Privacy Policy
Last updated: 10 July 2025
1. Who we are
KD Incubator UG (haftungsbeschränkt), Schönensche Str. 13, 10439 Berlin, Germany ("Northlight", "we", "our", "us") operates the Northlight user‑feedback platform at gonorthlight.com and through our iOS/Android SDK.
2. Scope of this Policy
This Policy applies when you:
- visit gonorthlight.com or any sub‑domain (the "Site");
- create a Northlight account or sign in with Google OAuth;
- embed the Northlight SDK in your apps; or
- otherwise interact with any service that links to this Policy (together, the "Services").
3. Information we collect
Category | Typical data | Source |
---|---|---|
Account data | Name, email address, Google UID, profile photo | You / Google |
Feedback & content | Feature requests, bug reports, votes, comments, attachments | You / End‑users |
Device & usage data | OS, device model, app version, locale, IP, timestamps, event logs | Automatically |
Payment data | Billing name & address, last four digits of card, expiry (processed by Polar) | Polar |
Cookies & similar tech | Auth tokens, analytics events, CSRF tokens | Automatically |
4. Why we process your data (GDPR Art. 6)
Purpose | Legal basis |
---|---|
Provide, secure and maintain the Services | Contract (1 (b)) |
Process payments and issue invoices | Contract / Legal obligation |
Analyse usage, detect duplicates, rank feature demand, improve product | Legitimate interest (1 (f)) |
Send product updates or marketing e‑mails | Consent (1 (a)) – opt out at any time via footer link |
5. Sharing & disclosure
Recipient | Role | Location |
---|---|---|
Supabase | Authentication, database & storage | EU‑central (Frankfurt) |
Polar | Subscription & payment processing (PCI‑DSS L1) | EU/US (SCCs) |
PostHog | Product analytics | EU deployment |
Sentry | Error & crash reporting | EU/US (SCCs) |
Transactional e‑mail provider (e.g., Resend/Postmark) | Sends magic links, invoices, updates | EU/US (SCCs) |
We may also disclose data when legally required or to protect rights, property or safety. All vendors are bound by data‑processing agreements with GDPR‑equivalent safeguards.
6. Data retention
Data type | Retention rule |
---|---|
Account & subscription records | Until you delete your account, then as long as required for tax/audit (max 10 years under §147 AO) |
Feedback & bug data | Retained until the workspace owner deletes it |
Server logs | 30 days |
Marketing consents | Until you unsubscribe |
Workspace deletion triggers cascading deletion of feedback and analytics events within 30 days except where law requires longer retention.
7. Security
All traffic is encrypted (TLS 1.3) and data is encrypted at rest. We follow least‑privilege access, store secrets in environment variables, run periodic penetration tests and monitor 24 × 7.
8. International transfers
Where data leaves the EEA we rely on the European Commission's Standard Contractual Clauses plus vendor audits to ensure adequate protection.
9. Your rights
EEA/UK residents can:
- Access, correct, delete or port their data
- Restrict or object to processing
- Lodge a complaint with a supervisory authority
Email support@gonorthlight.com — we'll reply within 30 days.
10. Age limitations
The Services are intended for adults 18 years or older (the minimum age to publish apps on Apple App Store and Google Play). We do not knowingly collect data from anyone under 18.
11. Changes to this Policy
Material changes will be announced via e‑mail or an in‑app banner at least 14 days before they take effect.
12. Contact
KD Incubator UG (haftungsbeschränkt)
Schönensche Str. 13, 10439 Berlin, Germany
Email: support@gonorthlight.com