Privacy policy

Last updated: 2026-05-08

The short version

Nodus LLC operates a software platform that runs AI specialists for your firm. We collect the data needed to deliver the service. We don’t sell your data. We don’t use customer content to train AI models. You can ask for an export or deletion at any time by emailing support@nodusos.ai.

What we collect

  • Account data. Your name, email address, and authentication identifiers managed by Clerk.
  • Firm context. Your industry, company size, revenue range, brand voice samples, and the answers you provide during onboarding. We use this to configure the specialists for your firm.
  • Specialist conversations. Messages you exchange with your specialists in chat or voice. Voice call transcripts are generated and retained for a limited time.
  • Connected-tool data. When you connect a third-party service (Google, Microsoft, QuickBooks, Plaid, etc.), the specialist accesses data from that service on your behalf. Examples: calendar events you ask the executive assistant to schedule, transactions the finance specialist categorizes, drafts the marketing specialist writes for review.
  • Bank-account data (Plaid). If you connect a bank account through Plaid, we receive institution name, account type, masked account numbers, and transaction descriptions and amounts. We do not receive your full account number, login credentials, or ability to initiate transfers.
  • Payment data. Handled by Stripe. We see a receipt and the last four digits of your card. Stripe holds the full card data under PCI-DSS controls.
  • Operational data. Logs, error reports, and aggregated usage metrics so we can keep the service running and improve it.

How we use it

We process this data to operate Nodus for you, support you when you ask, bill you, and improve the product. Specifically:

  • Specialist conversations are processed by Anthropic’s API to generate responses. Anthropic’s commercial terms exclude customer API content from training.
  • Voice calls are processed by Vapi using ElevenLabs voices and Anthropic models. Transcripts are stored in our database for a limited window so you can review them.
  • Connected-tool data is fetched only when needed and only for the specific action you authorized.
  • We do not use your firm’s data to train AI models, and we do not share it with other customers.

Subprocessors

We share specific data with the providers below for the specific purposes listed. We don’t sell personal data, and we don’t share it for advertising.

  • Vercel — application hosting and edge runtime
  • Supabase — primary database and file storage; SOC 2 Type 2
  • Clerk — user authentication and session management
  • Stripe — payment processing; PCI-DSS Level 1
  • Anthropic — large language model API for specialist conversations
  • Vapi — voice infrastructure for specialist phone and browser calls
  • Plaid — bank-account data aggregation, when you choose to connect a bank
  • Composio — OAuth aggregation for many third-party integrations
  • Resend — transactional email delivery
  • Sentry — error monitoring; PII is scrubbed before storage
  • PostHog — product analytics; we configure this to avoid sending personal content in event payloads
  • Cloudflare — DNS and CDN
  • Google, Microsoft, and other connected-tool providers — only when you explicitly connect those tools through OAuth

We notify you at least 30 days before a new subprocessor begins handling your data. The current list is maintained on this page.

Where it lives

Customer data is stored in the United States by default. Backups and incident-response copies may briefly cross regions for durability. Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256). OAuth refresh tokens are additionally encrypted in our database with a separate key.

How long we keep it

  • Account profile and firm context: while your account is active, plus 90 days after cancellation
  • Specialist conversations: while your account is active, plus 30 days after cancellation
  • Voice call transcripts: 90 days while active, 30 days after cancellation
  • OAuth tokens and connected-tool data: deleted when you disconnect the integration or cancel your subscription
  • Bank-account data (Plaid): removed at cancellation or when you disconnect the bank
  • Payment and tax records: retained 7 years to meet US tax law
  • Backups age out within 30 days

Your rights

You can:

  • Request a copy of your data (export)
  • Ask us to correct inaccurate data
  • Ask us to delete your data
  • Withdraw your consent for any specific connected tool
  • Opt out of any future product analytics collection

For most of this, you can self-serve from your dashboard’s Settings and Integrations pages. For deletion or anything else, email support@nodusos.ai and we’ll respond within 72 hours and complete the request within 30 days.

If you’re in California, you have rights under the CCPA and CPRA, including the right to know what we collect, the right to delete it, and the right not to be discriminated against for exercising your rights. If you’re in Virginia, Colorado, Connecticut, Utah, or another state with a comprehensive privacy law, you have analogous rights. If you’re in the EU or UK, you have rights under GDPR and UK GDPR, including the right to access, rectify, erase, restrict processing, port, and object.

We don’t sell personal information as that term is defined under CCPA. We don’t share personal information for cross-context behavioral advertising.

Consent

When you sign up, you consent to the data processing described in this policy. When you connect a third-party tool, you provide additional consent through that tool’s own authorization screen, which describes specifically what data Nodus will receive. When you connect a bank account through Plaid, Plaid’s consent screen describes the data their service will share with Nodus.

You can withdraw consent for any specific tool at any time by disconnecting it from your dashboard. You can revoke all consent by requesting account deletion.

Cookies and tracking

We use cookies needed for sign-in and session management (managed by Clerk), and a small set of first-party analytics cookies (managed by PostHog and Vercel Analytics) to understand how customers use the product. We don’t use cross-site advertising trackers.

Children

Nodus is for businesses. We don’t knowingly collect data from children under 13. If you believe a child has provided us data, email support@nodusos.ai and we’ll delete it.

Security

We operate an information security program covering access controls, MFA, encryption, vulnerability management, and incident response. Production access requires multi-factor authentication. Customer-side MFA is enforced before connecting bank accounts via Plaid. If you believe you’ve discovered a security issue, email security@nodusos.ai. We’ll respond within 72 hours.

Changes to this policy

We’ll post updates here with a new “Last updated” date. For material changes, we’ll email account owners at least 30 days before the change takes effect.

Contact

General privacy questions: support@nodusos.ai. Security issues: security@nodusos.ai.

Mailing address (for legal notices): Nodus LLC, c/o Registered Agent, 611 South Dupont Highway, Suite 102, New Castle, DE 19720, USA.