Privacy Policy

Last updated: May 30, 2026

This Privacy Policy explains how Nodle (“Nodle”, “we”, “us”, or “our”) collects, uses, shares, and protects personal information when you visit our website, create an account, or use our construction-management product (together, the “Service”). It also explains the rights you have over your information.

We try to collect only what we need to run the Service, and we are transparent about the third parties — including artificial-intelligence (“AI”) providers — that process data on our behalf.

Who we are

Nodle provides an AI-native workspace for construction teams. For questions about this policy or your personal information, contact us at support@nodle.tech.

Our role: controller and processor

  • For information about your account, billing, website usage, and our direct relationship with you, Nodle acts as a data controller.
  • For the content you and your team put into a workspace (tasks, messages, meeting recordings and transcripts, documents, and similar project data), Nodle generally acts as a data processor on behalf of the organization that owns the workspace (the “Customer”), which is the controller of that content. If you use Nodle through your employer or another organization, that organization’s own privacy practices also apply, and our handling of workspace content is additionally governed by our Data Processing Addendum.

Information we collect

Information you provide

  • Account and identity data: your name, email address, password (stored only as a hash by our authentication provider), profile photo, role, and the workspaces and teams you belong to.
  • Invitations and team directory: names, emails, job titles, and similar details you add when inviting colleagues or describing your team.
  • Communications with us: messages you send to support or sales.

Information created in your workspace

  • Projects and tasks: project descriptions, tasks, schedules, statuses, priorities, dependencies, comments, tags, and edit history.
  • Documents and blueprints: files you upload (such as construction drawings and PDFs) and the structured data we extract from them (sheets, spaces, elements, schedules).
  • Onboarding information: the answers and conversation history captured when setting up a workspace, which we use to tailor the Service.

Information from meetings and calls

  • Meeting audio: when you record a meeting or call, audio is captured and sent to our storage and transcription providers (see Service providers and sub-processors). We do not retain raw meeting audio in our application database; audio is held transiently for processing.
  • Transcripts and summaries: we store the resulting transcript, speaker-attributed segments, and AI-generated summaries, decisions, and action items.

Technical and usage information

  • Device and log data: IP address, browser and device type, pages viewed, actions taken, timestamps, and similar diagnostic information.
  • Error and performance data: crash reports and performance traces (with text input masked and media blocked in session recordings) used to keep the Service reliable.

How we use information

We use personal information to:

  • provide, operate, and secure the Service and your workspace;
  • power AI features such as task planning, document understanding, meeting transcription, summarization, and research (see below);
  • authenticate users and prevent fraud, abuse, and security incidents;
  • communicate with you about the Service, including invitations, notifications, and support;
  • understand how the Service is used so we can improve it; and
  • comply with legal obligations and enforce our Terms of Service.

We rely on the following legal bases (where GDPR applies): performance of a contract, our legitimate interests in operating and improving the Service, your consent (where required, such as for certain cookies), and compliance with legal obligations.

We do not sell your personal information, and we do not use the content in your workspace to train our own general-purpose AI models.

AI features and third-party AI processing

Nodle is an AI-native product. To provide AI features, content you submit is transmitted to and processed by third-party AI providers acting as our sub-processors. Specifically:

  • Text AI (OpenAI): chat messages, meeting transcripts, task and project text, onboarding conversations, and similar text are sent to OpenAI to generate plans, summaries, suggestions, and embeddings.
  • Document and vision AI (Google Gemini): uploaded blueprints and documents (including images and PDFs) and their extracted text are sent to Google to analyze and classify them.
  • Speech-to-text (AssemblyAI): meeting audio is sent to AssemblyAI to produce transcripts and identify speakers.
  • Research AI (Perplexity): where you use research features, your prompts and relevant project context are sent to Perplexity.
  • Anthropic (Claude): may be used as an additional or fallback text-AI provider for similar purposes.

These providers process your content to return a result to us and may log requests for security, abuse-monitoring, and operational purposes for a limited period. Under their applicable API terms, these providers act as our service providers/processors and do not use content submitted through their APIs to train their models, except where we would have separately enabled such use (we do not). We provide only the data needed to perform the requested AI task.

If you do not want your content processed by AI providers, avoid using AI features; note, however, that AI is core to much of the Service. AI output can be inaccurate or incomplete and should be reviewed before you rely on it.

Service providers and sub-processors

We share personal information with vendors who process it on our behalf to run the Service. We require them to protect the information and use it only to provide their services to us. A current list, including each provider’s purpose and the data category involved, is maintained on our Sub-processors page. Categories of providers include:

  • Cloud database and authentication (e.g., Supabase) — stores account and workspace data and manages sign-in.
  • File and object storage (e.g., Cloudflare R2) — stores uploaded documents and meeting audio.
  • AI providers (OpenAI, Google, AssemblyAI, Perplexity, Anthropic) — as described above.
  • Meeting and audio infrastructure (self-hosted Jitsi and recording servers) — handles real-time audio/video.
  • Email delivery (e.g., Resend) — sends invitations and notifications.
  • Hosting and logging (e.g., Railway, DigitalOcean) — runs our application and stores operational logs.
  • Error and performance monitoring (e.g., Sentry) — helps us detect and fix problems.

We may also disclose information to comply with law, enforce our agreements, protect rights and safety, or in connection with a merger, acquisition, or sale of assets (with notice where required).

International data transfers

We and several of our providers are located in, or process data in, the United States and other countries. When we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

How long we keep data

We keep personal information for as long as your account or workspace is active and as needed to provide the Service, then for a limited period as required to comply with legal obligations, resolve disputes, and enforce our agreements. Some records use “soft deletion,” meaning they are marked deleted and removed from normal use before being purged. Meeting audio is retained only transiently for processing; transcripts and summaries are retained as part of your workspace until deleted. You can request deletion as described below.

Security

We use reasonable technical and organizational measures to protect personal information, including authenticated workspaces, role-based access controls, encryption in transit, and restricted access to production systems. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. Learn more on our Security page.

Your privacy rights

EEA, UK, and Switzerland (GDPR)

Subject to applicable law, you have the right to access, correct, delete, restrict, or object to the processing of your personal information, to data portability, and to withdraw consent. You may also lodge a complaint with your local data protection authority. To exercise these rights, contact support@nodle.tech. Where Nodle processes workspace content as a processor, we will refer your request to the relevant Customer (controller).

California (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect and how we use and disclose it, to request access and deletion, to correct inaccurate information, and to be free from discrimination for exercising your rights. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. To exercise these rights, contact support@nodle.tech.

Cookies and similar technologies

We use cookies and similar technologies (such as browser local storage) to keep you signed in and to operate and improve the Service. For details and your choices, see our Cookie Policy.

Children’s privacy

The Service is intended for business use and is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, contact us so we can delete it.

Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version here and revise the “Last updated” date, and we will provide additional notice where required.

Contact us

Questions or requests regarding this policy or your personal information: support@nodle.tech.