How does Nodua work with the tools I already use?

Nodua's engineering team connects our systems to your existing CRM, email, calendar, and communication platforms. You don't need to migrate anything — we build on top of what you already have.

Is my business data safe?

Yes. Every automation is checked by our AI security guard before it goes live — it looks for risks like data leaks or unauthorized actions. Your data is encrypted with bank-grade security, never shared, and never used to train our models.

What happens if an automation doesn't know how to handle something?

It stops immediately and sends you a notification with full context. You're always in control — no automation will ever make a decision it's not confident about.

How quickly can I get results?

Most businesses have their first system running within 48 hours of their Strategic Roadmap analysis. Our team handles the engineering and architecture; you just approve the blueprint.

What is the ROI potential?

During your Economic Impact Analysis, we identify specific 'Operational Leaks' where you are losing revenue. Our managed systems are engineered to recapture that revenue, often providing a positive ROI within the first 30 days.

Will Nodua keep getting better?

Yes. We continuously upgrade to the latest AI technology, so your automations get smarter over time — no action needed on your end. You always get the best available AI working for your business.

Can I use Nodua if I have a larger team or enterprise needs?

Absolutely. Our Scale plan includes dedicated infrastructure, unlimited automations, and priority support. Contact our sales team for custom solutions.

Privacy Policy

This Privacy Policy ("Policy") describes how Nodua ("we," "us," or "our") collects, uses, shares, and protects personal data when you visit our website at www.nodua.studio or use the Nodua platform and related services (collectively, the "Service"). This Policy applies to all users of the Service, including business customers, their authorized users, and visitors to our website.

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), the California Privacy Rights Act ("CPRA"), and all other applicable data protection legislation. By accessing or using the Service, you acknowledge that you have read and understood this Policy.

1. Identity of the Data Controller

The data controller responsible for the processing of your personal data is:

Entity: Nodua
Email: info@nodua.studio
Data Protection Contact: info@nodua.studio
Website: www.nodua.studio

For all privacy-related inquiries, data subject requests, or complaints, please contact us at info@nodua.studio. We will respond to verified requests within thirty (30) calendar days, as required by applicable law.

2. Categories of Personal Data We Collect

We collect and process the following categories of personal data, depending on how you interact with the Service:

2.1. Account & Identity Data

When you register for an account, we collect your full name, business email address, and an encrypted password hash. If you sign up via a third-party authentication provider (e.g., Google OAuth), we receive your name, email, and profile identifier from that provider.

2.2. Business Profile Data

During our AI-guided onboarding interview, you may voluntarily provide information about your business, including industry sector, company size, tools used, operational challenges, and automation objectives. This data is stored as part of your project context to tailor the Service to your needs.

2.3. Usage & Interaction Data

We collect data about how you use the Service, including: workflows created, automations deployed, features accessed, credit consumption history, conversation transcripts with AI agents, and general interaction metrics.

2.4. Technical & Device Data

We automatically collect technical information such as IP address, browser type and version, operating system, device identifiers, screen resolution, referring URL, and pages visited. This data is collected through server logs and analytics tools.

2.5. Integration Data

When you connect third-party services (e.g., CRM platforms, email providers, calendar systems) to Nodua, we access and process only the data strictly necessary to execute your defined automations. OAuth tokens and API credentials are encrypted at rest using AES-256-GCM encryption and are never stored in plaintext.

2.6. Financial & Billing Data

Payment processing is handled exclusively by Stripe, Inc. We do not store or have access to your full credit card numbers. We retain transaction identifiers, subscription status, invoice records, and billing history as necessary for accounting and tax compliance.

3. Legal Bases for Processing

We process your personal data under one or more of the following legal bases, as defined in Article 6(1) of the GDPR:

Performance of a contract (Art. 6(1)(b)): Processing is necessary to provide and maintain the Service, execute your automated workflows, manage your account, and process payments under our Terms of Service.
Legitimate interests (Art. 6(1)(f)): Processing is necessary for our legitimate interests, including: improving platform security and preventing fraud; analyzing usage patterns to enhance the Service; providing customer support; and ensuring network and information security. These interests do not override your fundamental rights and freedoms.
Consent (Art. 6(1)(a)): Where required, we obtain your explicit consent before: sending marketing communications; deploying non-essential analytics cookies; and processing data for purposes not covered by the above bases. You may withdraw consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
Legal obligation (Art. 6(1)(c)): Processing is necessary to comply with applicable legal obligations, including tax reporting, financial record-keeping, and responding to lawful requests from governmental authorities.

4. Purpose of Data Processing

We process personal data exclusively for the following purposes:

Providing, operating, and maintaining the Service;
Creating and managing your user account;
Processing subscription payments and managing billing;
Executing AI-generated and user-approved automated workflows;
Providing customer support and responding to inquiries;
Conducting security audits and Data Loss Prevention (DLP) scans on workflows before deployment;
Monitoring Service performance, availability, and error resolution;
Communicating essential service updates, security alerts, and administrative notices;
Sending marketing communications (with your consent);
Complying with legal, regulatory, and tax obligations;
Enforcing our Terms of Service and investigating violations.

