Privacy Policy

01Who we are

The website nstop.app is operated by nstop Ltd., a company registered in England and Wales under company number 17117879, with its registered office at:

71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

nstop Ltd. is the data controller for the personal data described in this policy, for the purposes of the UK GDPR, the Data Protection Act 2018, and the EU General Data Protection Regulation (Regulation (EU) 2016/679, "EU GDPR").

We have not appointed a formal Data Protection Officer because we are not required to under Article 37 of the UK/EU GDPR. For any privacy or data-protection matter, contact us at hello@nstop.app. Our EU Article 27 representative is listed in Section 11.

02What we collect

2.1 Information you give us

If you enter your email address into the "Join waitlist" form, we collect and store in a Cloudflare KV database (see Section 5):

Your email address (normalised to lowercase and trimmed of surrounding whitespace).
A waitlist status — either pending (you submitted the form but haven't confirmed via email yet) or confirmed (you clicked the confirmation link).
Timestamps of when you submitted the form (createdAt) and when you confirmed (confirmedAt).
A source tag indicating where the signup came from (e.g. nstop.app).
A consent text version identifier — a short label (e.g. v1) recording which wording of the form's consent notice you agreed to, so we can prove what you consented to if you ever ask or if a regulator does.
The IP address from which you submitted the form, and your browser's user-agent string, captured for consent-evidence and anti-abuse purposes (see Section 3 for the legal basis).

Providing your email is entirely voluntary. We can't add you to the waitlist without it, but there is no statutory or contractual obligation to give it to us, and there is no consequence for choosing not to — you simply won't be on the waitlist.

If you email us at hello@nstop.app, we will receive whatever information you choose to send us — your name, message content, attachments, and anything else you include.

2.2 Information collected automatically

When your browser fetches the site, a small amount of technical data is processed. This is standard for any website.

Cloudflare CDN, proxy, Worker, and Turnstile data. Cloudflare sits in front of nstop.app as a reverse proxy, runs our backend as a Cloudflare Worker, and provides the Turnstile CAPTCHA on the waitlist form. In the course of handling your request, Cloudflare processes your IP address, request headers, page URL, approximate location derived from IP, and (for Turnstile) a set of browser signals used to distinguish humans from automated traffic. Cloudflare uses this data to route requests, cache content, mitigate abuse (DDoS and bot protection), and produce aggregate, non-identifying traffic analytics for us.
Rate-limit counters. We keep a short-lived, per-IP counter in Cloudflare KV (automatically deleted after one hour) to stop the same IP from hammering the waitlist endpoint.

We do not use Google Analytics, Meta Pixel, advertising pixels, session-replay tools, fingerprinting scripts, or any cross-site tracking on this site.

2.3 The waitlist confirmation token

When you submit the waitlist form, our Cloudflare Worker generates a short-lived, HMAC-signed verification token containing your email address, a random nonce, and an expiry timestamp (24 hours). This token is emailed to you as part of the confirmation link. It is stored alongside your pending record so we can verify that the link you clicked is the current one. The token becomes unusable once you confirm (the stored record flips to confirmed status and subsequent attempts to use the link are rejected) or 24 hours after issue, whichever comes first. The token value itself stays in the stored record as part of the audit trail, but it is cryptographically past its expiry and cannot be reused to confirm the address again. The token is first-party: no third party sees it or creates it.

03Why we collect it (legal bases)

Purpose	Data used	Legal basis (UK & EU GDPR)
Adding you to the waitlist and emailing you the confirmation link	Email address, timestamp, source tag, consent text version, verification token	Consent — Art. 6(1)(a)
Sending you launch, onboarding and marketing communications about nstop	Email address, waitlist status, consent text version	Consent — Art. 6(1)(a). Every email contains a one-click unsubscribe link; unsubscribing withdraws consent.
Keeping contemporaneous evidence of your consent (IP, user-agent, consent text version, timestamps) so we can demonstrate compliance with Art. 7(1) UK/EU GDPR	IP address, user-agent, consent text version, timestamps	Legitimate interests — Art. 6(1)(f); our interest in being able to demonstrate lawful processing under Art. 7(1) UK/EU GDPR if challenged or audited
Preventing abuse of the waitlist form (rate-limiting, Turnstile bot mitigation, anti-duplicate checks)	IP address, user-agent, Turnstile challenge data, rate-limit counters	Legitimate interests — Art. 6(1)(f); our interest in running a waitlist that isn't flooded with fake submissions
Delivering the website, routing traffic, caching, securing it against attack	IP address, request headers, user-agent, approximate location	Legitimate interests — Art. 6(1)(f); site operation and security
Responding to data-subject requests, legal requests, tax obligations	Whatever is necessary	Legal obligation — Art. 6(1)(c)

You can withdraw your consent at any time (Section 9). Doing so does not affect the lawfulness of any processing that happened before you withdrew.

