and email with the specific creator you support so they can acknowledge your support. You can at any time request to be anonymous (write to hey@norly.io)
We do not process your data for marketing without your active consent, and we never sell or rent data to third parties.
4. How long we keep data
- Account data (email, name, profile): for as long as your account is active. If you delete your account, this data is removed within 48 hours.
- Financial records (transactions, amounts, timestamps): 5 years after the end of the financial year, in accordance with the Bookkeeping Act. This data is anonymised when the account is deleted — name, email, and other PII are removed, but the raw transaction figure (anonymous) is retained.
- Stripe tokens: deleted upon account deletion by contacting Stripe directly.
- IP addresses in logs: 30 days, after which they are aggregated into daily counts without personal reference.
- Webhook events from Stripe: 90 days — we use them to debug payment issues and reconcile data.
5. Who we share data with
We only share data with the data processors necessary to operate Norly. Each of them has a data processing agreement with us and is obliged to process data in accordance with GDPR.
Stripe
Payment processing and KYC for creators. Stripe Payments Europe Ltd, Ireland, and Stripe Inc, USA. Transfer to the USA takes place under Stripe's Standard Contractual Clauses.
Supabase
Database and authentication. Supabase Inc, USA, but the database is physically hosted in the EU (Frankfurt region). Standard Contractual Clauses.
Vercel
Hosting of the web application. Vercel Inc, USA, hosted in EU regions. Standard Contractual Clauses.
The creator you support
Receives your name and email so they can acknowledge the support and contact you if necessary. You can choose to be anonymous.
We do not share data with advertising networks, data brokers, or other third parties for marketing purposes.
6. International transfers
Some of our data processors (Stripe, Supabase, Vercel) are US-owned. To ensure your data is protected to the same level as under EU law, transfers are made exclusively under the EU Commission's Standard Contractual Clauses (2021/914), and — where relevant — under the EU-US Data Privacy Framework where the sub-processor is certified.
You can request a copy of these agreements by writing to hey@norly.io.
7. Your rights
As a data subject you have the following rights under GDPR. Most of them can be exercised directly in the app under My subscriptions → My data.
- Access — you can download a JSON file with all the data we hold about you directly from the app.
- Rectification — update your name and email under account settings; for other corrections, write to us.
- Erasure — delete your account directly from the app. Active support is cancelled, your personal data is removed, and only anonymised accounting figures are retained (legal requirement).
- Restriction of processing — contact us if you want to temporarily pause the processing of your data.
- Objection — particularly against processing based on legitimate interests. Write to us and we will stop the specific processing, unless we can document compelling reasons that override your interests.
- Data portability — the JSON export is in a machine-readable format and can be imported elsewhere.
- Withdrawal of consent — to the extent our processing is based on consent (rare, as we primarily rely on contract and legitimate interests), you can withdraw it without affecting prior lawful processing.
8. Cookies and local storage
Norly uses two kinds of cookies. Strictly necessary cookies (login and your cookie banner choice) are always set, since the platform cannot function without them. Google Analytics 4 cookies are set only if you click "Accept all" in the cookie banner — otherwise GA does not load at all. We have enabled IP anonymisation on GA, so Google does not receive your full IP. We do not set marketing cookies or other third-party trackers.
You can withdraw your GA consent at any time by clicking "Cookie settings" at the bottom of any page. See the full per-cookie inventory and management instructions at /en/cookies.
9. Security
We take security seriously. In concrete terms:
- All communication to/from Norly is TLS 1.2+ encrypted
- Passwords are stored as bcrypt hashes via Supabase Auth — we never have your password in plaintext
- Card data is handled exclusively by Stripe (PCI-DSS Level 1 certified)
- Database access is restricted by Row-Level Security policies; even our own staff cannot read a fan's data without it being logged
- We review all changes before deployment and run automated tests to catch regressions
Should a data breach occur that could pose a high risk to you, we are obliged to notify you and the Danish Data Protection Authority within 72 hours in accordance with GDPR Articles 33–34.
10. Complaints
If you believe we are processing your data in violation of GDPR, we would like to hear from you first so we have the chance to put things right: hey@norly.io.
You can also lodge a complaint directly with the Danish Data Protection Authority (Datatilsynet):
- Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark
- Phone: +45 33 19 32 00
- Web: datatilsynet.dk
11. Changes to this policy
If we update the policy — for example because we add a new data processor or expand the service — we will send a notice to the email associated with your account at least 14 days before the change takes effect, so you have the opportunity to object or delete your account.
The date at the top of the page shows when the policy was last updated.