
Privacy Policy

Nodest is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have.

"You" or "User" refers to any individual who visits our website, registers for an account, or uses the Nodest platform in any capacity.

This Privacy Policy is incorporated into, and forms part of, our Terms of Service. Capitalised terms not defined here have the meanings given in the Terms of Service.

If you have any questions about this policy or wish to exercise your rights, contact us at: privacy@nodest.com.

1. Who We Are

The data controller responsible for your personal data is:

Nodest
Janine Große-Beck
Grünewalder Straße 29-31
42657 Solingen Germany

Email: privacy@nodest.com
Website: nodest.com

VAT ID: DE286813247

Responsible person for content pursuant to § 55 Abs. 2 RStV: Janine Große-Beck

2. Scope & Updates

This Privacy Policy applies to all Users of nodest.com, the Nodest web application, the Nodest API, and the Nodest WordPress plugin.

It does not apply to third-party services or applications that you connect to via Integrations — those services have their own privacy policies that govern their data processing.

We may update this Privacy Policy from time to time. For material changes, we will notify registered users by email at least 14 days before the change takes effect. The latest version is always available at nodest.com/privacy. The "last updated" date at the top of this document indicates when changes were last made.

3. Categories of Personal Data We Process

Depending on how you use Nodest, we may process the following categories of personal data:

Contact Data — information used to identify and contact you, such as your name, email address, and country of residence.

Account & Usage Data — information relating to your account and use of the Service, including workspace identifiers, account settings, authentication events, Automation configurations, enabled Integrations, feature usage metrics, and subscription details.

Automation Execution Data (Customer Data) — data that flows through your Automations when they run, including trigger payloads, node inputs and outputs, API responses, and webhook bodies. This data is yours. We process it solely to execute your Automations and store it temporarily in Execution Logs. See § 8 for full detail.

Communication Data — content of messages you send us, including support requests, emails, and feedback.

Payment & Billing Data — plan selection, billing history, and invoice records. Payment card data is processed directly by Stripe and never stored by Nodest.

Traffic & Device Data — technical information generated when you access the Service or our website, including IP address, browser type, operating system, timestamps, and referral URLs.

Marketing Data — where applicable, information relating to your communication preferences or newsletter subscriptions.

Our Service is not intended for individuals under 16 years of age. See § 21 for more detail.

4. Overview of Processing Activities

The table below provides a structured overview of our main data processing activities, the personal data involved, the purpose, and the legal basis under GDPR.

| Purpose | Personal Data | Description | Legal Basis |
|---|---|---|---|
| Account registration & management | Contact Data, Account & Usage Data | Creating and maintaining user accounts, authentication, account settings | Art. 6(1)(b) GDPR — contract performance |
| Providing and operating the Service | Account & Usage Data, Automation Execution Data | Executing Automations, storing Execution Logs, displaying results, running the platform | Art. 6(1)(b) GDPR — contract performance |
| Payment processing | Contact Data, Billing Data | Processing subscription payments, invoicing, VAT compliance, fraud prevention | Art. 6(1)(b) GDPR — contract performance; Art. 6(1)(c) GDPR — legal obligation |
| Service improvement | Account & Usage Data, Traffic & Device Data | Analysing feature usage, error rates, and performance to improve the Service | Art. 6(1)(f) GDPR — legitimate interests |
| Security & fraud prevention | All categories as needed | Detecting abuse, preventing unauthorised access, protecting infrastructure | Art. 6(1)(f) GDPR — legitimate interests |
| Customer support | Contact Data, Communication Data, Account & Usage Data | Responding to support requests, resolving issues, managing customer relationships | Art. 6(1)(f) GDPR — legitimate interests |
| Transactional email delivery | Contact Data | Sending verification emails, password resets, invoices, and service notifications | Art. 6(1)(b) GDPR — contract performance |
| Website analytics | Traffic & Device Data | Understanding how visitors use nodest.com to improve the website | Art. 6(1)(a) GDPR — consent (via cookie banner); § 25(1) TDDDG |
| Legal compliance & record-keeping | Contact Data, Billing Data | Complying with tax, commercial, and regulatory obligations | Art. 6(1)(c) GDPR — legal obligation |
| Marketing communications | Contact Data, Marketing Data | Sending product updates or newsletters where you have opted in | Art. 6(1)(a) GDPR — consent |

5. When You Visit Our Website

When you visit nodest.com, our servers automatically record access data in server log files. This includes:

  • Date and time of the visit
  • IP address (anonymised after session end)
  • Browser type and version
  • Operating system
  • Pages visited and time spent
  • Referral URL

This data is processed to ensure the stable and secure operation of the website, to diagnose technical issues, and to protect against attacks. It is not linked to your identity unless required for security investigation purposes.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in operating a secure, functional website. Log files are retained for 30 days and then deleted.