04Marketing communications

If you confirm your waitlist signup, we will email you:

Launch notifications — when TestFlight opens, when the app goes live on the App Store, and closely related operational updates (e.g. "the link in yesterday's email was broken, here it is again").
Post-launch product updates and marketing emails — new features, relevant Dutch-transit content, and occasional updates about nstop.

Because nstop Ltd. is established in the United Kingdom, our marketing emails are also governed by the UK Privacy and Electronic Communications Regulations 2003 ("PECR"), in particular Regulation 22, which restricts unsolicited commercial email to recipients who have given prior opt-in consent (or who fall within the narrow "soft opt-in" exemption for existing customers). Our waitlist relies on prior opt-in consent, confirmed via double opt-in by clicking the link in our confirmation email, which satisfies both PECR Reg 22 and Art. 6(1)(a) UK/EU GDPR.

Every marketing email contains a one-click unsubscribe link. Unsubscribing withdraws your consent under Art. 6(1)(a). Once you unsubscribe, we will stop sending you marketing but may retain your email on a suppression list so we don't accidentally re-email you. We keep the suppression list on the legal basis of legitimate interests (Art. 6(1)(f) UK/EU GDPR) — specifically our interest in honouring your unsubscribe, which aligns with the ICO's explicit guidance that a suppression list is the appropriate mechanism to do so. You have an unconditional right to ask us to delete your record entirely instead (see Section 9).

05Who we share it with (processors)

We only share personal data with the service providers we need to run the site and the waitlist. We do not sell personal data, and we do not share it for cross-context behavioural advertising.

Processor	What they do for us	Where data is processed
Cloudflare, Inc.	Hosts and runs the website as a Cloudflare Worker (static assets + API backend); stores waitlist records, rate-limit counters, and verification tokens in Cloudflare Workers KV; provides CDN, reverse proxy, DDoS mitigation, and the Turnstile CAPTCHA on the waitlist form. See Cloudflare's privacy policy and DPA.	Cloudflare's global edge network. KV is primarily served from data centres close to the user and in the EU/UK; occasional reads may be served from other regions.
Amazon Web Services EMEA SARL ("AWS")	Sends the waitlist confirmation email (and potentially other transactional emails) via Amazon Simple Email Service (SES) in the Europe (Frankfurt) `eu-central-1` region. See AWS privacy notice and AWS GDPR DPA.	European Union (Frankfurt, Germany)
Intercom R&D Unlimited Company (part of Intercom, Inc.)	Once you confirm, we create or update a contact record in Intercom with your email, waitlist status, timestamps, source tag, and the version of consent text you agreed to. Intercom is used to send launch and post-launch marketing emails and to manage the suppression/unsubscribe list. Our Intercom tenant is hosted on Intercom's US infrastructure — Intercom does not currently offer tenant relocation to the EU. See Intercom's privacy notice and DPA.	United States (Intercom US tenant)
Google LLC (conditional)	If your browser requests any web fonts from Google's CDN, Google will log your IP address. We self-host our fonts to avoid this, but a browser extension, a cached page, or a future change could route font requests through Google. See Google's privacy policy.	United States

We may also disclose personal data if we are legally required to — for example, in response to a valid court order, regulatory request, or subpoena — or if nstop Ltd. is ever sold, merged, or otherwise transferred, in which case we will notify you in advance.

06International transfers

Some of our processors are based outside the UK and the EEA — specifically, Intercom (United States) and Cloudflare (US-headquartered, operating a global edge network). The confirmation email flow through AWS SES is configured to stay inside the EU (Frankfurt), but AWS is a US-headquartered group.

