

Privacy Policy

This policy explains what personal data Nonto collects, why we collect it, how we use and share it, and the rights you have under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

  • Effective: 26 May 2026
  • Controller: Sunday Engineering, MB, Chemijos g. 27C-62, LT-51331 Kaunas, Lithuania
  • Company code: 307395994
  • VAT: LT100019085117
  • Privacy contact: hello@sunday.engineering

We have not appointed a Data Protection Officer as the scale and nature of our processing do not require one under Art. 37 GDPR. For any privacy matter, write to the contact above.

1. Our two roles

We act as data controller for the personal data of our users — the account holder and people we communicate with directly. We act as data processor on your behalf for the personal data of your clients and other contacts that you store in Nonto to issue invoices. Sections 2–8 below describe how we process data as controller. Section 9 describes the processor role.

2. Data we collect

You provide directly

  • Account & identity: email address, name, trade name, phone number.
  • Business profile: registered address, registration code, VAT number, bank account (IBAN, BIC, account holder, bank name), invoice series, tax rates.
  • Content: client records you create (name, address, contact details, registration / VAT codes), invoices, line items, notes.
  • Support correspondence: messages you send us and our replies.

Collected automatically

  • Authentication: one-time login codes, session tokens, sign-in timestamps and IP address.
  • Technical logs: request metadata, user-agent, error and audit logs, for security and reliability.
  • Strictly necessary cookies / local storage: session and CSRF protection. We do not use advertising or cross-site tracking cookies.

3. Purposes & lawful bases

  • Provide the service: Account creation, authentication, generating invoices, storing your data. Art. 6(1)(b) GDPR — performance of a contract.
  • Security & abuse prevention: Rate limiting, fraud detection, audit logs. Art. 6(1)(f) GDPR — legitimate interest in keeping the service safe.
  • Legal & tax records: Retaining billing and invoicing records. Art. 6(1)(c) GDPR — compliance with legal obligation.
  • Service communications: Operational emails (sign-in codes, billing receipts, security alerts). Art. 6(1)(b)/(c) GDPR.
  • Product improvement: Aggregated, non-identifying usage analysis. Art. 6(1)(f) GDPR — legitimate interest, balanced against your rights.
  • Marketing (only if you opt in): Newsletters or product announcements. Art. 6(1)(a) GDPR — consent, withdrawable at any time.

4. How long we keep it

  • Account & profile data: for the life of your account, then deleted within 30 days of closure, unless retention is legally required.
  • Invoices & billing records: retained for the period required by applicable tax law (typically up to 7–10 years depending on EU Member State).
  • Authentication logs: up to 12 months.
  • Technical / security logs: up to 90 days, unless retained for incident investigation.
  • Support correspondence: up to 24 months after the case is closed.

5. Who we share it with

We share personal data only with sub-processors and recipients that are necessary to operate the Service. They process data on our documented instructions under written contracts compliant with Art. 28 GDPR.

  • Cloud hosting & database — infrastructure provider in the EU/EEA.
  • Transactional email — sending sign-in codes and operational notifications.
  • Error monitoring & logging — diagnosing technical issues.
  • Payment processor — billing for paid plans (we do not store card numbers).
  • Professional advisers — accountants and lawyers under confidentiality, where strictly necessary.
  • Public authorities — when required to comply with a binding legal request.

A current list of named sub-processors is available on request at hello@sunday.engineering.

6. International transfers

We store data primarily within the EU/EEA. Where a sub-processor processes data outside the EU/EEA we rely on transfer mechanisms recognised under Chapter V GDPR, including the European Commission’s Standard Contractual Clauses and, where applicable, an adequacy decision. We carry out transfer impact assessments and apply supplementary measures (encryption in transit and at rest, access controls).

7. Your rights

Under the GDPR you have the right to:

  • Access (Art. 15) — obtain confirmation and a copy of your personal data.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure (Art. 17) — request deletion, subject to legal retention obligations.
  • Restriction (Art. 18) — limit how we process your data in specific cases.
  • Portability (Art. 20) — receive your data in a structured, machine-readable format or have it sent to another controller.
  • Objection (Art. 21) — object to processing based on legitimate interests.
  • Withdraw consent (Art. 7) — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
  • Not be subject to solely automated decisions (Art. 22). Nonto does not make decisions with legal effect about you using solely automated means.

To exercise any of these rights write to hello@sunday.engineering. We respond within one month (extendable by two further months for complex requests). We may need to verify your identity before acting on a request.

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State where you live, work or where the alleged infringement occurred. Our lead supervisory authority is the State Data Protection Inspectorate of the Republic of Lithuania (Valstybinė duomenų apsaugos inspekcija, VDAI).

8. Security

We apply technical and organisational measures appropriate to the risk, including TLS encryption in transit, encryption at rest, principle-of-least-privilege access controls, audit logging, regular backups, and one-time-code authentication (no stored passwords). No system is perfectly secure; in the event of a personal data breach affecting your rights we will notify the supervisory authority and, where required, you directly, in accordance with Art. 33–34 GDPR.

9. Processing of client data on your behalf

Personal data you enter about your clients (e.g. names, contact and tax details on invoices) is processed by us as a processor on your behalf. You are the controller of that data and remain responsible for: having a lawful basis to process it, informing your clients of the processing, responding to their requests, and ensuring it is accurate and lawful to store.

Our processing is limited to what is necessary to provide the Service. We will assist you with security, data subject requests and breach notifications, in line with Art. 28 GDPR. A standard data processing addendum (DPA) is available on request.

10. Cookies & local storage

Nonto uses only strictly necessary cookies and local storage entries to keep you signed in, protect against CSRF, and remember interface preferences such as theme. These do not require consent under Art. 5(3) of the ePrivacy Directive. We do not use advertising, profiling or third-party tracking cookies. If we introduce any non-essential cookies in future we will ask for your consent first.

11. Children

The Service is intended for use by adults in a business context. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. If we make material changes we will notify you by email or in-app notice before they take effect. The effective date at the top of this page indicates when the current version was published.

13. Contact

Questions, requests or complaints: hello@sunday.engineering. See also our Terms & Conditions.

© 2026 Nonto