Privacy Policy

Effective: 2026-05-15
Last updated: 2026-05-15
NodePlus Inc.
james@nodeplus.ai

1. Introduction

NodePlus Inc. ("NodePlus," "we," "our," or "us") operates the NodePlus AI Platform (the "Service") at nodeplus.ai and related subdomains. NodePlus is a business-to-business (B2B) operating platform. Our users are operators at customer organizations - finance leads, ops managers, executives, and others authorized by their employer to use the Service on the organization's behalf. We do not market the Service to the general consumer public and we are not a personal-finance application.

This Privacy Policy explains what information we collect from and about you when you use the Service, how we use and share that information, and the choices you have. By using the Service you agree to the practices described in this Policy.

If you have any questions about this Policy or our privacy practices, contact us at james@nodeplus.ai.

2. Who this Policy applies to

This Policy applies to information we collect from:

  • Visitors to our public website
  • Registered users of the Service who access NodePlus as authorized representatives of a customer organization
  • Authorized representatives of a customer organization who connect their organization's financial accounts through Plaid Inc. ("Plaid") within the Service

It does not apply to information you provide to third-party services that we link to or integrate with - those services have their own privacy policies which we encourage you to review (including Plaid's End User Privacy Policy).

Where customer organizations are themselves data controllers of personal information about their own staff or counterparties, those organizations' privacy policies govern that information. NodePlus acts as a processor / service provider on behalf of those organizations under our Master Services Agreement and Data Processing Addendum.

3. Information we collect

3.1 Information you provide directly

  • Account information: name, work email address, the customer organization you represent, and any optional profile information you choose to provide. Authentication is by OAuth (federated identity via your organization's identity provider) or by short-lived email magic link.
  • Communications: any message, support ticket, or feedback you send us.

3.2 Information we collect from Plaid

When you, as an authorized representative of your organization, choose to connect a business financial account belonging to your organization, you authorize Plaid to share certain information with NodePlus. Depending on the product you use and the Plaid scopes you authorize, this may include:

  • The identity of the financial institution your organization connected
  • Account identifiers, account names, and account types (e.g., business checking, business savings)
  • Account balances
  • Transaction history (descriptions, amounts, dates, categories)
  • Account owner information (organization name, address, phone, email as reported by the institution)

We do not receive bank login credentials. Plaid handles the authentication directly with the financial institution. NodePlus uses Plaid Link in a business-to-business configuration; we do not invoke Plaid Link against personal consumer accounts.

3.3 Information we collect automatically

  • Device and usage data: IP address, browser type, operating system, pages viewed, timestamps, referring URLs.
  • Cookies and similar technologies: session cookies required to operate the Service, and limited analytics cookies. We do not use third-party advertising cookies.

4. How we use information

We use the information described above to:

  • Provide, operate, and improve the Service
  • Authenticate you and protect your organization's account
  • Display the financial accounts your organization has connected and surface insights based on them, as part of the product features your organization has enabled
  • Communicate with you about your account, security, and important updates
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with applicable laws and respond to lawful requests

We do not sell personal information. We do not use financial data for advertising, and we do not share financial data with advertisers, data brokers, or marketing partners.

5. How we share information

We share information only in the following circumstances:

  • With service providers under written contracts that limit their use of information to providing services to us. Our principal service providers are:
    • Supabase - database, authentication (hosted on AWS)
    • Cloudflare - DNS, edge compute, CDN, security
    • Netlify - frontend hosting
    • Plaid Inc. - provides the financial-account-linking service when you choose to connect an account on behalf of your organization
    • Google Workspace - internal email and document collaboration
  • With your direction or your organization's direction. If you or your organization ask us to share specific information with a third party, we will do so.
  • For legal reasons. We may disclose information to comply with a valid legal process, to protect the rights or safety of NodePlus or others, or to investigate fraud or security incidents.
  • In a business transfer. If NodePlus is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

6. Plaid-specific disclosures

When you elect to connect a business financial account through Plaid:

  • You are directed to a Plaid-hosted flow ("Plaid Link") and authenticate directly with your financial institution within that flow.
  • Plaid acts as a service provider to NodePlus. Plaid's collection, use, and disclosure of information is also subject to Plaid's End User Privacy Policy.
  • We receive only the information described in §3.2.
  • You can disconnect a connected account at any time from Settings → Connected Accounts → Disconnect. Disconnection causes us to (a) immediately revoke Plaid access via /item/remove, and (b) delete derived data per our retention schedule.

