Privacy Policy
Last updated: 7th of July 2026
To help you better understand this Privacy Policy, we include short explanatory summaries at the end of each section. These summaries are provided for convenience only and are not legally binding. The full legal text governs your rights and obligations.
1. Introduction
NoFo (“NoFo”, “we”, “us”, or “our”) is committed to protecting your privacy and processing personal data in a lawful, fair, and transparent manner. We design NoFo as a voluntary focus-support tool that combines a physical NFC puck and a mobile application to enable intentional focus sessions in shared environments such as coworking spaces, universities, libraries, and offices.
This Privacy Policy explains how we process personal data when you use NoFo, in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”), the Danish Data Protection Act, and other applicable European data protection laws. It describes who we are, what personal data we process, the purposes for which we process it, the legal basis for processing, how long we retain data, how it may be shared, the security measures applied, and the rights you have as a data subject.
Summary — This Policy explains how NoFo handles your personal data when you use the service in the EU.
2. Who We Are
For the purposes of the GDPR, NoFo (currently operating as a pre-incorporation project in Denmark) acts as the Data Controller of the personal data processed through the NoFo application and NFC puck system, except where explicitly stated otherwise in contractual arrangements with organizations. This means we determine the purposes and means of processing your personal data when you use NoFo.
If NoFo is made available within an organization, such as a coworking space, educational institution, or company, the allocation of roles (independent controllers, joint controllers pursuant to Article 26 GDPR, or processor relationships pursuant to Article 28 GDPR) will be clarified in a written agreement depending on the specific deployment model.
No Data Protection Officer (DPO) has been appointed, as NoFo does not currently meet the criteria under Article 37 GDPR. You may contact us regarding privacy matters at:
Email: f.gorla@nofo.life
You have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet):
Datatilsynet
Borgergade 28, 5
1300 Copenhagen K
www.datatilsynet.dk
Summary — We are responsible for how your personal data is processed when you use NoFo.
3. How NoFo Works and Why We Process Data
NoFo enables users to initiate voluntary focus sessions by interacting with a physical NFC puck connected to a digital interface. The system registers session activity in order to support the ritual of focus and provide users with feedback about their engagement. We process personal data in order to:
- operate and maintain the NoFo service,
- register and complete voluntary focus sessions,
- provide users with information about their own focus activity,
- generate aggregated engagement insights at organizational level,
- ensure system security and technical reliability,
- comply with legal obligations.
NoFo is not designed or operated as a monitoring or surveillance tool. It does not evaluate individual performance, rank users, or generate automated decisions that produce legal or similarly significant effects under Article 22 GDPR.
Summary — We process data to operate the service and support voluntary focus sessions, not to monitor or evaluate individuals.
4. Categories of Personal Data We Process
To provide the NoFo service, we process different categories of personal data. When you create an account, we process basic identification and account information such as your email address and username. If you choose to upload a profile picture, this is also processed. We maintain information about your account status (for example, whether the account is active, invited, anonymous, or suspended) to manage access to the service.
When you activate a focus session through the NoFo puck, we process session-related information necessary to register and complete that session. This includes a user identifier, the start and end time of the session, session status (such as ongoing or completed), the selected focus mode, the total duration of the session, and a timestamp reflecting your last activity within the system. This information allows us to ensure that sessions function correctly and that users can review their own engagement history.
To maintain service integrity and prevent misuse, we also process limited technical information such as IP address and user agent. This processing is based on our legitimate interest in maintaining system security and operational stability and is limited to what is necessary for those purposes.
Because NoFo operates through physical pucks in shared environments, we also process contextual system identifiers such as puck ID, organization ID, and puck status. These identifiers enable proper routing of sessions and ensure that the system functions correctly within a given location.
NoFo does not collect or process special categories of personal data under Article 9 GDPR, such as data relating to health, race, political opinions, religious beliefs, or biometric identifiers. NoFo also does not collect the content of communications or detailed app usage data from your device.
Summary — We process account data, session timing data, and limited technical information required to operate the service. We do not collect sensitive or content-level data.
