Privacy Policy
Who we are
Nodus Events Limited is a company registered in England and Wales (Company No. 17208744), with its registered office at 79 Belgrave Road, Aylesbury, England, HP19 9TN ("we", "us", "our"). We operate the website and platform available at thenodus.uk (the "Platform").
We are the data controller for personal data collected through the Platform. For the purposes of UK GDPR and the Data Protection Act 2018, our representative can be contacted at privacy@thenodus.uk.
What data we collect and why
Account and identity data
When you register for an account, we collect your name, email address, job title, company name, and password hash. We need this to create and maintain your account, verify your identity, and communicate with you about the service. Our lawful basis is contract (Article 6(1)(b) UK GDPR) — we cannot provide you access without it.
Usage and behavioural data
We collect information about how you use the Platform: pages visited, features used, session duration, error logs, and API calls made. We use this to improve the Platform, fix bugs, and understand which features deliver value. Our lawful basis is legitimate interests (Article 6(1)(f)) — we have a genuine business interest in understanding how our product performs, and this does not override your rights.
Payment and billing data
Payment card details are processed by Stripe. We receive only tokenised payment references and billing metadata (amount, currency, date, last four digits of card). We never store full card numbers. Our lawful basis is contract.
Communications data
When you contact our support team or respond to our emails, we retain those communications. Our lawful basis is legitimate interests — keeping records of support interactions lets us resolve disputes and improve the service.
Technical data
We collect IP addresses, browser type, device type, operating system, and referral URLs. We use this for security monitoring, fraud prevention, and aggregated analytics. Our lawful basis is legitimate interests.
Marketing data
If you opt in to marketing communications, we process your contact details and preferences for that purpose. Our lawful basis is consent (Article 6(1)(a)). You can withdraw consent at any time by clicking "unsubscribe" in any email or contacting us directly.
Cookies and tracking
Our use of cookies is governed by our Cookie Policy. We use PECR-compliant consent mechanisms — non-essential cookies are only placed after you give explicit consent.
Who we share data with
We share data only where necessary:
Processors acting on our behalf. We use third-party services that process data under our instruction, including cloud hosting (Supabase (EU-hosted infrastructure, eu-west-1 Ireland)), email delivery (Resend), and analytics (PostHog (EU region)). Each processor is bound by a Data Processing Agreement meeting Article 28 UK GDPR requirements.
Legal obligations. We may disclose data where required by law, court order, or to cooperate with a regulatory investigation.
Business transfers. If we undergo a merger, acquisition, or asset sale, personal data may transfer to the acquiring entity. We will notify you before this occurs where required.
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
International transfers
Some of our processors operate outside the UK. Where data is transferred to a country without an adequacy decision from the UK Secretary of State, we rely on the UK International Data Transfer Agreement (IDTA) or equivalent safeguards. You can request a copy of the relevant transfer mechanism by contacting us.
How long we keep your data
| Category | Retention period |
|---|---|
| Account data | Duration of the contract, then 2 years for dispute resolution |
| Usage logs | 12 months rolling |
| Billing records | 7 years (HMRC statutory requirement) |
| Support communications | 3 years from last interaction |
| Marketing data | Until consent is withdrawn, then deleted within 30 days |
After the relevant period, data is securely deleted or anonymised.
Your rights
Under UK GDPR, you have the right to:
Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate data.
Erasure — ask us to delete your data where we have no lawful reason to retain it.
Restriction — ask us to pause processing while a dispute is resolved.
Portability — receive your data in a machine-readable format where processing was based on consent or contract.
Object — object to processing based on legitimate interests, including for direct marketing (which we will always honour immediately).
Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any right, contact us at privacy@thenodus.uk. We will respond within one calendar month. If the request is complex, we may extend this by a further two months and will notify you accordingly. We will not charge a fee unless the request is manifestly unfounded or excessive.
Automated decision-making
We do not subject you to decisions made solely by automated means that produce legal or similarly significant effects. If this changes, we will update this policy and notify you in advance.
Security
We implement technical and organisational measures appropriate to the risk, including encryption in transit (TLS 1.2+), encryption at rest, access controls based on least privilege, and regular security reviews. No transmission over the internet is entirely secure — we cannot guarantee absolute security, but we take our obligations seriously.
If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify you without undue delay.
Children
The Platform is not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe we have done so inadvertently, contact us and we will delete the data promptly.
Changes to this policy
We may update this policy to reflect changes in our practices or applicable law. Where changes are material, we will notify you by email or prominent notice on the Platform at least 14 days before they take effect. The "last updated" date at the top of this page will always reflect the current version.
How to complain
If you have concerns about how we handle your data, please contact us first at privacy@thenodus.uk. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
ico.org.uk
Contact us
Email: privacy@thenodus.uk
Post: 79 Belgrave Road, Aylesbury, England, HP19 9TN