7. Your choices and rights

7.1 Access, correction, deletion

You may, at any time:

  • Access the information we hold about you in your capacity as a user of the Service, by logging in or by emailing james@nodeplus.ai.
  • Correct inaccurate information about you.
  • Delete the personal information we hold about you. Deletion is processed within 30 days. Note that information your organization holds in its NodePlus workspace (including financial data your organization has connected) is controlled by your organization; if you wish to delete organization-owned data, please direct your request to your organization's NodePlus administrator. See our Data Retention and Disposal Policy for details about what is removed and what (if anything) is retained for legal or audit purposes.

7.2 Consent withdrawal

Where we rely on consent to process financial data, that consent can be withdrawn at any time by disconnecting the relevant account (which stops future data flow from Plaid) and/or by deleting your NodePlus account (which removes the personal information we hold about you). Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.

7.3 California / CPRA rights

If you are a California resident, you have the rights granted by the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), including the rights to know, delete, correct, and limit the use of sensitive personal information, and the right not to be discriminated against for exercising these rights. We do not sell or share (as defined under CPRA) personal information.

7.4 Other jurisdictions

Where the privacy laws of other US states or non-US jurisdictions grant additional rights (e.g., Virginia VCDPA, Colorado CPA, Connecticut CTDPA, GDPR for users in the EEA), we honor those rights to the extent they apply. Contact us at james@nodeplus.ai to exercise any such right.

8. Lawful bases for processing

Where the GDPR or a similar regime applies, we rely on the following lawful bases:

  • Performance of a contract - with your organization, to operate the Service.
  • Consent - for the collection and processing of financial-account data via Plaid (clicked at account linking by an authorized representative of the customer organization).
  • Legitimate interests - securing the Service, preventing fraud, and improving the product, where those interests are not overridden by your rights.
  • Legal obligations - where we are required to retain or disclose information.

9. Security

We protect information with administrative, technical, and physical safeguards described in our Access Controls Policy, MFA Policy, Encryption Policy, and Vulnerability Management Policy (available on request to enterprise customers and regulators). Highlights:

  • TLS 1.2 or higher for all data in transit
  • AES-256 encryption at rest for all customer data, including Plaid access tokens, which are additionally encrypted at the column level
  • Multi-factor authentication enforced for every NodePlus workforce account that accesses systems holding customer data
  • Least-privilege access for all employees and contractors, with quarterly access reviews
  • Zero-trust internal network access via Tailscale

No system is perfectly secure. If we ever experience a security incident that involves personal information, we will notify affected parties in accordance with applicable law and our contractual obligations to customer organizations.

10. Data retention

Information is retained only for as long as needed for the purposes set out in this Policy or as required by law. The specific retention periods per data category are documented in our Data Retention and Disposal Policy, available on request.

11. Children's privacy

The Service is intended for use by authorized representatives of customer organizations, who must be 18 years of age or older. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

12. International transfers

We are based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. Where required, we rely on appropriate transfer mechanisms (such as the EU Standard Contractual Clauses).

13. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice on the Service before the changes take effect. The "Last updated" date at the top of this Policy reflects the most recent change.

14. Contact

NodePlus Inc.
Email: james@nodeplus.ai

For privacy-specific inquiries or to exercise any right described in this Policy, please email the address above with "Privacy request" in the subject line.

Version 1.1 · 2026-05-15