Legal

Privacy policy.

How LITH LLC, the operator of NOANE.io and the NOANE Protocol, handles personal data under the EU General Data Protection Regulation (GDPR), the United Kingdom General Data Protection Regulation (UK GDPR), and the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA).

Effective date: 24 May 2026. Version 1.0.

Plain-language summary

What you actually need to know.

  • NOANE.io sets no advertising cookies, runs no analytics scripts, and does not embed third-party tracking pixels.
  • The only personal data the website collects is what you voluntarily submit through the contact form.
  • Submissions are delivered as email to the LITH LLC team and are not stored in a website database.
  • Web fonts are self-hosted from noane.io, so your IP address is not shared with Google Fonts.
  • Cloudflare delivers the site and provides DDoS and bot protection; Resend delivers contact-form emails. Both are sub-processors of LITH LLC and are listed below.
  • You have rights under GDPR, UK GDPR, and CCPA/CPRA, including access, correction, deletion, and the right to lodge a complaint with a supervisory authority. The exercise route is the contact page.

1. Data Controller

Who is responsible for your data.

The data controller for personal data processed through NOANE.io is LITH LLC, a US-based limited liability company with global industry presence. LITH LLC operates the NOANE Protocol and the NOANE.io website. For all privacy matters, contact LITH LLC through the contact form and select "Other" in the reason for contact, with the word "Privacy" in your message.

EU and UK representative (Article 27 GDPR / Article 27 UK GDPR): LITH LLC has not yet appointed a representative in the European Union or the United Kingdom. EU and UK data subjects may contact LITH LLC directly through the contact form. We will publish representative details on this page once appointed.

2. Data We Collect

Categories of personal data.

2.1 Contact form submissions. When you submit the form at /contact/, you provide: first name, last name, work email address, optional company, optional role, reason for contact (selected from a list), and a free-text message. We also receive a hidden timestamp used to defeat automated bot submissions.

2.2 Technical access data. Our hosting provider (Cloudflare) processes IP address, request headers, User-Agent, requested URL, and timestamp for the purpose of delivering the site and protecting it against denial-of-service and abuse. This is standard reverse-proxy log data and is retained by Cloudflare under its own data processing terms.

2.3 No analytics, advertising, or profiling cookies. NOANE.io does not set first-party or third-party cookies for analytics, profiling, or advertising. No Google Analytics, no Meta Pixel, no LinkedIn Insight Tag, no Hotjar, no session-replay, no fingerprinting. The only cookie that may be set during your visit is the Cloudflare strictly-necessary security cookie `__cf_bm`, used by Cloudflare to distinguish humans from automated traffic for bot-management purposes; this cookie is short-lived, contains no personal identifiers, and is exempt from the consent requirement under the EU ePrivacy Directive Article 5(3) "strictly necessary" exemption as it is required to deliver the site you have requested. We do not use localStorage, sessionStorage, IndexedDB, or fingerprinting to track visitors.

2.4 Special category data. We do not request, and you should not submit, any special category data as defined in Article 9 GDPR (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation).

2.5 Children. NOANE.io is a business-to-business website. It is not directed to children. We do not knowingly process personal data of anyone under the age of 16. If you believe a child has submitted data, contact us and we will delete the record.

3. Purposes and Lawful Bases

Why we process, and under what legal basis.

3.1 Responding to your inquiry. We process the data you submit through the contact form to read and respond to your message, to evaluate fit for a product demo, partner program, security review, or other inquiry type you selected. Lawful basis under GDPR: Article 6(1)(b) (steps taken at the request of the data subject prior to entering into a contract) and, where you submit on behalf of a business, Article 6(1)(f) (legitimate interest of LITH LLC and of your organization in business correspondence). The legitimate interest assessment balances your privacy expectations against the operational need to receive and reply to inbound business inquiries; we consider this minimal-risk because the data is voluntarily submitted, you control the content, and we use it only to reply. The required checkbox at submission is a Article 13 transparency acknowledgment of this notice, not an Article 6(1)(a) consent flag; you may object to ongoing processing or request deletion under Article 21 and Article 17 at any time through the contact form, as described in section 7.

3.2 Site delivery and security. We process technical access data through Cloudflare to deliver the site over HTTPS and to protect it against denial-of-service, abuse, and credential-stuffing. Lawful basis: Article 6(1)(f) (legitimate interest in keeping a public-facing website online and resistant to attack).

3.3 Compliance and legal claims. We may process and retain personal data where necessary to comply with a legal obligation, to establish, exercise, or defend a legal claim, or to comply with a lawful request from a public authority. Lawful basis: Article 6(1)(c) (legal obligation) or Article 6(1)(f) (legitimate interest in defending claims).

3.4 No automated decision-making, no profiling. We do not subject your data to automated decision-making with legal or similarly significant effects (Article 22 GDPR), and we do not profile contact form submitters.

4. Sub-processors

Third parties that handle your data on our behalf.

LITH LLC uses the following sub-processors. Each operates under its own data processing terms and, for transfers outside the European Economic Area or the United Kingdom, has implemented appropriate safeguards including the European Commission Standard Contractual Clauses.

