Privacy Policy for nystaknit.com

Last updated: 2026-05-22

This policy describes how we process your personal data when you sign up for our waiting list on nystaknit.com.

The policy covers the landing page only. The Nysta app will have its own policy when it launches.

1. Data controller

StatLab
CVR: 41068027
Alleen 39
8660 Skanderborg
Denmark
Contact: hi@nystaknit.com

2. What data we collect

When you sign up for the waiting list, we collect:

  • Your email address
  • Language (Danish or English)
  • Time of sign-up
  • Confirmation status (whether you have confirmed your email via the link)
  • Source (which channel you came from, e.g. Reddit, Instagram, direct link). This is typically derived from UTM parameters or the referring page.

When you visit the site, we collect pseudonymised usage data through PostHog:

  • Which pages you have viewed
  • Which buttons you have clicked
  • Language switches
  • Scroll depth
  • Approximate region derived server-side (your full IP address is not stored)

We do not set any tracking cookies. PostHog is configured to run without cookies and without IP storage. The configuration is described in §7 and verified at every release.

Data from PostHog is pseudonymised, not fully anonymised: each browser is assigned a random session identifier so we can follow a user's path within a single visit, but we do not link it to your email address or any other identifier.

IP addresses may appear in Vercel's technical logs for operations, debugging and abuse protection. They are not used for analytics or profiling.

3. Purpose and legal basis

Purpose Legal basis (GDPR)
Confirm your email address via a link (double opt-in) Consent, art. 6(1)(a)
Send you emails related to Nysta's launch: launch announcement and at most one reminder to create an account Consent, art. 6(1)(a)
Understand which channels people arrive from (UTM/referrer) to prioritise communication Legitimate interest, art. 6(1)(f)
Improve the landing page through pseudonymised analytics Legitimate interest, art. 6(1)(f)
Defend the sign-up form against abuse (rate limiting, spam filtering) Legitimate interest, art. 6(1)(f)

We only send you emails directly related to Nysta's launch. We do not send newsletters, offers or other marketing unless you explicitly opt in.

We do not carry out automated decision-making about you, and we do not profile you.

4. Recipients and sub-processors

We share your data with the following data processors. We have signed data processing agreements (DPAs) with all of them under GDPR art. 28.

Processor What is processed Where Function Transfer basis
SupabaseEmail, language, consent timestampEU (Frankfurt, AWS eu-central-1)DatabaseData resides in the EU. Supabase Inc. is US-based; any US support access happens under SCC.
Amazon Web Services (SES)Email address, sending metadataEU (Ireland, eu-west-1)Sending confirmation and launch emailsData resides in the EU. AWS Inc. is US-based; SCCs are included in the AWS Customer Agreement.
VercelRequest headers, IP address in hosting logs, pseudonymised analyticsEU + US edge networkHosting of nystaknit.comVercel Inc. is US-based. Transfers happen under SCC.
DanDomainDomain registration and DNS lookupsDenmarkDNS host for nystaknit.comEU-internal.
PostHogSession ID, page views, clicks, scroll depth, approximate regionEU (Frankfurt, eu.posthog.com)Pseudonymised product analyticsPostHog Inc. is US-based; any US support access happens under SCC.
SentryError data, browser type, code stack traces (no personally identifiable content)EU (Frankfurt, sentry.io EU region)Error monitoringSentry (Functional Software Inc.) is US-based; any US support access happens under SCC.

Data is processed primarily within the EU/EEA. For Vercel, requests may be routed through their US edge network, and for Supabase, PostHog and Sentry, US support access may occur. In both cases, the transfer takes place under the European Commission's Standard Contractual Clauses (SCC), supplemented by technical and organisational measures in line with EDPB recommendations following Schrems II.

5. How long we keep your data

Data Period Justification
Waiting-list sign-up Until you ask us to delete it, or up to 6 months after you have received the launch email Gives you time to create an account after launch before we clean up
Unconfirmed sign-ups (you never clicked the confirmation link) 30 days, then deleted automatically Without confirmation we have no valid consent
Pseudonymised statistics in PostHog 12 months Year-over-year comparison of channels and content
Error reports in Sentry 90 days Time to diagnose and fix errors

If you unsubscribe through the unsubscribe link in an email from us, your email is removed from the waiting list immediately. Your data will be fully deleted within 30 days.

6. Your rights

Under GDPR, you have the right to:

  • Access (art. 15). You can ask for a copy of the data we hold about you.
  • Rectification (art. 16). You can have incorrect information corrected.
  • Erasure (art. 17). You can ask us to delete your data.
  • Restriction (art. 18). You can require us to temporarily stop using your data while a dispute is resolved.
  • Data portability (art. 20). You can have your data delivered in a common, machine-readable format.
  • Objection (art. 21). You can object to processing based on legitimate interest.
  • Withdrawal of consent (art. 7(3)). You can withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Write to hi@nystaknit.com. We respond within one month under GDPR art. 12(3). For particularly complex requests the deadline may be extended by up to two months, in which case we will inform you.

Note that GDPR applies to people in the EU/EEA and the UK. If you are located elsewhere, you may have similar or different rights under your local data protection law.

You can always complain to the Danish Data Protection Authority (Datatilsynet):

  • Address: Carl Jacobsens Vej 35, 2500 Valby, Denmark
  • Phone: +45 33 19 32 00
  • Email: dt@datatilsynet.dk
  • Web: datatilsynet.dk

7. Security

We have implemented the following technical and organisational measures under GDPR art. 32:

  • All communication between your browser and nystaknit.com runs over TLS 1.2 or later (HTTPS).
  • Data at Supabase is encrypted at rest (AES-256) and in transit.
  • PostHog is configured without cookies and without IP storage; the configuration is verified at every release.
  • Sentry is configured with the EU region, no session replay, no PII storage, and only error reporting enabled.
  • Access to the database is limited to people with a work-related need, through individual, encrypted API keys.
  • Secrets (API keys, database credentials) are stored in encrypted environment variables on Vercel and are never used in client-side code.
  • We review our setup with every significant change to the landing page and document the changes.

8. Data breaches

If we become aware of a personal data breach that is likely to result in a risk to your rights, we will report it to the Danish Data Protection Authority within 72 hours under GDPR art. 33. If the breach is likely to result in a high risk, we will notify you directly without undue delay under art. 34.

9. Data Protection Officer (DPO)

We are not required to appoint a Data Protection Officer, as our processing does not meet the criteria in GDPR art. 37. Enquiries about data protection go to hi@nystaknit.com.

10. Children

Nysta is not aimed at children. The lawful age for consent to information society services is 13 years in Denmark under section 6(3) of the Danish Data Protection Act. Within the EU, the age varies between 13 and 16 depending on the member state of residence. We do not knowingly collect data about children below the applicable age. If you believe a child has signed up for the waiting list, please contact us and we will delete the information.

11. Governing law and venue

This policy and our processing of personal data are governed by Danish law. Disputes are settled by the Danish ordinary courts, with the District Court of Aarhus as the court of first instance.

12. Changes to this policy

We may change the policy. The current version is always available at nystaknit.com/privacy with the date of the last update at the top. Material changes are announced to the waiting list by email at least 14 days before they take effect.

13. Questions

Write to hi@nystaknit.com.