Legal · Last updated 2 May 2026

Privacy policy

How we handle personal data on this site and (later) on the platform. Written plainly, scoped to what we actually do today, and updated whenever the practice changes.

01Who we are

nuya is operated by Archevia BV, a Belgian limited company. Archevia BV is the data controller for personal data processed in connection with this website and (when launched) the nuya platform.

Legal entityArchevia BV
Registered officeBurgemeester Verhulstplein 13, 2040 Antwerpen, Belgium
VAT / company no.BE1026.413.121
Contactcontact@nuya.io
DPONo DPO is currently appointed; Archevia BV's processing does not currently meet the GDPR Art. 37 thresholds. The contact above answers privacy questions.

02What we collect

This site is a static landing page. The only personal data we process today is what you submit voluntarily.

Waitlist form

If you submit the waitlist form on the home page, we receive the email address you supply and the optional free-text note describing the implementation you're working on. The form constructs a pre-filled mailto: in your own email client; we receive the message when you press send. We do not run a server-side form handler today.

Server logs

The web server hosting nuya.io records standard HTTP request logs (IP address, timestamp, requested URL, user-agent string) for security and operational diagnostics. We do not link these logs to identifiable individuals and we do not use them for analytics or profiling. Logs are retained for at most 30 days then rotated.

Cookies

This site does not set first-party cookies. Third-party requests (e.g. fonts loaded from api.fontshare.com) may set cookies under their respective privacy policies. See the Cookies notice for details.

The platform itself (when you become a customer)

Once the nuya platform launches and you are onboarded as a customer, we process additional categories of personal data on your behalf as a processor (with your company as controller). This is governed by a separate Data Processing Agreement, not by this privacy policy. Customer privacy is documented at /legal/dpa when that page is published.

03Why we process it & legal basis

  • Waitlist email + note — to contact you about pilot availability, demos, and product launch updates. Legal basis: consent (GDPR Art. 6(1)(a)). You can withdraw at any time by replying to any of our emails or writing to contact@nuya.io.
  • HTTP server logs — to keep the site secure, diagnose outages, and meet our hosting provider's abuse-handling obligations. Legal basis: legitimate interest (GDPR Art. 6(1)(f)) — minimal data, retained briefly, no profiling.
  • Replies to incoming email — to answer questions you ask. Legal basis: legitimate interest in business correspondence and (where applicable) steps prior to entering a contract (Art. 6(1)(b)).

04Who has access

Personal data you give us is accessed by Archevia BV's small operating team. We use a limited set of sub-processors to run the website and respond to messages.

Sub-processors (today, waitlist phase)

  • Render — application hosting (static site + contact-form API) in the Frankfurt (EU) region. Privacy policy · GDPR & DPA.
  • Fontshare (ITF Foundry) — webfont CDN. Fonts are loaded from api.fontshare.com; their privacy posture is described at fontshare.com/legal/privacy.
  • Resend — transactional outbound email provider for any mail nuya.io sends (waitlist confirmations and contact-form notifications). When you submit the waitlist form, your email and any context you provide are processed by Resend to deliver the message to contact@nuya.io. EU region (Frankfurt) is the configured deployment region. See Resend's privacy policy.
  • Cloudflare — bot-protection (Turnstile) on the waitlist form, when enabled. Turnstile is privacy-preserving (no third-party cookies, no behavioural fingerprint exfiltration). See Cloudflare's privacy policy.

Sub-processors (added at platform launch)

When the platform launches the customer-facing list expands to include providers like Supabase (database + authentication, EU region), Anthropic (model inference, with Zero Data Retention contracted before any customer data flows through it), and Microsoft (Teams integration, where the customer's tenant is the host). Customers receive the up-to-date list as part of their Data Processing Agreement.

05International transfers

For waitlist-phase processing, all data stays inside the European Economic Area. Archevia BV's hosting and email providers are EU-based, and the only third-party service the static site touches at runtime is the Fontshare CDN which serves fonts from EU-located edges.

If the platform later requires transfers outside the EEA (e.g. inference via Anthropic in the US), we will rely on the European Commission's adequacy decisions where applicable and on Standard Contractual Clauses (SCCs) plus supplementary technical measures (Zero Data Retention, no training use) in all other cases. The applicable DPA addendum will spell out the transfer mechanism per sub-processor.

06How long we keep it

  • Waitlist email + note — kept while we are still pre-launch and you have not asked us to stop. After product launch we ask you to confirm continued consent (re-opt-in); without confirmation we delete your record.
  • Email correspondence — kept for 24 months by default, longer only if a contractual or legal-defence basis arises.
  • HTTP server logs — at most 30 days, then rotated.

07Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectify inaccurate or incomplete data (Art. 16).
  • Erase your data — the "right to be forgotten" (Art. 17).
  • Restrict our processing (Art. 18).
  • Receive a portable copy of the data you provided to us (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, write to contact@nuya.io. We respond within one month and free of charge in most cases (Art. 12). For waitlist requests we typically resolve within a few business days.

If you believe we have mishandled your data, you can lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données):

AddressRue de la Presse 35, 1000 Brussels, Belgium
Webwww.dataprotectionauthority.be
Phone+32 (0)2 274 48 00

08Security

Personal data is held in EU-resident systems with at-rest encryption. Access is limited to Archevia BV staff who need it for the specific operational task. We do not use personal data submitted via the waitlist to train any AI model.

The platform itself, when launched, is built around tenant isolation (Postgres row-level security on every table), an immutable audit log, and Zero Data Retention contracts with model providers. The customer-facing security posture is documented separately at /legal/security when that page is published.

09Updates to this policy

We update this page when our processing changes — new sub-processors, new platform features, jurisdictional changes. The "Last updated" date at the top reflects the most recent material change. We do not silently rewrite history; superseded versions are kept on request.