GDPR Compliance

Last updated: April 26, 2026

0.mk is committed to compliance with the General Data Protection Regulation (GDPR). This page explains how we handle personal data of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland.

Data controller

NoCode, Inc. is the data controller for personal data processed through 0.mk.

  • Company: NoCode, Inc.
  • Address: 16192 Coastal Hwy, Lewes, DE 19958, United States
  • For data protection inquiries, contact us here

Legal bases for processing

We process personal data under the following legal bases:

| Processing activity | Legal basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| URL shortening and redirection | Contract performance (Art. 6(1)(b)) |
| Click analytics (aggregated) | Legitimate interest (Art. 6(1)(f)) |
| Abuse prevention and security | Legitimate interest (Art. 6(1)(f)) |
| Transactional emails (login links) | Contract performance (Art. 6(1)(b)) |
| Marketing communications | Consent (Art. 6(1)(a)) |

Your rights under GDPR

As a data subject in the EEA/UK, you have the following rights:

Right of access (Art. 15)

You can request a copy of all personal data we hold about you. Use the CSV export feature in your dashboard for link data, or contact us for a full data export.

Right to rectification (Art. 16)

You can update your profile information directly in Settings. For other corrections, contact us.

Right to erasure (Art. 17)

You can delete your account from Settings > Danger Zone. This permanently removes your account, all links, analytics, tags, API keys, and audit logs within 30 days. You can also request deletion via our contact page.

Right to restrict processing (Art. 18)

You can request that we limit how we process your data in certain circumstances, such as when you contest the accuracy of your data.

Right to data portability (Art. 20)

Export your links as CSV from the dashboard. For a machine-readable export of all your data, contact us.

Right to object (Art. 21)

You can object to processing based on legitimate interest. We will stop processing unless we have compelling grounds that override your interests.

Right to withdraw consent (Art. 7(3))

Where processing is based on consent (e.g., marketing emails), you can withdraw at any time. This does not affect the lawfulness of prior processing.

Right to lodge a complaint

You have the right to lodge a complaint with your local data protection authority. For users in the EU, a list of authorities is available at edpb.europa.eu.

Data processing agreements

We have data processing agreements (DPAs) with all sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare | Edge redirects, DDoS protection, KV storage | Global (US-based) |
| Vercel | Application hosting | US |
| DigitalOcean | Database hosting | US |
| Resend | Transactional email delivery | US |

International data transfers

As our infrastructure is primarily US-based, data is transferred from the EEA to the United States. We ensure lawful transfers through:

  • Standard Contractual Clauses (SCCs): incorporated into our agreements with all sub-processors
  • EU-US Data Privacy Framework: where applicable, our processors are certified under the DPF
  • Data minimization: we transfer only the minimum data necessary for each processing purpose

Data protection by design

  • IP anonymization: visitor IP addresses are never stored - only the country code derived at the edge
  • Aggregation: click analytics are stored as daily rollups, not individual events
  • Minimal cookies: only essential session and preference cookies - no tracking
  • Least privilege: the application database user has only the permissions it needs
  • Workspace isolation: all queries are scoped to prevent cross-workspace data access

Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Document the breach, its effects, and remedial actions taken

Data Protection Impact Assessments

We conduct DPIAs for new processing activities that may result in a high risk to data subjects, including new analytics features and third-party integrations.

Exercising your rights

To exercise any GDPR right:

  • Submit a request via our contact page
  • We will verify your identity before processing requests
  • We respond within 30 days (extendable by 60 days for complex requests)
  • Rights are exercised free of charge

Contact

For any GDPR-related inquiries, reach out via our contact page.