Privacy Policy
1. Introduction
Nodaloom Inc. (“Nodaloom”, “we”, “us”, or “our”) is committed to protecting the privacy and personal data of its users. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you access or use the Nodaloom platform (the “Service”), visit our website at www.nodaloom.com, or otherwise interact with us.
This Privacy Policy should be read together with our Terms of Service and, where applicable, our Data Processing Addendum.
We process personal data in accordance with applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the Chilean Law on the Protection of Personal Data (Ley N° 21.719, effective 1 December 2026, and its predecessor Ley N° 19.628) (“Chilean Data Protection Law”), and any other applicable data protection laws in the jurisdictions where our users are located.
2. Data Controller
For the purposes of applicable data protection law, the data controller is:
Nodaloom Inc.
Email: privacy@nodaloom.com
Website: www.nodaloom.com
San Ignacio, Chile
If you have questions or concerns about how we process your personal data, or if you wish to exercise any of your rights under applicable law, please contact us at privacy@nodaloom.com.
3. Personal Data We Collect
3.1 Data You Provide Directly
(a) Account and Identity Data: your name, email address, institutional affiliation, academic role or title, and country of residence, provided during registration or account settings.
(b) Payment Data: billing information, including payment card details or other payment method information, processed by our designated payment processor. Nodaloom does not store full payment card numbers on its own servers.
(c) User Content: any text, manuscripts, documents, research materials, prompts, queries, and other content that you upload, submit, or input into the Service. User Content is processed solely to provide the Service and is not used for model training (see Section 5).
(d) Communications: any information you provide when you contact our support team, respond to surveys, or participate in research activities.
3.2 Data We Collect Automatically (Usage Data)
When you access or use the Service, we automatically collect Usage Data, which includes:
(a) Feature and Module Usage: which Modules you access (Forge, Scribe, Lens, Loom, Engine Room), how frequently you use each, which features you engage with, and your workflow sequences across Modules.
(b) Session and Engagement Data: session duration, timestamps of access, pages viewed, navigation paths, and interaction patterns (such as clicks, scrolls, and form interactions).
(c) Search and Filter Queries: search terms and filter parameters used within the Service, stripped of substantive academic content where technically feasible.
(d) Performance and Error Data: API call patterns, response times, error codes and rates, latency measurements, and system performance metrics.
(e) Device and Technical Data: device type, operating system, browser type and version, screen resolution, language and locale settings, and IP address (which may be truncated or anonymised for analytics purposes).
(f) Onboarding and Workflow Progression: completion status of onboarding steps, tutorial engagement, and progression through guided workflows.
(g) Referral and Attribution Data: how you arrived at the Service (e.g., referral links, marketing campaigns, organic search).
3.3 Data We Do Not Collect
We do not knowingly collect sensitive personal data (also referred to as “special categories” of personal data under the GDPR), including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual orientation.
4. Legal Bases for Processing
We process your personal data on the following legal bases under applicable Data Protection Laws:
| Purpose | Legal Basis (GDPR/UK GDPR) | Legal Basis (Chilean Law) |
|---|---|---|
| Providing the Service | Performance of contract (Art. 6(1)(b)) | Execution of contract (Art. 13(a) Ley 21.719) |
| Account management and authentication | Performance of contract | Execution of contract |
| Processing payments | Performance of contract | Execution of contract |
| Service improvement and optimisation | Legitimate interests (Art. 6(1)(f)) | Legitimate interests (Art. 13(e) Ley 21.719) |
| New product development using Usage Data | Legitimate interests (Art. 6(1)(f)) | Legitimate interests (Art. 13(e) Ley 21.719) |
| Anonymised analytics and aggregate reporting | Legitimate interests (Art. 6(1)(f)) | Legitimate interests (Art. 13(e) Ley 21.719) |
| Security, fraud prevention | Legitimate interests | Legitimate interests |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | Legal obligation (Art. 13(c) Ley 21.719) |
| Marketing communications (where consented) | Consent (Art. 6(1)(a)) | Consent (Art. 13(b) Ley 21.719) |
Where we rely on legitimate interests, we have conducted a balancing assessment and determined that our interests in improving the Service, developing new products, and generating aggregate insights do not override your fundamental rights and freedoms, particularly given the safeguards described in Section 5.4 (anonymisation and pseudonymisation of Usage Data).