5. Artificial Intelligence & Automated Decision-Making

Nodua uses artificial intelligence models (including models provided by Anthropic and Google) to analyze your business requirements and generate automated workflows. In accordance with Article 22 of the GDPR, we wish to inform you of the following:

No autonomous decisions with legal effects: AI-generated workflows are always presented to you for explicit review and approval before deployment. No automation is activated without your affirmative consent.
Security review: Every workflow undergoes an automated security analysis for data loss prevention before deployment. Workflows assessed as medium or high risk require additional explicit user approval.
No model training with your data: We do not use your proprietary business data, API payloads, workflow configurations, or conversation content to train, fine-tune, or improve any AI foundation model. All interactions with language models are sandboxed and ephemeral.
Human oversight: You retain full control to modify, disable, or delete any automation at any time.

6. Data Sharing & Sub-Processors

We do not sell, rent, or trade your personal data to third parties. We may share your data with trusted sub-processors who act on our behalf under binding Data Processing Agreements ("DPAs"). Our current sub-processors include:

Supabase, Inc. — Database hosting, authentication, and real-time services (United States).
Stripe, Inc. — Payment processing and subscription management (United States).
Anthropic, PBC — AI language model inference for workflow generation (United States).
Google LLC — AI language model inference and analytics services (United States).
Vercel, Inc. — Application hosting and content delivery (Global Edge Network).

We may also disclose personal data when required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of Nodua, our users, or the public.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area ("EEA"), the United Kingdom, or Switzerland — particularly the United States, where our primary sub-processors operate.

For transfers to countries not covered by an adequacy decision of the European Commission, we rely on Standard Contractual Clauses ("SCCs") approved by European Commission Implementing Decision (EU) 2021/914, supplemented by additional technical and organizational safeguards where appropriate. You may request a copy of the applicable SCCs by contacting info@nodua.studio.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our specific retention periods are:

Account data: Retained for the duration of your active account, plus a thirty (30) day grace period after account deletion to allow for recovery. After this period, all account data is permanently and irreversibly deleted.
Workflow execution logs: Automatically purged ninety (90) days after generation.
AI conversation transcripts: Retained for the duration of the active conversation session. Message windowing limits stored context to a maximum of thirty (30) messages per session, with automatic summarization applied to older messages.
Billing and tax records: Retained for seven (7) years in accordance with applicable financial record-keeping obligations.
Technical logs (server and access): Retained for ninety (90) days, except where longer retention is required for security incident investigation.

9. Your Data Protection Rights

9.1. Rights Under the GDPR (EEA, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR:

Right of access (Art. 15): Request a copy of the personal data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to applicable legal exceptions.
Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV).
Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
Right to withdraw consent (Art. 7(3)): Withdraw previously given consent at any time, without affecting the lawfulness of processing performed prior to withdrawal.
Right to lodge a complaint: File a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

9.2. Rights Under the CCPA / CPRA (California Residents)

If you are a California resident, you have additional rights under the CCPA and CPRA:

Right to know: Request disclosure of the categories and specific pieces of personal information collected, the sources of collection, the business purposes for processing, and the categories of third parties with whom data is shared.
Right to delete: Request deletion of personal information, subject to applicable exceptions.
Right to opt out of sale or sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out action is required.
Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Right to correct: Request correction of inaccurate personal information.
Right to limit use of sensitive personal information: Request that we limit the use and disclosure of sensitive personal information to purposes necessary for providing the Service.

To exercise any of the above rights, please email info@nodua.studio with the subject line "Data Subject Request." We will verify your identity before processing the request and respond within thirty (30) calendar days.

10. Cookies & Tracking Technologies

Our website uses cookies and similar tracking technologies. We categorize them as follows:

Strictly necessary cookies: Essential for the operation of the website (e.g., session management, security tokens). These cannot be disabled.
Analytics cookies: Used to understand website usage and improve our Service (e.g., Google Analytics via Google Tag Manager). Deployed only with your explicit consent.
Preference cookies: Store your settings such as language preference. Deployed only with your explicit consent.

You can manage your cookie preferences at any time via our cookie consent banner. You may also configure your browser to refuse all cookies or to indicate when a cookie is being sent.

11. Data Security

We implement and maintain appropriate technical and organizational security measures, including but not limited to:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
Encryption of stored OAuth tokens and API credentials using AES-256-GCM;
Row Level Security (RLS) policies enforced at the database layer;
Automated Data Loss Prevention (DLP) scanning of all workflows before deployment;
Network isolation for workflow execution environments;
Content Security Policy (CSP) headers with per-request cryptographic nonces;
Strict firewall rules, rate limiting, and circuit-breaker patterns;
Regular access reviews and principle of least privilege for all internal systems.

While we take commercially reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and disclaim any liability for unauthorized access resulting from circumstances beyond our reasonable control.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34 of the GDPR.

13. Children's Privacy

The Service is designed for use by businesses and is not directed at individuals under the age of sixteen (16). We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take prompt steps to delete such data. If you believe we may have collected data from a child, please contact us at info@nodua.studio.

14. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will provide at least thirty (30) days' advance notice via email to the address associated with your account and/or by posting a prominent notice on our website. Your continued use of the Service after the effective date of any revised Policy constitutes acceptance of the updated terms. We encourage you to review this Policy periodically.

15. Contact Information

If you have any questions, concerns, or complaints regarding this Privacy Policy or our data processing practices, please contact us:

General inquiries: info@nodua.studio
Privacy & data requests: info@nodua.studio
Website: www.nodua.studio

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.