6. When You Register for an Account

When you create a Nodest account, we collect:

  • Your name
  • Your email address
  • Your password
  • Your job title
  • The industry you work in
  • The company you are associated with
  • The website of your company
  • Account creation timestamp and IP address

We use this data to create your account, enable authentication, and fulfil our contractual obligations under the Terms of Service.

Legal basis: Art. 6(1)(b) GDPR — performance of the contract between you and Nodest.

We send a verification email to the address you provide to confirm your identity. This is processed via Brevo — see § 13.

You can delete your account at any time via account settings or by contacting support@nodest.com. Upon deletion, your account data is retained for 30 days before permanent deletion, except for billing records, which are subject to statutory retention periods (see § 15).

7. When You Use the Service

When you use the Nodest platform — creating Workspaces, building Automations, configuring Integrations, or reviewing Execution Logs — we process:

  • Workspace and Automation configurations you create
  • Feature interactions and usage events (e.g. which node types you use, how often Automations run)
  • Error events and performance data (without the content of your Customer Data)
  • Authentication events (login, logout, token refresh)

We use this data to operate the Service, to diagnose and fix bugs, to understand how features are used, and to improve the product experience.

Legal basis: Art. 6(1)(b) GDPR — contract performance (operating the Service); Art. 6(1)(f) GDPR — legitimate interest in improving and securing the Service.

We do not use personal data from your use of the Service to train machine learning or AI models. We do not sell or share your usage data with third parties for their own marketing purposes.

8. How Your Automations Process Data

This section is important if you use Nodest to process data from your WordPress site or from third-party APIs, as it may involve personal data about your customers or users.

What happens when an Automation runs. When a trigger fires (e.g. a WordPress event, an incoming webhook, or a scheduled cron), data flows through the configured nodes in your Automation. Nodest's execution engine processes this data transiently — reading it, applying your configured logic, and passing outputs to the next node or Integration. The input and output of each node is recorded in an Execution Log for the duration of the retention period applicable to your subscription plan.

What Nodest does with this data. We process Automation Execution Data solely to execute your Automations and display the results in your account. We do not analyse the content of your Automation data for our own purposes, use it for advertising, or share it with third parties except as required to operate the Service (e.g. our hosting provider, Hetzner, stores the data on disk).

Execution Log retention. Execution Logs are retained for a plan-dependent period specified in the Documentation. After this period, logs are permanently and irreversibly deleted. You may also manually delete individual Execution Logs at any time from within the Service.

You are the data controller. For any personal data of third parties (e.g. your WordPress visitors, WooCommerce customers, or API data subjects) that passes through your Automations, you are the data controller under GDPR. Nodest acts as your data processor. This means:

  • You are responsible for ensuring you have a lawful basis for processing that personal data
  • You are responsible for informing those individuals about the processing in your own privacy notices
  • You must not pass special category data (Art. 9 GDPR — health, biometric, racial, religious, or similar data) through Automations without appropriate safeguards and a specific legal basis
  • You are responsible for responding to data subject rights requests in relation to data within your Automations

A Data Processing Agreement, as required by GDPR Art. 28, is available at nodest.com/dpa. B2B Customers processing personal data through the Service are required to execute the DPA.

Credentials and API keys. When you configure Integrations, you may provide API keys, tokens, OAuth credentials, or other secrets. Nodest stores these credentials in encrypted form. We use them solely to authenticate the Integration connections you configure. You are responsible for revoking credentials upon account termination or if you suspect they have been compromised.

9. When You Install the WordPress Plugin

The Nodest WordPress plugin enables your WordPress site to communicate with the Nodest platform. When the plugin is active:

  • WordPress events you configure as triggers are sent from your WordPress site to Nodest via HTTPS
  • Actions configured in your Automations may send data back to WordPress via the plugin's REST bridge
  • The plugin authenticates these requests using your Nodest API key, stored in your WordPress database

Nodest does not have direct access to your WordPress database or your site's visitor data. We only receive data that your Automations are explicitly configured to send.