5. How We Use Your Data
5.1 Providing the Service
We use your Account Data and User Content to operate the Service, including authenticating your identity, managing your subscription, and processing your inputs through the AI Modules. User Content is transmitted to Third-Party AI Providers (currently Anthropic and Google) solely for the purpose of generating AI-Assisted Output. This transmission is transient: we do not retain User Content on Third-Party AI Provider systems beyond the duration of each API request-response cycle.
5.2 Service Improvement and Optimisation
We use Usage Data to improve, optimise, and enhance the performance, functionality, and user experience of the Service. This includes analysing feature adoption to inform product priorities, optimising AI model routing and response quality, identifying and resolving errors and performance bottlenecks, refining workflow sequences and user interface design, and improving onboarding processes.
5.3 New Product Development
We use aggregated and anonymised Usage Data to develop new features, products, services, tools, or functionalities. These may be integrated into the existing Service or offered as separate products or services by Nodaloom. For the avoidance of doubt, new product development based on Usage Data relies on aggregate patterns and trends, not on the substantive academic content of any individual User.
5.4 Research, Analytics, and Publications
We use anonymised and aggregated Usage Data to conduct internal research, generate statistical insights about platform usage patterns, and produce benchmarking analyses related to academic writing workflows and AI-assisted research processes. We may publish anonymised, aggregate reports, white papers, or data-driven publications based on platform usage trends. No individual User, their institution, or their research can be identified from such publications.
5.5 Safeguards on Usage Data Processing
Where Usage Data is processed for service improvement, new product development, research, or publication purposes:
(a) Data is aggregated and anonymised or, where full anonymisation is not technically feasible, pseudonymised in accordance with applicable Data Protection Laws.
(b) Raw, non-anonymised Usage Data is not sold to third parties.
(c) Any sharing of Usage Data with third parties is limited to aggregated and anonymised datasets, or to service providers bound by contractual confidentiality obligations who process data on Nodaloom’s behalf.
(d) Users may request information about the categories of Usage Data collected in connection with their account by contacting privacy@nodaloom.com.
5.6 No Training on User Content
Nodaloom does not use User Content to train, fine-tune, or improve its own proprietary AI models or the models of any Third-Party AI Provider. This commitment is also set out in Clause 7.4 of the Terms of Service.
5.7 Communications
We may use your email address to send transactional communications (such as account confirmations, billing notifications, and service alerts) and, where you have opted in, marketing communications about the Service. You may opt out of marketing communications at any time by clicking the unsubscribe link in any email or by contacting us at privacy@nodaloom.com.
6. Data Sharing and Disclosure
We share personal data only in the following circumstances:
6.1 Third-Party AI Providers
User Content is transmitted to Third-Party AI Providers for the generation of AI-Assisted Output. Current providers include:
| Provider | Purpose | Location | Relevant Privacy Policy |
|---|---|---|---|
| Anthropic, PBC | AI model processing (Claude API) | United States | anthropic.com/legal/privacy |
| Google LLC | AI model processing (Gemini API) | United States | ai.google.dev/gemini-api/terms |
6.2 Service Providers
We engage trusted service providers to assist in operating the Service. These providers process data on our behalf and are bound by contractual obligations to protect your data. Current service providers include hosting (Railway Corp.), web delivery (Vercel Inc.), authentication (Clerk Inc.), database (Neon Inc.), and payment processing (Paddle.com Market Ltd).
6.3 Legal Requirements
We may disclose personal data where required by applicable law, regulation, legal process, or enforceable government request.
