nixie.yt
nixie.yt
Your nixie companion, always in your pocket.
Free
Get
Legal document v1.6

Privacy Policy

How we process your data in the catalog, listings, chat and API — under GDPR.

Last updated: 2026-05-16 Jurisdiction: Polish law

The Polish version is the legally binding version.

This Privacy Policy explains how the Operator of nixie.yt processes data within the nixie tube catalog, knowledge base, private inventory, wishlist, classifieds board, chat, administration panel and API.

The controller of personal data is: InfoData S.A., ul. Trojańska 7/217, 02-261 Warsaw, Poland; KRS 0000589525; NIP (Polish tax ID) 5993179193; District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register; share capital PLN 100,000 paid up in full.

Privacy and GDPR contact: [email protected]. Operational contact, including content notices: [email protected].

English translation provided for convenience. In case of doubt, the Polish-language version is binding.

1. Data we process

  • Account: user name, email address, password hash, role, public advertiser alias, account type (private individual or Trader), preferred language, email verification date, account approval date and document acceptance date.
  • Apple and Google sign-in: you may create an account or sign in with Apple or Google. From these services we receive the data needed to identify you and create the account: your name or profile name, email address and the provider's stable identifier, respectively the Apple user identifier or Google sub identifier. If Google returns a profile avatar, we currently do not store it in your nixie.yt account. When using Apple, you may choose “Hide My Email”, so we may store an Apple relay address instead of your real email address.
  • Sessions and API: session identifiers, remember-me tokens, API tokens, device name provided for API login, token last-used date, IP address and user agent stored by session mechanisms and server logs.
  • Community catalog: tube models, manufacturers, symbols, descriptions, suggested edits, tube images, image notes and file metadata such as size, MIME type, dimensions and SHA-256 hash.
  • Knowledge base: article title, slug, excerpt, Markdown body, tags, tube references, moderation status, author identifier, approver identifier and creation, update and approval dates.
  • Classifieds board: listing type, tube model, quantity, condition, price, currency, description, exchange notes, listing images, public advertiser alias, listing status, archiving and listing change history, including price history.
  • Listing chat: conversation participant identifiers, aliases, message content, timestamps, read status and thread archive status.
  • Private inventory and wishlist: collection locations, location descriptions, owned tubes, quantities, condition, notes, wanted tubes and priorities.
  • Notifications: device token, platform, device name and last-used date if you enable push notifications.
  • Violation reports: URL, reported content identifier, description of the issue and contact details provided in report correspondence.
  • Administrative access log: administrator or moderator identifier, identifier of the user whose data was accessed, resource type and identifier, action, access reason, IP address, user agent and access time when an administrator or moderator accesses another user's private inventory or a reported chat message or thread.
  • Cookies and browser storage: data required for sessions, CSRF protection, theme preference and remembering the cookie notice. Details are available in the cookies policy.

If you upload images, make sure they do not contain data you do not want to publish, such as information visible in the frame or file metadata.

2. Purposes and legal bases

  • Creating and operating an account, login, email verification, account approval and service features - GDPR Article 6(1)(b).
  • Apple or Google sign-in - data received from the provider is used to create an account, sign you in, automatically link an existing account to a verified email address, ensure security, contact you and support the account. We do not use Apple or Google sign-in data for advertising, marketing tracking or advertising profiling without separate consent. Legal basis: GDPR Article 6(1)(b).
  • Operating the catalog, knowledge base, inventory, wishlist, classifieds board, chat and API - GDPR Article 6(1)(b).
  • Publishing approved catalog content, articles, images and listings identified by a public alias or author name - GDPR Article 6(1)(b) and, for maintaining catalog and knowledge-base quality, Article 6(1)(f).
  • Moderation, handling notices, administrative access logging, spam prevention, abuse prevention and unauthorized-access prevention - GDPR Article 6(1)(f) (legitimate interest — security of the Service and community, accountability of access to private data) and Article 6(1)(c) (legal obligation under the Digital Services Act — DSA).
  • Listing change history and price history (snapshots) - GDPR Article 6(1)(c) (obligations under Polish consumer law, in particular regarding price-reduction information) and Article 6(1)(f).
  • Trader identification data (company / trading name, address, registration number / VAT / tax ID, contact details) - GDPR Article 6(1)(f) (legitimate interest — transparency of Listings, protection of Users and the community, abuse prevention, handling of Notices) and Article 6(1)(c) to the extent the Operator is subject at the relevant time to legal obligations concerning such data (including those under Regulation (EU) 2022/2065 — DSA — where applicable). The data is collected and stored to support transparency of Listings by Traders shown to other Users and to fulfil any applicable legal obligations of the Operator.
  • Complaints, legal claims and other legal obligations - GDPR Article 6(1)(c) and 6(1)(f).
  • Technical logs and security (typically up to 12 months) - GDPR Article 6(1)(f) (legitimate interest — diagnostics, security, pursuit of claims).
  • Transactional emails about accounts, approvals, verification and new chat messages - GDPR Article 6(1)(b) and 6(1)(f).
  • Push notifications - GDPR Article 6(1)(a); you can disable them in your browser or device settings.
  • Cloudflare Turnstile, if enabled during registration - GDPR Article 6(1)(f), meaning protection of forms against automated abuse.

