Version 1.2 (14-08-2025)
Nothing to hide (NTH) is a privacy infrastructure provider based in The Netherlands. As a part of the Church of Cyberology (also Cyberology hereafter), we operate privacy-enhancing services world wide and in this privacy statement we will elaborate on what personal data we collect, how we collect personal data, for what purposes we use personal data, how we retain personal data and to whom personal data is disclosed by us. Further, this privacy statement includes information regarding your rights with respect to the processing of your personal data. If you have any questions about the processing of (your) personal data, please contact us.
Our public services are built in accordance with current privacy design strategies and best practices in mind. In short this means:
- We limit, separate, abstract and hide (the processing of) personal data as much as possible.
- We’re transparent about the processing of personal data to our data subjects.
- We will never sell personal data to third-parties.
- We don’t share personal data with third-parties unless it’s one of our data processors or unless we are compelled to do so by lawful and valid request by a competent authority.
1 Website
When you visit our websites, your IP address and browser user agent are processed by our webserver in order to serve the website’s content to your browser. In addition we retain these personal data for 30 days for the purpose of finding and preventing abuse and keeping the website available.
Our webservers run on infrastructure and servers provided by Nozel, a small infrastructure provider based in the Netherlands. In the context of the GDPR, Nozel acts as the data processor for this service.
| Personal data | Controller | Processor | Purpose | Legal basis |
|---|---|---|---|---|
| IP address | Cyberology | Nozel | Detect and prevent abuse/availability | Legitimate interest |
| Browser user agent | Cyberology | Nozel | Detect and prevent abuse/availability | Legitimate interest |
2 Email
You can send us an email. In order to receive, read, reply to and (permanently) archive these emails we process your mail server’s IP address, contents of the email and email address(es)/account name(s) of email recipients and senders.
Nothing to hide uses the Netherlands based secure email service provider Soverin by Soverin B.V. (Soverin).
| Personal data | Controller | Processor | Purpose | Legal basis |
|---|---|---|---|---|
| Mail server’s IP | Cyberology | Soverin | Handling email | Legitimate interest |
| Email address | Cyberology | Soverin | Handling email | Legitimate interest |
| Name(s) | Cyberology | Soverin | Handling email | Legitimate interest |
| Email content | Cyberology | Soverin | Handling email | Legitimate interest |
3 Tor
When you use one of our Tor relays, your traffic will be routed through our infrastructure. Nothing to hide operates many Tor exit relays, but we also have a few Tor guard/middle relays. Do note that under normal circumstances (i.e. using the Tor Browser) our guard/middle and exit relays won’t be used together.
We don’t log anything regarding the Tor relays or Tor traffic so although we process such data on a real-time basis, we are not able to educe or reproduce these data.
3.1 Guard relays
When you use one of our guard relays, your current outgoing IP address and your heavily encrypted traffic content are processed. We retain the IP address for the duration of your connection to our guard relay while the encrypted content is processed on a real-time basis to and from the middle relay (generally less than a second per packet).
| Personal data | Controller | Purpose | Legal basis |
|---|---|---|---|
| Source IP address | Cyberology | Required for Tor | Legitimate interest |
| Encrypted content | Cyberology | Required for Tor | Legitimate interest |
3.2 Middle relays
When you use one of our middle relays, your heavily encrypted traffic content are processed. We retain these personal data until the packets have been delivered to the target exit relay (your requests) or your device (their response), generally less than a second.
| Personal data | Controller | Purpose | Legal basis |
|---|---|---|---|
| Encrypted content | Cyberology | Required for Tor | Legitimate interest |
3.3 Exit relays
When you use one of our exit relays, the destination IP address of your request and your traffic content are processed. We retain these personal data until the packets have been delivered to the target server (your request) or your device (their response), generally less than a second. Do note that the traffic content in this stage of Tor isn’t encrypted by Tor, so make sure to use another encryption mechanism such as TLS.
| Personal data | Controller | Purpose | Legal basis |
|---|---|---|---|
| Destination IP address | Cyberology | Required for Tor | Legitimate interest |
| Encrypted content | Cyberology | Required for Tor | Legitimate interest |
3.4 Processing outside of the EEA
Because of the global scope and purpose of the Tor network, it is possible or even likely that your personal data transferred through one of our Tor relays will be transferred to (other data controllers and their data processors in) countries outside of the European Economic Area (EEA). The EEA comprises all EU countries, Norway, Liechtenstein and Iceland.
