Privacy Notice

Who is the controller

The data controller is Noxum Media & Consulting PVV, a sole proprietorship registered in the Netherlands (KvK: [TBD: composer fills in]). You can contact us at [email protected] for any privacy-related matters.

What we collect

We collect the following personal data when you use the commission form: preferred name, pronouns, legal name, email address, country, billing address, VAT number, concept and off-limits text, custom name text, custom touches text, reference URL, your IP address hash, and your user agent.

Why we collect it

We collect this data based on the following legal grounds:

• Contract performance: To process and fulfill your commission requests.
• Legitimate interest: To prevent fraud and abuse (via IP hashing for rate limiting).
• Legal obligation: To retain invoices as required by Dutch tax law.

Processors

We use the following third-party processors to operate our services. Each is bound by a Data Processing Agreement:

• Supabase (database, authentication, storage). See their privacy policy.
• Render (hosting). See their privacy policy.
• Cloudflare (DNS, CDN, WAF). See their privacy policy.
• Resend (email delivery). See their privacy policy.
• Sentry (error tracking). See their privacy policy.

International data transfers

Some of our processors (Supabase, Render, Cloudflare, Sentry, Resend) may transfer and process your data outside the European Economic Area (EEA), including in the United States. These transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission, as documented in each processor's Data Processing Agreement linked above.

Data retention

We retain your data for the following periods:

• Invoiced commissions: 7 years, as required by Dutch tax law.
• Declined or unaccepted commissions: 90 days, after which personally identifiable information is anonymized.
• Rate-limit buckets: 24 hours.
• IP hashes: Retained for the lifetime of the associated commission record.
• Sentry error events: 30 days.

Your rights

Under the GDPR, you have the right to access, rectify, erase, restrict processing of, object to the processing of, and request the portability of your personal data. To exercise any of these rights, please email us at [email protected].

You also have the right to lodge a complaint with a supervisory authority. For the Netherlands, this is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), reachable at autoriteitpersoonsgegevens.nl.

Provision of data

Providing your personal data via the commission form is a contractual requirement. If you do not provide the required fields (name, email, billing address, concept), we cannot process your commission request.

Automated decision-making

We do not use automated decision-making or profiling as defined under Article 22 of the GDPR. All commission requests are reviewed and processed manually.

Cookies

We currently use only strictly necessary cookies to ensure the basic functionality and security of the site. We do not use analytics or marketing cookies that require consent.

Last updated

May 15, 2026