Legal

Privacy Policy

Last updated: February 5, 2026

This Privacy Policy describes how Yvo Wander Holding B.V., a company registered in the Netherlands (“Nodo”, “we”, “us”, or “our”), collects, uses, shares, and protects personal data when you use our platform at nodohq.com and any associated services (the “Service”).

Nodo is a people operations platform for growing teams. We help organisations manage their org chart, run pulse surveys, set goals, conduct performance reviews, and recognise great work through peer shoutouts. We process personal data as both a data controller (for account and billing data) and a data processor (for workspace data you upload or sync from your directory provider).

1. Data we collect

Account data

When you sign up, we collect your name, email address, and profile photo from your identity provider (Google or Microsoft). If you are a workspace owner, we also collect billing details (name, company name, address, VAT number) through our payment processor, Stripe.

Workspace data

Data you or your organisation create within Nodo, including:

  • Organisational structure — people, teams, reporting lines, job titles, departments
  • Pulse surveys — questions, responses, and participation data
  • Performance reviews — review cycles, peer feedback, self-assessments, manager evaluations
  • Goals — objectives, key results, and progress updates
  • Shoutouts — peer recognition messages and associated values

Directory sync data

If you connect Google Workspace or Microsoft 365, we access your organisation’s directory via the Google Admin SDK or Microsoft Graph API. We import names, email addresses, job titles, departments, manager relationships, and profile photos. We only request the minimum scopes required and do not access email content, calendar events, files, or any data outside the directory.

Usage data

We automatically collect IP addresses, browser type, device information, pages visited, and feature interactions. This data helps us understand how the Service is used and where we can improve.

2. How we use your data

  • Provide the Service — display your org chart, deliver survey results, run review cycles, track goals, and facilitate shoutouts.
  • Billing and payments — process subscriptions, sync seat counts, and handle invoices through Stripe.
  • Transactional communications — send survey invitations, review reminders, onboarding emails, and account-related notices.
  • Product improvement — analyse aggregated and anonymised usage patterns to improve features and performance.
  • Security and fraud prevention — monitor for suspicious activity, enforce rate limits, and protect the integrity of the Service.
  • Legal compliance — meet our obligations under applicable law, including tax and accounting requirements.

We do not sell your personal data. We do not use your workspace data to train machine-learning models. We do not serve advertisements.

3. Legal bases for processing

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases:

  • Contract performance — processing necessary to deliver the Service you signed up for (Art. 6(1)(b)).
  • Legitimate interests — improving the Service, preventing fraud, and maintaining security (Art. 6(1)(f)).
  • Legal obligations — tax, accounting, and regulatory compliance (Art. 6(1)(c)).
  • Consent — where you have opted in to optional communications (Art. 6(1)(a)). You can withdraw consent at any time.

4. Who we share data with

Service providers

We work with a small number of trusted third parties who process data on our behalf:

Provider | Purpose | Location
Vercel | Hosting and edge delivery | US / EU
Railway | Database hosting (PostgreSQL) | US
Stripe | Payment processing and billing | US / EU
Resend | Transactional email delivery | US

Each provider is bound by a data processing agreement and processes data only as instructed by us.

Within your organisation

Workspace administrators can view and manage all data within their workspace. Other workspace members can see org chart information, shoutouts, and any content shared with them through the Service (e.g. survey assignments, review cycles). Pulse survey responses are anonymous by default and cannot be traced to individual respondents by other workspace members.

Legal disclosure

We may disclose personal data if required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of Nodo, our users, or the public.

Business transfers

If Nodo is involved in a merger, acquisition, or asset sale, personal data may be transferred as part of that transaction. We will notify affected users before their data becomes subject to a different privacy policy.

5. International transfers

Nodo is operated from the Netherlands. Some of our service providers are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we rely on:

  • European Commission adequacy decisions, where available
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The EU-U.S. Data Privacy Framework, where the recipient is certified

You may request a copy of the relevant transfer safeguards by contacting us at privacy@nodohq.com.

6. Data retention

We retain personal data for as long as your account is active or as needed to provide the Service. Specifically:

  • Active workspace data is retained for the lifetime of the workspace.
  • Deleted workspace data is permanently removed within 30 days of workspace deletion.
  • Billing records are retained for 7 years to comply with Dutch tax and accounting obligations.
  • Server logs are retained for up to 90 days for debugging and security purposes.

When you remove a person from your workspace, their associated survey responses and review data are anonymised. Their personal identifiers (name, email, photo) are deleted.

7. Your rights

Under the GDPR and other applicable data protection laws, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your personal data, subject to legal retention requirements.
  • Data portability — receive your data in a structured, machine-readable format.
  • Restriction — request that we limit how we process your data.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email us at privacy@nodohq.com. We will respond within 30 days.

If you are a workspace member (not the account holder), please first contact your workspace administrator. For data held by Nodo as a data processor, we will assist you via your organisation.

You also have the right to lodge a complaint with a supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

8. Cookies and tracking

We use strictly necessary cookies for authentication and session management. These cookies are essential for the Service to function and cannot be disabled.

We do not use advertising cookies, social media trackers, or third-party analytics services that track individuals across websites. We do not participate in cross-site behavioural advertising.

9. Data security

We implement appropriate technical and organisational measures to protect personal data, including:

  • TLS encryption for all data in transit
  • Encryption at rest for database storage
  • Role-based access controls and authentication via OAuth 2.0
  • Regular dependency and security audits
  • Secrets management through environment variable isolation

No system is perfectly secure. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with Articles 33 and 34 of the GDPR.

10. Children

Nodo is a business-to-business service designed for organisations and their teams. It is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. If we make material changes, we will notify workspace owners by email at least 14 days before the changes take effect. The “Last updated” date at the top of this page indicates when the policy was last revised.

12. Contact us

If you have questions about this Privacy Policy or how we handle your data:

Yvo Wander Holding B.V.

Trading as Nodo

Email: privacy@nodohq.com

Web: nodohq.com