5. Legal Basis for Processing
We process personal data on different legal bases depending on the context. Where you create an account and use NoFo directly, processing is generally necessary for the performance of a contract under Article 6(1)(b) GDPR, namely to provide you with the NoFo service.
In certain contexts, where specific processing activities require your permission, we may rely on your explicit consent under Article 6(1)(a) GDPR. Where consent is relied upon, it may be withdrawn at any time without negative consequences.
We may also process limited data where necessary for our legitimate interests under Article 6(1)(f) GDPR, such as maintaining system security, preventing fraud, and ensuring technical reliability. Our legitimate interest consists of ensuring the security, stability, and integrity of the NoFo platform and preventing misuse. This interest has been assessed against the rights and freedoms of users and is considered proportionate given the limited scope of the technical data processed.
Summary — We process your data to provide the service, based on contract, consent, or legitimate interest where appropriate.
6. Access to Data and Organizational Visibility
Individual focus session data is accessible only to the individual user through their own account interface.
Where NoFo is used within an organization, administrators are limited to viewing aggregated, non-identifiable engagement metrics at group level. These may include measures such as average focus time, participation rate, or overall session volume. The system is designed so that identifiable individual behavioral data is not made available to organizational administrators through standard dashboard functionality.
NoFo does not conduct automated profiling or automated decision-making that produces legal or similarly significant effects.
Summary — Individual data remains visible only to the user. Organizations receive aggregated insights, not personal behavioral data.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy. Session data and account data are retained while your account remains active and while necessary to provide the service.
Where an account is deleted, personal data is deleted or anonymized within 3 months after account deletion. Where an account becomes inactive without deletion, session data is anonymized or deleted within 6 months of inactivity, unless retention is required by law.
Technical logs are retained for a maximum of 30 days unless required for incident investigation or compliance with legal obligations.
Summary — We keep your data only as long as needed to provide and secure the service, subject to defined retention periods.
8. Data Sharing and International Transfers
We do not sell personal data. We use Amazon Web Services (AWS) as our cloud infrastructure provider to host and operate the NoFo platform. AWS acts as a Data Processor and processes personal data solely on our documented instructions in accordance with Article 28 GDPR. AWS data centers used for hosting are located within the European Union.
Where personal data may be accessed or transferred outside the EU/EEA, such transfers are safeguarded through Standard Contractual Clauses (SCCs) approved by the European Commission. Where required under applicable law, NoFo conducts a Transfer Impact Assessment (TIA) to assess whether the level of data protection in the recipient country ensures adequate protection in accordance with the requirements established by the Court of Justice of the European Union in Schrems II.
Summary — We rely on AWS as a cloud provider under GDPR-compliant safeguards, including SCCs and, where required, Transfer Impact Assessments.
9. Security Measures
NoFo implements appropriate technical and organizational measures pursuant to Article 32 GDPR to ensure a level of security appropriate to the risk. These measures include encryption of data in transit, role-based access controls, restricted internal access to systems, logging of administrative access, and regular monitoring and updating of system security.
Summary — We apply appropriate technical and organizational measures to protect your personal data.
10. Cookies and Similar Technologies
NoFo currently does not use tracking, advertising, or analytics cookies within the NoFo mobile application. If you access our website, only cookies that are strictly necessary for the operation, security, or functionality of the website may be used.
Should NoFo introduce additional cookies or similar technologies in the future, such processing will be described in a separate Cookie Policy and, where required by applicable law, your consent will be obtained before those technologies are used.
Summary — NoFo currently does not use tracking or advertising cookies. If this changes in the future, we will provide a separate Cookie Policy and obtain consent where legally required.
11. Your Rights Under GDPR
Under the GDPR, you have the right to access your personal data, to request correction of inaccurate data, to request deletion of your data, to restrict processing, to receive your data in a portable format, and to object to certain processing activities. You also have the right to withdraw consent at any time where processing is based on consent.
You have the right to lodge a complaint with Datatilsynet if you believe your rights have been violated. To exercise your rights, you may contact us at: f.gorla@nofo.life
We will respond to requests in accordance with applicable law.
Summary — You have full data protection rights under EU and Danish law.