  • Cloudflare, Inc. (United States). Purpose: site delivery, TLS termination, DDoS and bot protection, Worker runtime that serves the static site and the contact-form handler. Data: technical access data described in section 2.2; contact form payload at the moment of submission, in memory only. Transfer safeguard: Cloudflare Data Processing Addendum incorporating Standard Contractual Clauses. Cloudflare privacy policy (opens in new tab).
  • Resend (Wovr, Inc.) (United States). Purpose: transactional email delivery for contact-form submissions to the LITH LLC team. Data: contact-form fields you submitted, plus your email address as Reply-To. Transfer safeguard: Resend Data Processing Agreement incorporating Standard Contractual Clauses. Resend privacy policy (opens in new tab).
  • Google Cloud (font infrastructure): not used. We self-host web fonts from noane.io. No request is made to Google Fonts (fonts.googleapis.com or fonts.gstatic.com) when you load any page on this site.

We do not sell personal data, and we do not share personal data with third parties for advertising or marketing-attribution purposes.

5. International Transfers

Transfers outside the EEA and the UK.

LITH LLC is established in the United States. When you submit data from the European Economic Area, the United Kingdom, or Switzerland, that data is transferred to the United States for processing by LITH LLC and the sub-processors listed in section 4. Each transfer relies on the European Commission Standard Contractual Clauses (Module Two, controller-to-processor) incorporated in the respective sub-processor data processing terms, together with the UK Addendum to the SCCs and the Swiss supplementary provisions where applicable. We rely on appropriate organisational and technical measures, including encryption in transit (TLS 1.3), access controls, and minimal-data collection, to safeguard transferred data.

6. Retention

How long we keep your data.

Contact-form correspondence: retained in the LITH LLC team's email systems for the duration of the active conversation and up to 24 months thereafter for record-keeping and legal-defence purposes, then deleted or anonymised unless a longer retention period is required by law or for an active commercial relationship.

Technical access data (Cloudflare): retained by Cloudflare under its own retention schedule, typically a small number of days for raw logs.

Email-delivery logs (Resend): retained by Resend under its own retention schedule, typically a small number of days for delivery telemetry.

You may request earlier deletion of your data at any time, subject to the limits in section 7.

7. Your Rights

Rights you can exercise.

7.1 EU GDPR and UK GDPR. If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:

  • access the personal data we hold about you (Article 15);
  • request rectification of inaccurate or incomplete data (Article 16);
  • request erasure of your data, subject to applicable exceptions (Article 17);
  • request restriction of processing (Article 18);
  • receive your data in a structured, commonly used, machine-readable format and transmit it to another controller (Article 20);
  • object to processing carried out under Article 6(1)(f) legitimate interest, including the right to object at any time (Article 21);
  • withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal (Article 7(3));
  • lodge a complaint with a supervisory authority, in particular in the EU or UK member state of your habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR; section 165 Data Protection Act 2018 for the UK).

7.2 California (CCPA/CPRA). If you are a California resident, you have the right to know what personal information we have collected about you, to request deletion of that information, to request correction, to opt out of any sale or sharing of personal information (we do not sell or share for cross-context behavioural advertising), and to be free from retaliation for exercising your rights. To exercise these rights, use the contact form with "Privacy" in your message.

7.3 How to exercise. Submit your request through the contact form. We may need to verify your identity (for example, by responding to a verification email sent to the address on file for the original submission) before fulfilling the request. We will respond within one month of receipt, as required by Article 12(3) GDPR, and within 45 days for CCPA/CPRA requests. There is no fee for a first request in a given 12-month period.

8. Security

How we protect your data.

All traffic to and from NOANE.io is served over TLS 1.3 with modern cipher suites. The contact-form handler runs inside a Cloudflare Worker with no writable filesystem. We apply input validation, header-injection guards, anti-spam pipeline checks, and a strict allow-list on form fields. Access to the LITH LLC mailbox that receives contact-form submissions is limited to authorised personnel and protected by multi-factor authentication. We will notify affected data subjects and the competent supervisory authority of any personal data breach within 72 hours of becoming aware of it, as required by Articles 33 and 34 GDPR, where the breach is likely to result in a risk to the rights and freedoms of natural persons.

9. Cookies and Similar Technologies

No cookie banner because nothing on this site requires consent.

NOANE.io sets no cookies that require consent under the EU ePrivacy Directive (as transposed in each member state) or the UK Privacy and Electronic Communications Regulations. No analytics, advertising, profiling, or session-replay cookies are set. The only cookie that may be observed during your visit is Cloudflare's strictly-necessary security cookie `__cf_bm`, used for bot management. It is exempt from consent under the ePrivacy Article 5(3) "strictly necessary for the provision of an information society service explicitly requested by the user" exemption, contains no personal identifiers, and cannot be used to identify you across sites. We do not use localStorage, sessionStorage, IndexedDB, or fingerprinting to track visitors. Static-asset caching by your browser is technical and does not transmit personal data. If this ever changes, for example if we add an analytics tool, we will publish a cookie notice and a consent mechanism before any non-essential cookie is set.

10. Changes

How we revise this policy.

We may revise this policy to reflect changes in our practices, the services we use, or applicable law. The current version, effective date, and version number are shown at the top of this page. Material changes will be highlighted on this page. Continued use of the site after revisions take effect constitutes acceptance of the revised policy where acceptance is permitted as a basis under applicable law.

LITH LLC. US-based, global industry presence. Last updated: 24 May 2026. Version 1.0.