Privacy Policy

Last updated: January 22, 2026

We do everything we can to protect the data and privacy of our users. We have a strict data protection and privacy policy that we constantly improve in accordance with new standards and best practices.

1. Infrastructure Security

Our applications are hosted by Google Cloud Platform. We use Google's infrastructure to distribute our services.

Google Cloud Platform adheres to strict rules regarding data security and privacy.

Google Cloud Platform undergoes independent verification of its security, privacy and compliance controls to help us achieve our regulatory and strategic objectives. Details of their compliance services, such as ISO/IEC 27001/27017/27018/27701, SOC 1/2/3, PCI DSS, and FedRAMP certifications, as well as alignment with HIPAA, GDPR, and CCPA laws and regulations, among others, can be found in our compliance resource center.

We review accounts and access rights on our network infrastructure at least once a month.

We work with DoiT International France SAS, a Google Cloud Premier Partner, to provide us with responsive support for Google Cloud Platform and recommendations on best practices, cost optimization and platform security. DoiT International France SAS does not have access to our infrastructure.

2. Network Security

Our network infrastructure consists of several layers of security.

  • A virtual private cloud with Cloud Identity and Access Management (IAM) access control
  • A VPN to access the infrastructure
  • IP address and port filtering
  • A mitigation system to protect against malicious attacks

3. Data Security

3.1. Data Location

Data is hosted on Google Cloud Platform in Belgium (for European customers).

3.2. Critical Data

All critical data (passwords and access tokens) is encrypted using proven encryption algorithms.

3.3. Data Transport

We use TLS to securely transmit data.

3.4. Management of Customer-Delegated Shortened Domain

We handle the generation, renewal and implementation of SSL certificates on our load balancers. Our SSL certificates use recommended encryption algorithms. We regularly test our domains to evaluate the quality of our SSL encryption.

4. Client Data Privacy and Asset Ownership

4.1. Use of Private Data

Nonli formally commits not to communicate, share, sell or use for commercial purposes or for its own account the private data of its customers. This data is strictly reserved for use as part of the services provided by Nonli, in accordance with agreements concluded with each customer.

4.2. Ownership and Use of Client Assets

  1. All private assets provided by the client, including but not limited to fonts, images, logos, and any other graphic or textual content, remain the exclusive property of the client.
  2. Nonli commits to using these assets only within the framework of services provided to the client via the Nonli platform, and exclusively on behalf of the client owner.
  3. Nonli does not acquire any ownership or usage rights to these assets outside the scope defined by the agreement with the client.
  4. Nonli commits not to use, reproduce, modify, or distribute these assets for any purpose other than that expressly authorized by the client in the context of using the Nonli platform.
  5. At the end of the business relationship, or upon client request, Nonli commits to cease all use of these assets and to delete them from its systems, unless otherwise required by law.

4.3. Asset Confidentiality

Nonli commits to maintaining the confidentiality of assets provided by the client and to implementing appropriate security measures to prevent any unauthorized access, use, modification or disclosure of these assets.

5. Google User Data Disclosure

5.1. Scope of Access to Google User Data

When you connect your YouTube account to Nonli, our application may access the following data based on the permissions you grant:

  • YouTube account information: Your YouTube channel name, profile picture, and channel ID
  • YouTube content: Your uploaded videos, playlists, video metadata (titles, descriptions, tags, thumbnails), and channel content
  • YouTube analytics: Performance metrics for your videos and channel, including views, watch time, audience demographics, traffic sources, and engagement data
  • YouTube monetization data: Revenue reports, ad performance metrics, and channel monetization statistics

5.2. How We Use Google User Data

Nonli uses your YouTube data exclusively to:

  • Display analytics and performance metrics for your YouTube channel within the Nonli dashboard
  • Allow you to upload and manage video content directly from the Nonli platform
  • Aggregate your YouTube data with other social media platforms for unified reporting
  • Provide insights and recommendations to optimize your content strategy

We do NOT use your Google user data for:

  • Advertising or marketing purposes unrelated to your use of Nonli
  • Sale, rental, or transfer to third parties for commercial purposes
  • Training artificial intelligence or machine learning models
  • Any purpose unrelated to the core functionality of the Nonli platform

5.3. How We Store and Protect Google User Data

  • All Google user data is securely stored on Google Cloud Platform servers located in Belgium (European Union)
  • Access tokens and sensitive credentials are encrypted using industry-standard encryption algorithms
  • All data transmissions are protected using TLS encryption
  • Access to user data is strictly limited to authorized personnel and systems required to provide our services

5.4. Data Retention and Deletion

  • Google user data is retained only as long as necessary to provide our services to you
  • When you disconnect your YouTube account from Nonli or delete your Nonli account, all associated Google user data is permanently deleted from our systems
  • You may request the deletion of your Google user data at any time by contacting [email protected]

5.5. Data Sharing

We do not share, sell, rent, or disclose your Google user data to third parties, except:

  • When required by applicable law or legal process
  • With your explicit prior consent
  • With service providers who help us operate our platform, under strict confidentiality agreements and only to the extent necessary to provide our services

5.6. Access Revocation

You can revoke Nonli's access to your YouTube and Google data at any time by visiting your Google Account Permissions page and removing Nonli from the list of connected applications.

5.7. Compliance

Nonli's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5.8. YouTube API Services Notice

Nonli uses YouTube API Services to enable users to connect their YouTube accounts, manage their video content, and access analytics and performance metrics for their channels within the Nonli platform.

