Privacy Policy

Last updated: 2 May 2026

This Privacy Policy explains how we process personal data when you visit nodetool.ai, use the NodeTool desktop application, or contact us. We follow the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Controller

The controller responsible for processing your personal data under Art. 4 (7) GDPR is the NodeTool team. You can reach us at hello@nodetool.ai for any privacy-related question, including requests to exercise your rights described in section 9.

2. Local-first by design

NodeTool is an open-source desktop application that runs on your own machine. Workflows, prompts, model files, generated outputs, API keys and other content you create stay on your device. We do not collect, sync or transmit this data to our servers. If you choose to connect third-party AI providers (OpenAI, Anthropic, Replicate, Hugging Face, etc.), your prompts and inputs are sent directly from your device to those providers under their own terms and privacy policies.

3. Data we process when you visit nodetool.ai

3.1 Server logs

When you load a page, our hosting provider temporarily processes technical data needed to deliver the site: IP address, user agent, referrer, requested URL, response status and timestamp. This data is processed on the legal basis of our legitimate interest in operating a secure, stable website (Art. 6 (1) (f) GDPR) and is deleted or anonymised within 14 days unless we need to retain specific entries to investigate a security incident.

3.2 Privacy-friendly analytics (Plausible)

We use Plausible Analytics to understand aggregate traffic patterns. Plausible is hosted in the EU, does not use cookies and does not collect personal data or cross-site identifiers. IP addresses are processed transiently to generate a daily, salted hash and are never stored. Because no personal data is processed, no consent is required (Art. 6 (1) (f) GDPR — legitimate interest in measuring product reach).

3.3 Cookies and local storage

The marketing website does not set advertising or tracking cookies. We may use strictly necessary local storage for UI preferences such as theme. Strictly necessary storage does not require consent under § 25 (2) Nr. 2 TDDDG.

4. Data we process when you contact us

If you email us (e.g. hello@nodetool.ai, matti@nodetool.ai, david@nodetool.ai), we process your email address and the contents of your message to respond to your enquiry. Legal basis: Art. 6 (1) (b) GDPR (pre-contractual / contractual) or Art. 6 (1) (f) GDPR (legitimate interest in handling enquiries). We retain correspondence for as long as needed to address your matter and afterwards in accordance with statutory retention periods.

5. Optional cloud services

Some parts of the NodeTool ecosystem (for example a hosted runner, account features, or future cloud sync) may be offered as opt-in services. Where such services exist, the data they process is described in service-specific terms presented at sign-up. By default, no account is required to use NodeTool.

6. Hosting and data location

We host our infrastructure on EU-based providers. Persistent application data is stored in Frankfurt, Germany. Edge requests for static content may be served from a global CDN; in that case only the technical data described in 3.1 is processed at the edge, on the basis of standard contractual clauses where applicable.

7. Recipients and processors

We use carefully selected processors who act only on our documented instructions under data processing agreements (Art. 28 GDPR), including:

  • Hosting / CDN — delivery of nodetool.ai (EU region, Frankfurt for persistent storage).
  • Plausible Analytics (Plausible Insights OÜ, Estonia) — cookieless, aggregated traffic statistics.
  • Email providers — to receive and respond to messages you send us.
  • GitHub — for our open-source repository, issues, and downloads, when you choose to use those services.

We do not sell personal data, and we do not use your data to train machine-learning models.

8. International transfers

Where a processor is located outside the EU/EEA, we rely on an adequacy decision or, where none exists, on EU Standard Contractual Clauses together with appropriate supplementary measures.

9. Your rights

Under the GDPR you have the right to:

  • access your personal data (Art. 15);
  • request rectification (Art. 16);
  • request erasure (Art. 17);
  • request restriction of processing (Art. 18);
  • data portability (Art. 20);
  • object to processing based on legitimate interests (Art. 21);
  • withdraw any consent you have given, with effect for the future (Art. 7 (3)).

To exercise any of these rights, write to hello@nodetool.ai. You also have the right to lodge a complaint with a data protection supervisory authority, in particular the authority of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

10. Retention

We keep personal data only for as long as necessary for the purposes for which it was collected and to comply with legal obligations. Server logs: ≤ 14 days. Analytics events: aggregated and non-personal. Email correspondence: as long as required to address your matter, plus any statutory retention period.

11. Security

We use TLS for all traffic, restrict administrative access on a need-to-know basis, keep dependencies up to date, and follow current best practices for the technologies we use. No system is perfectly secure; if you believe you have found a vulnerability, please report it to hello@nodetool.ai.

12. Children

NodeTool is not directed at children under 16 and we do not knowingly collect personal data from them.

13. Changes to this policy

We may update this policy to reflect changes in our services or legal obligations. Material changes will be highlighted on this page. The current version is identified by the "Last updated" date above.

See also our Terms of Use.