Where personal data is transferred outside the UK/EEA, we rely on the following safeguards required by Chapter V of the UK/EU GDPR:

where personal data is transferred to the United States, we rely primarily on the EU-US Data Privacy Framework (and its UK Extension) where the receiving organisation is certified under it; and otherwise on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum issued by the Information Commissioner's Office, in each case incorporated by reference via the relevant processor's Data Processing Agreement listed in Section 5. Intercom, Inc. and Cloudflare, Inc. are certified under the EU-US Data Privacy Framework (and its UK Extension) as of the "Last updated" date of this policy;
for transfers to other third countries outside the UK/EEA, we rely on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, incorporated via each processor's DPA; and
each processor's own supplementary technical and organisational measures (encryption in transit, access controls, pseudonymisation where applicable).

We keep the volume of data crossing borders to a minimum: the confirmation email flow is EU-only, rate-limit counters and pending records sit in Cloudflare KV, and only the confirmed contact and its minimum attributes are copied into Intercom's US tenant for marketing delivery. If Intercom offers EU tenancy in the future, we will migrate.

07How long we keep it

Data	Retention
Pending waitlist record (email, verification token, IP, user-agent, consent text version, timestamp) in Cloudflare KV	Automatically deleted after 7 days if you don't confirm
Confirmed waitlist record in Cloudflare KV and the corresponding Intercom contact (email, waitlist status, timestamps, source tag, consent text version, and the expired verification token retained as audit-trail evidence)	Kept until nstop publicly launches plus 24 months, unless you ask us to delete it sooner or we re-confirm your interest by email at a later point (in which case the clock restarts from the new confirmation). We will also delete your record earlier if you unsubscribe and ask us to remove you fully.
IP address and user-agent captured as consent evidence (stored inside the confirmed waitlist record in Cloudflare KV; the pending-record copies are deleted with the 7-day TTL above)	Deleted 3 years after your most recent confirmation, or within 30 days of your unsubscribe or erasure request, whichever comes sooner. The same stored IP and user-agent serve both consent-evidence and abuse-prevention purposes; the retention above governs the entire record. We keep these fields on a shorter clock than the rest of the record because their primary purpose is to evidence your consent under Art. 7(1) UK/EU GDPR, and three years comfortably covers the typical limitation window for consent-related challenges.
Unsubscribe / suppression list in Intercom	Kept indefinitely, or until you ask us to delete you, because we need to remember that you asked us not to email you
Rate-limit counters in Cloudflare KV	Automatically deleted after 1 hour
Cloudflare traffic logs and aggregate analytics	Per Cloudflare's retention schedule — short rolling windows for raw logs, longer for aggregated analytics. See Cloudflare's privacy policy.
AWS SES sending logs	Per AWS's retention schedule — typically short-term, used for bounce/complaint handling and deliverability.
Support correspondence sent to hello@nstop.app	Kept for up to 24 months after your last message, then deleted, unless we need to retain it longer to meet a legal, regulatory, or tax obligation.

08Cookies and similar technologies

nstop.app does not set any cookies for analytics, advertising, personalisation, or behavioural tracking. There is no cookie banner because we do not place non-essential cookies or other non-essential storage on your device; the UK Privacy and Electronic Communications Regulations 2003 ("PECR"), the EU ePrivacy Directive 2002/58/EC, and the relevant EDPB and ICO guidance do not require consent for storage that is strictly necessary to provide the service you asked for.

The only cookies and storage you may encounter when you use this site are strictly necessary and fall under the "communication" or "strictly necessary" exemption in Article 5(3) of the ePrivacy Directive:

Cloudflare __cf_bm and similar short-lived Cloudflare-set cookies, used to distinguish humans from bots and protect the site from abusive traffic.
Cloudflare Turnstile challenge cookies (cf_clearance, cf_chl_*, etc.), set only when you interact with the CAPTCHA on the waitlist form, and used solely to complete and remember the challenge for that session.

We do not set any other cookies. We do not use localStorage or sessionStorage for analytics, advertising, or identification.

If Cloudflare changes its cookie behaviour in the future, we'll update this section.

