Legal · GDPR · Data processing

Privacy policy.

How we process personal data on noa.life — transparent, in line with GDPR and German data protection law.

Last updated: May 2026
This privacy policy informs you about the nature, scope, and purposes of processing personal data on the website www.noa.life as well as your rights as a data subject.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection laws is:

Geotrace GmbH & Co. KG
Waldleite 21
97295 Waldbrunn, Germany
Phone: +49 (0) 93 06 / 53 42 380
E-mail: info@noa.life

Data protection contact

For questions about data protection and the exercise of your data subject rights, you can reach our data protection contact point by e-mail at datenschutz@noa.life or by post at the address given above marked "Data protection".

2. General data processing

We process personal data of our users only insofar as necessary to provide a functional website as well as our content and services. Processing generally takes place only with user consent or where permitted by law.

Legal bases

  • Art. 6 (1) (a) GDPR — Consent
  • Art. 6 (1) (b) GDPR — Contract performance / pre-contractual measures
  • Art. 6 (1) (c) GDPR — Legal obligation
  • Art. 6 (1) (f) GDPR — Legitimate interest

3. Hosting & server log files

The website is hosted by:

ALL-INKL.COM – Neue Medien Münnich
Owner: René Münnich
Hauptstraße 68, 02742 Friedersdorf, Germany

A data processing agreement pursuant to Art. 28 GDPR is in place with the hosting provider. The servers are located in a data centre in Germany. The legal basis for using the host is Art. 6 (1) (f) GDPR (legitimate interest in the secure and efficient provision of the website).

On every request, your browser automatically transmits information to the server, temporarily stored in a log file: IP address, date/time, name and URL of the requested file, data volume transmitted, success of the request, browser/OS information, referrer URL.

Legal basis: Art. 6 (1) (f) GDPR. The data is stored to ensure the functionality of the website and to defend against attacks. Retention: server log files are deleted automatically after 7 days. Individual entries are kept longer only where required to investigate a specific security incident; the affected log files are then retained until the incident has been fully resolved.

4. Cookies

Our website uses cookies. These are small text files stored in your browser or by your browser on your device.

4.1 Technically necessary cookies

Required for the website to function (e.g. cart, login, locally stored account data). Legal basis: Art. 6 (1) (f) GDPR / § 25 (2) TDDDG.

5. Contact form & e-mail

You can contact us by e-mail at info@noa.life. Personal data submitted with your message is stored and used solely to process the conversation. Legal basis: Art. 6 (1) (b) and (f) GDPR.

6. Account system & orders

If you create a NOA account or order a NOA device, we process: master data (name, e-mail, address, phone), order data (product, quantity, price, date), payment and shipping data, and any stored trusted contacts and device data.

Account and order data are processed and stored server-side in our database (orders, subscription/plan data, assigned devices and emergency contacts). Sign-in to the NOA app uses an encrypted access token.

Legal basis: Art. 6 (1) (b) GDPR (contract performance). Retention: until contract termination plus statutory retention periods.

6.1 Device, location & emergency data (NOA service)

To provide its protective function, the NOA service processes the following data of the person carrying a NOA device:

  • Location data (GPS/position of the device) for location display, safe zones (geofence) and the inactivity monitor (no-movement),
  • Alarm and event data (triggered alarms, time, position, notification history),
  • Emergency contacts (name, phone, e-mail of the stored trusted persons).

In an alarm, recipients are the customer's stored emergency contacts (via SMS, e-mail or call) and — only if booked and if the alarm is not acknowledged in time — an emergency/monitoring centre (escalation).

Consent of the person carried: The customer ensures that the person equipped with a NOA device has consented to the processing of their location data.

Legal basis: Art. 6 (1) (a) GDPR (consent) and Art. 6 (1) (b) GDPR (contract); for any health data additionally Art. 9 (2) (a) GDPR; to protect vital interests in an alarm additionally Art. 6 (1) (d) GDPR. Retention of location/telemetry data: 90 days after invoicing; after that the data is deleted or anonymised, unless statutory retention obligations or an alarm/clarification process that has not yet been concluded require otherwise.

Maps: map tiles are delivered via our own server proxy; users' IP/location is not transmitted to a third-party map provider.

7. Embedded services & tools

7.1 Material Symbols (icon font from Google)

To display interface symbols (icons), this site embeds the “Material Symbols” font from Google. When you access the site, the icon font file is loaded from Google servers, which may transmit your IP address to Google. The website’s body text, by contrast, is not loaded from Google — it uses only system fonts already present on your device. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Art. 6 (1) (f) GDPR.

7.2 Map service (self-hosted)

The location map uses the Leaflet library (self-hosted) and obtains map tiles via our own server proxy. No user IP or location is transmitted to an external map provider (data minimisation, Art. 5 (1) (c) GDPR).

7.3 Payment processing

For payment processing we use the following payment service providers as recipients of the payment-relevant data, depending on the payment method you choose:

  • PayPal – PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (for payment by PayPal).
  • Stripe – Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (for payment by credit card or Apple Pay).
  • SEPA direct debit – processed via our account-holding bank on the basis of the SEPA mandate you have granted.

Only the data required for the respective payment is transmitted (e.g. name, invoice amount, payment/account details). The named payment service providers process this data as independent controllers on the basis of their own privacy policies. Legal basis: Art. 6 (1) (b) GDPR (contract performance) and Art. 6 (1) (f) GDPR (secure and smooth payment processing).

7.4 Notification services (alarm)

To provide the alarm function, the NOA service transmits notifications to the emergency contacts you have stored in the event of an incident. For this we use telecommunications and dispatch service providers as processors:

  • SMS and voice call/announcement dispatch via a telecommunications gateway provider,
  • E-mail dispatch (order, account and alarm notifications) via an e-mail dispatch service,
  • where the monitoring centre option is booked, the transmission of alarm and location data to a connected 24/7 emergency/service centre (escalation only if no trusted person confirms in time).

Data processing agreements pursuant to Art. 28 GDPR are in place with these service providers; only the data required for the respective notification is transmitted. Legal basis: Art. 6 (1) (b) GDPR (contract performance), Art. 6 (1) (a) GDPR (consent) and, to protect vital interests, Art. 6 (1) (d) GDPR.

7.5 Further services

Shipping: To deliver the devices, we pass the required shipping data (name, delivery address and, for shipment notification, e-mail/phone where applicable) to the commissioned shipping company — usually DHL (DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn). Legal basis: Art. 6 (1) (b) GDPR.

Newsletter: If you consent to receiving our newsletter, we process your e-mail address using the double opt-in procedure to send the newsletter. You can unsubscribe at any time via the unsubscribe link in every e-mail or in your customer account. Legal basis: Art. 6 (1) (a) GDPR; the withdrawal takes effect for the future.

Reach measurement: For statistical analysis we use our own cookieless, self-operated reach measurement (a short anonymous signal sent to our own server, track.php, evaluated only in aggregate — no Google Analytics and no Meta Pixel). No data is passed to third parties, and your IP address is not stored permanently for this purpose. Legal basis: Art. 6 (1) (f) GDPR.

8. Rights of data subjects

You have the following rights regarding your personal data:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)
  • Withdraw consent (Art. 7 (3) GDPR) with effect for the future

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). Competent for the controller's seat (Bavaria):

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de

9. Changes to this policy

We reserve the right to update this policy to reflect current legal requirements or changes to our services. The updated version applies to your next visit.