You are responsible for the installation, configuration, maintenance, and security of the WordPress plugin and your WordPress environment. You should keep the plugin up to date to receive security patches.

Legal basis: Art. 6(1)(b) GDPR — contract performance (enabling the core functionality of the Service).

When you upgrade to a paid plan, we additionally process:

  • Plan selection and subscription start date
  • Billing contact information (name, email, billing address)
  • Invoice records

Payment processing is handled by Stripe, Inc. Stripe collects and processes your payment card details directly. Nodest does not store card numbers, CVV codes, or other raw payment credentials. Stripe may act as an independent data controller for payment data processed in its own name.

Invoices are issued electronically and retained for 10 years in compliance with German commercial law (§ 147 AO / § 257 HGB).

Legal basis: Art. 6(1)(b) GDPR — contract performance; Art. 6(1)(c) GDPR — legal obligation (tax and commercial record-keeping).

11. When You Contact Us or Request Support

When you contact us by email or via support channels, we process:

  • Your name and email address
  • The content of your message and any attachments or screenshots you provide
  • Account context relevant to your support request

We use this data solely to respond to and resolve your inquiry. We do not use support communications for marketing purposes without your separate consent.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in responding effectively to customer inquiries and resolving issues.

Support communication data is retained for 2 years from the date the matter was resolved, after which it is deleted.

12. Analytics & Tracking (Google Analytics)

Our website (nodest.com) uses Google Analytics, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics helps us understand how visitors use the website so we can improve it.

Google Analytics collects:

  • Pages visited, navigation paths, and time on page
  • Referral sources (where you came from)
  • Browser type, device type, and operating system
  • Approximate geographic location (country and city level)
  • Anonymised IP address (IP anonymisation is enabled — your full IP address is never stored by Google Analytics)

This processing occurs only with your consent, given via our cookie consent banner when you first visit nodest.com. If you do not consent, no analytics cookies are set and no data is sent to Google.

You can withdraw consent at any time via the cookie settings link in the footer of our website.

Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG — consent.

Google acts as a data processor and, in certain respects, as an independent data controller. Data may be transferred to Google's servers in the United States. This transfer is governed by Standard Contractual Clauses approved by the European Commission. For more information on Google's data practices: policies.google.com/privacy.

Analytics cookies are stored for up to 14 months, after which the associated data is automatically deleted.

13. Transactional Emails (Brevo)

We use Brevo (Sendinblue SAS, 7 rue de Madrid, 75008 Paris, France) to deliver transactional emails, including:

  • Email address verification during registration
  • Password reset emails
  • Subscription confirmation and invoice delivery
  • Automation failure notifications and other service alerts

For this purpose, Brevo processes your name and email address as a data processor acting on our behalf under a data processing agreement. Brevo is an EU-based processor and does not use your data for its own marketing purposes.

Legal basis: Art. 6(1)(b) GDPR — contract performance (enabling core account and service functionality).

Brevo's privacy policy: brevo.com/legal/privacypolicy.

14. Where Your Data Is Stored

The Nodest platform and all Customer Data are hosted on servers operated by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany), located in Germany within the EU/EEA.

Hetzner processes infrastructure-level data (e.g. server access logs, disk storage) as a data processor under a data processing agreement. Hetzner does not have access to the content of your Customer Data or account information beyond what is technically necessary to operate the infrastructure.

All data in transit between your browser, the WordPress plugin, and Nodest's servers is encrypted using TLS (HTTPS).

15. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law.

| Data type | Retention period |
|---|---|
| Account data (name, email, settings) | Duration of account + 30 days after deletion request |
| Billing records and invoices | 10 years (§ 147 AO / § 257 HGB — German commercial law) |
| Execution Logs | Per subscription plan (see Documentation) |
| Server access logs | 30 days |
| Support communications | 2 years from resolution |
| Google Analytics data | 14 months |
| Cookie consent records | 3 years (for compliance documentation) |

In some circumstances we may anonymise personal data so that it can no longer be associated with any individual. We may retain and use anonymised data indefinitely for statistical and product improvement purposes.

