Legal
Privacy Policy.
What we collect, why, and your rights.
Last updated: 29 April 2026 · Effective date: 1 June 2026
The short version: NOLO uses Stripe to process card payments at the station. We do not store your card data, we do not require an account, we do not sell your information. We log rental events to make the service work and to comply with tax law. That's it.
1. Who we are
NOLO is operated by NOLO Sharing S.L. (legal entity in formation, Spain). For all data-protection matters you can write to privacy@nolosharing.com. Postal address available on request.
This Privacy Policy applies to nolosharing.com and to NOLO powerbank stations operated in the European Union. We act as the Data Controller for the personal data described below.
2. What data we collect
2.1 When you rent a powerbank
- Payment data — your card details are read directly by the Stripe Terminal at the station. Stripe is the data controller for that processing. NOLO never sees or stores your full card number; we receive a tokenised reference, the transaction amount, and the timestamp.
- Rental event data — station ID, slot number, powerbank ID, rental start/end timestamps, total amount charged.
2.2 When you visit nolosharing.com
- Analytics — anonymised usage data (page views, country, device type) via Google Analytics 4 with IP-anonymisation enabled. We never receive your name or email from this source.
- Cookies — a single first-party analytics cookie. You can refuse it via the consent banner.
2.3 When you contact us or fill the venue form
- The data you submit: name, email, venue name, venue type, expected guest volume, free-text notes.
3. Why we process your data (legal basis)
- Contract performance (GDPR Art. 6(1)(b)) — to operate the rental, charge your card, and resolve disputes.
- Legal obligation (Art. 6(1)(c)) — to keep accounting records under Spanish tax law (typically 6 years).
- Legitimate interest (Art. 6(1)(f)) — to detect fraud, prevent payment abuse, and improve the service. You can object at any time.
- Consent (Art. 6(1)(a)) — for analytics cookies. Withdrawable at any time via the banner or by clearing cookies.
4. Who sees your data
We share data only with processors necessary to operate NOLO:
- Stripe — payment processing (PCI DSS Level 1 certified). Stripe is the controller for card data, NOLO is the controller for rental data. stripe.com/privacy
- WeShare — station/SIM telemetry provider (China). Receives only powerbank IDs and station status. Adequacy mechanism: standard contractual clauses + technical safeguards.
- Netlify — website hosting (USA, GDPR-compliant under EU-US Data Privacy Framework).
- Google Analytics 4 — anonymised website analytics.
We do not sell, rent, or share your data with advertisers or data brokers.
5. International transfers
Stripe and Netlify operate globally. Where personal data is transferred outside the EEA, we rely on EU Standard Contractual Clauses or equivalent legal mechanisms.
6. How long we keep your data
- Rental and payment records — up to 6 years (Spanish tax law, Art. 30 Código de Comercio).
- Venue partnership leads — until partnership is closed or 24 months from last contact, whichever first.
- Analytics data — 26 months in Google Analytics, then automatically deleted.
- Support emails — 12 months from resolution.
7. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15)
- Correct inaccurate data (Art. 16)
- Request erasure (Art. 17), subject to legal retention obligations
- Restrict processing (Art. 18)
- Receive your data in a portable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent for analytics at any time
- Lodge a complaint with the Spanish Data Protection Authority (aepd.es)
To exercise any of these rights, write to privacy@nolosharing.com. We respond within 30 days.
8. Children
NOLO is intended for adults (18+). We do not knowingly collect data from minors. If you believe a minor has rented a powerbank, contact us and we will delete the records.
9. Security
Card data never touches our infrastructure — it is processed end-to-end by Stripe (PCI DSS Level 1). Rental records are stored in encrypted databases with restricted access. The website uses HTTPS exclusively.
10. Changes to this policy
If we make material changes, we will update the "Last updated" date and post a notice on the homepage at least 14 days before the change takes effect.
This policy is provided in English. Spanish, Italian, and German translations are available on request and have equal legal effect once published.
← Back to NOLO