09Your rights

Under the UK GDPR and the EU GDPR, you have the following rights:

Access — ask for a copy of the personal data we hold about you (Art. 15).
Rectification — ask us to correct inaccurate or incomplete data (Art. 16).
Erasure — ask us to delete your data, the "right to be forgotten" (Art. 17).
Restriction — ask us to stop using your data in certain ways (Art. 18).
Portability — receive your data in a structured, commonly used, machine-readable format, and have it transmitted to another controller (Art. 20).
Object — object to any processing we base on legitimate interests (Art. 21).
Withdraw consent — at any time, without affecting past processing (Art. 7(3)). For the waitlist, clicking "unsubscribe" in any email we send you is the easiest way, or you can email us.
Rights relating to automated decision-making — we do not make any decisions about you by solely automated means that produce legal or similarly significant effects (Art. 22). The Turnstile CAPTCHA is solely used to keep bots out of the waitlist form; it does not make decisions about individuals.
Complain to a supervisory authority — if you think we've mishandled your data. In the UK, the Information Commissioner's Office (ico.org.uk). In the EU/EEA, your local Data Protection Authority — you can find yours via the European Data Protection Board.

To exercise any of these rights, email hello@nstop.app. We will respond within one month of receiving your request, as required by Art. 12(3) UK/EU GDPR. We may ask you to verify your identity before we action a request so we don't hand your data to somebody else by mistake.

If you have a concern, we'd appreciate the chance to put it right first — please email hello@nstop.app before escalating to a supervisory authority. You always retain the right to complain directly to a regulator without contacting us first.

10Security

We protect your data with:

HTTPS / TLS encryption in transit across the whole site and all API endpoints.
HMAC-SHA-256-signed confirmation tokens, so that tampered-with links are rejected.
Cloudflare's DDoS and bot mitigation protecting the waitlist endpoint.
Rate-limiting on the waitlist endpoint, to stop abusive traffic.
No storage of passwords — the website has no user accounts, so there's nothing to crack.
Encryption at rest provided by our processors (Cloudflare KV, AWS SES, Intercom) as described in their DPAs.

No system is ever completely secure, but we take proportionate steps to prevent unauthorised access. If we ever become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours as required by Art. 33 UK GDPR, and notify you directly where required by Art. 34.

11EU representative (Article 27 GDPR)

Because nstop Ltd. is established in the United Kingdom and offers services to individuals in the European Union, Article 27 of the EU GDPR requires us to designate a representative in the Union. nstop Ltd. is in the process of appointing an Article 27 representative. In the meantime, EU data subjects may contact the controller directly at hello@nstop.app about any matter relating to the processing of their personal data by nstop Ltd. We will update this section with the representative's details as soon as the appointment is finalised.

12California residents (CCPA / CPRA)

If you are a California resident, you also have the right, under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the "CCPA"), to:

Know what categories of personal information we have collected about you and how we use it.
Request deletion of your personal information.
Request correction of inaccurate personal information.
Opt out of the "sale" or "sharing" of your personal information for cross-context behavioural advertising.
Not be discriminated against for exercising any of these rights.

We do not sell personal information, and we do not share it for cross-context behavioural advertising, so no opt-out mechanism is required. The only personal information we collect from California residents in the past 12 months falls into the CCPA categories "identifiers" (email address, IP address) and "internet or other electronic network activity" (the automatic data described in Section 2.2). To exercise your California rights, email hello@nstop.app.

13Children

nstop is not directed at children. In the United Kingdom, section 9 of the Data Protection Act 2018 sets the age of consent for information-society services at 13. In some EU Member States, the threshold set under Article 8 EU GDPR is higher (up to 16); in the Netherlands, for example, it is 16. We apply whichever threshold applies to your country of residence and do not knowingly collect personal data from anyone below it. If you believe a child has submitted personal data to us, email hello@nstop.app and we will delete it without delay.

14Changes to this policy

We may update this policy as nstop evolves. When we do, we will change the "Last updated" date at the top. If the change is material — for example, if we add a new category of data, a new processor, or a new purpose of use — we will also email everyone on the confirmed waitlist before the change takes effect. The iOS app will ship with its own in-app notice when the time comes.

15Contact us

Controller:

nstop Ltd.

71-75 Shelton Street, Covent Garden

London, WC2H 9JQ, United Kingdom

Company number: 17117879

Email: hello@nstop.app

EU representative (Article 27 GDPR): see Section 11.

UK supervisory authority: Information Commissioner's Office — ico.org.uk

EU supervisory authority: your local Data Protection Authority — directory at edpb.europa.eu

End of policy — version 1.0, 19 April 2026. Back to top