16. Sub-Processors & Third-Party Recipients

We use the following sub-processors who process personal data on our behalf:

| Sub-processor | Purpose | Country | Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Cloud hosting and infrastructure | Germany (EU) | DPA under Art. 28 GDPR |
| Stripe, Inc. | Payment processing | USA | Standard Contractual Clauses |
| Brevo (Sendinblue SAS) | Transactional email delivery | France (EU) | DPA under Art. 28 GDPR |
| Google LLC | Website analytics (with consent) | USA | Standard Contractual Clauses |

We do not sell personal data to third parties. We do not share personal data with third parties for their own advertising or marketing purposes.

We may disclose personal data to law enforcement or regulatory authorities where required to do so by applicable law, valid legal process, or to protect the rights, property, or safety of Nodest, its users, or the public.

An up-to-date sub-processors list is maintained at nodest.com/sub-processors. We will notify Customers of material changes to our sub-processors with at least 14 days' notice via email, giving Customers the opportunity to object.

17. International Data Transfers

For sub-processors based outside the EEA (currently Stripe and Google), we transfer personal data on the basis of Standard Contractual Clauses (SCCs) as adopted by the European Commission pursuant to Art. 46(2)(c) GDPR, which provide appropriate safeguards for the protection of personal data.

You can request a copy of the applicable transfer mechanisms by contacting privacy@nodest.com.

18. Your Rights Under GDPR

You have the following rights in relation to personal data that Nodest processes as data controller (i.e. your account and usage data — not data within your Automations, for which you are the controller):

Right of access (Art. 15 GDPR) — You may request a copy of the personal data we hold about you, along with information about how we use it.

Right to rectification (Art. 16 GDPR) — You may request correction of inaccurate or incomplete personal data.

Right to erasure / "right to be forgotten" (Art. 17 GDPR) — You may request deletion of your personal data. This right is subject to legal retention obligations (e.g. invoices must be retained for 10 years). Exercising this right will result in account deletion.

Right to restriction of processing (Art. 18 GDPR) — You may request that we restrict processing of your personal data in certain circumstances, for example while a dispute about accuracy is being resolved.

Right to data portability (Art. 20 GDPR) — You may request a copy of personal data you have provided to us in a structured, commonly used, machine-readable format (e.g. JSON or CSV).

Right to object (Art. 21 GDPR) — Where we process your data on the basis of legitimate interests (Art. 6(1)(f)), you may object to that processing. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to withdraw consent (Art. 7(3) GDPR) — Where processing is based on consent (e.g. analytics cookies, marketing emails), you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right not to be subject to solely automated decisions (Art. 22 GDPR) — We do not make solely automated decisions that produce significant legal effects on you. See § 20.

To exercise any of these rights, contact us at privacy@nodest.com. We will respond within 30 days. There is no charge for exercising your rights. We may ask you to verify your identity before processing a request.

Right to lodge a complaint. If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the relevant supervisory authority. The authority responsible for Nodest is:

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Husarenstraße 30, 53117 Bonn, Germany
bfdi.bund.de

You may also contact the supervisory authority in your EU member state of habitual residence or place of work.

19. Cookies

We use cookies and similar tracking technologies on nodest.com. Cookies are small text files stored on your device by your browser.

Strictly necessary cookies are required for the website and application to function correctly — for example, session tokens, CSRF protection tokens, and authentication state. These cookies are set automatically and cannot be opted out of without disabling the Service. No consent is required for strictly necessary cookies.

Analytics cookies are set by Google Analytics to help us understand how visitors use nodest.com. These cookies are only set after you provide consent via our cookie banner. You can change or withdraw your consent at any time using the cookie settings link in our website footer.

Detailed information about specific cookies, their purpose, and their expiry is available in our cookie settings panel.

20. Automated Decision-Making

We do not engage in automated decision-making or profiling within the meaning of Art. 22 GDPR — i.e. we do not make decisions about you solely by automated means that produce legal or similarly significant effects. Plan enforcement (e.g. blocking usage beyond plan limits) is a technical enforcement of contract terms, not a significant automated decision in the GDPR sense.

21. Children

The Service is not directed at individuals under 16 years of age. We do not knowingly collect or process personal data from individuals under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@nodest.com and we will delete it promptly.

22. Questions & Contact

We have worked to make this Privacy Policy as clear and readable as possible. If you have questions, concerns, or suggestions about how we handle your personal data, we would like to hear from you.

Nodest
Janine Große-Beck
Grünewalder Straße 29-31, 42657 Solingen, Germany
privacy@nodest.com
nodest.com