By using Nonli features connected to YouTube, you also agree to Google's Privacy Policy, available at: http://www.google.com/policies/privacy

You can revoke Nonli's access to your YouTube data at any time by visiting Google's security settings page at: https://security.google.com/settings/security/permissions

Nonli has participated in the CNIL's "audience measurement" evaluation process and is therefore able to offer a consent-exempt solution in compliance with the CNIL's "cookies and other trackers" guidelines. Nonli is listed on the CNIL website where you can download the configuration guide.

6.1. How the Nonli Analytics Tag (SDK) Works

The Nonli analytics tag works independently on each domain. The data collected is completely anonymous and is never consolidated between different domains. The tag does not set any cookies and does not allow tracking of an individual user's journey.

The tag is deployed on a subdomain of the client's main domain. Traffic analysis is done anonymously directly on our servers, without using cookies. The tag does not allow identification or tracking of a specific user's journey.

All data collected using this tag is anonymized and is not consolidated with other domains. No personal data is collected using this tag.

We commit not to use our clients' data for our own purposes.

7. Service Availability

We make our best efforts to maintain a 99.99% availability rate.

Service availability can be checked on our status page.

8. Disaster Recovery and Business Continuity

We replicate and back up all our data multiple times a day. We regularly run disaster recovery scenarios to restore service as quickly as possible.

9. Nonli Application Security

All our applications are developed internally by our full-time employees; we do not use any external contractors or subcontractors.

10. Development Method

Our developers regularly practice pair programming. All development work is covered by unit and functional tests.

We have dedicated QA environments; if a test fails, the code cannot be deployed to production.

Our developers regularly undergo training to stay up to date with best practices for combating security vulnerabilities.

We follow OWASP recommendations.

Before deployment to production, we have a strict code validation process:

  1. Each development must be deployed in an isolated and secure "sandbox" environment
  2. Pull Requests must be reviewed and approved by other developers
  3. Unit tests must pass
  4. Functional tests must be validated
  5. Non-regression tests must be validated
  6. The code quality score must not decrease
  7. Our external code and security audit tools must not reveal any security vulnerabilities

If the development does not pass one of these validation steps, the code must be improved until all steps are validated.

11. Application Security Inspection and Scanning

We scan the application with external tools that check for security vulnerabilities, potential bugs and code quality issues, and that produce weekly reports.

12. Security and Access Rights in Nonli

12.1. Resource Access Management

Administrators have the ability to create specific roles for each department of the company with very fine granularity.

It is possible to create cross-brand roles for reading and/or writing and add specific rights per resource.

12.2. Authentication

All our connections require two-factor authentication (2FA) with phone number and SMS validation. Sessions must be unique per device type. Two simultaneous sessions are allowed: one on desktop and one on mobile. If 2 sessions are initiated on 2 desktops simultaneously, the first session will be invalidated. The same applies to simultaneous sessions on mobile.

Any password change must be validated by email.

Any email change must be validated by SMS.

Any phone change must be validated by email.

12.3. API Access

Username/password credentials are provided for using the server-to-server API. To use the REST API, you must request a token during authentication. This token is valid for 7 days.

13. Company Security

13.1. Personnel and Equipment Security

All employees are trained in security, and staff regularly attend workshops on OWASP recommendations and on the literature we find each week through monitoring. We dedicate 1 to 2 hours per week per employee to IT security awareness.

We regularly conduct internal penetration tests to combine theory with practice.

We treat networks as untrusted, which is why we have implemented protection and installation procedures. All development machines are set up following a unified protocol to ensure that all computer equipment is kept up to date and compliant (encryption, firewall, fingerprint access restriction...).

Our workstation sessions are automatically locked after 5 minutes.

Staff are made aware of the confidentiality, integrity and sensitivity of all our clients' data.

13.2. Security Audit

We run security tests with Cloud Web Security Scanner weekly and with Scrutinizer daily. Our clients have the option to perform external security audits and penetration tests, provided they inform us in advance.

13.3. Reporting a Security Incident

Vulnerabilities can be reported to [email protected]

13.4. Compliance and Certifications

Company employees make their best efforts to apply ISO 27001 and SOC 2 standards.

Nonli follows strict rules regarding data security, privacy and compliance, and adheres to ISO 27001 and SOC 2 standards. However, due to the high cost of these certifications, we have not yet been able to obtain them.

Nonli is GDPR compliant.

Data subject to GDPR is data necessary for the proper functioning and security of the platform. When a company becomes inactive in Nonli, it is deleted along with users attached to the company; no personal data is retained.

13.5. Transaction Compliance

Nonli is PCI DSS compliant. Credit card transactions are managed by Adyen.

Adyen is fully PCI DSS 3.2 compliant as a Level 1 service provider. This is the main security standard governing the payments industry.

As a payment institution, Adyen is fully supervised by the Dutch Central Bank and we comply with the requirements of the European Payment Services Directive (EU Directive 2015/2366), as well as any other requirements applicable to financial services provided by Adyen.

Adyen complies with ISAE3402/SOC 1 (Service Organizational Control 1), which evaluates and tests internal controls over financial reporting within a service organization. This reflects the service organization's compliance with policies and procedures through monitoring, training and verification of policies and procedures.

14. Partnership and Status

Nonli is an official partner of Facebook, Instagram, Twitter and LinkedIn. Nonli joined the Google Startup Pack program and later became a Google Partner.

Nonli has obtained the Innovative Young Company status issued by the Ministry of Research.

Q&A

Yes, we comply with legal data retention periods and justify them through our legal and regulatory obligations. We implement procedures for regular deletion and archiving of data based on their legal retention period.