6.4 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred to the acquiring entity, provided that the acquiring entity agrees to be bound by terms no less protective than those set out in this Privacy Policy.
6.5 Anonymised and Aggregated Data
We may share anonymised and aggregated Usage Data with third parties, including in published reports and analyses. Such data does not identify any individual User.
7. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our Third-Party AI Providers and certain service providers are located. Where such transfers are made from the European Economic Area or the United Kingdom, we rely on the following transfer mechanisms:
(a) The European Commission’s Standard Contractual Clauses (SCCs), as approved by Commission Implementing Decision (EU) 2021/914.
(b) The UK International Data Transfer Addendum to the EU SCCs, as issued by the UK Information Commissioner.
(c) Any adequacy decision by the European Commission or the UK Secretary of State, as applicable.
For transfers from Chile, we comply with the requirements of the Chilean Data Protection Law regarding international transfers of personal data.
8. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, as described in this Privacy Policy, unless a longer retention period is required or permitted by law.
| Data Category | Retention Period |
|---|---|
| Account Data | Duration of account + 30 days after deletion |
| User Content | Duration of account + 30 days after deletion |
| Usage Data | 36 months from collection, then anonymised |
| Anonymised and Aggregated Data | Retained indefinitely |
| Payment Records | As required by applicable tax and accounting law (typically 7 years) |
| Consent Records | Duration of account + 3 years |
| Communication Records | 24 months from last communication |
9. Your Rights
9.1 Rights Under the GDPR and UK GDPR
If you are located in the EEA or the United Kingdom, you have the following rights under applicable Data Protection Laws: the right of access (Art. 15), the right to rectification (Art. 16), the right to erasure (Art. 17), the right to restriction of processing (Art. 18), the right to data portability (Art. 20), the right to object to processing based on legitimate interests (Art. 21), the right not to be subject to automated decision-making (Art. 22), and the right to lodge a complaint with a supervisory authority.
Where we process Usage Data on the basis of legitimate interests (see Section 4), you have the right to object to such processing. Upon receiving an objection, we will cease processing your Usage Data for the purposes objected to, unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms.
9.2 Rights Under Chilean Data Protection Law
If you are located in Chile, you have the following rights under the Chilean Data Protection Law (Ley N° 21.719): the right of access, the right to rectification, the right to cancellation (deletion), the right to object to processing, the right to data portability, and the right to lodge a complaint with the Agencia de Protección de Datos Personales (once operational).
9.3 Exercising Your Rights
To exercise any of your rights, please contact us at privacy@nodaloom.com. We will respond to your request within thirty (30) days. We may need to verify your identity before processing your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.
10. Cookies and Tracking Technologies
The Service uses essential cookies necessary for the operation of the platform (such as authentication tokens and session identifiers). We do not use third-party advertising cookies or tracking cookies for behavioural advertising purposes.
We may use analytics tools to collect aggregate, anonymised usage statistics for the purpose of improving the Service. Where such tools involve the processing of personal data, we ensure that appropriate safeguards are in place, including anonymisation at the point of collection where feasible.
11. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include encryption of data in transit and at rest, access controls based on the principle of least privilege, regular security assessments, and incident response procedures. No method of electronic transmission or storage is completely secure; while we strive to use commercially reasonable means to protect your personal data, we cannot guarantee absolute security.
12. Children’s Privacy
The Service is not intended for individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete such data promptly.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or the Service. Where changes are material, we will notify you by email or through the Service interface at least thirty (30) days before the changes take effect. The “Last Updated” date at the top of this Privacy Policy indicates when it was last revised. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Nodaloom Inc.
Email: privacy@nodaloom.com
Website: www.nodaloom.com
San Ignacio, Chile
For users in the European Economic Area or the United Kingdom, you may also contact our designated representative at: To be appointed. Please contact privacy@nodaloom.com in the interim.
End of Privacy Policy