This Privacy Policy describes how NodeLoom ("NodeLoom," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use the NodeLoom platform, including our website at nodeloom.io, APIs, embeddable chat widgets, documentation, and related services (collectively, the "Service"). This Policy applies to all users of the Service, including account holders, team members, and visitors to our website.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
1. Information We Collect
1.1 Information You Provide
- Account Information: When you register, we collect your name, email address, and password (stored as a cryptographic hash, never in plain text).
- Team and Organization Data: Team name, member information, and role assignments.
- Payment Information: Billing details and payment method information processed through our payment processor (Stripe). We do not store full credit card numbers on our servers.
- Support Communications: Information you provide when contacting support, submitting tickets, or providing feedback.
- Credentials: API keys, OAuth tokens, and other credentials you store in the Service for connecting to third-party services. These are encrypted at rest using AES-256 encryption and are only used to execute workflows on your behalf.
1.2 Information Generated Through Use
- Workflow Data: Workflow configurations, node settings, execution logs, and outputs generated by your workflows.
- Chat Data: Conversations with AI agents, including messages, tool call logs, and agent responses, whether through the agent chat interface or embeddable widgets.
- Audit Logs: Activity records including actions performed, timestamps, and associated user and team identifiers.
- Usage Data: Feature usage, API calls, workflow execution counts, token consumption, and other usage metrics.
1.3 Information Collected Automatically
- Authentication Data: We use httpOnly cookies for session management and authentication. These cookies are not accessible to client-side JavaScript and are transmitted only over secure connections.
- Server Logs: IP addresses, browser type, operating system, referring URLs, and request timestamps.
- Device Information: Device type, screen resolution, and language preferences.
1.4 Information from Third Parties
- OAuth Providers: When you connect third-party accounts (e.g., Google, GitHub, Slack), we receive tokens and basic profile information as authorized by you through the OAuth flow.
- Payment Processor: We receive transaction status, payment confirmation, and limited billing information from Stripe.
1.5 Chat Widget Visitor Data
When end users interact with embeddable chat widgets deployed on third-party websites, we may collect: IP addresses (for rate limiting), conversation content, and any information the end user voluntarily provides (such as email address, if configured by the widget operator). Widget operators (our customers) are responsible for providing their own privacy disclosures to end users.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: Operating, maintaining, and delivering the features of the Service, including executing workflows, processing AI requests, and managing your account.
- Authentication and Security: Verifying your identity, protecting against unauthorized access, detecting fraud, and enforcing our Terms of Service.
- Billing and Payments: Processing payments, managing subscriptions, and enforcing usage limits.
- Support: Responding to your inquiries, troubleshooting issues, and providing technical assistance.
- Communications: Sending transactional emails (account verification, password resets, billing notifications, trial expiration alerts, usage warnings) and, with your consent, product updates and announcements.
- Service Improvement: Analyzing aggregated, anonymized usage patterns to improve the Service, fix bugs, and develop new features. We do not use your Customer Data (including workflow configurations, credentials, or conversation content) to train AI models.
- Compliance: Fulfilling legal obligations, responding to lawful requests, and enforcing our agreements.
- Safety: Detecting and preventing abuse, security threats, and violations of our acceptable use policies.
3. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service, manage your account, and fulfill our contractual obligations.
- Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, including service improvement, security, fraud prevention, and analytics, where those interests are not overridden by your rights.
- Consent (Article 6(1)(a)): Processing based on your explicit consent, such as marketing communications. You may withdraw consent at any time.
- Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable legal requirements.
4. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
- Service Providers: We share information with trusted third-party service providers who perform services on our behalf, including payment processing (Stripe), email delivery, and infrastructure hosting. These providers are contractually obligated to use your information only for the purposes of providing services to us and are bound by data processing agreements.
- AI Providers: When you use AI features, your prompts and relevant data are transmitted to the AI provider you select (e.g., OpenAI, Anthropic, Google Gemini). This transmission is necessary to provide the AI functionality you request. Each provider's use of your data is governed by their own privacy policies.
- Third-Party Integrations: When you connect third-party services through your workflows, data is transmitted to those services as directed by your workflow configurations. You control which services are connected and what data is transmitted.
- Legal Requirements: We may disclose your information if required by law, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of NodeLoom, our users, or the public.
- Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the successor entity. We will notify you of any such change in ownership or control of your personal information.
- With Your Consent: We may share your information with third parties when you have given us explicit consent to do so.
5. Data Retention
5.1 Active Accounts. We retain your personal information for as long as your account is active or as needed to provide the Service. Workflow execution logs and audit logs are retained in accordance with your team's configured retention policies (configurable by account administrators).
5.2 Terminated Accounts. Upon account termination, we retain your Customer Data for thirty (30) days to allow for export. After this period, Customer Data is permanently deleted from our active systems. Backups containing your data may persist for up to ninety (90) additional days before being purged through our normal backup rotation cycle.
5.3 Legal Requirements. We may retain certain information for longer periods as required by applicable law, including for tax, legal, and audit purposes.
5.4 Anonymized Data. We may retain aggregated, anonymized data that does not identify any individual for an indefinite period for analytics and service improvement purposes.
