Privacy Policy

Last updated: March 24, 2026

Introduction

Youssef Khalil, operating as Noodlbox, is committed to protecting your privacy. This privacy policy outlines how we collect, use, share, and protect your information.

Definitions

Personal Data: Any information that relates to an identified or identifiable individual.

Usage Data: Data collected automatically, either generated by the use of the service or from the service infrastructure itself.

Account Data: Information provided to create and maintain your account.

Data Collection

We collect the following types of data:

  • Account data (email, name)
  • Device identifiers for licensing
  • Usage analytics (feature usage, error logs)
  • Payment data processed via Polar (no card storage)
  • Source code and analysis artifacts (only when you opt in via noodl push)

Code and Repository Data

Noodlbox is local-first by design. The noodl analyze command runs entirely on your machine — your code never leaves your device during analysis.

If you choose to use noodl push, you explicitly opt in to uploading source code and analysis artifacts to our cloud storage. This is optional and requires authentication.

What is stored: source code files, analysis artifacts (entities, relationships, communities, search indices), and snapshot metadata.

Where stored: Encrypted cloud storage provided by Cloudflare.

Who can access: Only authenticated members of your organization, verified through authentication and organization-level access controls.

Encryption: TLS 1.2+ in transit, server-side encryption at rest.

Deletion: artifacts are deleted when you delete the box, when your organization is deleted, or upon request. Failed upload artifacts are automatically cleaned up.

We do not use your code for model training, resale, or any purpose beyond providing the Noodlbox service.

Data Usage

Your data is used for the following purposes:

  • Account management and authentication
  • License validation
  • Service improvement and bug fixes
  • Feature prioritization via usage analytics
  • Transactional emails (receipts, updates)
  • Support communications

Data Sharing

We share your data with trusted third parties as follows:

  • Polar for payment processing
  • WorkOS for authentication
  • Cloudflare for edge security and CDN
  • AWS for infrastructure hosting
  • Neon for database hosting
  • Vercel for web application hosting
  • Resend for transactional email
  • PostHog for anonymized product analytics
  • Sentry for error tracking

We do not sell personal data. We may disclose data if required by law. For details on each provider, see our Subprocessors page.

Cookies and Tracking

We use cookies and tracking technologies in the following ways:

  • Authentication cookies to keep you logged in
  • PostHog analytics (anonymized, no PII)
  • No advertising cookies
  • No cross-site tracking
  • Local CLI/MCP server uses no cookies
  • PostHog analytics cookies require your consent. You can accept or decline via the cookie banner. If you decline, PostHog operates in cookieless mode.

Data Retention

We retain your data as follows:

  • Account data is kept while the account is active and deleted within 30 days after deletion
  • Aggregated usage analytics data is kept for 2 years; raw logs are deleted after 90 days
  • Payment records kept for 10 years (as required by German tax law, AO §147)
  • Support tickets kept for 2 years after resolution
  • Local .nbx configuration files are stored only on your device. Pushed code artifacts are retained while the associated box exists and deleted when you delete the box or organization.

User Rights

You have the following rights regarding your personal data:

  • Right to access
  • Right to correct
  • Right to delete (self-service via dashboard or DELETE /api/user/account)
  • Right to export
  • Right to restrict processing
  • Right to object to analytics and marketing

Data Security

We take data security seriously and employ the following measures:

  • TLS encryption in transit
  • AES-256 encryption at rest
  • Secrets managed via AWS Secrets Manager
  • No plaintext credentials in code or logs
  • Security reviews and monitoring
  • SOC 2 compliance on our roadmap
  • Analysis runs locally by default. If you opt in to cloud push, your code is encrypted at rest and accessible only to your organization.

International Data Transfers

Data may be transferred internationally as follows:

  • AWS infrastructure in the EU (eu-central-1, Frankfurt)
  • Cloudflare R2 storage in Western Europe, edge nodes worldwide
  • Neon PostgreSQL in the EU
  • Some third-party processors (WorkOS, PostHog, Sentry) are US-based. Transfers comply with Standard Contractual Clauses.
  • Code artifacts uploaded via noodl push are stored and processed entirely within the EU

Third Party Links

Our service may contain links to third-party sites (e.g., GitHub, npm). We are not responsible for their privacy practices. Please review the policies of any third-party sites before sharing any personal information.

Changes to Policy

Material changes to this policy will be emailed to registered users. Non-material changes will be posted on our website. Continued use of the service after changes constitutes acceptance of the updated policy. Previous versions are available upon request.

Contact Information

If you have any questions about this privacy policy, please contact us at: