Legal
Privacy Policy
Last updated: May 22, 2026
This Privacy Policy explains how Nodem LLC ("Nodem," "we," "us") collects, uses, shares, and protects information in connection with the Nodem website, applications, and services (the "Service"). We designed Nodem so that the information you put in stays yours. We do not sell your data, and we do not use the content of your network to train AI models or advertise to you.
1. Who is responsible for your data
Nodem LLC is the controller of personal data processed about you as a Nodem user (for example, your email, profile, and billing information). For the information you add about other people in your network ("Network Data"), you act as the controller and Nodem acts as your processor under your instructions.
When you share contacts with another Nodem user through a co-orbit, that user becomes a separate controller of the shared data on their own account.
2. Information we collect
Account information.
When you sign up, we collect your name, email address, password hash, and (if you enable it) two-factor authentication secrets.
Profile and preferences.
Bio, organisation, role, avatar, theme, background, onboarding answers, and relationship categories you create.
Network Data.
Contacts you add (name, email, phone, organisation, role, notes, social links, dates such as "met at" or "last contact," follow-up dates, closeness, position in the orbit map, archive state) and connections you draw between them.
Billing information.
Subscription tier, status, renewal dates, and identifiers from our payments provider (Paddle, who acts as Merchant of Record). We do not see or store full payment-card numbers.
Technical and security logs.
IP address, browser/device information, timestamps, and limited request metadata used to keep the Service secure and operational.
Communications.
Messages you send us (support, feedback, security reports).
3. How we use your information
- Provide the Service: store and display your network, sync across devices, send follow-up reminders, and power search.
- Account management: authenticate you, enforce subscription tiers, process payments, and respond to support requests.
- Security and abuse prevention: detect fraud, abuse, and unauthorised access.
- Service improvement: aggregate, de-identified usage analytics so we can understand which features work and which need attention.
- Legal compliance: comply with applicable laws and respond to lawful requests.
We do not use your Network Data or message content to train machine-learning models, and we do not show you third-party advertising.
4. Legal bases (EEA / UK users)
If you are in the EEA, UK, or Switzerland, we rely on the following legal bases:
- Contract — to provide the Service you signed up for.
- Legitimate interests — to secure the Service and improve it, balanced against your rights.
- Consent — for optional features that require it (you can withdraw consent at any time).
- Legal obligation — for tax, accounting, and compliance.
5. How we share information
We share data only with the providers necessary to run Nodem:
- Supabase — managed database, auth, and file storage (US/EU regions).
- Paddle — payment processing and Merchant of Record for subscriptions, including invoicing and tax compliance.
- Email delivery and analytics providers — transactional email and privacy-respecting product analytics.
- Law enforcement / regulators — only when required by valid legal process, and we will notify you where permitted.
We never sell your personal data, and we never share Network Data with advertisers or data brokers.
6. International transfers
Our providers may process data in the United States or the European Union. Where data leaves your region, we rely on appropriate safeguards (such as the EU Standard Contractual Clauses) to protect it.
7. Data retention
We keep your account and Network Data for as long as your account is active. When you delete your account (Settings → Danger Zone → Delete account), we permanently delete your profile, contacts, connections, orbits, categories, co-orbits, co-orbit layouts, contact-share requests, settings, and subscription record within 30 days. Paddle retains billing and invoice records per their own policies and applicable tax law.
You can export your contacts as JSON at any time from Settings → Export & Import.
8. Security
We protect your data with industry-standard measures: TLS in transit, encryption at rest, row-level security in the database (so users can only access their own rows), optional two-factor authentication, and server-side enforcement of plan limits. No system is 100% secure; please report suspected vulnerabilities to security@nodem.app.
9. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate data;
- Delete your data ("right to be forgotten");
- Export your data in a portable format;
- Object to or restrict certain processing;
- Withdraw consent at any time;
- Lodge a complaint with your local data protection authority.
Most of these you can exercise directly in the app. For anything else, email privacy@nodem.app and we will respond within 30 days.
10. Information about people who aren't Nodem users
Because Nodem is a personal CRM, our users add information about other people. We process that information on the user's behalf and only to provide the Service. If you are not a Nodem user and you believe a Nodem user has stored information about you, you can ask us to delete, share, or correct it.
Submit a request through our data-rights form or by email at privacy@nodem.app. We respond within 30 days. If a Nodem user has not given us enough information to locate records about you, we may need to ask you for additional identifiers (such as the email address or phone number they may have used).
11. Children
Nodem is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
12. Cookies and similar technologies
We use a small number of strictly necessary cookies and local storage entries to keep you signed in, remember your preferences (theme, background), and protect against abuse. We do not use third-party advertising cookies.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes we will notify you by email or in-app notice at least 14 days before they take effect. The "Last updated" date at the top reflects the latest revision.
14. Contact
Privacy questions, requests, and complaints: privacy@nodem.app or the data-rights form. General contact: hello@nodem.app. Operator: Nodem LLC.