3. What is public

  • The approved tube catalog, approved catalog images and active approved listings are public.
  • Approved knowledge-base articles are publicly available — visible to all visitors, including those who are not logged in. An article may publicly show the author's name, creation date, title, excerpt, body, tags and tube references.
  • Pending articles are visible to the author and to administrators or moderators.
  • Listings publicly show the Advertiser's public alias, the Advertiser's account type label ("Private advertiser" or "Business advertiser"), listing details, price or exchange terms and images added to the listing.
  • User email addresses are not published in catalog or listing views. Full Trader details (e.g. business name, tax ID, address) are not published by the Service automatically — a Trader provides them themselves in the body of the Listing, to the extent required by law.
  • Inventory, collection locations and wishlist data are private to the account owner, subject to administrative access needed for security and service operation.
  • Chat messages are visible to conversation participants; administrators or moderators may access them when needed to handle reports, security or enforcement of the Terms. Moderator or administrator access to a reported chat message or thread is logged.

4. Data recipients

  • hosting, database, backup and file-storage providers, including local storage or S3/MinIO depending on production configuration;
  • email providers used for transactional emails and notifications;
  • Apple Inc. - for Sign in with Apple if you choose Apple login;
  • Google LLC - for Sign in with Google, Firebase Cloud Messaging for push notifications, Firebase scripts, Google Fonts and gstatic assets used by the interface;
  • Cloudflare, Inc. - for Turnstile if form protection is enabled;
  • authorized administrators and moderators of the Service;
  • other users and visitors, only for content that is public or that you send to a given user in chat;
  • public authorities or authorized entities where required by law.

The Operator does not sell personal data.

5. Transfers outside the EEA

Some providers, in particular Apple, Google, Firebase and Cloudflare, may process data outside the European Economic Area. In such cases, mechanisms required by GDPR are used, especially adequacy decisions or Standard Contractual Clauses.

6. Retention

  • Account data is kept for the life of the account and, after deletion, for the period needed for reports, security and claims.
  • Apple or Google login-link data, including the provider and provider identifier, is removed with the account unless retaining a specific item is needed for security, report handling, claims or legal duties. Temporary data used to finish Apple or Google registration is kept only for the time needed to complete that process or until the session or short-lived token expires.
  • Public catalog contributions, including approved images and technical data, may remain in the Service after account deletion to preserve catalog integrity; where possible they are detached from identifying author data.
  • Knowledge-base articles may be deleted together with the author's account, unpublished, anonymised or retained where needed for knowledge-base consistency, report handling, security or claims.
  • Listings, listing archives and change history, including price history, are kept as needed to operate the classifieds board, handle reports, document changes and protect claims.
  • Chat messages are kept for the life of participant accounts and for the period needed for security, reports and claims.
  • Private inventory and wishlist data are removed with the account unless further retention is required for security or claims.
  • Device tokens are kept until notifications are disabled, the device is unregistered or the account is deleted.
  • Administrative access logs are usually kept for up to 24 months unless a specific security incident, report, complaint, claim or legal duty requires longer retention.
  • Technical logs are kept as long as needed for security and diagnostics, usually no longer than 12 months unless a specific incident requires longer retention.
  • Backups are retained in a rolling cycle covering the last 90 days and are then overwritten or deleted. Data removed from the production system may remain in backups until the end of that cycle, and access is limited to system restore, security, legal-duty or claims situations.

7. Your rights

You have the right to access, rectify, erase, restrict processing, transfer data, object to processing based on legitimate interest and withdraw consent where processing is based on consent.

You can delete your account in profile settings, through the mobile app API or by contacting the Operator. Deleting the nixie.yt account deletes the application account and the data subject to deletion per the “Retention” section, but does not always remove public catalog contributions, approved articles together with their images, listing archives, price history, Notices, security logs and data needed for claims or legal obligations. Unpublished articles (pending moderation or rejected) together with their images are removed with the account — they were never published, so the purpose of their processing ends when the author leaves. Deleting the nixie.yt account does not delete your Apple or Google account. In the mobile app, users signed in with Apple or Google can delete their account directly by re-authenticating with their identity provider — no password required. On the website, if you sign in only with Apple or Google, you may first set a password through password reset or contact the Operator.

The Service currently does not provide a self-service button to disconnect Apple or Google without deleting the account. You can revoke nixie.yt access in your Apple or Google account settings; doing so does not automatically delete your nixie.yt account. If you want to disconnect the login provider on the nixie.yt side and continue using the account, contact the Operator.

Send GDPR rights requests to [email protected] (formal channel). For operational matters and Notices about Content, you may also write to [email protected]. You also have the right to lodge a complaint with the Polish President of the Personal Data Protection Office.

8. Automated decisions

Activating (verifying) a new account may be carried out with the help of an automated AI assistant. After you confirm your email address your account awaits verification, and the welcome message sets out two clearly marked paths: a faster one using the AI assistant at [email protected], and a human contact at [email protected]. Using the AI assistant is optional. The AI assistant runs on the Operator's own infrastructure (InfoData S.A.) — for this purpose your account data is not shared with any third-party AI provider or transferred outside the European Economic Area.

Human oversight and intervention are ensured. Accounts are also reviewed by administrators or moderators, and at any time you have the right to request human review, to express your point of view and to contest the outcome — by writing to [email protected]. No decision producing legal effects or similarly significant effects is taken solely on the basis of automated processing, without the possibility of human intervention (GDPR Article 22). Content moderation is performed by administrators or moderators.

9. Security

The Service uses Laravel mechanisms including password hashing, CSRF protection, sessions, permissions, moderation, access restrictions (API rate limiting), file-upload validation and — for protection of public forms — the Cloudflare Turnstile service. The Operator also applies anti-abuse mechanisms compliant with the DSA (including limits on repeat infringements and on manifestly unfounded notices). No system can guarantee complete security, so use a unique password and do not publish data you do not want to disclose.

10. Changes

This Policy may be updated when service features, infrastructure providers or legal requirements change. The current version is always available at this address.

Legal or privacy questions?

Write to [email protected]

Send a message