Privacy Policy

Last updated: [PLACEHOLDER - date]

This is an AI-drafted template. Fields marked [PLACEHOLDER] must be completed by the operator, and this policy should be reviewed by a qualified data-protection lawyer before it is relied upon.

1. Who we are (controller)

The controller responsible for the processing of personal data through nod. (usenod.io) is:

Mesper SH.P.K.
[PLACEHOLDER — street address]
[PLACEHOLDER — postal code, city], Kosovo
hello@usenod.io

Data protection contact: [PLACEHOLDER - DPO or responsible contact; we have not appointed a statutory DPO]. You can reach us about any privacy matter at hello@usenod.io.

2. What data we collect

  • Account data - your name and email address when you register, and authentication data.
  • Usage data - brands, campaigns, comments, approval statuses, and settings you create in the Service.
  • Uploaded creatives - images, videos, and copy you upload for review.
  • Reviewer details - email addresses of people you invite to review creatives, and their feedback.
  • AI prompts & inputs - briefs and prompts you submit to AI features, which are sent to our AI provider to generate a result.
  • Technical data - IP address, browser/device information, and timestamps collected automatically by our infrastructure for security and operation.

3. Legal bases for processing

  • Art. 6(1)(b) GDPR - performance of our contract with you (providing the Service, including AI features you invoke).
  • Art. 6(1)(a) GDPR - your consent (e.g. non-essential cookies / analytics, marketing communications).
  • Art. 6(1)(c) GDPR - compliance with legal obligations (e.g. tax records held by our Merchant of Record).
  • Art. 6(1)(f) GDPR - our legitimate interests in operating, securing, and improving the Service.

4. How we use your data

  • To provide, operate, and secure the Service.
  • To send transactional emails and review/approval notifications.
  • To generate AI suggestions from the inputs you submit.
  • To publish creatives to Meta when you connect and instruct that integration.
  • To improve the product based on aggregated usage.
  • To comply with legal and accounting obligations.

We do not sell your personal data.

5. Payments (Merchant of Record)

Paid plans are sold and processed by Paddle.com Market Ltd as our Merchant of Record. Card and payment details are entered with and handled by Paddle; nod. never sees or stores your card data. Paddle processes the personal data needed to take payment, invoice you, and calculate and remit tax/VAT, under its own privacy policy. We receive only limited billing metadata (e.g. plan, status, country, and a transaction reference) to manage your subscription.

6. Sub-processors & data flows

We use the following processors to operate the Service. Each is bound to process personal data only on our instructions and in accordance with the GDPR. Some are used only when you choose to enable the relevant feature.

Processor | Purpose | Region
Supabase | Database, authentication & file storage | [PLACEHOLDER — likely EU]
Vercel | Application hosting & CDN | Global / EU edge
Paddle (Paddle.com Market Ltd) | Payments & Merchant of Record | UK / EU
Google (Gemini API) | AI features - processes briefs & prompts you submit | EU / USA
Resend | Transactional email & notification delivery | EU / USA
Meta | Only when you connect Meta Ads to publish creatives | EU / USA
Slack / Microsoft Teams / Google Chat | Only if you connect them for notifications | Varies by provider

7. International transfers

Some processors may process data outside the EU/EEA (e.g. in the USA). Where this happens, the transfer is safeguarded by appropriate mechanisms such as the EU Standard Contractual Clauses and/or an adequacy decision (e.g. the EU-US Data Privacy Framework where the recipient is certified). You may request more detail on the safeguards in place at hello@usenod.io.

8. Data retention

We retain account and usage data for as long as your account is active. On account deletion, associated personal data is removed within [PLACEHOLDER — e.g. 30] days, except where we must retain limited records to meet legal obligations (e.g. billing/tax records held via our Merchant of Record). You can request deletion at any time (see section 9).

9. Your rights (GDPR)

You have the right to:

  • Access - request a copy of the personal data we hold about you.
  • Rectification - request correction of inaccurate data.
  • Erasure - request deletion of your data ("right to be forgotten").
  • Restriction - restrict processing in certain circumstances.
  • Portability - receive your data in a structured, machine-readable format.
  • Objection - object to processing based on legitimate interests.
  • Withdraw consent - at any time, where processing is based on consent.

To exercise any of these rights, contact hello@usenod.io. You also have the right to lodge a complaint with your local data-protection supervisory authority.

10. Cookies

nod. uses essential cookies required for authentication and session management, which cannot be disabled. Any non-essential cookies (e.g. analytics or marketing) are loaded only with your consent, which you give or decline through our cookie banner and can change at any time. For details and to manage your choices, use the cookie banner on the site.

11. Contact & changes

Questions about this policy, or to exercise your rights? Contact hello@usenod.io.

We may update this policy from time to time. Material changes will be communicated with reasonable notice, and the "Last updated" date above will reflect the latest version.