In general transfers of personal data to countries outside of the EEA are subject to additional rules under the General Data Protection Regulation (GDPR). Due to the nature of the Tor network we can’t give any guarantees about appropriate safeguards. Please be mindful about what Tor relays are part of your circuit and your traffic destination.
4 DNS servers
When you use our DNS servers, your current outgoing IP address and the content of the DNS query itself are processed by our DNS servers. Your DNS queries will be encrypted before they are send to us for further processing. This makes sure parties with a network presence in between your client (requesting a specific DNS record) and the DNS server (answering) can’t eavesdrop on the DNS query/answer content.
You will also automatically use our DNS servers if you use one of our Tor exit relays, because those DNS queries are resolved by our own DNS servers. In this case your current outgoing IP address isn’t processed by us.
| Personal data | Controller | Purpose | Legal basis |
|---|---|---|---|
| Source IP address | Cyberology | Required for DNS | Legitimate interest |
| DNS query content | Cyberology | Required for DNS | Legitimate interest |
5 Donations and payments
In order to use our donation and payment facilities, in many cases personal identifiable information must be processed. Donations and payments can be made either via a direct bank transfer or through our payment service provider.
5.1 Direct bank transfer
You have the option to make a payment or donation via a direct bank transfer to our bank account. Your bank will process the transaction, and the details of the transfer will appear on our bank statement. We process this personal data to identify your payment or donation and to fulfill our legal obligations for accounting and record-keeping.
We use an ING banking account by the Netherlands based ING Bank N.V. (ING).
| Personal data | Controller | Processor | Purpose | Legal basis |
| Name of account holder | Cyberology | Your bank, ING | Identify payment, accounting | Contract, Legal obligation |
| Bank account number (IBAN) | Cyberology | Your bank, ING | Identify payment, accounting | Contract, Legal obligation |
| Transaction amount and reference | Cyberology | Your bank, ING | Identify payment, accounting | Contract, Legal obligation |
Please be aware that your bank and ING are also independent data controllers for their own purposes, such as legal compliance and fraud prevention. We encourage you to consult their respective privacy statements for more information on how they process your personal data.
5.2 Other payment methods
Other payment processing (such as credit cards) is handled by our payment service provider Mollie by Mollie B.V. (Mollie), a Netherlands-based company. When you enter your payment information, you are redirected to Mollie’s secure payment environment. As a result, we do not store sensitive payment details such as your full credit card number on our servers. Instead, we receive a unique payment token and transaction details from Mollie to manage the payment and any recurring donations you have set up.
| Personal data | Controller | Processor | Purpose | Legal basis |
| Name | Cyberology | Mollie | Process transaction, send receipts, accounting | Contract, Legal obligation |
| Email address | Cyberology | Mollie | Process transaction, send receipts, accounting | Contract, Legal obligation |
| Transaction details (ID, IBAN, amount, date) | Cyberology | Mollie | Accounting | Legal obligation |
| Payment token/mandate for recurring payments | Cyberology | Mollie | Manage recurring payments | Contract |
Please be aware that Mollie is also an independent data controller for its own purposes, such as legal compliance and fraud prevention. We encourage you to consult their respective privacy statements for more information on how they process your personal data.
6 Your rights
Although the GDPR only applies to data subjects who are in the European Economic Area, we will take every request and complaint seriously no matter the data subject’s physical location on planet earth.
- You may ask us for information about your personal data.
- You may ask us for access to your personal data.
- You may object to the processing of your personal data by us.
- You may ask us to rectify your personal data.
- You may ask us to delete your personal data.
- You may ask us to restrict the processing of your personal data.
- You may ask us to receive your personal data in a structured, commonly used and machine readable format.
And finally, you have the right to lodge a complaint with the Dutch Data Protection Authority.
7 Policy review
We will periodically review and update this Privacy Policy to ensure it remains current, effective, and consistent with our mission.