Privacy Policy
Last updated: 21.04.2026
This policy describes how the Nox&Hop loyalty application ("the App", available at https://loyalty.noxhop.it) collects, uses, and protects your personal data, in accordance with Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by 101/2018.
1. Data Controller
The Nox S.n.c.
Registered office: Viale Ivo Montagni 195, 50050 Capraia e Limite sull'Arno (FI), Italy
VAT number (Partita IVA): 07109530480
Email: info@noxhop.com
2. What data we collect
When you register or use the App, we collect:
- Account data: email address, display name, password (hashed — we never store or see your plaintext password).
- If you sign in with Google: your Google account email, name, and Google user ID. We request only the openid, email, and profile scopes — we do not access your Gmail, Calendar, Drive, or any other Google service.
- Loyalty data: points balance, level, achievements unlocked, streak history, cosmetics purchased, QR-code identifiers we generate for you.
- Purchase data synced from our point-of-sale system: the date, total amount, and line items of orders you make at the pub when you are identified (by email, at checkout) as a loyalty member. We do not receive your payment card details — those are handled by the pub's POS provider and never reach the App.
- Technical data: IP address, browser user-agent, session tokens. Used only for authentication, security, and debugging.
We do not collect: location data, device contacts, photos, payment details, or sensitive categories of data (health, political opinions, religion, etc.).
3. Why we use your data (legal bases, GDPR Art. 6)
- Create and maintain your loyalty account — Contract (Art. 6(1)(b))
- Track points, levels, achievements, rewards — Contract (Art. 6(1)(b))
- Send account-related emails (e.g. password reset) — Contract (Art. 6(1)(b))
- Send optional marketing / promotional notifications — Consent (Art. 6(1)(a)), opt-out any time
- Keep the App secure (rate limiting, fraud detection, logs) — Legitimate interest (Art. 6(1)(f))
- Comply with tax and accounting law — Legal obligation (Art. 6(1)(c))
4. Who we share your data with (third-party processors)
Your data is processed on our behalf by the following parties. All are bound by GDPR-compliant data processing agreements.
- Hetzner Online GmbH (Germany) — hosts the application server. Data stays within the EU.
- Google LLC / Google Ireland Ltd — if you use "Sign in with Google", Google processes your authentication. See Google's Privacy Policy.
- Odoo S.A. (Belgium) — our point-of-sale system, running on Odoo Online (odoo.com). Purchase data is synced to the App to award points. Data is processed within the EU. See Odoo's Privacy Policy.
- Cloudflare, Inc. — manages our DNS records.
- OVHcloud (France) — our domain registrar for noxhop.it.
We do not sell your data, and we do not share it with advertisers.
5. International transfers
Your data is stored in the European Union (Germany). When you sign in with Google, some data may be transferred to Google servers outside the EU under Standard Contractual Clauses approved by the European Commission.
6. How long we keep your data
- Active accounts: for as long as you use the App.
- Inactive accounts: if you haven't logged in or made a purchase for 36 months, we will email you and delete the account if you don't respond within 30 days.
- Deleted accounts: personal data is removed immediately; anonymised aggregate statistics may be retained.
- Transaction records required by tax law: kept for 10 years as required by Italian law (D.P.R. 633/1972, Art. 39), but stored in the POS system, not the App.
- Backups: encrypted DB backups are rotated every 14 days, so deleted data persists up to 14 days in cold storage before full erasure.
7. Your rights (GDPR Arts. 15–22)
You have the right to:
- Access the data we hold about you.
- Rectify inaccurate data.
- Erase your account and associated data.
- Restrict or object to processing.
- Data portability — receive your data in a machine-readable format.
- Withdraw consent for marketing at any time.
- Lodge a complaint with the Italian Data Protection Authority, Piazza Venezia 11, 00187 Roma.
To exercise any of these rights, email info@noxhop.com. We will respond within 30 days.
8. Cookies and tracking
The App uses only strictly necessary cookies — specifically, a session cookie to keep you logged in. We do not use analytics cookies, advertising cookies, or third-party tracking pixels.
9. Children
The App is not intended for users under 16 years of age. Since Nox&Hop serves alcohol, users should in any case be of legal drinking age in Italy (18+). If we learn that we have collected data from someone under 16, we will delete it.
10. Security
- Passwords are hashed using industry-standard algorithms (bcrypt).
- All traffic is encrypted with TLS 1.2+ (HTTPS).
- The server is hardened: SSH password authentication is disabled, a firewall is enabled, and security updates are applied.
- Database access is restricted to the application server.
11. Changes to this policy
We will post material changes here and, if you have an account, notify you by email. Keep an eye on the "Last updated" date at the top.
Questions? Email info@noxhop.com and a human will reply.