6. Data Security
We implement comprehensive security measures to protect your information, including:
- Encryption: All data is encrypted in transit (TLS), and sensitive data (including credentials) is encrypted at rest using AES-256 encryption.
- Access Controls: Role-based access control (RBAC) with four roles (Admin, Builder, Operator, Viewer) ensures that team members only access what they need.
- Authentication: Secure authentication using httpOnly cookies with configurable security attributes. Passwords are cryptographically hashed and never stored in plain text.
- Audit Logging: Comprehensive audit trails with cryptographic integrity verification for tamper detection.
- Code Execution Isolation: All user code executes in isolated, hardened containers with multiple layers of OS-level protection.
- Regular Assessments: We conduct regular security assessments and vulnerability testing.
While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your information.
7. International Data Transfers
7.1 Transfer Mechanisms. If you are located outside the United States, your information may be transferred to and processed in the United States or other countries where our service providers operate. We ensure that such transfers comply with applicable data protection laws through appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.
7.2 Self-Hosted Deployments. If you use a self-hosted deployment, your Customer Data is stored on your own infrastructure in the jurisdiction you choose. NodeLoom does not have access to Customer Data in self-hosted deployments except as required for license validation (which transmits only the license key and a machine identifier, not Customer Data).
8. Your Rights
8.1 Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete personal data.
- Erasure: Request deletion of your personal data, subject to legal retention requirements.
- Restriction: Request that we restrict processing of your personal data in certain circumstances.
- Portability: Request a copy of your personal data in a structured, commonly used, machine-readable format.
- Objection: Object to processing of your personal data based on legitimate interests.
- Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Lodge a Complaint: File a complaint with your local data protection authority.
8.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know: Request information about the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. As such, there is no need to opt out.
- Right to Limit Use of Sensitive Personal Information: Request that we limit the use and disclosure of your sensitive personal information to what is necessary to perform the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
Categories of Personal Information Collected: Identifiers (name, email, IP address); commercial information (subscription plan, payment history); internet or electronic network activity (usage data, server logs); professional information (team and role data); and inferences drawn from the above.
Sensitive Personal Information: We may process account login credentials (email and password). We do not collect Social Security numbers, financial account numbers, precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric data, health information, or sexual orientation.
8.3 Additional State Privacy Rights
Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have similar rights to access, correct, delete, and opt out. To exercise your rights, contact us at privacy@nodeloom.io.
8.4 Exercising Your Rights
To exercise any of the rights described above, please contact us at privacy@nodeloom.io. We will respond to your request within thirty (30) days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.
9. AI and Automated Decision-Making
9.1 AI Processing. The Service enables you to create workflows that use third-party AI models. When you use AI features, your prompts and data are sent to the AI provider you select. The processing of your data by third-party AI providers is governed by their respective privacy policies. NodeLoom does not use your Customer Data to train AI models.
9.2 Automated Decision-Making. The Service may perform automated processing as configured by you through workflows (e.g., AI Decision nodes, AI Classifier nodes). NodeLoom does not make automated decisions about you based on profiling that produce legal or similarly significant effects. If you use the Service to make automated decisions about your own end users, you are responsible for compliance with applicable laws regarding automated decision-making, including providing appropriate disclosures and mechanisms for human review.
9.3 AI Safety. The Service includes configurable guardrails for prompt injection detection, PII redaction, and content filtering. These features operate on your data only within the Service and are designed to enhance safety, not for surveillance or profiling.
10. Cookies and Tracking
10.1 Essential Cookies. We use essential httpOnly cookies for authentication and session management. These cookies are strictly necessary for the Service to function and cannot be disabled.
10.2 No Third-Party Tracking. We do not use third-party tracking cookies, advertising cookies, or cross-site tracking technologies. We do not participate in ad networks or behavioral advertising.
10.3 CAPTCHA. We use Cloudflare Turnstile on certain pages (such as registration) for bot protection. This service may set cookies and collect limited data as described in Cloudflare's privacy policy. This processing is based on our legitimate interest in preventing abuse.
11. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child, please contact us at privacy@nodeloom.io.
12. Data Processing Agreement
If you are a customer that requires a Data Processing Agreement (DPA) for GDPR compliance, we offer a standard DPA that covers our obligations as a data processor. To request a DPA, contact us at legal@nodeloom.io. The DPA covers: processing instructions, security measures, sub-processor management, data breach notification, audit rights, and data deletion upon termination.
13. Sub-Processors
We use the following categories of sub-processors to provide the Service:
- Cloud Infrastructure: Hosting and infrastructure services for the SaaS Instance.
- Payment Processing: Stripe for subscription billing and payment processing.
- Email Delivery: Transactional email services for account notifications.
- AI Providers: Third-party AI model providers (as selected by you) for AI workflow execution.
A current list of sub-processors is available upon request at privacy@nodeloom.io. We will notify customers of any changes to our sub-processor list with at least thirty (30) days' advance notice.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Material changes will be communicated with at least thirty (30) days' prior notice via email or in-product notification before they take effect. We encourage you to review this Privacy Policy periodically. The "Last updated" date at the top indicates when this Policy was last revised.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
- Privacy inquiries: privacy@nodeloom.io
- Legal inquiries: legal@nodeloom.io
- Security concerns: security@nodeloom.io
- Website: https://nodeloom.io
If you are located in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.